Your message dated Wed, 23 Apr 2025 09:34:43 +0000
with message-id <e1u7wv9-00cg2b...@fasolo.debian.org>
and subject line Bug#1065686: fixed in golang-github-jackc-pgx 4.18.1-2
has caused the Debian Bug report #1065686,
regarding golang-github-jackc-pgx: CVE-2024-27289
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1065686: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065686
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-jackc-pgx
Version: 4.18.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for golang-github-jackc-pgx.

CVE-2024-27289[0]:
| pgx is a PostgreSQL driver and toolkit for Go. Prior to version
| 4.18.2, SQL injection can occur when all of the following conditions
| are met: the non-default simple protocol is used; a placeholder for
| a numeric value must be immediately preceded by a minus; there must
| be a second placeholder for a string value after the first
| placeholder; both must be on the same line; and both parameter
| values must be user-controlled. The problem is resolved in v4.18.2.
| As a workaround, do not use the simple protocol or do not place a
| minus directly before a placeholder.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27289
    https://www.cve.org/CVERecord?id=CVE-2024-27289
[1] https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
[2] https://github.com/jackc/pgx/commit/826a89229b8b1cdf18e4190afa437d3df9901b9c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-github-jackc-pgx
Source-Version: 4.18.1-2
Done: Dr. Tobias Quathamer <to...@debian.org>

We believe that the bug you reported is fixed in the latest version of
golang-github-jackc-pgx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1065...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <to...@debian.org> (supplier of updated 
golang-github-jackc-pgx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Apr 2025 11:04:24 +0200
Source: golang-github-jackc-pgx
Architecture: source
Version: 4.18.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <to...@debian.org>
Closes: 1065686 1065687
Changes:
 golang-github-jackc-pgx (4.18.1-2) unstable; urgency=medium
 .
   * Team upload.
   * Create a new git branch to fix CVEs during soft freeze.
   * Add two patches from upstream
     - CVE-2024-27289
       pgx is a PostgreSQL driver and toolkit for Go. Prior to version
       4.18.2, SQL injection can occur when all of the following
       conditions are met: the non-default simple protocol is used; a
       placeholder for a numeric value must be immediately preceded by a
       minus; there must be a second placeholder for a string value
       after the first placeholder; both must be on the same line; and
       both parameter values must be user-controlled. The problem is
       resolved in v4.18.2. As a workaround, do not use the simple
       protocol or do not place a minus directly before a placeholder.
       Closes: #1065686
     - CVE-2024-27304
       pgx is a PostgreSQL driver and toolkit for Go. SQL injection can
       occur if an attacker can cause a single query or bind message to
       exceed 4 GB in size. An integer overflow in the calculated
       message size can cause the one large message to be sent as
       multiple messages under the attacker's control. The problem is
       resolved in v4.18.2 and v5.5.4. As a workaround, reject user
       input large enough to cause a single query or bind message to
       exceed 4 GB in size.
       Closes: #1065687



--- End Message ---
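As an added, defender-side example (not code from the bug report, from pgx or from Debian), here is a Go pre-flight check that applies the two workarounds quoted in the changelog above: it flags and spaces out a minus placed directly before a placeholder (CVE-2024-27289) and rejects a query plus its arguments when their combined size approaches the 4 GB message boundary (CVE-2024-27304). The function names, the text-only argument type and the 1 GiB cap are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Illustrative pre-flight audit for queries sent through pgx's simple
// protocol, written for this note (not pgx's own code). It enforces the
// two workarounds quoted in the changelog above.

// minusBeforePlaceholder matches a minus sign immediately followed by a
// positional placeholder such as $1 (the pattern CVE-2024-27289's
// workaround says to avoid).
var minusBeforePlaceholder = regexp.MustCompile(`-(\$[0-9]+)`)

// MaxMessageBytes is a conservative cap (assumed value: 1 GiB) kept far
// below the 4 GB boundary described for CVE-2024-27304.
var MaxMessageBytes = 1 << 30

var ErrMinusPlaceholder = errors.New("minus directly before placeholder")
var ErrTooLarge = errors.New("query and arguments exceed size cap")

// FindMinusPlaceholders returns every "-$n" occurrence in sql.
func FindMinusPlaceholders(sql string) []string {
	return minusBeforePlaceholder.FindAllString(sql, -1)
}

// SpaceOutMinus rewrites "-$n" as "- $n": the same SQL, but an inlined
// negative number can no longer merge with the preceding minus.
func SpaceOutMinus(sql string) string {
	return minusBeforePlaceholder.ReplaceAllString(sql, "- ${1}")
}

// AuditSimpleQuery rejects a query and its text arguments (the simple
// protocol inlines values as text, so text length is what counts) when
// either workaround is violated; a nil result means the query may be sent.
func AuditSimpleQuery(sql string, args ...string) error {
	if m := FindMinusPlaceholders(sql); len(m) > 0 {
		return fmt.Errorf("%w: %v", ErrMinusPlaceholder, m)
	}
	total := len(sql)
	for _, a := range args {
		if len(a) > MaxMessageBytes-total { // compare before adding: no overflow
			return ErrTooLarge
		}
		total += len(a)
	}
	return nil
}
```

Upgrading to a fixed pgx (4.18.2 or the Debian 4.18.1-2 package) remains the real fix; this check only catches the two query shapes the advisories call out.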
