Message-ID:
From: "sehrope (@sehrope)"
To: "pgjdbc/pgjdbc"
Date: Wed, 17 Sep 2025 12:57:37 +0000
Subject: Re: [pgjdbc/pgjdbc] PR #3799: fix(deps): update dependency com.ongres.scram:scram-client to 3.2
In-Reply-To:
References:
List-Id:
X-GitHub-Author-Login: sehrope
X-GitHub-Comment-Id: 3302879476
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 3799
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/3799#issuecomment-3302879476
Content-Type: text/plain; charset=utf-8

Thanks for updating this @jorsol.

Looks like the only meaningful change is the fix for that timing-safe comparison: https://github.com/ongres/scram/commit/e0b0cf99f05406a0d26682c72fcb5728e95124b3

Considering that the usage in pgjdbc of this is as a client, not a server, should we even consider this to be a security issue for this driver? I'm leaning toward "no", as the connections are initiated by the client. The only way this would be an issue is if the client was actively helping a malicious server by repeatedly trying to connect to it (an insanely large number of times to get meaningful timing attack numbers).
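To make the comparison under discussion concrete, here is an added example (not pgjdbc or ongres/scram code) of the one comparison a SCRAM client performs on data it receives from the server: checking the server's "v=" ServerSignature against the value the client computes itself (RFC 7677). It assumes that this is the comparison the linked commit made timing-safe, shows an early-exit comparison beside a constant-time one, and uses constructed sample values rather than a real exchange.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// SCRAM-SHA-256: ServerKey = HMAC(SaltedPassword, "Server Key"),
// ServerSignature = HMAC(ServerKey, AuthMessage). The client must compare
// the server's ServerSignature with its own; that check is what is at stake.
public final class ServerSignatureCheck {
    private static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    static byte[] serverSignature(byte[] saltedPassword, String authMessage) throws Exception {
        byte[] serverKey = hmac(saltedPassword, "Server Key".getBytes(StandardCharsets.US_ASCII));
        return hmac(serverKey, authMessage.getBytes(StandardCharsets.UTF_8));
    }

    // Early-exit comparison: running time depends on where the first mismatch is,
    // which is the behaviour a timing-safe comparison removes.
    static boolean naiveEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    // Constant-time comparison for equal-length inputs (JDK built-in).
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real client derives SaltedPassword via PBKDF2
        // and builds AuthMessage from the actual client/server messages.
        byte[] saltedPassword = "constructed-salted-password-bytes".getBytes(StandardCharsets.UTF_8);
        String authMessage = "n=user,r=cnonce,r=cnonce-snonce,s=c2FsdA==,i=4096,c=biws,r=cnonce-snonce";
        byte[] expected = serverSignature(saltedPassword, authMessage);
        byte[] received = expected.clone();
        received[received.length - 1] ^= 1; // constructed tampered signature

        System.out.println("naive, tampered:         " + naiveEquals(expected, received));
        System.out.println("constant-time, tampered: " + constantTimeEquals(expected, received));
        System.out.println("constant-time, genuine:  " + constantTimeEquals(expected, expected.clone()));
    }
}
```

In the client role only a server the client chooses to connect to can feed it candidate signatures, which is the point the comment makes about how much this matters for the driver.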