Bump github.com/jackc/pgx/v4 from 4.18.1 to 4.18.2
Bumps github.com/jackc/pgx/v4 from 4.18.1 to 4.18.2.
Changelog
Sourced from github.com/jackc/pgx/v4's changelog.
4.18.2 (March 4, 2024)
Fix CVE-2024-27289
SQL injection can occur when all of the following conditions are met:
- The non-default simple protocol is used.
- A placeholder for a numeric value must be immediately preceded by a minus.
- There must be a second placeholder for a string value after the first placeholder; both must be on the same line.
- Both parameter values must be user-controlled.
Thanks to Paul Gerste for reporting this issue.
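Why the second and third conditions above matter, and why the fix listed in the commits ("Always wrap arguments in parentheses in the SQL sanitizer") closes the gap, is easiest to see on a small model of simple-protocol interpolation. The following Go program is an added example written for this note; it is not pgx's sanitizer, and the query text and argument values are constructed. In the simple protocol the driver cannot ship parameters separately, so each `$N` is replaced by literal text before the query string leaves the client. A negative numeric literal rendered directly after a unary minus yields `--`, which PostgreSQL reads as a comment to end of line; wrapping every literal in parentheses yields `-(-1)` instead.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Simplified model of simple-protocol parameter interpolation, written for
// this note. It is not pgx's code. $N placeholders are replaced by literal
// text before the query string is sent.

// renderLiteral turns a Go value into a SQL literal (a small subset of types).
func renderLiteral(v any) (string, error) {
	switch x := v.(type) {
	case nil:
		return "NULL", nil
	case int:
		return strconv.Itoa(x), nil
	case int64:
		return strconv.FormatInt(x, 10), nil
	case string:
		return "'" + strings.ReplaceAll(x, "'", "''") + "'", nil
	}
	return "", fmt.Errorf("unsupported argument type %T", v)
}

// interpolate replaces $1..$N in sql with the rendered args. With parenthesize
// set, every literal is wrapped in "(...)", the approach named in the 4.18.2
// commit "Always wrap arguments in parentheses in the SQL sanitizer".
func interpolate(sql string, args []any, parenthesize bool) (string, error) {
	var out strings.Builder
	for i := 0; i < len(sql); i++ {
		if sql[i] != '$' {
			out.WriteByte(sql[i])
			continue
		}
		j := i + 1
		for j < len(sql) && sql[j] >= '0' && sql[j] <= '9' {
			j++
		}
		if j == i+1 { // a lone '$', not a placeholder
			out.WriteByte('$')
			continue
		}
		n, _ := strconv.Atoi(sql[i+1 : j])
		if n < 1 || n > len(args) {
			return "", fmt.Errorf("placeholder $%d has no argument", n)
		}
		lit, err := renderLiteral(args[n-1])
		if err != nil {
			return "", err
		}
		if parenthesize {
			lit = "(" + lit + ")"
		}
		out.WriteString(lit)
		i = j - 1 // resume after the digits
	}
	return out.String(), nil
}

// startsLineComment reports whether the rendered SQL contains "--" outside a
// single-quoted string. PostgreSQL treats "--" as a comment to end of line, so
// its unintended appearance is the defect the changelog describes.
func startsLineComment(sql string) bool {
	inQuote := false
	for i := 0; i < len(sql); i++ {
		switch {
		case sql[i] == '\'':
			inQuote = !inQuote
		case !inQuote && sql[i] == '-' && i+1 < len(sql) && sql[i+1] == '-':
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: a numeric placeholder directly after a unary minus,
	// given a negative value, followed by a string placeholder on the same line.
	query := "SELECT -$1, $2"
	args := []any{int64(-1), "user text"}

	naive, _ := interpolate(query, args, false)
	fixed, _ := interpolate(query, args, true)
	fmt.Printf("unwrapped: %s  (line comment: %v)\n", naive, startsLineComment(naive))
	fmt.Printf("wrapped:   %s  (line comment: %v)\n", fixed, startsLineComment(fixed))
}
```

The `startsLineComment` check is the kind of assertion a test suite for a sanitizer can carry: whatever the argument values, the rendered query must never contain a comment opener that the original query text did not. Parenthesizing is robust because it works for any argument type without having to enumerate the characters that are dangerous in every context.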
Fix CVE-2024-27304
SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the attacker's control.
Thanks to Paul Gerste for reporting this issue.
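The second fix is about message framing rather than query text. The following Go program is an added example for this note, not pgconn's or pgx's code, and its size limit is an illustrative conservative bound rather than the exact check the project ships. Every PostgreSQL frontend message carries a 32-bit length field after the one-byte type code; if the length is computed in a wider integer and narrowed without a range check, a body past the field's range wraps to a small value, and the receiver parses the bytes after that short prefix as further messages. The hardened version refuses to frame a body the field cannot describe.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Illustrative framing code written for this note; not pgconn's implementation.
// Protocol layout: 1-byte message type, int32 length (counting the length field
// itself but not the type byte, big-endian), then the body.

const headerLen = 4 // width of the int32 length field

var ErrMessageTooLarge = errors.New("message body exceeds protocol length limit")

// naiveFrameLength models the pre-fix defect class: the length is computed in
// a wider integer and narrowed to int32 with no range check, so large bodies
// wrap to a small, incorrect length.
func naiveFrameLength(bodyLen int) int32 {
	return int32(bodyLen + headerLen)
}

// checkedFrameLength refuses any body whose framed length does not fit the
// 32-bit field. math.MaxInt32 is used here as a conservative bound.
func checkedFrameLength(bodyLen int) (int32, error) {
	if bodyLen < 0 || bodyLen > math.MaxInt32-headerLen {
		return 0, ErrMessageTooLarge
	}
	return int32(bodyLen + headerLen), nil
}

// encodeQuery frames a simple-protocol Query ('Q') message with a checked
// length. The query text is sent as a NUL-terminated string.
func encodeQuery(sql string) ([]byte, error) {
	body := append([]byte(sql), 0)
	n, err := checkedFrameLength(len(body))
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 1+headerLen, 1+headerLen+len(body))
	buf[0] = 'Q'
	binary.BigEndian.PutUint32(buf[1:], uint32(n))
	buf = append(buf, body...)
	return buf, nil
}

func main() {
	// Constructed sizes: a small body and one just past the 32-bit range.
	for _, size := range []int{8, 1<<32 + 10} {
		n, err := checkedFrameLength(size)
		fmt.Printf("body %d bytes: naive length %d, checked length %d (err: %v)\n",
			size, naiveFrameLength(size), n, err)
	}
	msg, _ := encodeQuery("select 1")
	fmt.Printf("framed Query message: % x\n", msg)
}
```

Returning an error at the framing layer is the right place for this check: a single oversized query is already going to fail, and rejecting it before it reaches the socket guarantees the server never sees a byte stream whose framing disagrees with what the client intended to send.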
- Fix *dbTx.Exec not checking if it is already closed
Commits
- 14690df Update changelog
- 779548e Update required Go version to 1.17
- 80e9662 Update github.com/jackc/pgconn to v1.14.3
- 0bf9ac3 Fix erroneous test case
- f94eb0e Always wrap arguments in parentheses in the SQL sanitizer
- 826a892 Fix SQL injection via line comment creation in simple protocol
- 7d882f9 Fix *dbTx.Exec not checking if it is already closed
- 1d07b8b go mod tidy
See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts