Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qsIPG-007TGD-Ib for pgsql-jdbc@arkaria.postgresql.org; Mon, 16 Oct 2023 07:52:54 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qsIPE-00GfeI-8t for pgsql-jdbc@arkaria.postgresql.org; Mon, 16 Oct 2023 07:52:52 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qs976-00DDpN-2G for pgsql-jdbc@lists.postgresql.org; Sun, 15 Oct 2023 21:57:32 +0000 Received: from mail-io1-xd2a.google.com ([2607:f8b0:4864:20::d2a]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qs974-000eXn-0g for pgsql-jdbc@postgresql.org; Sun, 15 Oct 2023 21:57:31 +0000 Received: by mail-io1-xd2a.google.com with SMTP id ca18e2360f4ac-79fe8986355so157836239f.2 for ; Sun, 15 Oct 2023 14:57:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697407049; x=1698011849; darn=postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ZClJtralA3Asx0EHhoh5f3J2hjFmfYfOzAvzOYD1z6Y=; b=i7Xk8tAq1e8tezv21DEJmdFniZh5BH6hbdCrnV9gbZyivjx+vhT2XQqK4YtYF56UQv A0eiYbuNkZ2qc680QwUj8jqPxK5mC34waibNQUD4lHREcmcDiWIlYXXHFDwOrwoUDq+M psLnY7VwI8rURVGGJsjSOwH5A/G8E4jlSv3gAaXCY+01xzP0wA3mcHWSTvfCJQUgSbqH fF7wA297RwBhGCCZColrF7F3gyRYURUGz4xQJ5WpLe64F9RVruRNeuiiZcgOddt2AFDy 54jU4/u0X17YCPOu7/0iYLTjfv7bhpaP3yTTbprIpte1+Ur9WeKNY1prtGaQ4mrEcx1L wGOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697407049; x=1698011849; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ZClJtralA3Asx0EHhoh5f3J2hjFmfYfOzAvzOYD1z6Y=; b=la0aAJaqWt7OKsvdmWlDmJLwuV3SAD1xrjerN59p2y0mQ6QFvdQcP+7aykrWH1Qh05 mBqPS/TalpfTqG0qPvPBW6RSbdGrAY1voog7Ah0RcRtrq8yvjPAFBM5Jzn8CA87BsmpJ qJ0O0oJ7tBKQGhcMaSZoC1NlqMRdw+MGhF1MLyKCrClqEuYXQbC6O2ISKO1mjNvYLSu9 MOo6Ex6TKWQ0pZJ1udoPmtPdD8JQaPbvbqHWBuY13aglu7cUUVzEDF+k1+X2W0Qcboa5 BVsI8VcjC4OWNfFa91uHBVUo8yi3R30GpQjjD2Esunh92LVOLBZvo9MfHhy6yzE8mlZO g0rA== X-Gm-Message-State: AOJu0Yzt8getL3sw7gZqoZRPDiXWT7oEQko5SknNnxi9bfDxeQOk3ZaG sRD88aoXmqmEG5Py2e3IKkmJ9QtJPdv5uYpvBSg= X-Google-Smtp-Source: AGHT+IEGMj4TmCiOx9nfsK1jIQIWuGH12pBTOaNeX/mmLar4O2IfuR5p8oRFMJut3mH3naMAa5LtUR5Mys82pjvT/u8= X-Received: by 2002:a6b:7841:0:b0:79f:e99b:474a with SMTP id h1-20020a6b7841000000b0079fe99b474amr33639846iop.18.1697407049256; Sun, 15 Oct 2023 14:57:29 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Rob Bygrave Date: Mon, 16 Oct 2023 10:57:18 +1300 Message-ID: Subject: Re: JDBC driver has EOL'd component To: Sehrope Sarkuni Cc: Suren Sethumadhavan , "pgsql-jdbc-security@lists.postgresql.org" , List Content-Type: multipart/alternative; boundary="00000000000035dc360607c86088" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --00000000000035dc360607c86088 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable *> override the checker-qual dependency.* Noting that the checker-qual dependency is not actually needed [as a transitive dependency] and instead can be *excluded* altogether (e.g. via maven exclusions) rather than updated. Cheers, Rob. On Sun, 15 Oct 2023 at 05:11, Sehrope Sarkuni wrote: > On Fri, Oct 13, 2023 at 6:48=E2=80=AFPM Suren Sethumadhavan < > Suren.Sethumadhavan@veritas.com> wrote: > >> Looks like JDBC drivers are shipping with an EOL=E2=80=99s version of Ch= ecker >> Qual (v 3.5.0). >> >> >> 1. Can you please confirm this? >> 2. If confirmed, when can we expect a version with newer versions of >> this component? >> >> > This is not a security issue and should be directed to the general pgjdbc > mailing list (cc'ed). > > The pgjdbc driver does not ship with any embedded dependencies. The drive= r > dependencies are part of the the Maven pom and the latest version of the > driver has a checker-qual dependency of 3.31.0: > https://repo1.maven.org/maven2/org/postgresql/postgresql/42.6.0/postgresq= l-42.6.0.pom > > While we periodically update the minimum dependency versions for the > driver's internal dependencies as we leverage new features, there is no > specific schedule for it. In the interim, if you want to use a newer > version of that dependency, you'll need to update your local pom.xml or > gradle config to override the checker-qual dependency. > > Regards, > -- Sehrope Sarkuni > Founder & CEO | JackDB, Inc. | https://www.jackdb.com/ > > --00000000000035dc360607c86088 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
> override the che= cker-qual dependency.

Noting that = the checker-qual dependency is not actually needed [as a transitive depende= ncy] and instead can be excluded=C2=A0altogether (e.g. via ma= ven exclusions) rather than updated.

Cheers, Rob.<= /div>

On Sun, 15 Oct 2023 at 05:11, Sehrope Sarkuni <sehrope@jackdb.com> wrote:
On Fri, Oct 1= 3, 2023 at 6:48=E2=80=AFPM Suren Sethumadhavan <Suren.Sethumadhavan@veritas.co= m> wrote:
Looks like JDBC drivers are shipping wi= th an EOL=E2=80=99s version of Checker Qual (v 3.5.0).
=C2=A0
  1. Can you please confirm this?
  2. If confirmed, when can we expect a= version with newer versions of this component?

This is not a security issue and s= hould be directed to the general pgjdbc mailing list (cc'ed).

Th= e pgjdbc driver does not ship with any embedded dependencies. The driver de= pendencies are part of the the Maven pom and the latest version of the driv= er has a checker-qual dependency of 3.31.0: https://repo1.maven.org/maven2/org/postgresql/postgresql/42.6.0= /postgresql-42.6.0.pom

While we periodically update the minimum = dependency versions for the driver's internal dependencies as we levera= ge new features, there is no specific schedule for it. In the interim, if y= ou want to use a newer version of that dependency, you'll need to updat= e your local pom.xml or gradle config to override the checker-qual dependen= cy.

Regards,<= /div>
-- Sehrope Sarkuni
Founder & CEO | JackDB, Inc. |=C2=A0https://www.jackdb.com/

--00000000000035dc360607c86088--