Bump github.com/jackc/pgx/v4 from 4.18.1 to 4.18.2 (!48) · Merge requests · Imanuel Ulbricht / Reemt Rühmkorfs Website

Imanuel Ulbricht requested to merge dependabot-go_modules-github.com-jackc-pgx-v4-4.18.2 into main Mar 04, 2024

Bumps github.com/jackc/pgx/v4 from 4.18.1 to 4.18.2.

Changelog

Sourced from github.com/jackc/pgx/v4's changelog.

4.18.2 (March 4, 2024)

Fix CVE-2024-27289

SQL injection can occur when all of the following conditions are met:

The non-default simple protocol is used.

A placeholder for a numeric value must be immediately preceded by a minus.

There must be a second placeholder for a string value after the first placeholder; both must be on the same line.

Both parameter values must be user-controlled.

Thanks to Paul Gerste for reporting this issue.

Fix CVE-2024-27304

SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.

Thanks to Paul Gerste for reporting this issue.

Fix *dbTx.Exec not checking if it is already closed

Commits

14690df Update changelog
779548e Update required Go version to 1.17
80e9662 Update github.com/jackc/pgconn to v1.14.3
0bf9ac3 Fix erroneous test case
f94eb0e Always wrap arguments in parentheses in the SQL sanitizer
826a892 Fix SQL injection via line comment creation in simple protocol
7d882f9 Fix *dbTx.Exec not checking if it is already closed
1d07b8b go mod tidy
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Bump github.com/jackc/pgx/v4 from 4.18.1 to 4.18.2

4.18.2 (March 4, 2024)

Merge request reports