[ https://issues.apache.org/jira/browse/SPARK-39996 ]
Bjørn Jørgensen deleted comment on SPARK-39996:
-----------------------------------------
was (Author: bjornjorgensen):
[GA testes
failed|https://github.com/bjornjorgensen/spark/runs/7705423158?check_suite_focus=true]
> Upgrade postgresql to 42.5.0
> ----------------------------
>
> Key: SPARK-39996
> URL: https://issues.apache.org/jira/browse/SPARK-39996
> Project: Spark
> Issue Type: Dependency upgrade
> Components: Build
> Affects Versions: 3.4.0
> Reporter: Bjørn Jørgensen
> Priority: Major
>
> Security
> - fix:
> [CVE-2022-31197|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31197]
> Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so
> as to prevent SQL injection.
> - Previously, the column names for both key and data columns in the table
> were copied as-is into the generated
> SQL. This allowed a malicious table with column names that include
> statement terminator to be parsed and
> executed as multiple separate commands.
> - Also adds a new test class ResultSetRefreshTest to verify this change.
> - Reported by [Sho Kato](https://github.com/kato-sho)
> [Release
> note|https://github.com/pgjdbc/pgjdbc/commit/bd91c4cc76cdfc1ffd0322be80c85ddfe08a38c2]
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
