openEuler Security Advisory openEuler-SA-2024-1237

Title: postgresql-jdbc security update
Severity: Critical
Status: Final
Document version: 1.0
Initial release date: 2024-03-01
Current release date: 2024-03-01
Revision history: 1.0, 2024-03-01, Initial
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Generator: openEuler SA Tool V1.0

Synopsis:
An update for postgresql-jdbc is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP4, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3.

Description:
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database-independent Java code. It is an open source JDBC driver written in pure Java (Type 4) and communicates in the PostgreSQL native network protocol.

Security Fix(es):
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected. (CVE-2024-1597)

openEuler Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

References:
  - https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1237
  - https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2024-1597
  - https://nvd.nist.gov/vuln/detail/CVE-2024-1597

Affected products:
  - openEuler-20.03-LTS-SP1
  - openEuler-20.03-LTS-SP4
  - openEuler-22.03-LTS
  - openEuler-22.03-LTS-SP1
  - openEuler-22.03-LTS-SP2
  - openEuler-22.03-LTS-SP3

Updated packages:

openEuler-20.03-LTS-SP1 (oe1):
  - postgresql-jdbc-42.4.1-3.oe1.noarch.rpm
  - postgresql-jdbc-help-42.4.1-3.oe1.noarch.rpm
  - postgresql-jdbc-javadoc-42.4.1-3.oe1.noarch.rpm
  - postgresql-jdbc-42.4.1-3.oe1.src.rpm

openEuler-20.03-LTS-SP4 (oe2003sp4):
  - postgresql-jdbc-42.4.1-3.oe2003sp4.noarch.rpm
  - postgresql-jdbc-help-42.4.1-3.oe2003sp4.noarch.rpm
  - postgresql-jdbc-javadoc-42.4.1-3.oe2003sp4.noarch.rpm
  - postgresql-jdbc-42.4.1-3.oe2003sp4.src.rpm

openEuler-22.03-LTS (oe2203):
  - postgresql-jdbc-42.4.1-3.oe2203.noarch.rpm
  - postgresql-jdbc-help-42.4.1-3.oe2203.noarch.rpm
  - postgresql-jdbc-javadoc-42.4.1-3.oe2203.noarch.rpm
  - postgresql-jdbc-42.4.1-3.oe2203.src.rpm

openEuler-22.03-LTS-SP1 (oe2203sp1):
  - postgresql-jdbc-42.4.1-3.oe2203sp1.noarch.rpm
  - postgresql-jdbc-help-42.4.1-3.oe2203sp1.noarch.rpm
  - postgresql-jdbc-javadoc-42.4.1-3.oe2203sp1.noarch.rpm
  - postgresql-jdbc-42.4.1-3.oe2203sp1.src.rpm

openEuler-22.03-LTS-SP2 (oe2203sp2):
  - postgresql-jdbc-42.4.1-3.oe2203sp2.noarch.rpm
  - postgresql-jdbc-help-42.4.1-3.oe2203sp2.noarch.rpm
  - postgresql-jdbc-javadoc-42.4.1-3.oe2203sp2.noarch.rpm
  - postgresql-jdbc-42.4.1-3.oe2203sp2.src.rpm

openEuler-22.03-LTS-SP3 (oe2203sp3):
  - postgresql-jdbc-42.4.1-3.oe2203sp3.noarch.rpm
  - postgresql-jdbc-help-42.4.1-3.oe2203sp3.noarch.rpm
  - postgresql-jdbc-javadoc-42.4.1-3.oe2203sp3.noarch.rpm
  - postgresql-jdbc-42.4.1-3.oe2203sp3.src.rpm

Vulnerability details:

CVE-2024-1597
  Release date: 2024-03-01
  Severity: Critical
  CVSS base score: 10.0
  CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP4, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP2, openEuler-22.03-LTS-SP3
  Description: see Security Fix(es) above.
  Fixed by: postgresql-jdbc security update, 2024-03-01
  Advisory: https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1237
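The advisory ties exploitability to two things an operator can check without touching the application code: whether a connection is configured with the non-default simple query mode, and whether the driver is older than the fixed releases listed above. The following Python script is an added example, not part of the openEuler advisory or the pgjdbc project; it flags JDBC URLs and connection Properties that set the query mode to simple (the advisory writes it PreferQueryMode=SIMPLE; the script matches the key and value case-insensitively so either spelling is caught) and compares a driver version against the fixed-version list the advisory gives. The sample connection entries at the bottom are constructed for illustration; the distro release suffix handling (for example the "-3" in 42.4.1-3) is an assumption about how the installed version string may be written.

```python
"""Added example: audit pgjdbc connection settings against the
preconditions of CVE-2024-1597 as stated in openEuler-SA-2024-1237.
Not code from the advisory or from the pgjdbc project."""
from urllib.parse import parse_qs

# First fixed release of each 42.x minor line, exactly as the advisory lists them.
FIXED_VERSIONS = ["42.7.2", "42.6.1", "42.5.5", "42.4.4", "42.3.9", "42.2.8"]


def parse_version(version):
    """Turn '42.4.1' or a distro-style '42.4.1-3' into a comparable tuple.
    Assumption: anything after the first '-' is a package release suffix."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_is_affected(version):
    """True when the driver is older than the fixed release of its minor line.
    Minor lines the advisory does not list are compared against the newest
    listed fix, so 42.1.x counts as affected and 42.8.x as not affected."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[:2] == f[:2]:
            return v < f
    newest_fix = max(parse_version(f) for f in FIXED_VERSIONS)
    return v < newest_fix


def uses_simple_query_mode(jdbc_url, properties=None):
    """True when preferQueryMode resolves to 'simple' in the URL query string
    or in the Properties map. Both sources are checked; no precedence is
    assumed, a hit in either is reported."""
    query = jdbc_url.partition("?")[2]
    url_params = {k.lower(): v for k, v in parse_qs(query).items()}
    for value in url_params.get("preferquerymode", []):
        if value.strip().lower() == "simple":
            return True
    for key, value in (properties or {}).items():
        if key.lower() == "preferquerymode" and value.strip().lower() == "simple":
            return True
    return False


def assess(jdbc_url, driver_version, properties=None):
    """Classify one connection. 'vulnerable' means both advisory preconditions
    hold; 'risky-config' means simple mode on a fixed driver (still non-default
    and worth reviewing); 'unfixed-driver' means default mode on an old driver
    (not exploitable per the advisory, but the update should still be applied)."""
    simple = uses_simple_query_mode(jdbc_url, properties)
    old = version_is_affected(driver_version)
    if simple and old:
        return "vulnerable"
    if simple:
        return "risky-config"
    if old:
        return "unfixed-driver"
    return "ok"


# Constructed sample inventory: (name, JDBC URL, Properties, installed driver version).
SAMPLE_CONNECTIONS = [
    ("billing", "jdbc:postgresql://db.example.internal:5432/billing?preferQueryMode=simple", {}, "42.4.1-3"),
    ("reports", "jdbc:postgresql://db.example.internal:5432/reports", {"PreferQueryMode": "SIMPLE"}, "42.7.2"),
    ("inventory", "jdbc:postgresql://db.example.internal:5432/inventory", {}, "42.4.1"),
    ("auth", "jdbc:postgresql://db.example.internal:5432/auth?ssl=true", {}, "42.7.2"),
]


def audit(connections=SAMPLE_CONNECTIONS):
    """Return {name: status} for every connection in the inventory."""
    return {name: assess(url, ver, props) for name, url, props, ver in connections}


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name:10s} {status}")
```

Running the script on the constructed inventory reports the "billing" connection as vulnerable (simple mode on a driver below 42.4.4), "reports" as risky-config, "inventory" as unfixed-driver and "auth" as ok. The remediation the advisory points to is the package update; removing preferQueryMode=simple where it is not needed closes the second precondition independently.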