Accepted golang-github-jackc-pgx 4.18.1-2 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Apr 2025 11:04:24 +0200
Source: golang-github-jackc-pgx
Architecture: source
Version: 4.18.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 1065686 1065687
Changes:
 golang-github-jackc-pgx (4.18.1-2) unstable; urgency=medium
 .
   * Team upload.
   * Create a new git branch to fix CVEs during soft freeze.
   * Add two patches from upstream
     - CVE-2024-27289
       pgx is a PostgreSQL driver and toolkit for Go. Prior to version
       4.18.2, SQL injection can occur when all of the following
       conditions are met: the non-default simple protocol is used; a
       placeholder for a numeric value must be immediately preceded by a
       minus; there must be a second placeholder for a string value
       after the first placeholder; both must be on the same line; and
       both parameter values must be user-controlled. The problem is
       resolved in v4.18.2. As a workaround, do not use the simple
       protocol or do not place a minus directly before a placeholder.
       Closes: #1065686
     - CVE-2024-27304
       pgx is a PostgreSQL driver and toolkit for Go. SQL injection can
       occur if an attacker can cause a single query or bind message to
       exceed 4 GB in size. An integer overflow in the calculated
       message size can cause the one large message to be sent as
       multiple messages under the attacker's control. The problem is
       resolved in v4.18.2 and v5.5.4. As a workaround, reject user
       input large enough to cause a single query or bind message to
       exceed 4 GB in size.
       Closes: #1065687

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
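
The two workarounds named in the changelog above, written as a pre-flight check an application could run before handing a query to the driver. This is an added example, not code from pgx or from the Debian patches. `Preflight`, `EstimateSize`, `WrappedLength` and the 1 GiB cap are hypothetical names and values chosen here, and the size estimate is a simplification rather than the driver's own calculation.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"regexp"
)

// Matches a minus sign directly before a positional placeholder such as -$1.
var minusPlaceholder = regexp.MustCompile(`-\$\d+`)

// Assumed cap for this example, far below the 4 GB where a 32-bit length wraps.
const maxMessageSize int64 = 1 << 30

var (
	ErrMinusPlaceholder = errors.New("minus directly before placeholder")
	ErrMessageTooLarge  = errors.New("query or bind message too large")
)

// EstimateSize sums the SQL text and parameter lengths in 64 bits, adding a
// 4-byte length prefix per parameter (simplified estimate, see lead-in).
func EstimateSize(sqlLen int64, paramLens []int64) int64 {
	total := sqlLen
	for _, n := range paramLens {
		total += n + 4
	}
	return total
}

// WrappedLength shows what a 32-bit length field would hold for a given size.
func WrappedLength(size int64) uint32 { return uint32(size) }

// Preflight applies both changelog workarounds; the regexp is conservative
// and also flags "-$1" inside string literals.
func Preflight(sql string, paramLens []int64) error {
	if minusPlaceholder.MatchString(sql) {
		return ErrMinusPlaceholder
	}
	if EstimateSize(int64(len(sql)), paramLens) > maxMessageSize {
		return ErrMessageTooLarge
	}
	return nil
}

func main() {
	// Constructed inputs: only lengths are passed, no large buffers are allocated.
	fmt.Println(Preflight("SELECT 10 -$1, $2", []int64{2, 5}))
	fmt.Println(Preflight("SELECT $1", []int64{math.MaxUint32}))
	fmt.Println(WrappedLength(int64(math.MaxUint32) + 10))
}
```

The last line of `main` shows why the length has to be checked before it is narrowed: a size ten bytes past the 32-bit maximum is recorded as 9.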
