Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 02 Apr 2012 11:16:44 -0500
From: "Kevin Grittner" <Kevin.Grittner@...ourts.gov>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: "Steffen Dettmer" <steffen@...t.de>,
 <oss-security@...ts.openwall.com>,<pgsql-jdbc@...tgresql.org>,
 "Tom Lane" <tgl@...hat.com>
Subject: Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL
 injection due improper escaping of JDBC statement parameters

What follows is just one perspective from a DBA at a production
shop.
 
Jan Lieskovsky <jlieskov@...hat.com> wrote:
 
> This is NOT an official JDBC driver for PostgreSQL database
> development team statement yet (in the sense it would reference
> some upstream document / web page).
> Anyway, we have got preliminary notification there is a upstream
> intention to provide such page (document which postgresql-jdbc
> versions are expected to work correctly with which versions of
> PostgreSQL database server).
 
Presumably you are aware of this section on the download page:
 
http://jdbc.postgresql.org/download.html#current
 
Which says:
 
| This is the current version of the driver. Unless you have unusual
| requirements (running old applications or JVMs), this is the
| driver you should be using. It supports Postgresql 7.2 or newer
| and requires a 1.4 or newer JVM. It contains support for SSL and
| the javax.sql package. It comes in two flavors, JDBC3 and JDBC4.
| If you are using the 1.6 or 1.7 JVM, then you should use the JDBC4
| version. 
| 
| JDBC3 Postgresql Driver, Version 9.1-901
| 
| JDBC4 Postgresql Driver, Version 9.1-901
 
And the section on supported versions of PostgreSQL:
 
http://www.postgresql.org/support/versioning/
 
... which shows version 8.1 as having reached end-of-life and gone
out of support five years after release, in November, 2010.  As far
as I could tell from a quick skim of the referenced links, this
problem only exists when using this out-of-support version of the
JDBC driver.
 
While I certainly can't speak for the PostgreSQL community, I can
say that the shop at which I work (the Consolidated Courts
Automation Program of the Wisconsin Supreme Court), we pay attention
to these pages and never consider it safe to use an unsupported
version.  We upgrade our JDBC drivers as soon as practicable
whenever the recommended version on the JDBC download page changes. 
Of course, this is assigned to be done with some application
software release and the JDBC version rolls out through development,
testing, and staging servers before it is deployed to production, as
we do with the server product itself.
 
It is frequently mentioned on the PostgreSQL support lists that it
is not a good idea to use older drivers and client libraries with
newer servers, although the opposite is supported.  We respect this
advice, and it seems reasonable to us.  If that's not mentioned
explicitly on an official web page, I agree that it should be.
 
-Kevin

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.