Source: libpgjava
Version: 42.7.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libpgjava.

CVE-2025-49146[0]:
| pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and
| until 42.7.7, when the PostgreSQL JDBC driver is configured with
| channel binding set to required (default value is prefer), the
| driver would incorrectly allow connections to proceed with
| authentication methods that do not support channel binding (such as
| password, MD5, GSS, or SSPI authentication). This could allow a man-
| in-the-middle attacker to intercept connections that users believed
| were protected by channel binding requirements. This vulnerability
| is fixed in 42.7.7.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49146
    https://www.cve.org/CVERecord?id=CVE-2025-49146
[1] https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54
[2] https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
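Added illustration, not part of the bug report and not pgjdbc's code: a small Python model of the client-side decision the advisory is about. The server's AuthenticationRequest ('R') message is parsed from the wire format, and two selection routines are compared: a model of the pre-42.7.7 behaviour described above, where the "require" check only happens once the server has offered SASL mechanisms, and a hardened version that refuses password, MD5, GSS and SSPI requests outright when channel binding is required. The mode strings disable/prefer/require mirror the driver's channelBinding connection property as the editor recalls it; treat that name and its values as an assumption and check the pgjdbc documentation. The protocol codes come from the PostgreSQL frontend/backend protocol; the messages themselves are constructed for the example.

```python
import struct

# PostgreSQL AuthenticationRequest codes carried in the server's 'R' message
# (frontend/backend protocol documentation).
AUTH_OK = 0
AUTH_CLEARTEXT_PASSWORD = 3
AUTH_MD5_PASSWORD = 5
AUTH_GSS = 7
AUTH_SSPI = 9
AUTH_SASL = 10

# Methods that cannot carry channel binding at all; only SCRAM-SHA-256-PLUS can.
NON_BINDING_METHODS = {
    AUTH_CLEARTEXT_PASSWORD: "password",
    AUTH_MD5_PASSWORD: "md5",
    AUTH_GSS: "gss",
    AUTH_SSPI: "sspi",
}


def build_auth_request(code, mechanisms=(), salt=b""):
    """Constructed server message: 'R', int32 length (including itself), int32 code,
    then for AUTH_SASL a list of NUL-terminated mechanism names ended by an empty
    name, or for AUTH_MD5_PASSWORD the 4-byte salt."""
    body = struct.pack("!i", code)
    if code == AUTH_SASL:
        body += b"".join(m.encode("ascii") + b"\x00" for m in mechanisms) + b"\x00"
    elif code == AUTH_MD5_PASSWORD:
        body += salt
    return b"R" + struct.pack("!i", len(body) + 4) + body


def parse_auth_request(msg):
    """Return (code, [mechanisms]) from an AuthenticationRequest message."""
    if msg[:1] != b"R":
        raise ValueError("not an AuthenticationRequest message")
    (length,) = struct.unpack("!i", msg[1:5])
    if length != len(msg) - 1:
        raise ValueError("length field does not match message size")
    (code,) = struct.unpack("!i", msg[5:9])
    mechanisms = []
    if code == AUTH_SASL:
        for name in msg[9:].split(b"\x00"):
            if name == b"":
                break  # the empty name terminates the list
            mechanisms.append(name.decode("ascii"))
    return code, mechanisms


def choose_sasl(channel_binding, mechanisms, tls_active):
    """SASL mechanism selection shared by both models; '-PLUS' is the only
    variant that binds the authentication to the TLS channel."""
    if channel_binding != "disable" and tls_active and "SCRAM-SHA-256-PLUS" in mechanisms:
        return "SCRAM-SHA-256-PLUS"
    if channel_binding == "require":
        raise ConnectionError("channel binding required but SCRAM-SHA-256-PLUS is unavailable")
    if "SCRAM-SHA-256" in mechanisms:
        return "SCRAM-SHA-256"
    raise ConnectionError("no supported SASL mechanism offered")


def select_auth_vulnerable(channel_binding, msg, tls_active=True):
    """Model of the pre-fix behaviour the advisory describes (assumption, not the
    driver's code): the 'require' check lives only in the SASL branch, so a
    server (or an interposed party) asking for password/MD5/GSS/SSPI is obeyed."""
    code, mechanisms = parse_auth_request(msg)
    if code == AUTH_SASL:
        return choose_sasl(channel_binding, mechanisms, tls_active)
    if code in NON_BINDING_METHODS:
        return NON_BINDING_METHODS[code]
    raise ConnectionError(f"unsupported authentication code {code}")


def select_auth_fixed(channel_binding, msg, tls_active=True):
    """Hardened selection: in 'require' mode every non-SASL request is refused
    before any credential leaves the client."""
    code, mechanisms = parse_auth_request(msg)
    if code == AUTH_SASL:
        return choose_sasl(channel_binding, mechanisms, tls_active)
    if code in NON_BINDING_METHODS:
        if channel_binding == "require":
            raise ConnectionError(
                f"channel binding required but server requested {NON_BINDING_METHODS[code]}")
        return NON_BINDING_METHODS[code]
    raise ConnectionError(f"unsupported authentication code {code}")


def is_refused(selector, channel_binding, msg, tls_active=True):
    """True if the selector refuses to proceed with this authentication request."""
    try:
        selector(channel_binding, msg, tls_active)
        return False
    except ConnectionError:
        return True


if __name__ == "__main__":
    md5 = build_auth_request(AUTH_MD5_PASSWORD, salt=b"\x01\x02\x03\x04")  # constructed
    print("vulnerable model proceeds with:", select_auth_vulnerable("require", md5))
    print("fixed model refuses:", is_refused(select_auth_fixed, "require", md5))
```

The point to take from the two routines is where the mode check sits: a check that only runs once SASL mechanisms are on the table is bypassed by any request for an older method, so the enforcement has to happen at the point where the authentication method itself is accepted. Until the package is at 42.7.7 (or carries the fix from commit [2]), a channelBinding=require setting should not be relied on as a guarantee.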
