dependabot[bot] opened a new pull request, #24334:
URL: https://github.com/apache/camel/pull/24334

   Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 
42.7.11 to 42.7.12.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a 
href="https://github.com/pgjdbc/pgjdbc/releases">org.postgresql:postgresql's 
releases</a>.</em></p>
   <blockquote>
   <h2>Security</h2>
   <h3>Silent channel-binding authentication downgrade (CVE-2026-54291)</h3>
   <p><code>channelBinding=require</code> connections can be silently 
downgraded from SCRAM-SHA-256-PLUS (with channel binding) to plain 
SCRAM-SHA-256 (without it), losing the man-in-the-middle protection the setting 
is meant to guarantee. An attacker who can intercept the TLS connection 
triggers the downgrade with a certificate whose signature algorithm has no 
tls-server-end-point channel-binding hash. Examples are Ed25519, Ed448, and 
post-quantum algorithms.</p>
   <p>Two issues combine in releases 42.7.4 through 42.7.11:</p>
   <p>The bundled <code>com.ongres.scram:scram-client</code> (3.1 or 3.2) 
returns an empty byte array instead of failing when it cannot derive the 
binding hash for such a certificate. This is the library issue tracked as <a 
href="https://github.com/advisories/GHSA-p9jg-fcr6-3mhf">GHSA-p9jg-fcr6-3mhf</a>.</p>
   <p>pgJDBC does not enforce channelBinding=require where it matters. 
ScramAuthenticator checks only that the server advertised a -PLUS mechanism; it 
neither rejects the empty binding nor checks that the negotiated mechanism uses 
channel binding. The connection therefore downgrades silently.</p>
   <p>Only connections that set channelBinding=require are affected. Under the 
default prefer policy, and under allow or disable, falling back to plain SCRAM 
is the documented behaviour.</p>
   <p>Releases before 42.7.4 are unaffected, because they do not support 
channel binding.</p>
   </blockquote>
   </details>
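To make the advisory quoted above concrete, here is an added example written for this page; it is not pgJDBC's or scram-client's code. It models the two halves of the bug in Python: deriving the RFC 5929 tls-server-end-point binding from a certificate's signatureAlgorithm OID and failing closed, rather than returning an empty byte string, when that algorithm names no hash (Ed25519 here); and a client-side mechanism selection that, under `channelBinding=require`, rejects anything but a non-empty binding on SCRAM-SHA-256-PLUS. `negotiate(..., enforce=False)` reproduces the silent downgrade the advisory describes. The DER "certificates" are constructed stubs with only the outer Certificate layout and the OID populated, the function names and the negotiation model (in particular, that a client with nothing to bind selects the non-PLUS mechanism) are this example's own assumptions, and the OID-to-hash table follows RFC 5929 section 4.1 (MD5 and SHA-1 mapped to SHA-256).

```python
import hashlib

# Hash for tls-server-end-point, keyed by the certificate's signatureAlgorithm OID
# (RFC 5929 section 4.1: MD5 and SHA-1 are replaced by SHA-256). Ed25519 (1.3.101.112)
# and Ed448 (1.3.101.113) are absent on purpose: their AlgorithmIdentifier names no hash.
_HASH_FOR_SIG_OID = {
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption  -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
}

class ChannelBindingUnavailable(Exception):
    """No tls-server-end-point binding can be derived for this certificate."""

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)                      # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)                 # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def tls_server_end_point(cert_der):
    """Return the binding bytes or raise; an empty result is never returned."""
    oid = signature_algorithm_oid(cert_der)
    digest = _HASH_FOR_SIG_OID.get(oid)
    if digest is None:
        raise ChannelBindingUnavailable("no channel-binding hash for signature algorithm " + oid)
    return hashlib.new(digest, cert_der).digest()

def negotiate(policy, server_mechanisms, cert_der, enforce=True):
    """Model (this example's own, not scram-client's) of client mechanism selection.
    enforce=False reproduces the advisory: an underivable binding becomes b"" and the
    client quietly ends up on plain SCRAM despite policy == "require". enforce=True
    fails closed. Returns (mechanism, binding)."""
    if policy == "disable":
        return "SCRAM-SHA-256", b""
    if "SCRAM-SHA-256-PLUS" not in server_mechanisms:
        if policy == "require":
            raise ChannelBindingUnavailable("server did not offer SCRAM-SHA-256-PLUS")
        return "SCRAM-SHA-256", b""
    try:
        binding = tls_server_end_point(cert_der)
    except ChannelBindingUnavailable:
        if enforce and policy == "require":
            raise
        binding = b""                                   # the buggy library's empty array
    # Modelling assumption: with nothing to bind, the client picks the non-PLUS mechanism.
    mechanism = "SCRAM-SHA-256-PLUS" if binding else "SCRAM-SHA-256"
    # The check the advisory says was missing: verify what was actually negotiated,
    # not merely that -PLUS appeared in the server's advertised list.
    if enforce and policy == "require" and (mechanism != "SCRAM-SHA-256-PLUS" or not binding):
        raise ChannelBindingUnavailable("channelBinding=require but negotiated " + mechanism)
    return mechanism, binding

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def make_sample_cert(sig_oid, null_params=True):
    """Constructed DER stub, not a real X.509 certificate: only the outer
    Certificate layout and the signatureAlgorithm OID are meaningful."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                            # tbsCertificate stub
    alg = _tlv(0x06, sig_oid) + (b"\x05\x00" if null_params else b"")
    sig = _tlv(0x03, b"\x00" + b"\xa5" * 8)                          # signatureValue stub
    return _tlv(0x30, tbs + _tlv(0x30, alg) + sig)

RSA_SHA256_CERT = make_sample_cert(bytes.fromhex("2a864886f70d01010b"))       # sha256WithRSA
ED25519_CERT = make_sample_cert(bytes.fromhex("2b6570"), null_params=False)  # id-Ed25519

if __name__ == "__main__":
    offered = ["SCRAM-SHA-256-PLUS", "SCRAM-SHA-256"]
    print(negotiate("require", offered, RSA_SHA256_CERT))              # -PLUS, 32-byte binding
    print(negotiate("require", offered, ED25519_CERT, enforce=False))  # the silent downgrade
    try:
        negotiate("require", offered, ED25519_CERT)
    except ChannelBindingUnavailable as exc:
        print("fixed behaviour:", exc)
```

Run stand-alone, the block prints the SCRAM-SHA-256-PLUS selection with a 32-byte binding for the RSA stub, the `("SCRAM-SHA-256", b"")` downgrade for the Ed25519 stub when enforcement is off, and the exception when it is on. The practical point for any code that consumes a channel-binding library is the same as the advisory's: under `require`, treat an empty binding as an error, and check the mechanism that was actually negotiated, not the list the server advertised.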
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a 
href="https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md">org.postgresql:postgresql's
 changelog</a>.</em></p>
   <blockquote>
   <h2>[42.7.12] (2026-xx-xx)</h2>
   <h3>Security</h3>
   <h3>Added</h3>
   <ul>
   <li>feat: <code>reWriteBatchedInserts</code> now merges up to 32768 rows 
into one multi-values <code>INSERT</code> (bounded by the 65535 bind-parameter 
limit on the extended protocol) instead of capping at 128, which speeds up 
batches of few-column rows. The new <code>reWriteBatchedInsertsSize</code> 
connection property lowers that cap when set; the default of <code>0</code> 
uses that maximum.</li>
   <li>feat: invalidate the prepared-statement cache after CREATE/DROP/ALTER so 
callers no longer trip on &quot;cached plan must not change result type&quot; 
without opting into <code>autosave=ALWAYS</code>. Controlled by the new 
<code>flushCacheOnDdl</code> connection property (default <code>true</code>); 
set to <code>false</code> for the prior behaviour.</li>
   <li>feat: add <code>connectExecutor</code> connection property to customize 
the <code>Executor</code> used to run the worker task that performs the 
connection attempt when <code>loginTimeout</code> is in effect. The value is 
the fully qualified name of a class implementing 
<code>java.util.concurrent.Executor</code>. With a null value, the default, the 
driver retains the prior behavior of running the connection attempt on a daemon 
thread named <code>&quot;PostgreSQL JDBC driver connection thread&quot;</code>. 
The executor must run the task on a thread other than the caller's. Running the 
attempt on a named thread lets applications that monitor driver-created threads 
identify it.</li>
   <li>feat: add <code>connectThreadFactory</code> connection property to 
customize the <code>ThreadFactory</code> used to spawn the worker thread that 
runs the connection attempt when <code>loginTimeout</code> is in effect. The 
value is the fully qualified name of a class implementing 
<code>java.util.concurrent.ThreadFactory</code>. With a null value, the 
default, the driver retains the prior behavior of using a daemon thread named 
<code>&quot;PostgreSQL JDBC driver connection thread&quot;</code>. Useful for 
testing timeout behaviour or for applications that want detailed control of all 
driver-created threads.</li>
   <li>feat: add <code>classLoaderStrategy</code> connection property to 
control which classloaders the driver searches when loading a class named by a 
connection property, for example <code>socketFactory</code>. The default 
<code>driver-first</code> now falls back to the thread context classloader when 
the driver's classloader cannot resolve the class, which fixes class loading in 
non-flat class paths such as Quarkus and OSGi. Set <code>driver</code> to keep 
the previous driver-classloader-only behaviour, or <code>context-first</code> 
to prefer the thread context classloader [Issue <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/2112">pgjdbc/pgjdbc#2112</a>]</li>
   </ul>
   <h3>Changed</h3>
   <ul>
   <li>refactor: the worker that runs the connection attempt under 
<code>loginTimeout</code> is now a <code>FutureTask</code> 
(<code>ConnectTask</code>) instead of the hand-rolled 
<code>ConnectThread</code>. When the caller hits the timeout, the task is now 
cancelled with <code>cancel(true)</code>, which interrupts the worker thread 
rather than letting it run to completion. This makes the connection attempt 
interruptible, so <code>loginTimeout</code> can stop a slow connection attempt 
instead of leaking a thread. As before, a connection that the worker still 
manages to establish after the caller gives up is closed by the worker so that 
it does not leak. There are no public API changes and this should only lead to 
faster background resource cleanup for connections that time out.</li>
   <li>chore: <code>PGXAConnection.ConnectionHandler</code> now rejects 
<code>setAutoCommit(false)</code> and <code>setSavepoint(...)</code> during an 
active XA branch, in addition to the long-rejected 
<code>setAutoCommit(true)</code> / <code>commit()</code> / 
<code>rollback()</code>. The <code>setSavepoint</code> rejection was already 
meant to be in place but the guard misspelled the method name as 
<code>setSavePoint</code>, so savepoints silently went through. Both changes 
bring the proxy in line with JTA 1.2 §3.4.</li>
   <li>chore: <code>commitPrepared</code> / <code>rollback</code>-of-prepared 
now return <code>XAER_RMFAIL</code> instead of <code>XAER_RMERR</code> when the 
underlying connection is left in a non-idle <code>TransactionState</code>. 
Transaction managers (Geronimo, Narayana, Atomikos) treat 
<code>XAER_RMFAIL</code> as retryable on a fresh <code>XAResource</code>; the 
prepared transaction is no longer abandoned.</li>
   </ul>
   <h3>Fixed</h3>
   <ul>
   <li>fix: the published GitHub release now ships the released 
<code>postgresql-&lt;version&gt;.jar</code> and its detached PGP signature, 
taken from the same signed build that is uploaded to Maven Central, instead of 
a leftover SNAPSHOT jar [Issue <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3812">pgjdbc/pgjdbc#3812</a>]
 [PR <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3814">pgjdbc/pgjdbc#3814</a>]</li>
   <li>fix: simplify the <code>Statement#cancel</code> state machine by 
dropping the redundant <code>CANCELLED</code> state. <code>killTimerTask</code> 
now waits for the state to return to <code>IDLE</code> directly, which removes 
a spin-forever case when more than one thread observes the cancel completing 
[PR <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/1827">pgjdbc/pgjdbc#1827</a>].</li>
   <li>perf: defer simple-query flushes until the driver reads the response, 
allowing <code>BEGIN</code> and the following query to share a network flush 
[Issue <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3894">pgjdbc/pgjdbc#3894</a>]</li>
   <li>fix: <code>reWriteBatchedInserts</code> no longer throws 
<code>IllegalArgumentException</code> when batching a parameterless 
<code>INSERT</code> (for example <code>INSERT INTO t VALUES (1, 2)</code>) of 
256 rows or more.</li>
   <li>fix: a comment before <code>CALL</code> in a 
<code>CallableStatement</code> no longer hides the native call, so OUT 
parameter registration works for <code>/* comment */ call proc(?, ?)</code> and 
similar. <code>Parser.modifyJdbcCall</code> now skips leading whitespace and 
SQL comments (both <code>--</code> and <code>/* */</code>) before the call, 
tolerates a trailing comment after a <code>{ ... }</code> escape, and no longer 
adds a spurious comma when moving an OUT parameter into a call whose arguments 
are only a comment [Issue <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/2538">pgjdbc/pgjdbc#2538</a>]</li>
   <li>fix: <code>PreparedStatement.toString()</code> no longer throws for a 
<code>bytea</code> value supplied as text via <code>PGobject</code>. Hex-format 
values (<code>\x...</code>) are validated and rendered as a <code>bytea</code> 
literal, and escape-format values are quoted and cast like any other literal 
[Issue <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3757">pgjdbc/pgjdbc#3757</a>]</li>
   <li>fix: the driver no longer nulls the <code>contextClassLoader</code> of 
shared <code>ForkJoinPool.commonPool()</code> worker threads, which previously 
left unrelated tasks on those threads running with a <code>null</code> 
classloader [Issue <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/4155">pgjdbc/pgjdbc#4155</a>]</li>
   <li>fix: getCharacterStream wraps String in StringReader [PR <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/4063">pgjdbc/pgjdbc#4063</a>]</li>
   <li>fix: <code>PGXAConnection</code> no longer saves and restores the 
underlying connection's JDBC <code>autoCommit</code> flag. All XA-protocol SQL 
(<code>BEGIN</code>, <code>PREPARE TRANSACTION</code>, <code>COMMIT</code>, 
<code>ROLLBACK</code>, <code>COMMIT PREPARED</code>, <code>ROLLBACK 
PREPARED</code>, the <code>recover()</code> SELECT) is sent through 
<code>QUERY_SUPPRESS_BEGIN</code>, so the caller's <code>autoCommit</code> 
value is invariant across every <code>XAResource</code> call. Fixes the 
&quot;2nd phase commit must be issued using an idle connection&quot; failure 
during recovery on managed datasources that pool connections with 
<code>autoCommit=false</code> (TomEE, WildFly, WebSphere Liberty).</li>
   <li>fix: <code>PGXAConnection.prepare()</code> now mutates XA state only 
after <code>PREPARE TRANSACTION</code> succeeds. A failed <code>PREPARE</code> 
previously left the driver thinking the branch was already prepared, so the 
follow-up <code>rollback(xid)</code> tried <code>ROLLBACK PREPARED</code> 
against a non-existent gid and returned <code>XAER_RMERR</code>. Transaction 
managers (Narayana) escalated this to <code>HeuristicMixedException</code>. 
With the fix, <code>rollback(xid)</code> takes the active-branch path and 
issues a plain <code>ROLLBACK</code>, which the server accepts cleanly. Fixes 
[Issue <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3153">pgjdbc/pgjdbc#3153</a>],
 [Issue <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/issues/3123">pgjdbc/pgjdbc#3123</a>].</li>
   <li>fix: an updatable result set over an unqualified table name is now 
classified using only the table visible through <code>search_path</code>. When 
two schemas held a table with the same name and the same primary or unique 
index name but a different set of key columns, the driver took the union of 
both schemas' columns, so the result set could be wrongly rejected as not 
updatable [PR <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/4214">pgjdbc/pgjdbc#4214</a>].
 Supersedes [PR <a 
href="https://redirect.github.com/pgjdbc/pgjdbc/pull/3400">pgjdbc/pgjdbc#3400</a>].</li>
   </ul>
   </blockquote>
   </details>
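The `reWriteBatchedInserts` entries in the changelog above (the 32768-row and 65535-bind-parameter caps, the `reWriteBatchedInsertsSize` property, and the fix for parameterless `INSERT` batches of 256 rows or more) describe a chunking rule whose edges are easy to get wrong. The following is an added example, written for this page in Python and not the driver's own Java implementation, that derives rows-per-statement from those two caps and splits a batch into multi-values statements while keeping `?` placeholders bound rather than inlined. The function names are the example's own, and counting placeholders as a plain count of `?` is a simplification of the driver's SQL-aware parser.

```python
MAX_BIND_PARAMS = 65535         # extended-protocol Bind carries a 16-bit parameter count
MAX_ROWS_PER_STATEMENT = 32768  # driver-side row cap per rewritten INSERT

def rows_per_statement(params_per_row, size_cap=0):
    """Rows one multi-values INSERT may carry.

    size_cap models reWriteBatchedInsertsSize: 0 means "use the maximum".
    A parameterless row (INSERT INTO t VALUES (1, 2)) binds nothing, so only
    the row cap applies; a naive 65535 // 0 is exactly the trap to avoid.
    """
    cap = MAX_ROWS_PER_STATEMENT if size_cap <= 0 else min(size_cap, MAX_ROWS_PER_STATEMENT)
    if params_per_row <= 0:
        return cap
    return max(1, min(cap, MAX_BIND_PARAMS // params_per_row))

def rewrite_batched_insert(prefix, values_template, batch_rows, size_cap=0):
    """Split batch_rows executions of prefix + values_template into multi-values
    statements. Returns [(sql, bind_parameters_in_statement), ...].

    Placeholders stay as '?' so values are still bound, never inlined into SQL.
    Counting '?' directly is a simplification: the driver's parser skips
    placeholders inside string literals and comments; this example does not.
    """
    params_per_row = values_template.count("?")
    per_statement = rows_per_statement(params_per_row, size_cap)
    statements, remaining = [], batch_rows
    while remaining > 0:
        n = min(per_statement, remaining)
        statements.append((prefix + ",".join([values_template] * n), n * params_per_row))
        remaining -= n
    return statements

if __name__ == "__main__":
    # Constructed batch: 70000 two-column rows need three statements (32767, 32767, 4466 rows).
    for sql, params in rewrite_batched_insert("INSERT INTO t (a, b) VALUES ", "(?, ?)", 70000):
        print(sql.count("(?, ?)"), "rows,", params, "bind parameters")
    # Parameterless rows: one statement, zero bind parameters, no division by zero.
    plain = rewrite_batched_insert("INSERT INTO t VALUES ", "(1, 2)", 256)
    print(len(plain), "statement(s),", plain[0][1], "bind parameters")
```

Note that the row cap only binds when the per-row parameter count is small: with two columns the parameter limit already stops a statement at 32767 rows, and with three at 21845, so a batch of narrow rows is what the larger cap actually speeds up.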
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/pgjdbc/pgjdbc/commit/77df98e4e66c12936ded3478a0954f6f580bad99"><code>77df98e</code></a>
 Merge commit from fork</li>
   <li><a 
href="https://github.com/pgjdbc/pgjdbc/commit/68c53a435291fea8be40eb1d9c550311743d326d"><code>68c53a4</code></a>
 chore: bump version to 42.7.12</li>
   <li>See full diff in <a 
href="https://github.com/pgjdbc/pgjdbc/compare/REL42.7.11...REL42.7.12">compare 
view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.postgresql:postgresql&package-manager=maven&previous-version=42.7.11&new-version=42.7.12)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
