pgjdbc/pgjdbc GitHub issues and pull requests (mirror)
From: sehrope (@sehrope) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: Re: [pgjdbc/pgjdbc] PR #3799: fix(deps): update dependency com.ongres.scram:scram-client to 3.2
Date: Wed, 17 Sep 2025 12:57:37 +0000
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
Thanks for updating this @jorsol
Looks like the only meaningful change is the fix for that timing safe comparison: https://github.com/ongres/scram/commit/e0b0cf99f05406a0d26682c72fcb5728e95124b3
Considering that the usage in pgjdbc of this is as a client, not a server, should we even consider this to be a security issue for this driver?
I'm leaning toward "no" as the connections are initiated by the client. The only way this would be an issue is if the client was actively helping a malicious server by repeatedly trying to connect to it (an insanely large number of times to get meaningful timing attack numbers).
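To make the point of the thread concrete, here is an added illustration (written for this page; it is not code from pgjdbc, from ongres/scram, or from the linked commit) of the one place a SCRAM client compares secret material: verifying the server signature at the end of the exchange (RFC 5802 / RFC 7677). It shows the derivation of the expected signature and then the same check done with an early-exit comparison and with a constant-time one. The class name, method names and the sample inputs are hypothetical; a real client would derive the salted password with PBKDF2 from the server's salt and iteration count.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added illustration, not code from pgjdbc or ongres/scram.
 * Shows the client-side SCRAM step where a constant-time comparison matters:
 * checking the server signature the server sends in its final message.
 */
public final class ScramServerSignatureCheck {

    // HMAC-SHA-256 as used by SCRAM-SHA-256 (RFC 7677).
    static byte[] hmacSha256(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // ServerKey       = HMAC(SaltedPassword, "Server Key")
    // ServerSignature = HMAC(ServerKey, AuthMessage)
    // The client computes this itself and compares it with what the server sent.
    static byte[] expectedServerSignature(byte[] saltedPassword, String authMessage) throws Exception {
        byte[] serverKey = hmacSha256(saltedPassword, "Server Key".getBytes(StandardCharsets.US_ASCII));
        return hmacSha256(serverKey, authMessage.getBytes(StandardCharsets.UTF_8));
    }

    // Early-exit comparison: Arrays.equals stops at the first differing byte,
    // so the time it takes depends on how long the matching prefix is.
    static boolean verifyEarlyExit(byte[] expected, byte[] received) {
        return Arrays.equals(expected, received);
    }

    // Constant-time comparison: MessageDigest.isEqual examines every byte
    // regardless of where the first mismatch is (JDK 6u17 and later).
    static boolean verifyConstantTime(byte[] expected, byte[] received) {
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs (hypothetical values, not from a real exchange).
        byte[] saltedPassword = "constructed-salted-password".getBytes(StandardCharsets.UTF_8);
        String authMessage = "n=user,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce";

        byte[] expected = expectedServerSignature(saltedPassword, authMessage);

        byte[] fromHonestServer = expected.clone();
        byte[] fromMaliciousServer = expected.clone();
        fromMaliciousServer[fromMaliciousServer.length - 1] ^= 0x01; // a guess that is wrong in the last byte

        System.out.println("honest server, early-exit:    " + verifyEarlyExit(expected, fromHonestServer));
        System.out.println("honest server, constant-time: " + verifyConstantTime(expected, fromHonestServer));
        System.out.println("forged,        early-exit:    " + verifyEarlyExit(expected, fromMaliciousServer));
        System.out.println("forged,        constant-time: " + verifyConstantTime(expected, fromMaliciousServer));
    }
}
```

Both comparisons reject the forged signature; the difference is only in how long rejection takes. In the early-exit form, a server that can measure the client's response time learns how many leading bytes of its guess were right, but it can only refine that guess if the same client keeps reconnecting with the same credentials, which is the scenario the reply above treats as impractical for a driver that initiates connections. The constant-time form removes the question entirely at no cost, which is why taking the dependency update is still the sensible choice.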