Your message dated Fri, 13 Jun 2025 23:30:09 +0200
with message-id <[email protected]>
and subject line Re: Accepted libpgjava 42.7.7-1 (source) into unstable
has caused the Debian Bug report #1107696,
regarding libpgjava: CVE-2025-49146
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1107696: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107696
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpgjava
Version: 42.7.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libpgjava.
CVE-2025-49146[0]:
| pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and
| until 42.7.7, when the PostgreSQL JDBC driver is configured with
| channel binding set to required (default value is prefer), the
| driver would incorrectly allow connections to proceed with
| authentication methods that do not support channel binding (such as
| password, MD5, GSS, or SSPI authentication). This could allow a
| man-in-the-middle attacker to intercept connections that users
| believed were protected by channel binding requirements. This
| vulnerability is fixed in 42.7.7.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-49146
https://www.cve.org/CVERecord?id=CVE-2025-49146
[1] https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54
[2] https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libpgjava
Source-Version: 42.7.7-1
On Fri, Jun 13, 2025 at 01:49:22PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Fri, 13 Jun 2025 15:26:53 +0200
> Source: libpgjava
> Architecture: source
> Version: 42.7.7-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Java Maintainers <[email protected]>
> Changed-By: Christoph Berg <[email protected]>
> Changes:
> libpgjava (42.7.7-1) unstable; urgency=medium
> .
> * New upstream version 42.7.7.
> Fixes CVE-2025-49146: When the PostgreSQL JDBC driver is configured with
> channel binding set to required (default value is prefer), the driver
> would incorrectly allow connections to proceed with authentication methods
> that do not support channel binding (such as password, MD5, GSS, or SSPI
> authentication). This could allow a man-in-the-middle attacker to
> intercept connections that users believed were protected by channel
> binding requirements.
> Checksums-Sha1:
> 09e4468b9fbdbce67aa566e3568bfdc5df75bf36 2420 libpgjava_42.7.7-1.dsc
> bf95dc7a9ab835185b80bff3283eb903d6735753 1052965 libpgjava_42.7.7.orig.tar.gz
> 55d542519dd8f213d932f5a2284f39bae40e3f32 10480 libpgjava_42.7.7-1.debian.tar.xz
> Checksums-Sha256:
> a983ffa7cdd966c2044e5ef2c71815a70b275dde7e92b2418471a9426ac13d0e 2420 libpgjava_42.7.7-1.dsc
> 216e8ff44559bf1094f671c43d71f65863bff381fa8e0ec6934da5d59f5a112e 1052965 libpgjava_42.7.7.orig.tar.gz
> ed6ff596666815afc80140877af83a42eade5b496fd486e859ea8bfb4e86ff31 10480 libpgjava_42.7.7-1.debian.tar.xz
> Files:
> 3be9286e0671fd7c0ec2246a006fdda0 2420 java optional libpgjava_42.7.7-1.dsc
> 0773de80142ff9f753271407fb161460 1052965 java optional libpgjava_42.7.7.orig.tar.gz
> 108a42c16edb8eebbcdb30ac0b199d2a 10480 java optional libpgjava_42.7.7-1.debian.tar.xz
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmhMKpIACgkQTFprqxLS
> p64RoA//a1fsMkXNW0wMCZ69pPBFROlW/2s6pDf64XPGzOxRWlGSdTVZQ/NXPuq4
> rIY0GASEiUNkF7NUekbqH2vX165N/wEOJaSlxXERbniEKzYjUd7hUnFYaLtY49LS
> 7GZMpzzNz/jvIPyFTijLxMa6l6Y8+wNzm8I2uinLINny1k7GJ7shyBtSPZZd7FOc
> OrSJnT9C1AMx7wi37Svy/s7tr+SXS1ph1o6Nt3XMkG93TUTnmA3GYFAWtNF8tjpI
> HyZYoUOFwBLzOyK/KFIbJGW7Bo2YfwnKKnWxoazuGeJaYe729UVJ8x6He/exvQA+
> Ttzr7tASqCRUC0kJl7odpM6AVjS1lGllTFqJTa8XR08zHD+mQUQlNhVDItFbSxuM
> Ab9QGh8xHrJE7tqWBU7vobm+/6PbdSygUBaBD1ynkiqBPeMn7bR8680OEki+pW7i
> m7DwH4d9vUrJ0Zz26wZ+N/UAiiwK8nhcDU77b7SjazIQ6SyvlF8Zrl+OHNlBVAI3
> zdWkqb56kjGVJDy3rFw5bjpsk2lz4PyM6pSnbRJFFzOFSCTE3OhTs/cJcgxYsdWW
> /Qc3MJ8D3ovsp4eci1BCdD8BsGqi/yvC4FXz5cKfObZWOUEKo+CNDQdb4+5NLt1D
> Mqd95itjOBir3mW5XLESciaXktvDqBjZ8zB1kGmyxUQcYKiBdyU=
> =uFug
> -----END PGP SIGNATURE-----
--- End Message ---
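The defect described in the CVE text quoted in both messages above is a policy gap: the client asked for channel binding to be required, but only the SASL/SCRAM branch of the authentication handling consulted that setting, so a server (or an interposed party) that instead asked for password, MD5, GSS or SSPI authentication was accepted. The following Python model is an added illustration written for this page, not pgjdbc's code and not the upstream fix; it parses constructed PostgreSQL AuthenticationRequest messages (the real protocol codes 0/3/5/7/9/10 and the real SCRAM mechanism names) and compares a flawed decision with a hardened one. The `vulnerable_decision`/`fixed_decision` functions and the `channelBinding` values disable/prefer/require are modelling assumptions, and the per-method payloads (MD5 salt, GSS tokens) are omitted because the policy check does not depend on them.

```python
import struct

# Authentication request codes from the PostgreSQL frontend/backend protocol.
AUTH_OK, AUTH_CLEARTEXT, AUTH_MD5, AUTH_GSS, AUTH_SSPI, AUTH_SASL = 0, 3, 5, 7, 9, 10
AUTH_NAMES = {AUTH_OK: "trust/ok", AUTH_CLEARTEXT: "password", AUTH_MD5: "md5",
              AUTH_GSS: "gss", AUTH_SSPI: "sspi", AUTH_SASL: "sasl"}
SCRAM, SCRAM_PLUS = "SCRAM-SHA-256", "SCRAM-SHA-256-PLUS"


def build_auth_request(code, mechanisms=()):
    """Build a backend AuthenticationRequest ('R') message. Used here only to
    construct sample server messages; method-specific payloads such as the
    MD5 salt are omitted (assumption: irrelevant to the policy decision)."""
    body = struct.pack("!I", code)
    if code == AUTH_SASL:
        body += b"".join(m.encode("ascii") + b"\x00" for m in mechanisms) + b"\x00"
    return b"R" + struct.pack("!I", 4 + len(body)) + body


def parse_auth_request(msg):
    """Return (code, sasl_mechanisms) from an 'R' message; the mechanism list
    is empty for non-SASL requests."""
    if len(msg) < 9 or msg[:1] != b"R":
        raise ValueError("not an AuthenticationRequest message")
    (length,) = struct.unpack("!I", msg[1:5])
    if length != len(msg) - 1:
        raise ValueError("length field does not match message size")
    (code,) = struct.unpack("!I", msg[5:9])
    mechanisms = []
    if code == AUTH_SASL:
        # NUL-terminated mechanism names followed by a final empty NUL.
        mechanisms = [m.decode("ascii") for m in msg[9:].split(b"\x00") if m]
    return code, mechanisms


def choose_sasl_mechanism(channel_binding, mechanisms, tls):
    """Pick a SASL mechanism for a channelBinding setting of disable, prefer
    or require. Channel binding needs SCRAM-SHA-256-PLUS on top of a TLS
    session; returns None when nothing acceptable is offered."""
    plus_available = tls and SCRAM_PLUS in mechanisms
    if channel_binding == "require":
        return SCRAM_PLUS if plus_available else None
    if channel_binding == "prefer" and plus_available:
        return SCRAM_PLUS
    return SCRAM if SCRAM in mechanisms else None


def vulnerable_decision(channel_binding, msg, tls):
    """Flawed check (model of the CVE-2025-49146 behaviour): only the SASL
    branch looks at channelBinding, so a password/md5/gss/sspi request is
    accepted even though the client demanded channel binding."""
    code, mechanisms = parse_auth_request(msg)
    if code == AUTH_SASL:
        return choose_sasl_mechanism(channel_binding, mechanisms, tls) is not None
    return True


def fixed_decision(channel_binding, msg, tls):
    """Hardened check: with channelBinding=require, anything other than a
    SASL request that lets us negotiate SCRAM-SHA-256-PLUS over TLS is refused."""
    code, mechanisms = parse_auth_request(msg)
    if code == AUTH_SASL:
        return choose_sasl_mechanism(channel_binding, mechanisms, tls) is not None
    return channel_binding != "require"


def compare(channel_binding, msg, tls):
    """Return (auth method name, vulnerable verdict, fixed verdict) for one
    server authentication request."""
    code, _ = parse_auth_request(msg)
    return (AUTH_NAMES.get(code, str(code)),
            vulnerable_decision(channel_binding, msg, tls),
            fixed_decision(channel_binding, msg, tls))


if __name__ == "__main__":
    # Constructed sample server requests, evaluated with channelBinding=require over TLS.
    samples = [
        build_auth_request(AUTH_MD5),
        build_auth_request(AUTH_CLEARTEXT),
        build_auth_request(AUTH_GSS),
        build_auth_request(AUTH_SASL, [SCRAM]),
        build_auth_request(AUTH_SASL, [SCRAM, SCRAM_PLUS]),
    ]
    for m in samples:
        name, vuln, fixed = compare("require", m, tls=True)
        print(f"{name:10} vulnerable={vuln!s:5} fixed={fixed}")
```

The point the model makes is that "require" has to be enforced at the moment the server names its authentication method, not only inside the SCRAM negotiation: a downgrade to a method without channel binding must end the connection attempt, otherwise the setting gives no protection against an interposed server. The same test applies when auditing a deployment: with `channelBinding=require`, a connection that succeeds against a server configured for md5 or password authentication is a sign the driver is still affected.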
-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.