Bug#1107696: libpgjava: CVE-2025-49146

Salvatore Bonaccorso carnil at debian.org
Thu Jun 12 10:06:07 BST 2025


Source: libpgjava
Version: 42.7.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for libpgjava.

CVE-2025-49146[0]:
| pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and
| until 42.7.7, when the PostgreSQL JDBC driver is configured with
| channel binding set to required (default value is prefer), the
| driver would incorrectly allow connections to proceed with
| authentication methods that do not support channel binding (such as
| password, MD5, GSS, or SSPI authentication). This could allow a man-
| in-the-middle attacker to intercept connections that users believed
| were protected by channel binding requirements. This vulnerability
| is fixed in 42.7.7.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49146
    https://www.cve.org/CVERecord?id=CVE-2025-49146
[1] https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54
[2] https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
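The configuration the quoted CVE text is about, as an added example that is not part of the bug report or of pgjdbc's own code: a client that asks for channelBinding=require, then checks two things a practitioner would want to confirm, the driver version against 42.7.7 and the authentication method the server says the session actually used. Assumptions not stated on the page: the host, database and user names are placeholders; the password comes from the PGPASSWORD environment variable; and the server is PostgreSQL 16 or later, whose system_user function returns "<auth_method>:<identity>" (NULL when no authentication took place, e.g. trust).

```java
// Added example (not from the bug report or from pgjdbc itself).
// Assumptions: placeholder host/db/user, password in PGPASSWORD,
// PostgreSQL 16+ for SELECT system_user.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public final class ChannelBindingCheck {

    /** First pgjdbc release that refuses non-channel-binding auth under channelBinding=require. */
    static final int[] FIXED = {42, 7, 7};

    /** True if a dotted driver version string (e.g. "42.7.5") is 42.7.7 or newer. */
    static boolean driverIsFixed(String version) {
        String[] parts = version.trim().replaceAll("^[^0-9]+", "").split("[^0-9]+");
        for (int i = 0; i < FIXED.length; i++) {
            int v = (i < parts.length && !parts[i].isEmpty()) ? Integer.parseInt(parts[i]) : 0;
            if (v != FIXED[i]) {
                return v > FIXED[i];
            }
        }
        return true;
    }

    /** Extract the method name from system_user output such as "scram-sha-256:alice"; null if unauthenticated. */
    static String authMethod(String systemUser) {
        if (systemUser == null) {
            return null;
        }
        int colon = systemUser.indexOf(':');
        return colon < 0 ? systemUser : systemUser.substring(0, colon);
    }

    /** Only SCRAM (SCRAM-SHA-256-PLUS) can carry channel binding; password, MD5, GSS and SSPI cannot. */
    static boolean methodSupportsChannelBinding(String method) {
        return "scram-sha-256".equalsIgnoreCase(method);
    }

    public static void main(String[] args) throws SQLException {
        String url = "jdbc:postgresql://db.example.internal:5432/appdb"; // placeholder
        Properties props = new Properties();
        props.setProperty("user", "app");                 // placeholder
        String pw = System.getenv("PGPASSWORD");
        if (pw != null) {
            props.setProperty("password", pw);
        }
        props.setProperty("sslmode", "verify-full");      // channel binding needs TLS; verify the server too
        props.setProperty("channelBinding", "require");   // the setting CVE-2025-49146 is about

        try (Connection c = DriverManager.getConnection(url, props)) {
            String version = c.getMetaData().getDriverVersion();
            System.out.println("pgjdbc " + version
                    + (driverIsFixed(version) ? " (fixed)" : " (older than 42.7.7: require is not enforced)"));

            try (Statement st = c.createStatement();
                 ResultSet rs = st.executeQuery("SELECT system_user")) {
                rs.next();
                String method = authMethod(rs.getString(1));
                System.out.println("server-reported auth method: " + method);
                if (!methodSupportsChannelBinding(method)) {
                    // A fixed driver would have aborted the handshake before reaching this point.
                    throw new SQLException("channelBinding=require, but the session authenticated with " + method);
                }
            }
        }
    }
}
```

The system_user check catches exactly the failure mode in the CVE text (a password, MD5, GSS or SSPI login accepted despite channelBinding=require), but the server reports "scram-sha-256" for both the plain and the -PLUS SCRAM mechanism, so it cannot prove that channel binding itself was negotiated; the driver version check is the authoritative one, and the real fix is upgrading to 42.7.7 or later.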
