Update dependency org.postgresql:postgresql to v42.7.7 [SECURITY]

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Change	Age	Confidence
org.postgresql:postgresql (source)	42.7.4 -> 42.7.7

---

pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration

BIT-postgresql-jdbc-driver-2025-49146 / CVE-2025-49146 / GHSA-hq9p-pm7w-8p54

More information

Details

Impact

When the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements.

Patches

TBD

Workarounds

Configure sslMode=verify-full to prevent MITM attacks.

References

• https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256
• https://datatracker.ietf.org/doc/html/rfc7677
• https://datatracker.ietf.org/doc/html/rfc5802

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54
• https://nvd.nist.gov/vuln/detail/CVE-2025-49146
• https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0
• https://datatracker.ietf.org/doc/html/rfc5802
• https://datatracker.ietf.org/doc/html/rfc7677
• https://github.com/pgjdbc/pgjdbc
• https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.7

Security

• security: Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.
  Fix channel binding required handling to reject non-SASL authentication
  Previously, when channel binding was set to "require", the driver would silently ignore this
  requirement for non-SASL authentication methods. This could lead to a false sense of security
  when channel binding was explicitly requested but not actually enforced. The fix ensures that when
  channel binding is set to "require", the driver will reject connections that use
  non-SASL authentication methods or when SASL authentication has not completed properly.
  See the Security Advisory for more detail. Reported by George MacKerron
  The following CVE-2025-49146 has been issued

Added

• test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings

v42.7.6

Features

• fix: Enhanced DatabaseMetadata.getIndexInfo() method, added index comment as REMARKS property PR #​3513

Performance Improvements

• performance: Improve ResultSetMetadata.fetchFieldMetaData by using IN row values instead of UNION ALL for improved query performance (later reverted) PR #​3510
• feat:Use a single simple query for all startup parameters, so groupStartupParameters is no longer needed PR #​3613

v42.7.5

Added

• ci: Test with Java 23 PR #​3381

Fixed

• regression: revert change in fc60537 PR #​3476
• fix: PgDatabaseMetaData implementation of catalog as param and return value PR #​3390
• fix: Support default GSS credentials in the Java Postgres client PR #​3451
• fix: return only the transactions accessible by the current_user in XAResource.recover PR #​3450
• feat: don't force send extra_float_digits for PostgreSQL >= 12 fix Issue #​3432 PR #​3446
• fix: exclude "include columns" from the list of primary keys PR #​3434
• perf: Enhance the meta query performance by specifying the oid. PR #​3427
• feat: support getObject(int, byte[].class) for bytea PR #​3274
• docs: document infinity and some minor edits PR #​3407
• fix: Added way to check for major server version, fixed check for RULE PR #​3402
• docs: fixed remaining paragraphs PR #​3398
• docs: fixed paragraphs in javadoc comments PR #​3397
• fix: Reuse buffers and reduce allocations in GSSInputStream addresses Issue #​3251 PR #​3255
• chore: Update Gradle to 8.10.2 PR #​3388
• fix: getSchemas() PR #​3386
• fix: Update rpm postgresql-jdbc.spec.tpl with scram-client PR #​3324
• fix: Clearing thisRow and rowBuffer on close() of ResultSet Issue #​3383 PR #​3384
• fix: Package was renamed to maven-bundle-plugin PR #​3382
• fix: As of version 18 the RULE privilege has been removed PR #​3378
• fix: use buffered inputstream to create GSSInputStream PR #​3373
• test: get rid of 8.4, 9.0 pg versions and use >= jdk version 17 PR #​3372
• Changed docker-compose version and renamed script file in instructions to match the real file name PR #​3363
• test:Do not assume "test" database in DatabaseMetaDataTransactionIsolationTest PR #​3364
• try to categorize dependencies PR #​3362

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.