Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 02 Apr 2012 11:16:44 -0500
From: "Kevin Grittner" <Kevin.Grittner@...ourts.gov>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: "Steffen Dettmer" <steffen@...t.de>,
 <oss-security@...ts.openwall.com>,<pgsql-jdbc@...tgresql.org>,
 "Tom Lane" <tgl@...hat.com>
Subject: Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL
 injection due improper escaping of JDBC statement parameters

What follows is just one perspective from a DBA at a production
shop.
 
Jan Lieskovsky <jlieskov@...hat.com> wrote:
 
> This is NOT an official JDBC driver for PostgreSQL database
> development team statement yet (in the sense it would reference
> some upstream document / web page).
> Anyway, we have got preliminary notification there is a upstream
> intention to provide such page (document which postgresql-jdbc
> versions are expected to work correctly with which versions of
> PostgreSQL database server).
 
Presumably you are aware of this section on the download page:
 
http://jdbc.postgresql.org/download.html#current
 
Which says:
 
| This is the current version of the driver. Unless you have unusual
| requirements (running old applications or JVMs), this is the
| driver you should be using. It supports Postgresql 7.2 or newer
| and requires a 1.4 or newer JVM. It contains support for SSL and
| the javax.sql package. It comes in two flavors, JDBC3 and JDBC4.
| If you are using the 1.6 or 1.7 JVM, then you should use the JDBC4
| version. 
| 
| JDBC3 Postgresql Driver, Version 9.1-901
| 
| JDBC4 Postgresql Driver, Version 9.1-901
 
And the section on supported versions of PostgreSQL:
 
http://www.postgresql.org/support/versioning/
 
... which shows version 8.1 as having reached end-of-life and gone
out of support five years after release, in November, 2010.  As far
as I could tell from a quick skim of the referenced links, this
problem only exists when using this out-of-support version of the
JDBC driver.
 
While I certainly can't speak for the PostgreSQL community, I can
say that the shop at which I work (the Consolidated Courts
Automation Program of the Wisconsin Supreme Court), we pay attention
to these pages and never consider it safe to use an unsupported
version.  We upgrade our JDBC drivers as soon as practicable
whenever the recommended version on the JDBC download page changes. 
Of course, this is assigned to be done with some application
software release and the JDBC version rolls out through development,
testing, and staging servers before it is deployed to production, as
we do with the server product itself.
 
It is frequently mentioned on the PostgreSQL support lists that it
is not a good idea to use older drivers and client libraries with
newer servers, although the opposite is supported.  We respect this
advice, and it seems reasonable to us.  If that's not mentioned
explicitly on an official web page, I agree that it should be.
 
-Kevin

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ