Notable Changes
Security
- fix: Limit SCRAM PBKDF2 iterations accepted from the server.
  pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new `scramMaxIterations` connection property (default 100000) to cap iteration counts before computation begins. See the Security Advisory for more detail. CVE-2026-42198 has been issued for this vulnerability.
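The check the fix describes, shown as an added example rather than pgjdbc's own Java code: a small Python client-side handler parses the SCRAM server-first message (`r=<nonce>,s=<salt>,i=<count>`), compares the requested PBKDF2 iteration count against a cap that defaults to the 100000 the changelog gives for `scramMaxIterations`, and only derives the salted password once that cap has been satisfied. The sample messages, the salt, the password and the function names (`parse_server_first`, `process_server_first`, `ScramIterationLimitError`) are all constructed for this example.

```python
import base64
import hashlib

# Default cap: the value the changelog gives for pgjdbc's scramMaxIterations property.
DEFAULT_MAX_ITERATIONS = 100_000


class ScramIterationLimitError(ValueError):
    """Raised when a server-first message asks for more PBKDF2 work than the cap allows."""


def parse_server_first(message: str) -> dict:
    """Split an RFC 5802 server-first-message into its attributes.

    Shape: r=<nonce>,s=<base64 salt>,i=<iteration count>[,<extensions>...]
    No key derivation happens here; we only read what the server asked for.
    """
    attrs = {}
    for part in message.split(","):
        if len(part) < 2 or part[1] != "=":
            raise ValueError(f"malformed attribute: {part!r}")
        attrs[part[0]] = part[2:]
    for required in ("r", "s", "i"):
        if required not in attrs:
            raise ValueError(f"server-first message is missing {required}=")
    if not attrs["i"].isdigit():
        raise ValueError(f"iteration count is not a decimal integer: {attrs['i']!r}")
    return {
        "nonce": attrs["r"],
        "salt": base64.b64decode(attrs["s"], validate=True),
        "iterations": int(attrs["i"]),  # may be enormous; Python ints do not overflow
    }


def is_iteration_count_acceptable(iterations: int,
                                  max_iterations: int = DEFAULT_MAX_ITERATIONS) -> bool:
    """The cap check that must run before any PBKDF2 work is started."""
    return 1 <= iterations <= max_iterations


def salted_password(password: str, salt: bytes, iterations: int,
                    max_iterations: int = DEFAULT_MAX_ITERATIONS) -> bytes:
    """Hi(password, salt, i) from RFC 5802, i.e. PBKDF2-HMAC-SHA-256 for SCRAM-SHA-256.

    The cost check comes first, so an oversized count never reaches hashlib.
    """
    if not is_iteration_count_acceptable(iterations, max_iterations):
        raise ScramIterationLimitError(
            f"server requested {iterations} PBKDF2 iterations; limit is {max_iterations}")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def process_server_first(message: str, password: str,
                         max_iterations: int = DEFAULT_MAX_ITERATIONS):
    """Client-side handling of server-first: (True, salted_password) or (False, reason)."""
    try:
        parsed = parse_server_first(message)
        key = salted_password(password, parsed["salt"], parsed["iterations"], max_iterations)
    except ValueError as exc:  # covers malformed input, bad base64 and the iteration cap
        return False, str(exc)
    return True, key


# Constructed sample messages for this example (not captured from any real server).
_SALT_B64 = base64.b64encode(b"constructed-salt").decode("ascii")
BENIGN_SERVER_FIRST = f"r=clientnonce1234servernonce5678,s={_SALT_B64},i=4096"
# A server is free to put any number here; without a cap the client would loop 2e9 times.
HOSTILE_SERVER_FIRST = f"r=clientnonce1234servernonce5678,s={_SALT_B64},i=2000000000"


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_SERVER_FIRST), ("hostile", HOSTILE_SERVER_FIRST)):
        ok, result = process_server_first(msg, "pencil")
        if ok:
            print(f"{label}: derived salted password {result.hex()[:16]}...")
        else:
            print(f"{label}: rejected before hashing: {result}")
```

Running the module prints one derived key for the benign message and a rejection for the hostile one; the point is that the rejection happens after parsing but before the first PBKDF2 round, which is exactly where the driver's cap now sits.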
Added
- feat: implement `require_auth` connection property, aligning with libpq behaviour PR #3895
Changed
- chore: bump Gradle to 9.4.1, `org.checkerframework` to 1.0.2, `com.gradleup.shadow` to 9.4.0 PR #3978
- chore: bump errorprone to 2.48.0 PR #4005
- chore: replace Appveyor with `ikalnytskyi/action-setup-postgres` PR #3966
- chore: use tag names for pinning GitHub Actions, pin `ikalnytskyi/action-setup-postgres` PR #4007
- chore: use full version tags in GitHub Actions comments PR #3963
- chore: use `@vlsi/github-actions-random-matrix` npm package PR #4008
- chore: use greedy pairwise coverage for CI matrix generation PR #3965
- chore: replace log warning in `ConnectionFactory.closeStream` with `Throwable.addSuppressed` PR #3970
- chore: suppress deprecations in test code to reduce build verbosity PR #3972
- ci: pass `${{ }}` expressions via env to avoid shell injection PR #4006
- style: replace `@exception` with `@throws` in `getBoolean` javadoc PR #4035
- fix: Add sources and javadocs to shaded published lib generation PR #4043
- docs: add SCRAM authentication test setup section to TESTING.md PR #3945
- docs: fix location of 42.7.4 changelogs PR #3839
- test: add tests for `QueryExecutor#getTransactionState` PR #4006
- test: replace `@DisabledIfServerVersion` annotations with `@EnabledForServerVersionRange` PR #3939
- test: increase timeouts for `LogicalReplicationTest`
- test: move test table creation from `@BeforeEach` to `@BeforeAll` PR #3967
- test: add `@DisableLogger` annotation to suppress expected log warnings in tests PR #3971
Fixed
- fix: ensure extended protocol messages end with Sync message PR #3728
- fix: enable cursor-based fetching in extended protocol when transaction started via SQL command PR #3996
- fix: retry with SSL on `IOException` when `sslMode=ALLOW` PR #3973
- fix: make sure the driver honours `connectTimeout` when retrying the connection PR #3968
- fix: allow fallback to non-SSL connection when `sslMode=prefer` and `sslResponseTimeout` kicks in PR #3968
- fix: catch `SecurityException` from `setContextClassLoader` on `ForkJoinPool` workers PR #3962
- fix: use `compareTo` for `LogSequenceNumber` comparison to handle unsigned values correctly PR #3961
- fix: release COPY lock on `IOException` to prevent connection hang PR #3957
- fix: return `jsonb` as `PGObject` instead of `String` PR #3956
- fix: align SSL key file permission check with libpq PR #3952
- fix: guard connection closed flag with a reentrant lock to protect against concurrent close PR #3905
- fix: flaky `CopyBothResponseTest` by using WAL flush LSN PR #3979
- fix: flaky replication restart tests by waiting for `confirmed_flush_lsn` PR #3975
- fix: flaky `LogicalReplicationStatusTest` by polling `pg_stat_replication` PR #3974
- fix: update docker scripts so `max_locks_per_transaction` is the same in the replica as the primary; correct `is_pg_version_less_than` PR #3958
- fix: add users to `pg_hba.conf` for head so `require_auth` tests pass PR #3954
Dependency updates
- deps: Update Gradle to v9.4.1
- deps: Update checkerframework to v3.55.1
- deps: Update errorprone to v2.48.0
- deps: Update logback to v1.5.32
- deps: Update dependency `net.bytebuddy:byte-buddy-parent` to v1.18.8
- deps: Update dependency `net.bytebuddy:byte-buddy-agent` to v1.18.8
- deps: Update dependency `org.junit:junit-bom` to v5.14.3
- deps: Update dependency `org.mockito:mockito-bom` to v5.23.0
- deps: Update dependency `org.ow2.asm:asm-bom` to v9.9.1
- deps: Update dependency `org.apache.bcel:bcel` to v6.12.0
- deps: Update dependency `org.roaringbitmap:roaringbitmap` to v1.6.14
- deps: Update dependency `org.ops4j.pax.url:pax-url-aether` to v3.0.2
- deps: Update dependency `org.openrewrite.rewrite:org.openrewrite.rewrite.gradle.plugin` to v7.30.0
- deps: Update `com.gradleup.shadow` Gradle plugin to v9.4.1
- deps: Update `com.gradleup.nmcp` to v1.4.4
- deps: Update plugin `com.gradle.develocity` to v4.4.0
- deps: Update plugin `biz.aqute.bnd.builder` to v7.2.3
- deps: Update plugin `org.gradlex.build-parameters` to v1.4.5
- deps: Update plugin `org.jetbrains.kotlin.jvm` to v2.3.20
- deps: Update plugin `com.github.lburgazzoli.karaf` to v0.5.7
- deps: Update plugin `com.github.burrunan.s3-build-cache` to v1.9.5
- deps: Update `release-drafter/release-drafter` action to v6.4.0
- deps: Update `github/codeql-action` action to v3.35.1
- deps: Update `codecov/codecov-action` action to v5.5.4
- deps: Update `actions/checkout` action to v6
- deps: Update `actions/configure-pages` action to v6
- deps: Update `actions/create-github-app-token` action to v3
- deps: Update `sbt/sbt` to v1.12.9
- deps: Update `ubuntu:24.04` docker digest
Commits by author
Vladimir Sitnikov (27 commits)
- fix: ensure extended protocol messages end with Sync message
- fix: enable cursor-based fetching in extended protocol when transaction started via SQL command
- fix: retry with SSL on IOException when sslMode=ALLOW
- fix: make sure the driver honours connectTimeout when retrying the connection
- fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in
- fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers
- fix: use compareTo for LogSequenceNumber comparison
- fix: release COPY lock on IOException to prevent connection hang
- fix: flaky CopyBothResponseTest by using WAL flush LSN
- fix: flaky replication restart tests by waiting for confirmed_flush_lsn
- test: fix flaky LogicalReplicationStatusTest by polling pg_stat_replication
- test: increase timeouts for LogicalReplicationTest
- test: move test table creation from @BeforeEach to @BeforeAll
- test: add @DisableLogger annotation to suppress expected log warnings in tests
- test: add tests for QueryExecutor#getTransactionState
- chore: bump Gradle to 9.4.1, org.checkerframework to 1.0.2, com.gradleup.shadow to 9.4.0
- chore: bump errorprone to 2.48.0
- chore: replace Appveyor with ikalnytskyi/action-setup-postgres
- chore: use tag names for pinning github actions, pin ikalnytskyi/action-setup-postgres
- chore: use full version tags in GitHub Actions comments
- chore: use @vlsi/github-actions-random-matrix npm package
- chore: use greedy pairwise coverage for CI matrix generation
- chore: replace log warning in ConnectionFactory.closeStream with Throwable.addSuppressed
- chore: suppress deprecations in test code to reduce build verbosity
- ci: pass ${{ }} expressions via env to avoid shell injection
- style: replace @exception with @throws in getBoolean javadoc
Sehrope Sarkuni (9 commits)
- fix: Limit SCRAM PBKDF2 iterations accepted from the server
- test: Add SCRAM max iteration tests
- test: Disable scram test on older version without scram_iterations GUC
- docs: Add scram max iters fix to changelog
- Fix scram fix location in changelog and update published artifact developer list
- fix: Add sources and javadocs to shaded published lib generation
- test: Add EnabledForServerVersionRange and Disabled annotation to specify mandatory server version ranges
- test: Replace @DisabledIfServerVersion annotations with @EnabledForServerVersionRange
- test: Remove unused @DisabledIfServerVersion annotation
Dave Cramer (6 commits)
- implement require_auth, this is pretty much how libpq does this
- remove old comment about finalize, guard closed flag with a reentrant lock to protect against concurrent close
- Return jsonb as PGObject fixes Issue #3926
- Update docker scripts so the max_locks_per_transaction is the same in the replica as the primary
- add users to pg_hba.conf file for head for the require_auth tests to pass
- update Changelog and website for release of 42.7.11