[ https://issues.apache.org/jira/browse/SPARK-39996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bjørn Jørgensen updated SPARK-39996:
------------------------------------
    Description: 
Security
- fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
  - Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include a statement terminator to be parsed and executed as multiple separate commands.
  - Also adds a new test class ResultSetRefreshTest to verify this change.
  - Reported by [Sho Kato](https://github.com/kato-sho)

[Release note|https://github.com/pgjdbc/pgjdbc/commit/bd91c4cc76cdfc1ffd0322be80c85ddfe08a38c2]

  was:


### Security
- fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
  - Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include a statement terminator to be parsed and executed as multiple separate commands.
  - Also adds a new test class ResultSetRefreshTest to verify this change.
  - Reported by [Sho Kato](https://github.com/kato-sho)

[Release note|https://github.com/pgjdbc/pgjdbc/commit/bd91c4cc76cdfc1ffd0322be80c85ddfe08a38c2]


> Upgrade postgresql to 42.4.1
> ----------------------------
>
>                 Key: SPARK-39996
>                 URL: https://issues.apache.org/jira/browse/SPARK-39996
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.4.0
>            Reporter: Bjørn Jørgensen
>            Priority: Major
>
> Security
> - fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
>   - Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include a statement terminator to be parsed and executed as multiple separate commands.
>   - Also adds a new test class ResultSetRefreshTest to verify this change.
>   - Reported by [Sho Kato](https://github.com/kato-sho)
> [Release note|https://github.com/pgjdbc/pgjdbc/commit/bd91c4cc76cdfc1ffd0322be80c85ddfe08a38c2]
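The defect and the fix in the description above, as an added example (example code, not pgjdbc's own; the method names `buildRefreshSqlUnsafe`, `buildRefreshSqlSafe` and `quoteIdentifier` are assumed here, and the malicious column name is constructed):

```java
import java.util.List;

// Added example, not pgjdbc code: models the refresh() SQL builder in its
// pre-fix (identifiers copied as-is) and post-fix (identifiers quoted) form.
public class RefreshSqlExample {

    // Vulnerable shape: table and column names are concatenated unchanged, so a
    // column named with a statement terminator turns one query into two.
    static String buildRefreshSqlUnsafe(String table, List<String> dataCols, List<String> keyCols) {
        StringBuilder sql = new StringBuilder("SELECT ");
        sql.append(String.join(", ", dataCols));
        sql.append(" FROM ").append(table).append(" WHERE ");
        for (int i = 0; i < keyCols.size(); i++) {
            if (i > 0) sql.append(" AND ");
            sql.append(keyCols.get(i)).append(" = ?");
        }
        return sql.toString();
    }

    // PostgreSQL identifier quoting: wrap in double quotes and double any embedded
    // double quote. A NUL byte cannot appear in an identifier, so it is rejected.
    static String quoteIdentifier(String ident) {
        if (ident.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("identifier contains NUL");
        }
        return "\"" + ident.replace("\"", "\"\"") + "\"";
    }

    // Hardened shape: every identifier passes through quoteIdentifier, so its
    // characters stay inside the identifier and never become SQL syntax.
    static String buildRefreshSqlSafe(String table, List<String> dataCols, List<String> keyCols) {
        StringBuilder sql = new StringBuilder("SELECT ");
        for (int i = 0; i < dataCols.size(); i++) {
            if (i > 0) sql.append(", ");
            sql.append(quoteIdentifier(dataCols.get(i)));
        }
        sql.append(" FROM ").append(quoteIdentifier(table)).append(" WHERE ");
        for (int i = 0; i < keyCols.size(); i++) {
            if (i > 0) sql.append(" AND ");
            sql.append(quoteIdentifier(keyCols.get(i))).append(" = ?");
        }
        return sql.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the second column name carries a terminator and a comment marker.
        List<String> cols = List.of("id", "name; SELECT 1 --");
        System.out.println(buildRefreshSqlUnsafe("t", cols, List.of("id"))); // splits into two statements
        System.out.println(buildRefreshSqlSafe("t", cols, List.of("id")));   // stays one statement
    }
}
```

Running it shows that the unsafe builder emits the terminator and comment marker as bare SQL text, whereas the safe builder keeps the whole column name inside one double-quoted identifier.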



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
