Date: Fri, 30 Mar 2012 11:45:24 -0400
From: Robert Haas <robertmhaas@...il.com>
To: Ludwig Nussel <ludwig.nussel@...e.de>
Cc: oss-security@...ts.openwall.com, security@...tgresql.org
Subject: Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1

On Fri, Mar 30, 2012 at 11:27 AM, Robert Haas <robertmhaas@...il.com> wrote:
> On Fri, Mar 30, 2012 at 8:51 AM, Ludwig Nussel <ludwig.nussel@...e.de> wrote:
>> Postgresql 9.1 turned "standard conforming strings" on by default[1][2].
>> postgresql-jdbc before version 8.2-504 however did not know about that
>> kind of string and escaped single quotes with a backslash always. When
>> such an old version of postgresql-jdbc is used with a newer postgresql
>> server it not only breaks when strings contain single quotes, it also
>> allows for SQL injections[3].
>> The bug is neither in postgresql-jdbc as it was working correctly at the
>> time it was released, nor is it really postgresql 9.1's fault which I
>> guess doesn't expect and can't detect such an old jdbc adapter. The
>> security issue arises when mixing the old adapter and the new server.
>
> Right.  This issue has been previously reported to pgsql-security.
> The position of the pgsql-jdbc project is that a client version should
> be used with a matching server version; therefore, the project views
> the proposed combination as an unsupported configuration.  Moreover,
> PostgreSQL 8.2.x and postgresql-jdbc-8.2-x were desupported in general
> as of December 2011.  The end of life dates for each major release are
> documented on our web site[1], and the pgsql-jdbc download site[2]
> clearly identifies this version of the driver as an "archived version"
> rather than a "supported version".  As a rule, bug fix and security
> updates are not released for versions which are no longer supported;
> users are advised to update to a supported version.  Users of
> pgsql-jdbc are further advised to use a major version that matches the
> PostgreSQL server to which they are connecting.
>
> [1] http://www.postgresql.org/support/versioning/
> [2] http://jdbc.postgresql.org/download.html

Small correction: the complaint we received was actually about
postgresql-jdbc-8.1-x, which is listed as not supported.
postgresql-jdbc-8.2-x is still listed as a supported version, but I
believe you said this bug could only be reproduced with pre-8.2
versions of JDBC.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
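The mismatch the thread describes can be made concrete with a small model of how a PostgreSQL server reads a quoted string literal in its two modes. The code below is an added example, not code from this thread, from PostgreSQL or from the pgsql-jdbc driver: the two escape helpers are a constructed stand-in for "old driver escapes quotes with a backslash" versus "standard SQL doubles the quote", and the scanner implements only the two rules that matter here (doubled quotes always mean one quote; a backslash is an escape character only when standard_conforming_strings is off). `literal_is_contained` is the check a reviewer would want: does the escaped value stay inside one literal, or does part of it spill past the closing quote?

```python
"""Model of PostgreSQL string-literal scanning under both settings of
standard_conforming_strings, used to show why backslash-escaping quotes
(the pre-8.2-504 driver behaviour described in the thread) stops being
a safe quoting strategy against a 9.1 server.

Added example: a simplified model, not the server's or the driver's code.
"""


def escape_with_backslash(value: str) -> str:
    """Constructed stand-in for the old driver's quoting: ' becomes \\'.
    (Backslashes are doubled too, as an escaping driver would have to.)"""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_with_doubling(value: str) -> str:
    """Standard SQL quoting: a quote inside a literal is written as two quotes."""
    return value.replace("'", "''")


def scan_literal(sql: str, standard_conforming_strings: bool):
    """Scan one single-quoted literal at the start of `sql`.

    Returns (decoded_value, remainder), where `remainder` is whatever text
    follows the closing quote. Raises ValueError if the literal never ends.
    """
    if not sql.startswith("'"):
        raise ValueError("expected a string literal")
    out = []
    i = 1
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")            # '' -> one quote, in both modes
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # closing quote: literal ends here
        if ch == "\\" and not standard_conforming_strings and i + 1 < len(sql):
            out.append(sql[i + 1])         # legacy mode only: \x -> x
            i += 2
            continue
        out.append(ch)                     # conforming mode: backslash is plain data
        i += 1
    raise ValueError("unterminated string literal")


def literal_is_contained(escaped: str, standard_conforming_strings: bool) -> bool:
    """True if "'" + escaped + "'" is consumed as exactly one literal, i.e. no
    part of the caller-supplied value ends up outside the quotes."""
    try:
        _, rest = scan_literal("'" + escaped + "'", standard_conforming_strings)
    except ValueError:
        return False
    return rest == ""


if __name__ == "__main__":
    value = "O'Reilly"                     # constructed sample input
    for scs in (False, True):
        mode = "on" if scs else "off"
        for name, esc in (("backslash", escape_with_backslash),
                          ("doubling", escape_with_doubling)):
            ok = literal_is_contained(esc(value), scs)
            print(f"standard_conforming_strings={mode:3} {name:9}: "
                  f"{'contained' if ok else 'LEAKS past the literal'}")
```

Running the module shows that backslash quoting is only contained while the server has standard_conforming_strings off; with it on, the scanner treats `\` as data, the next `'` closes the literal, and the tail of the value is read as SQL. Doubling the quote is contained in both modes, which is why matching driver and server versions (or any driver that understands the setting) is the fix rather than a server-side change.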