You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Bjørn Jørgensen (Jira)" <ji...@apache.org> on 2022/08/06 10:46:00 UTC

[jira] [Updated] (SPARK-39996) Upgrade postgresql to 42.4.1

     [ https://issues.apache.org/jira/browse/SPARK-39996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bjørn Jørgensen updated SPARK-39996:
------------------------------------
    Description: 
Security
- fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
  - Previously, the column names for both key and data columns in the table were copied as-is into the generated
  SQL. This allowed a malicious table with column names that include statement terminator to be parsed and
  executed as multiple separate commands.
  - Also adds a new test class ResultSetRefreshTest to verify this change.
  - Reported by [Sho Kato](https://github.com/kato-sho)

[Release note|https://github.com/pgjdbc/pgjdbc/commit/bd91c4cc76cdfc1ffd0322be80c85ddfe08a38c2] 

  was:


### Security
- fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
  - Previously, the column names for both key and data columns in the table were copied as-is into the generated
  SQL. This allowed a malicious table with column names that include statement terminator to be parsed and
  executed as multiple separate commands.
  - Also adds a new test class ResultSetRefreshTest to verify this change.
  - Reported by [Sho Kato](https://github.com/kato-sho)

[Release note|https://github.com/pgjdbc/pgjdbc/commit/bd91c4cc76cdfc1ffd0322be80c85ddfe08a38c2] 


> Upgrade postgresql to 42.4.1
> ----------------------------
>
>                 Key: SPARK-39996
>                 URL: https://issues.apache.org/jira/browse/SPARK-39996
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.4.0
>            Reporter: Bjørn Jørgensen
>            Priority: Major
>
> Security
> - fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
>   - Previously, the column names for both key and data columns in the table were copied as-is into the generated
>   SQL. This allowed a malicious table with column names that include statement terminator to be parsed and
>   executed as multiple separate commands.
>   - Also adds a new test class ResultSetRefreshTest to verify this change.
>   - Reported by [Sho Kato](https://github.com/kato-sho)
> [Release note|https://github.com/pgjdbc/pgjdbc/commit/bd91c4cc76cdfc1ffd0322be80c85ddfe08a38c2] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org