Skip to content

Update to Postgres driver version 42.7.7#1092

Merged
labkey-susanh merged 1 commit intorelease25.3-SNAPSHOTfrom
25.3_fb_postgresDriver
Jun 13, 2025
Merged

Update to Postgres driver version 42.7.7#1092
labkey-susanh merged 1 commit intorelease25.3-SNAPSHOTfrom
25.3_fb_postgresDriver

Conversation

@labkey-susanh
Copy link
Contributor

@labkey-susanh labkey-susanh commented Jun 12, 2025

Rationale

CVE-2025-49146 Affects versions from 42.7.4 until 42.7.7. We are not at risk since we do not configure channel binding, but good to update just the same.

Changes

  • Update postgresDriverVersion

@labkey-susanh labkey-susanh self-assigned this Jun 12, 2025
labkey-jeckels
labkey-jeckels approved these changes Jun 12, 2025
View reviewed changes
Copy link
Contributor

@labkey-jeckels labkey-jeckels left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, pending positive feedback from TeamCity.

@labkey-susanh labkey-susanh merged commit c2239a7 into release25.3-SNAPSHOT Jun 13, 2025
10 checks passed
@labkey-susanh labkey-susanh deleted the 25.3_fb_postgresDriver branch June 13, 2025 00:21
@labkey-adam
Copy link
Contributor

labkey-adam commented Jun 13, 2025

@labkey-susanh @labkey-jeckels As mentioned in the "Upgrade Dependencies" doc, we've been holding off upgrading the PG JDBC driver due to a metadata retrieval performance issue that @labkey-tchad filed. Doesn't look like that's been fixed... or has it? Are we okay upgrading with this degradation in place?

@labkey-susanh
Copy link
Contributor Author

labkey-susanh commented Jun 13, 2025

@labkey-susanh @labkey-jeckels As mentioned in the "Upgrade Dependencies" doc, we've been holding off upgrading the PG JDBC driver due to a metadata retrieval performance issue that @labkey-tchad filed. Doesn't look like that's been fixed... or has it? Are we okay upgrading with this degradation in place?

Thanks, @labkey-adam. I didn't realize/remember that this was a thing. I think we're probably safe to suppress this CVE since it's related to functionality that we do not use. Anyone disagree?

@labkey-jeckels
Copy link
Contributor

labkey-jeckels commented Jun 13, 2025

@labkey-susanh @labkey-jeckels As mentioned in the "Upgrade Dependencies" doc, we've been holding off upgrading the PG JDBC driver due to a metadata retrieval performance issue that @labkey-tchad filed. Doesn't look like that's been fixed... or has it? Are we okay upgrading with this degradation in place?

Thanks, @labkey-adam. I didn't realize/remember that this was a thing. I think we're probably safe to suppress this CVE since it's related to functionality that we do not use. Anyone disagree?

Sounds correct to me.

@labkey-susanh labkey-susanh mentioned this pull request Jun 13, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@labkey-jeckels labkey-jeckels labkey-jeckels approved these changes

@labkey-adam labkey-adam Awaiting requested review from labkey-adam

Assignees

@labkey-susanh labkey-susanh

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@labkey-susanh @labkey-adam @labkey-jeckels