Hi Michael,

On Fri, Jun 19, 2020 at 12:08:36PM +0200, Michael Banck wrote:
> tags 962828 +patch
> thanks
>
> Hi,
>
> On Sunday, 14.06.2020, 22:28 +0200, Christoph Berg wrote:
> > Re: Salvatore Bonaccorso
> > > CVE-2020-13692[0]:
> > > > PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
> > > >
> > > > Which older versions are affected by this, and what is the impact?
> > >
> > > I would probably only worry about 42.2.x versions.
> > > Impact summary:
> > > https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
> > >
> > > > In Debian, we currently ship:
> > > >
> > > > libpgjava | 9.2-1002-1 | oldoldstable | source (ignore, it's EOL really soon)
> > > > libpgjava | 9.4.1212-1 | oldstable    | source
> > > > libpgjava | 42.2.5-2   | stable       | source
> > > > libpgjava | 42.2.12-1  | testing      | source
> > > > libpgjava | 42.2.12-1  | unstable     | source
> > > >
> > > > Can you share the actual CVE diff, so we can fix it in the older versions?
> > >
> > > Here is the diff:
> > > https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65
> >
> > (I haven't checked yet if that diff applies to the buster package.)
>
> I've backpatched that commit to the stable version (several edits were
> required, but the general code structure is similar) and verified that it
> builds and that autopkgtest runs fine.
>
> I haven't tested it otherwise yet, nor tried to reproduce the CVE. I
> guess no exploits are available?
I'm not aware of any to explicitly test for the CVE.

As I see you want to target buster-security in your upload: the CVE does not really warrant a DSA, as such it was marked no-dsa, but a fix can ideally go into the next point release. For that, though, the issue should first be fixed in unstable. But I would suggest (even if the version was never used) to actually use something like 42.2.5-2+deb10u1 for the version.

Regards,
Salvatore

