pgjdbc/pgjdbc GitHub issues and pull requests (mirror)
[pgjdbc/pgjdbc] PR #3799: fix(deps): update dependency com.ongres.scram:scram-client to 3.2
* [pgjdbc/pgjdbc] PR #3799: fix(deps): update dependency com.ongres.scram:scram-client to 3.2
  From: jorsol (@jorsol) @ 2025-09-16 20:29 UTC
  To: pgjdbc/pgjdbc <[email protected]>

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing](https://github.com/pgjdbc/pgjdbc/blob/master/CONTRIBUTING.md) document?
* [x] Have you checked to ensure there aren't other open [Pull Requests](../../pulls) for the same update/change?

### New Feature Submissions:

1. [x] Does your submission pass tests?
2. [ ] Does `./gradlew styleCheck` pass?
3. [ ] Have you added your new test classes to an existing test suite in alphabetical order?

### Changes to Existing Features:

* [ ] Does this break existing behaviour? If so please explain.
* [ ] Have you added an explanation of what your changes do and why you'd like us to include them?
* [ ] Have you written new tests for your core changes, as applicable?
* [ ] Have you successfully run tests with your changes locally?
* Re: [pgjdbc/pgjdbc] PR #3799: fix(deps): update dependency com.ongres.scram:scram-client to 3.2
  From: sehrope (@sehrope) @ 2025-09-17 12:57 UTC
  To: pgjdbc/pgjdbc <[email protected]>

Thanks for updating this @jorsol. Looks like the only meaningful change is the fix for that timing-safe comparison: https://github.com/ongres/scram/commit/e0b0cf99f05406a0d26682c72fcb5728e95124b3

Considering that the usage in pgjdbc of this is as a client, not a server, should we even consider this to be a security issue for this driver? I'm leaning toward "no", as the connections are initiated by the client. The only way this would be an issue is if the client was actively helping a malicious server by repeatedly trying to connect to it (an insanely large number of times to get meaningful timing attack numbers).
* Re: [pgjdbc/pgjdbc] PR #3799: fix(deps): update dependency com.ongres.scram:scram-client to 3.2
  From: jorsol (@jorsol) @ 2025-09-17 14:55 UTC
  To: pgjdbc/pgjdbc <[email protected]>

Hi @sehrope — the only relevant change is a security fix. The attack would be highly complex and likely impractical, but we're addressing it to be on the safe side. I'd lean "no" as well on marking it as a driver security issue.
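The "timing-safe comparison" the thread refers to is the client-side check of the SCRAM ServerSignature (the `v=` value in the server's final message). The block below is an added example written for this page; it is not code from pgjdbc or from ongres/scram, and it does not reproduce what the linked commit changed. It rebuilds the SCRAM-SHA-256 key derivation from RFC 5802/7677 in Python, then shows the two ways a client can compare the received signature with the one it computed: an early-exit byte loop (instrumented so the number of bytes inspected stands in for the wall-clock time a malicious server could measure) and `hmac.compare_digest`, the Python counterpart of Java's `java.security.MessageDigest.isEqual`. The recovery loop shows what the early-exit variant hands to a server that does not know the password, under the assumption that the client keeps retrying with the same AuthMessage; a real client picks a fresh nonce per connection, so the expected signature changes every time. Password, salt, nonces and the `demo`-named helpers are constructed for the example, not RFC test vectors.

```python
"""Client-side check of the SCRAM-SHA-256 ServerSignature ("v=" in server-final):
early-exit byte compare vs. constant-time compare.

Added example for the pgjdbc PR #3799 discussion; not code from pgjdbc or ongres/scram.
Password, salt and nonces are constructed demo values, not RFC 7677 test vectors.
"""
import base64
import hashlib
import hmac


# --- SCRAM key derivation and signatures (RFC 5802 section 3, SHA-256 per RFC 7677) ---

def scram_keys(password: str, salt: bytes, iterations: int):
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def auth_message(client_first_bare: bytes, server_first: bytes, client_final_bare: bytes) -> bytes:
    return client_first_bare + b"," + server_first + b"," + client_final_bare


def server_signature(server_key: bytes, auth_msg: bytes) -> bytes:
    return hmac.new(server_key, auth_msg, hashlib.sha256).digest()


def server_final_for(sig: bytes) -> bytes:
    return b"v=" + base64.b64encode(sig)


# --- the two ways the client can compare the received signature with its own ---

class EarlyExitCompare:
    """Stops at the first mismatching byte. bytes_compared stands in for the elapsed time a
    remote server could measure: on a mismatch it equals (length of matching prefix + 1)."""

    def __init__(self):
        self.bytes_compared = 0

    def __call__(self, a: bytes, b: bytes) -> bool:
        self.bytes_compared = 0
        if len(a) != len(b):
            return False
        for x, y in zip(a, b):
            self.bytes_compared += 1
            if x != y:
                return False
        return True


def constant_time_compare(a: bytes, b: bytes) -> bool:
    # Python counterpart of java.security.MessageDigest.isEqual: work does not depend on where bytes differ
    return hmac.compare_digest(a, b)


def client_verifies_server_final(server_final: bytes, expected_sig: bytes, compare) -> bool:
    """Parse server-final and check its v= value against the signature the client computed."""
    if not server_final.startswith(b"v="):
        return False  # an e= error or junk is never accepted
    try:
        received = base64.b64decode(server_final[2:], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return compare(received, expected_sig)


# --- what an early-exit compare hands to a malicious server ---

def recover_signature_via_oracle(expected_sig: bytes, compare: EarlyExitCompare) -> bytes:
    """A server that does not know the password guesses the ServerSignature one byte at a time,
    using only how many bytes the client compared before rejecting. Assumes the client keeps
    retrying with the same AuthMessage (a real client uses a fresh nonce per connection)."""
    guess = bytearray(len(expected_sig))
    for pos in range(len(expected_sig)):
        for candidate in range(256):
            guess[pos] = candidate
            if compare(bytes(guess), expected_sig) or compare.bytes_compared > pos + 1:
                break  # the client got past byte pos, so this candidate is right
    return bytes(guess)


def build_demo_exchange():
    """Constructed exchange: returns the ServerSignature the client expects and the server-final message."""
    password, salt, iterations = "pencil", b"demo-salt-0123", 4096  # demo values
    nonce = b"clientnonce0001" + b"servernonce0001"
    client_first_bare = b"n=user,r=clientnonce0001"
    server_first = b"r=" + nonce + b",s=" + base64.b64encode(salt) + b",i=4096"
    client_final_bare = b"c=biws,r=" + nonce
    _, _, server_key = scram_keys(password, salt, iterations)
    sig = server_signature(server_key, auth_message(client_first_bare, server_first, client_final_bare))
    return sig, server_final_for(sig)


if __name__ == "__main__":
    sig, server_final = build_demo_exchange()
    leaky = EarlyExitCompare()
    print("genuine server accepted:", client_verifies_server_final(server_final, sig, leaky))
    print("fake server rejected:", not client_verifies_server_final(server_final_for(bytes(32)), sig, leaky))
    print("bytes compared before that rejection:", leaky.bytes_compared)
    print("signature recovered through the oracle:", recover_signature_via_oracle(sig, EarlyExitCompare()) == sig)
    print("constant-time check accepts genuine:", client_verifies_server_final(server_final, sig, constant_time_compare))
```

Running the module prints the five checks; the recovery succeeds only because the demo holds the AuthMessage fixed, which is the "repeatedly trying to connect" condition from the thread. Swapping `EarlyExitCompare` for `constant_time_compare` removes the per-byte signal without changing the accept/reject result.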