Date: Mon, 02 Apr 2012 11:16:44 -0500
From: "Kevin Grittner" <Kevin.Grittner@...ourts.gov>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: "Steffen Dettmer" <steffen@...t.de>, <oss-security@...ts.openwall.com>, <pgsql-jdbc@...tgresql.org>, "Tom Lane" <tgl@...hat.com>
Subject: Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters

What follows is just one perspective from a DBA at a production shop.

Jan Lieskovsky <jlieskov@...hat.com> wrote:

> This is NOT an official JDBC driver for PostgreSQL database
> development team statement yet (in the sense it would reference
> some upstream document / web page).
> Anyway, we have got preliminary notification there is an upstream
> intention to provide such page (document which postgresql-jdbc
> versions are expected to work correctly with which versions of
> PostgreSQL database server).

Presumably you are aware of this section on the download page:

http://jdbc.postgresql.org/download.html#current

Which says:

| This is the current version of the driver. Unless you have unusual
| requirements (running old applications or JVMs), this is the
| driver you should be using. It supports Postgresql 7.2 or newer
| and requires a 1.4 or newer JVM. It contains support for SSL and
| the javax.sql package. It comes in two flavors, JDBC3 and JDBC4.
| If you are using the 1.6 or 1.7 JVM, then you should use the JDBC4
| version.
|
| JDBC3 Postgresql Driver, Version 9.1-901
|
| JDBC4 Postgresql Driver, Version 9.1-901

And the section on supported versions of PostgreSQL:

http://www.postgresql.org/support/versioning/

... which shows version 8.1 as having reached end-of-life and gone out of support five years after release, in November, 2010.

As far as I could tell from a quick skim of the referenced links, this problem only exists when using this out-of-support version of the JDBC driver.
While I certainly can't speak for the PostgreSQL community, I can say that at the shop at which I work (the Consolidated Courts Automation Program of the Wisconsin Supreme Court), we pay attention to these pages and never consider it safe to use an unsupported version. We upgrade our JDBC drivers as soon as practicable whenever the recommended version on the JDBC download page changes. Of course, this is assigned to be done with some application software release, and the JDBC version rolls out through development, testing, and staging servers before it is deployed to production, as we do with the server product itself.

It is frequently mentioned on the PostgreSQL support lists that it is not a good idea to use older drivers and client libraries with newer servers, although the opposite is supported. We respect this advice, and it seems reasonable to us. If that's not mentioned explicitly on an official web page, I agree that it should be.

-Kevin
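The advice in the post (don't run an older driver against a newer server; treat an out-of-support driver as unsafe) can be turned into a startup check so the mismatch is caught in development or staging rather than discovered in production. The following is an added example, not code from the original post or from the PostgreSQL JDBC project. It uses only the standard java.sql.DatabaseMetaData accessors; the assumption that the driver's reported major/minor version tracks the server release line it was built for (e.g. 9.1 for the 9.1-901 driver on the download page) is an assumption of this example, as is the placeholder JDBC URL.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.SQLException;

/**
 * Added example (not part of the original post): fail fast at application
 * startup when the JDBC driver is older than the PostgreSQL server it talks to,
 * matching the "newer server, older driver is not supported" advice above.
 */
public final class DriverServerVersionCheck {

    private DriverServerVersionCheck() {
    }

    /**
     * True when the driver version (major.minor) is at least the server
     * version (major.minor). A newer driver against an older server is the
     * supported direction, so it passes; the reverse fails.
     */
    static boolean driverIsAtLeastServer(int drvMajor, int drvMinor,
                                         int srvMajor, int srvMinor) {
        if (drvMajor != srvMajor) {
            return drvMajor > srvMajor;
        }
        return drvMinor >= srvMinor;
    }

    /**
     * Reads both versions from the live connection's metadata and throws if
     * the driver is behind the server. Call this once at startup, before the
     * connection pool is handed to application code.
     */
    static void enforce(Connection conn) throws SQLException {
        DatabaseMetaData md = conn.getMetaData();
        int drvMajor = md.getDriverMajorVersion();
        int drvMinor = md.getDriverMinorVersion();
        int srvMajor = md.getDatabaseMajorVersion();
        int srvMinor = md.getDatabaseMinorVersion();

        // Assumption: for this driver family the reported driver major/minor
        // corresponds to the server release line it was built for.
        if (!driverIsAtLeastServer(drvMajor, drvMinor, srvMajor, srvMinor)) {
            throw new IllegalStateException(String.format(
                "JDBC driver %s (%d.%d) is older than server %d.%d; "
                + "upgrade the driver to the current version on the download page",
                md.getDriverVersion(), drvMajor, drvMinor, srvMajor, srvMinor));
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder URL; pass the real one as the first argument.
        String url = args.length > 0 ? args[0]
                : "jdbc:postgresql://localhost:5432/postgres";
        try (Connection conn = DriverManager.getConnection(url)) {
            enforce(conn);
            System.out.println("driver/server version check passed");
        }
    }
}
```

Wiring this into the deployment pipeline the post describes (development, then testing, then staging, then production) means a driver that lags a server upgrade is rejected on the first environment where the two meet. The check complements, rather than replaces, tracking the "current version" entry on the download page, since a driver can be behind the recommended release while still being newer than the server.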