Message-ID: From: "vlsi (@vlsi)" To: "pgjdbc/pgjdbc" Date: Mon, 18 May 2026 14:50:54 +0000 Subject: [pgjdbc/pgjdbc] PR #4078: docs: add 42.7.11 release changelog List-Id: X-GitHub-Additions: 146 X-GitHub-Author-Id: 213894 X-GitHub-Author-Login: vlsi X-GitHub-Base: master X-GitHub-Changed-Files: 1 X-GitHub-Commits: 1 X-GitHub-Deletions: 0 X-GitHub-Head-Branch: releasenotes_42711 X-GitHub-Head-SHA: f70d926282d7f4714e01710195942d76d6136938 X-GitHub-Issue: 4078 X-GitHub-Labels: documentation X-GitHub-Merge-SHA: ffe5827abfcb538cb8651b484674ade936286bef X-GitHub-Merged-By: vlsi X-GitHub-Repo: pgjdbc/pgjdbc X-GitHub-Requested-Reviewers: davecramer X-GitHub-State: merged X-GitHub-Type: pull_request X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/4078 Content-Type: text/plain; charset=utf-8 The changelog page was missing for the release diff --git a/docs/content/changelogs/2026-04-28-42.7.11-release.md b/docs/content/changelogs/2026-04-28-42.7.11-release.md new file mode 100644 index 0000000000..56191fba6a --- /dev/null +++ b/docs/content/changelogs/2026-04-28-42.7.11-release.md 
@@ -0,0 +1,146 @@ +--- +title: PostgreSQL JDBC Driver 42.7.11 Released +date: 2026-04-28 16:00:00 -0400 +categories: + - new release +version: 42.7.11 +summary: "Security release: caps SCRAM PBKDF2 iterations (CVE-2026-42198). Adds require_auth, fixes cursor fetching after BEGIN, SSL fallback/timeout handling, COPY hang on IOException, and more." +--- +**Notable changes** + +### Security +* fix: Limit SCRAM PBKDF2 iterations accepted from the server. +pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new `scramMaxIterations` connection property (default 100000) to cap iteration counts before computation begins. +See the [Security Advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq) for more detail. +The following [CVE-2026-42198](https://nvd.nist.gov/vuln/detail/CVE-2026-42198) has been issued. 
+ +### Added +* feat: implement `require_auth` connection property, aligning with libpq behaviour [PR #3895](https://github.com/pgjdbc/pgjdbc/pull/3895) + +### Changed +* chore: bump Gradle to 9.4.1, `org.checkerframework` to 1.0.2, `com.gradleup.shadow` to 9.4.0 [PR #3978](https://github.com/pgjdbc/pgjdbc/pull/3978) +* chore: bump errorprone to 2.48.0 [PR #4005](https://github.com/pgjdbc/pgjdbc/pull/4005) +* chore: replace Appveyor with `ikalnytskyi/action-setup-postgres` [PR #3966](https://github.com/pgjdbc/pgjdbc/pull/3966) +* chore: use tag names for pinning GitHub Actions, pin `ikalnytskyi/action-setup-postgres` [PR #4007](https://github.com/pgjdbc/pgjdbc/pull/4007) +* chore: use full version tags in GitHub Actions comments [PR #3963](https://github.com/pgjdbc/pgjdbc/pull/3963) +* chore: use `@vlsi/github-actions-random-matrix` npm package [PR #4008](https://github.com/pgjdbc/pgjdbc/pull/4008) +* chore: use greedy pairwise coverage for CI matrix generation [PR #3965](https://github.com/pgjdbc/pgjdbc/pull/3965) +* chore: replace log warning in `ConnectionFactory.closeStream` with `Throwable.addSuppressed` [PR #3970](https://github.com/pgjdbc/pgjdbc/pull/3970) +* chore: suppress deprecations in test code to reduce build verbosity [PR #3972](https://github.com/pgjdbc/pgjdbc/pull/3972) +* ci: pass `${{ }}` expressions via env to avoid shell injection [PR #4006](https://github.com/pgjdbc/pgjdbc/pull/4006) +* style: replace `@exception` with `@throws` in `getBoolean` javadoc [PR #4035](https://github.com/pgjdbc/pgjdbc/pull/4035) +* fix: Add sources and javadocs to shaded published lib generation [PR #4043](https://github.com/pgjdbc/pgjdbc/pull/4043) +* docs: add SCRAM authentication test setup section to TESTING.md [PR #3945](https://github.com/pgjdbc/pgjdbc/pull/3945) +* docs: fix location of 42.7.4 changelogs [PR #3839](https://github.com/pgjdbc/pgjdbc/pull/3839) +* test: add tests for `QueryExecutor#getTransactionState` [PR 
#4006](https://github.com/pgjdbc/pgjdbc/pull/4006) +* test: replace `@DisabledIfServerVersion` annotations with `@EnabledForServerVersionRange` [PR #3939](https://github.com/pgjdbc/pgjdbc/pull/3939) +* test: increase timeouts for `LogicalReplicationTest` +* test: move test table creation from `@BeforeEach` to `@BeforeAll` [PR #3967](https://github.com/pgjdbc/pgjdbc/pull/3967) +* test: add `@DisableLogger` annotation to suppress expected log warnings in tests [PR #3971](https://github.com/pgjdbc/pgjdbc/pull/3971) + +### Fixed +* fix: ensure extended protocol messages end with Sync message [PR #3728](https://github.com/pgjdbc/pgjdbc/pull/3728) +* fix: enable cursor-based fetching in extended protocol when transaction started via SQL command [PR #3996](https://github.com/pgjdbc/pgjdbc/pull/3996) +* fix: retry with SSL on `IOException` when `sslMode=ALLOW` [PR #3973](https://github.com/pgjdbc/pgjdbc/pull/3973) +* fix: make sure the driver honours `connectTimeout` when retrying the connection [PR #3968](https://github.com/pgjdbc/pgjdbc/pull/3968) +* fix: allow fallback to non-SSL connection when `sslMode=prefer` and `sslResponseTimeout` kicks in [PR #3968](https://github.com/pgjdbc/pgjdbc/pull/3968) +* fix: catch `SecurityException` from `setContextClassLoader` on `ForkJoinPool` workers [PR #3962](https://github.com/pgjdbc/pgjdbc/pull/3962) +* fix: use `compareTo` for `LogSequenceNumber` comparison to handle unsigned values correctly [PR #3961](https://github.com/pgjdbc/pgjdbc/pull/3961) +* fix: release COPY lock on `IOException` to prevent connection hang [PR #3957](https://github.com/pgjdbc/pgjdbc/pull/3957) +* fix: return `jsonb` as `PGObject` instead of `String` [PR #3956](https://github.com/pgjdbc/pgjdbc/pull/3956) +* fix: align SSL key file permission check with libpq [PR #3952](https://github.com/pgjdbc/pgjdbc/pull/3952) +* fix: guard connection closed flag with a reentrant lock to protect against concurrent close [PR 
#3905](https://github.com/pgjdbc/pgjdbc/pull/3905) +* fix: flaky `CopyBothResponseTest` by using WAL flush LSN [PR #3979](https://github.com/pgjdbc/pgjdbc/pull/3979) +* fix: flaky replication restart tests by waiting for `confirmed_flush_lsn` [PR #3975](https://github.com/pgjdbc/pgjdbc/pull/3975) +* fix: flaky `LogicalReplicationStatusTest` by polling `pg_stat_replication` [PR #3974](https://github.com/pgjdbc/pgjdbc/pull/3974) +* fix: update docker scripts so `max_locks_per_transaction` is the same in the replica as the primary; correct `is_pg_version_less_than` [PR #3958](https://github.com/pgjdbc/pgjdbc/pull/3958) +* fix: add users to `pg_hba.conf` for head so `require_auth` tests pass [PR #3954](https://github.com/pgjdbc/pgjdbc/pull/3954) + +### Dependency updates +* deps: Update Gradle to v9.4.1 +* deps: Update checkerframework to v3.55.1 +* deps: Update errorprone to v2.48.0 +* deps: Update logback to v1.5.32 +* deps: Update dependency `net.bytebuddy:byte-buddy-parent` to v1.18.8 +* deps: Update dependency `net.bytebuddy:byte-buddy-agent` to v1.18.8 +* deps: Update dependency `org.junit:junit-bom` to v5.14.3 +* deps: Update dependency `org.mockito:mockito-bom` to v5.23.0 +* deps: Update dependency `org.ow2.asm:asm-bom` to v9.9.1 +* deps: Update dependency `org.apache.bcel:bcel` to v6.12.0 +* deps: Update dependency `org.roaringbitmap:roaringbitmap` to v1.6.14 +* deps: Update dependency `org.ops4j.pax.url:pax-url-aether` to v3.0.2 +* deps: Update dependency `org.openrewrite.rewrite:org.openrewrite.rewrite.gradle.plugin` to v7.30.0 +* deps: Update `com.gradleup.shadow` Gradle plugin to v9.4.1 +* deps: Update `com.gradleup.nmcp` to v1.4.4 +* deps: Update plugin `com.gradle.develocity` to v4.4.0 +* deps: Update plugin `biz.aqute.bnd.builder` to v7.2.3 +* deps: Update plugin `org.gradlex.build-parameters` to v1.4.5 +* deps: Update plugin `org.jetbrains.kotlin.jvm` to v2.3.20 +* deps: Update plugin `com.github.lburgazzoli.karaf` to v0.5.7 +* deps: Update plugin 
`com.github.burrunan.s3-build-cache` to v1.9.5 +* deps: Update `release-drafter/release-drafter` action to v6.4.0 +* deps: Update `github/codeql-action` action to v3.35.1 +* deps: Update `codecov/codecov-action` action to v5.5.4 +* deps: Update `actions/checkout` action to v6 +* deps: Update `actions/configure-pages` action to v6 +* deps: Update `actions/create-github-app-token` action to v3 +* deps: Update `sbt/sbt` to v1.12.9 +* deps: Update `ubuntu:24.04` docker digest + +**Commits by author** + +### Vladimir Sitnikov (27 commits) +- [fix: ensure extended protocol messages end with Sync message](https://github.com/pgjdbc/pgjdbc/pull/3728) +- [fix: enable cursor-based fetching in extended protocol when transaction started via SQL command](https://github.com/pgjdbc/pgjdbc/pull/3996) +- [fix: retry with SSL on IOException when sslMode=ALLOW](https://github.com/pgjdbc/pgjdbc/pull/3973) +- [fix: make sure the driver honours connectTimeout when retrying the connection](https://github.com/pgjdbc/pgjdbc/pull/3968) +- [fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in](https://github.com/pgjdbc/pgjdbc/pull/3968) +- [fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers](https://github.com/pgjdbc/pgjdbc/pull/3962) +- [fix: use compareTo for LogSequenceNumber comparison](https://github.com/pgjdbc/pgjdbc/pull/3961) +- [fix: release COPY lock on IOException to prevent connection hang](https://github.com/pgjdbc/pgjdbc/pull/3957) +- [fix: flaky CopyBothResponseTest by using WAL flush LSN](https://github.com/pgjdbc/pgjdbc/pull/3979) +- [fix: flaky replication restart tests by waiting for confirmed_flush_lsn](https://github.com/pgjdbc/pgjdbc/pull/3975) +- [test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication](https://github.com/pgjdbc/pgjdbc/pull/3974) +- [test: increase timeouts for LogicalReplicationTest](https://github.com/pgjdbc/pgjdbc/commit/327b9537f) +- [test: move test table 
creation from @BeforeEach to @BeforeAll](https://github.com/pgjdbc/pgjdbc/pull/3967) +- [test: add @DisableLogger annotation to suppress expected log warnings in tests](https://github.com/pgjdbc/pgjdbc/pull/3971) +- [test: add tests for QueryExecutor#getTransactionState](https://github.com/pgjdbc/pgjdbc/pull/4006) +- [chore: bump Gradle to 9.4.1, org.checkerframework to 1.0.2, com.gradleup.shadow to 9.4.0](https://github.com/pgjdbc/pgjdbc/pull/3978) +- [chore: bump errorprone to 2.48.0](https://github.com/pgjdbc/pgjdbc/pull/4005) +- [chore: replace Appveyor with ikalnytskyi/action-setup-postgres](https://github.com/pgjdbc/pgjdbc/pull/3966) +- [chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres](https://github.com/pgjdbc/pgjdbc/pull/4007) +- [chore: use full version tags in GitHub Actions comments](https://github.com/pgjdbc/pgjdbc/pull/3963) +- [chore: use @vlsi/github-actions-random-matrix npm package](https://github.com/pgjdbc/pgjdbc/pull/4008) +- [chore: use greedy pairwise coverage for CI matrix generation](https://github.com/pgjdbc/pgjdbc/pull/3965) +- [chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed](https://github.com/pgjdbc/pgjdbc/pull/3970) +- [chore: suppress deprecations in test code to reduce build verbosity](https://github.com/pgjdbc/pgjdbc/pull/3972) +- [ci: pass ${{ }} expressions via env to avoid shell injection](https://github.com/pgjdbc/pgjdbc/pull/4006) +- [style: replace @exception with @throws in getBoolean javadoc](https://github.com/pgjdbc/pgjdbc/pull/4035) + +### Sehrope Sarkuni (9 commits) +- [fix: Limit SCRAM PBKDF2 iterations accepted from the server](https://github.com/pgjdbc/pgjdbc/commit/c9d41d133) +- [test: Add SCRAM max iteration tests](https://github.com/pgjdbc/pgjdbc/commit/7dbcc79b2) +- [test: Disable scram test on older version without scram_iterations GUC](https://github.com/pgjdbc/pgjdbc/pull/4040) +- [docs: Add scram max iters fix to 
changelog](https://github.com/pgjdbc/pgjdbc/pull/4040) +- [Fix scram fix location in changelog and update published artifact developer list](https://github.com/pgjdbc/pgjdbc/pull/4041) +- [fix: Add sources and javadocs to shaded published lib generation](https://github.com/pgjdbc/pgjdbc/pull/4043) +- [test: Add EnabledForServerVersionRange and Disabled annotation to specify mandatory server version ranges](https://github.com/pgjdbc/pgjdbc/pull/3939) +- [test: Replace @DisabledIfServerVersion annotations with @EnabledForServerVersionRange](https://github.com/pgjdbc/pgjdbc/pull/3939) +- [test: Remove unused @DisabledIfServerVersion annotation](https://github.com/pgjdbc/pgjdbc/pull/3939) + +### Dave Cramer (6 commits) +- [implement require_auth, this is pretty much how libpq does this](https://github.com/pgjdbc/pgjdbc/pull/3895) +- [remove old comment about finalize, guard closed flag with a reentrant lock to protect against concurrent close](https://github.com/pgjdbc/pgjdbc/pull/3905) +- [Return jsonb as PGObject fixes Issue #3926](https://github.com/pgjdbc/pgjdbc/pull/3956) +- [Update docker scripts so the max_locks_per_transaction is the same in the replica as the primary](https://github.com/pgjdbc/pgjdbc/pull/3958) +- [add users to pg_hba.conf file for head for the require_auth tests to pass](https://github.com/pgjdbc/pgjdbc/pull/3954) +- [update Changelog and website for release of 42.7.11](https://github.com/pgjdbc/pgjdbc/pull/4042) + +### Harinath Kanchu (1 commit) +- [ssl: align key file permission check with libpq](https://github.com/pgjdbc/pgjdbc/pull/3952) + +### Emmanuel Oppong (1 commit) +- [docs: add SCRAM authentication test setup section to TESTING.md](https://github.com/pgjdbc/pgjdbc/pull/3945) + +### pbe-axelor (1 commit) +- [fix location of 42.7.4 changelogs](https://github.com/pgjdbc/pgjdbc/pull/3839)
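Review bot: two different changes in this hunk are attributed to the same PR number: `test: add tests for QueryExecutor#getTransactionState` and `ci: pass ${{ }} expressions via env to avoid shell injection` both link to PR #4006, once in the Changed list and again in the Vladimir Sitnikov commit list, so at least one of those links is wrong and should be corrected before a reader follows it to the wrong change. Two consistency points in the same lists: the Security entry is the only notable change without a PR or commit link, even though the commit is visible lower on the page (`fix: Limit SCRAM PBKDF2 iterations accepted from the server`, c9d41d133), and `test: increase timeouts for LogicalReplicationTest` has no link in the Changed list while the author section links commit 327b9537f; adding those two links would make the lists match. The closing sentence of the Security section, "The following [CVE-2026-42198](...) has been issued.", reads awkwardly; "CVE-2026-42198 has been issued for this issue." says the same thing more clearly. Finally, the heading "Vladimir Sitnikov (27 commits)" is followed by 26 entries, so either the count or the list is off by one.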