dependabot[bot] opened a new pull request, #4476:
URL: https://github.com/apache/arrow-adbc/pull/4476

   Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 
42.7.11 to 42.7.12.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a 
href="https://github.com/pgjdbc/pgjdbc/releases";>org.postgresql:postgresql's 
releases</a>.</em></p>
   <blockquote>
   <h2>v42.7.12: security</h2>
   <h3>Silent channel-binding authentication downgrade (CVE-2026-54291)</h3>
   <p><code>channelBinding=require</code> connections can be silently 
downgraded from SCRAM-SHA-256-PLUS (with channel binding) to plain 
SCRAM-SHA-256 (without it), losing the man-in-the-middle protection the setting 
is meant to guarantee. An attacker who can intercept the TLS connection 
triggers the downgrade with a certificate whose signature algorithm has no 
tls-server-end-point channel-binding hash. Examples are Ed25519, Ed448, and 
post-quantum algorithms.</p>
   <p>Two issues combine in releases 42.7.4 through 42.7.11:</p>
   <p>The bundled <code>com.ongres.scram:scram-client</code> (3.1 or 3.2) 
returns an empty byte array instead of failing when it cannot derive the 
binding hash for such a certificate. This is the library issue tracked as <a 
href="https://github.com/ongres/scram/security/advisories/GHSA-p9jg-fcr6-3mhf";>GHSA-p9jg-fcr6-3mhf</a>.</p>
   <p>pgJDBC does not enforce channelBinding=require where it matters. 
ScramAuthenticator checks only that the server advertised a -PLUS mechanism; it 
neither rejects the empty binding nor checks that the negotiated mechanism uses 
channel binding. The connection therefore downgrades silently.</p>
   <p>Only connections that set channelBinding=require are affected. Under the 
default prefer policy, and under allow or disable, falling back to plain SCRAM 
is the documented behaviour.</p>
   <p>Releases before 42.7.4 are unaffected, because they do not support 
channel binding.</p>
   </blockquote>
   </details>
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a 
href="https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md";>org.postgresql:postgresql's
 changelog</a>.</em></p>
   <blockquote>
   <h2>[42.7.12] (2026-06-29)</h2>
   <h3>Security</h3>
   <ul>
   <li>fix: Enforce SCRAM channel-binding policy and prevent silent downgrade.
   Under <code>channelBinding=require</code>, the driver silently downgraded 
from <code>SCRAM-SHA-256-PLUS</code> (with channel binding) to plain 
<code>SCRAM-SHA-256</code> (without it) when the server presented a certificate 
whose signature algorithm has no <code>tls-server-end-point</code> 
channel-binding hash (e.g. Ed25519, Ed448, or post-quantum algorithms). An 
attacker who can intercept the TLS connection could exploit this to strip 
channel-binding protection.
   The fix enforces channel binding in the driver's own code: it now fails the 
connection when no binding data can be extracted, and verifies the negotiated 
mechanism uses channel binding (<code>-PLUS</code>) when <code>require</code> 
is set.
   Only connections that set <code>channelBinding=require</code> are affected. 
The default <code>prefer</code> policy and releases before 42.7.4 (which 
introduced channel-binding support) are unaffected.
   See the <a 
href="https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-j92g-9f8w-j867";>Security
 Advisory</a> for more detail.
   The following <a 
href="https://nvd.nist.gov/vuln/detail/CVE-2026-54291";>CVE-2026-54291</a> has 
been issued.</li>
   </ul>
   </blockquote>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/pgjdbc/pgjdbc/commit/77df98e4e66c12936ded3478a0954f6f580bad99";><code>77df98e</code></a>
 Merge commit from fork</li>
   <li><a 
href="https://github.com/pgjdbc/pgjdbc/commit/68c53a435291fea8be40eb1d9c550311743d326d";><code>68c53a4</code></a>
 chore: bump version to 42.7.12</li>
   <li>See full diff in <a 
href="https://github.com/pgjdbc/pgjdbc/compare/REL42.7.11...REL42.7.12";>compare 
view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.postgresql:postgresql&package-manager=maven&previous-version=42.7.11&new-version=42.7.12)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to