Update dependency org.postgresql:postgresql to v42.7.11

[dev-mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
org.postgresql:postgresql (source)	compile	minor	42.6.0 → 42.7.11

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	Vulnerability
Critical	10.0	CVE-2024-1597
High	8.8	CVE-2025-49146
High	8.7	CVE-2026-42198

---

Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server.
  pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins.
  See the Security Advisory for more detail.
  The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior PR #​3895

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres PR #​3966
• chore: upgrade Gradle to v9 PR #​3978

Fixed

• fix: ensure extended protocol messages end with Sync message PR #​3728
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command PR #​3996
• fix: retry with SSL on IOException when sslMode=ALLOW PR #​3973
• fix: make sure the driver honours connectTimeout when retrying the connection PR #​3968
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in PR #​3968
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers PR #​3962
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly PR #​3961
• fix: release COPY lock on IOException to prevent connection hang PR #​3957
• fix: return jsonb as PGObject instead of String PR #​3956
• fix: align SSL key file permission check with libpq PR #​3952
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close PR #​3905

v42.7.10

Changed

• chore: Migrate to Shadow 9 PR 3931
• style: fix empty line before javadoc for checkstyle compliance PR #​3925
• style: fix lambda argument indentation for checkstyle compliance PR #​3922
• test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs PR #​3917

Fixed

• fix: non-standard strings failing test for version 19 PR #​3934
• fix: small issues in ConnectionFactoryImpl PR #​3929
• fix: process pending responses before fastpath to avoid protocol errors PR # 3913
• doc: use.md, fix typos PR #​3911
• doc: datasource.md, fix minor formatting issue PR #​3912
• doc: add the new PGP signing key to the official documentation PR #​3912

Reverted

• Revert "fix: make all Calendar instances proleptic Gregorian (#​3837) (#​3887)" PR #​3932

v42.7.9

Added

• feat: query timeout property PR #​3705
• feat: Add PEMKeyManager to handle PEM based certs and keys PR #​3700

Changed

• perf: optimize PGInterval.getValue() by replacing String.format with StringBuilder
• doc: update property quoteReturningIdentifiers default value PR #​3847
• security: Use a static method forName to load all user supplied classes. Use the Class.forName 3 parameter method and do not initilize it unless it is a subclass of the expected class

Fixed

• fix: incorrect pg_stat_replication.reply_time calculation PR #​3906
• fix: close temporary lob descriptors that are used internally in PreparedStatement#setBlob
• fix: PGXAConnection.prepare(Xid) should return XA_RDONLY if the connection is read only PR #​3897
• fix: make all Calendar instances proleptic Gregorian PR #​3837
• fix: Simplify concurrency guards on QueryExecutorBase#transaction and QueryExecutorBase#standardConformingStrings PR #​3897
• fix: avoid memory leaks in Java <= 21 caused by Thread.inheritedAccessControlContext PR #​3886
• fix: Issue #​3784 pgjdbc can't decode numeric arrays containing special numbers like NaN PR #​3838
• fix: use ssl_is_used() to check for ssl connection PR #​3867
• fix: the classloader is nullable PR #​3907

v42.7.8

Added

• feat: Add configurable boolean-to-numeric conversion for ResultSet getters PR #​3796

Changed

• perf: remove QUERY_ONESHOT flag when calling getMetaData PR #​3783
• perf: use BufferedInputStream with FileInputStream PR #​3750
• perf: enable server-prepared statements for DatabaseMetaData

Fixed

• fix: avoid NullPointerException when cancelling a query if cancel key is not known yet
• fix: Change "PST" timezone in TimestampTest to "Pacific Standard Time" PR #​3774
• fix: traverse the current dimension to get the correct pos in PgArray#calcRemainingDataLength PR #​3746
• fix: make sure getImportedExportedKeys returns columns in consistent order
• fix: Add "SELF_REFERENCING_COL_NAME" field to getTables' ResultSetMetaData to fix NullPointerException PR #​3660
• fix: unable to open replication connection to servers < 12
• fix: avoid closing statement caused by driver's internal ResultSet#close()
• fix: return empty metadata for empty catalog names as it was before
• fix: Incorrect class comparison in PGXmlFactoryFactory validation

v42.7.7

Security

• security: Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.
  Fix channel binding required handling to reject non-SASL authentication
  Previously, when channel binding was set to "require", the driver would silently ignore this
  requirement for non-SASL authentication methods. This could lead to a false sense of security
  when channel binding was explicitly requested but not actually enforced. The fix ensures that when
  channel binding is set to "require", the driver will reject connections that use
  non-SASL authentication methods or when SASL authentication has not completed properly.
  See the Security Advisory for more detail. Reported by George MacKerron
  The following CVE-2025-49146 has been issued

Added

• test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings

v42.7.6

Features

• fix: Enhanced DatabaseMetadata.getIndexInfo() method, added index comment as REMARKS property PR #​3513

Performance Improvements

• performance: Improve ResultSetMetadata.fetchFieldMetaData by using IN row values instead of UNION ALL for improved query performance (later reverted) PR #​3510
• feat:Use a single simple query for all startup parameters, so groupStartupParameters is no longer needed PR #​3613

v42.7.5

Added

• ci: Test with Java 23 PR #​3381

Fixed

• regression: revert change in fc60537 PR #​3476
• fix: PgDatabaseMetaData implementation of catalog as param and return value PR #​3390
• fix: Support default GSS credentials in the Java Postgres client PR #​3451
• fix: return only the transactions accessible by the current_user in XAResource.recover PR #​3450
• feat: don't force send extra_float_digits for PostgreSQL >= 12 fix Issue #​3432 PR #​3446
• fix: exclude "include columns" from the list of primary keys PR #​3434
• perf: Enhance the meta query performance by specifying the oid. PR #​3427
• feat: support getObject(int, byte[].class) for bytea PR #​3274
• docs: document infinity and some minor edits PR #​3407
• fix: Added way to check for major server version, fixed check for RULE PR #​3402
• docs: fixed remaining paragraphs PR #​3398
• docs: fixed paragraphs in javadoc comments PR #​3397
• fix: Reuse buffers and reduce allocations in GSSInputStream addresses Issue #​3251 PR #​3255
• chore: Update Gradle to 8.10.2 PR #​3388
• fix: getSchemas() PR #​3386
• fix: Update rpm postgresql-jdbc.spec.tpl with scram-client PR #​3324
• fix: Clearing thisRow and rowBuffer on close() of ResultSet Issue #​3383 PR #​3384
• fix: Package was renamed to maven-bundle-plugin PR #​3382
• fix: As of version 18 the RULE privilege has been removed PR #​3378
• fix: use buffered inputstream to create GSSInputStream PR #​3373
• test: get rid of 8.4, 9.0 pg versions and use >= jdk version 17 PR #​3372
• Changed docker-compose version and renamed script file in instructions to match the real file name PR #​3363
• test:Do not assume "test" database in DatabaseMetaDataTransactionIsolationTest PR #​3364
• try to categorize dependencies PR #​3362

v42.7.4

Added

• chore: SCRAM dependency to 3.1 and support channel binding PR #​3188
• chore: Add PostgreSQL 15, 16, and 17beta1 to CI tests PR #​3299
• test: Update to 17beta3 PR #​3308
• chore: Implement direct SSL ALPN connections PR #​3252
• translation: Add Korean translation file PR #​3276

Fixed

• fix: PgInterval ignores case for represented interval string PR #​3344
• perf: Avoid extra copies when receiving int4 and int2 in PGStream PR #​3295
• fix: Add support for Infinity::numeric values in ResultSet.getObject PR #​3304
• fix: Ensure order of results for getDouble PR #​3301
• perf: Replace BufferedOutputStream with unsynchronized PgBufferedOutputStream, allow configuring different Java and SO_SNDBUF buffer sizes PR #​3248
• fix: Fix SSL tests PR #​3260
• fix: Support bytea in preferQueryMode=simple PR #​3243
• fix: Fix #​3234 - Return -1 as update count for stored procedure calls PR #​3235
• fix: Fix #​3224 - conversion for TIME '24:00' to LocalTime breaks in binary-mode PR #​3225
• perf: Speed up getDate by parsing bytes instead of String PR #​3141
• fix: support PreparedStatement.setBlob(1, Blob) and PreparedStatement.setClob(1, Clob) for lobs that return -1 for length PR #​3136
• fix: Validates resultset Params in PGStatement constructor. uses assertThro… PR #​3171
• fix: Validates resultset parameters PR #​3167
• docs: Replace greater to with greater than PR #​3315
• docs: Clarify binaryTransfer and prepareThreshold PR #​3338
• docs: use.md, typo PR #​3314
• test: Use docker v2 which changes docker-compose to docker compose #​3339
• refactor: Merge PgPreparedStatement#setBinaryStream int and long methods PR #​3165
• test: Test both binaryMode=true,false when creating connections in DatabaseMetaDataTest PR #​3231
• docs: Fixed typos in all source code and documentations PR #​3242
• chore: Remove self-hosted runner PR #​3227
• docs: Add cancelSignalTimeout in README PR #​3190
• docs: Document READ_ONLY_MODE in README PR #​3175
• test: Test for +/- infinity double values PR #​3294
• test: Switch localhost and auth-test around for test-gss PR #​3343
• fix: remove preDescribe from internalExecuteBatch PR #​2883
• deps: Update dependency om.ongres.scram:scram-client to 3.2

Deprecated

• test: Deprecate all PostgreSQL versions older than 9.1 PR #​3335

v42.7.3

Changed

• chore: gradle config enforces 17+ PR #​3147

Fixed

• fix: boolean types not handled in SimpleQuery mode PR #​3146
  • make sure we handle boolean types in simple query mode
  • support uuid as well
  • handle all well known types in text mode and change else if to switch
• fix: released new versions of 42.2.29, 42.3.10, 42.4.5, 42.5.6, 42.6.2 to deal with NoSuchMethodError on ByteBuffer#position when running on Java 8

v42.7.2

Security

• security: SQL Injection via line comment generation, it is possible in SimpleQuery mode to generate a line comment by having a placeholder for a numeric with a -
  such as -?. There must be second placeholder for a string immediately after. Setting the parameter to a -ve value creates a line comment.
  This has been fixed in this version fixes CVE-2024-1597. Reported by Paul Gerste. See the security advisory for more details. This has been fixed in versions 42.7.2, 42.6.1 42.5.5, 42.4.4, 42.3.9, 42.2.28.jre7. See the security advisory for work arounds.

Changed

• fix: Use simple query for isValid. Using Extended query sends two messages checkConnectionQuery was never ever set or used, removed PR #​3101
• perf: Avoid autoboxing bind indexes by @​bokken in PR #​1244
• refactor: Document that encodePassword will zero out the password array, and remove driver's default encodePassword by @​vlsi in PR #​3084

Added

• feat: Add PasswordUtil for encrypting passwords client side PR #​3082

v42.7.1

Security

Added

• feat: invalidate the prepared-statement cache after CREATE/DROP/ALTER so callers no longer trip on "cached plan must not change result type" without opting into autosave=ALWAYS. Controlled by the new flushCacheOnDdl connection property (default true); set to false for the prior behaviour.
• feat: add connectExecutor connection property to customize the Executor used to run the worker task that performs the connection attempt when loginTimeout is in effect. The value is the fully qualified name of a class implementing java.util.concurrent.Executor. With a null value, the default, the driver retains the prior behavior of running the connection attempt on a daemon thread named "PostgreSQL JDBC driver connection thread". The executor must run the task on a thread other than the caller's. Running the attempt on a named thread lets applications that monitor driver-created threads identify it.
• feat: add connectThreadFactory connection property to customize the ThreadFactory used to spawn the worker thread that runs the connection attempt when loginTimeout is in effect. The value is the fully qualified name of a class implementing java.util.concurrent.ThreadFactory. With a null value, the default, the driver retains the prior behavior of using a daemon thread named "PostgreSQL JDBC driver connection thread". Useful for testing timeout behaviour or for applications that want detailed control of all driver-created threads.
• feat: add classLoaderStrategy connection property to control which classloaders the driver searches when loading a class named by a connection property, for example socketFactory. The default driver-first now falls back to the thread context classloader when the driver's classloader cannot resolve the class, which fixes class loading in non-flat class paths such as Quarkus and OSGi. Set driver to keep the previous driver-classloader-only behaviour, or context-first to prefer the thread context classloader Issue #​2112

Changed

• refactor: the worker that runs the connection attempt under loginTimeout is now a FutureTask (ConnectTask) instead of the hand-rolled ConnectThread. When the caller hits the timeout, the task is now cancelled with cancel(true), which interrupts the worker thread rather than letting it run to completion. This makes the connection attempt interruptible, so loginTimeout can stop a slow connection attempt instead of leaking a thread. As before, a connection that the worker still manages to establish after the caller gives up is closed by the worker so that it does not leak. There are no public API changes and this should only lead to faster background resource cleanup for connections that time out.
• chore: PGXAConnection.ConnectionHandler now rejects setAutoCommit(false) and setSavepoint(...) during an active XA branch, in addition to the long-rejected setAutoCommit(true) / commit() / rollback(). The setSavepoint rejection was already meant to be in place but the guard misspelled the method name as setSavePoint, so savepoints silently went through. Both changes bring the proxy in line with JTA 1.2 §3.4.
• chore: commitPrepared / rollback-of-prepared now return XAER_RMFAIL instead of XAER_RMERR when the underlying connection is left in a non-idle TransactionState. Transaction managers (Geronimo, Narayana, Atomikos) treat XAER_RMFAIL as retryable on a fresh XAResource; the prepared transaction is no longer abandoned.

Fixed

• fix: the driver no longer nulls the contextClassLoader of shared ForkJoinPool.commonPool() worker threads, which previously left unrelated tasks on those threads running with a null classloader Issue #​4155
• fix: getCharacterStream wraps String in StringReader PR #​4063
• fix: PGXAConnection no longer saves and restores the underlying connection's JDBC autoCommit flag. All XA-protocol SQL (BEGIN, PREPARE TRANSACTION, COMMIT, ROLLBACK, COMMIT PREPARED, ROLLBACK PREPARED, the recover() SELECT) is sent through QUERY_SUPPRESS_BEGIN, so the caller's autoCommit value is invariant across every XAResource call. Fixes the "2nd phase commit must be issued using an idle connection" failure during recovery on managed datasources that pool connections with autoCommit=false (TomEE, WildFly, WebSphere Liberty).
• fix: PGXAConnection.prepare() now mutates XA state only after PREPARE TRANSACTION succeeds. A failed PREPARE previously left the driver thinking the branch was already prepared, so the follow-up rollback(xid) tried ROLLBACK PREPARED against a non-existent gid and returned XAER_RMERR. Transaction managers (Narayana) escalated this to HeuristicMixedException. With the fix, rollback(xid) takes the active-branch path and issues a plain ROLLBACK, which the server accepts cleanly. Fixes Issue #​3153, Issue #​3123.

v42.7.0

Changed

• fix: Deprecate for removal PGPoint.setLocation(java.awt.Point) to cut dependency to java.desktop module. PR #​2967
• feat: return all catalogs for getCatalogs metadata query closes ISSUE #​2949 PR #​2953
• feat: support SET statements combining with other queries with semicolon in PreparedStatement PR ##​2973

Fixed

• chore: add styleCheck Gradle task to report style violations PR #​2980
• fix: Include currentXid in "Error rolling back prepared transaction" exception message PR #​2978
• fix: add varbit as a basic type inside the TypeInfoCache PR #​2960
• fix: Fix failing tests for version 16. PR #​2962
• fix: allow setting arrays with ANSI type name PR #​2952
• feat: Use KeepAlive to confirm LSNs PR #​2941
• fix: put double ' around log parameter PR #​2936 fixes ISSUE #​2935
• fix: Fix Issue #​2928 number of ports not equal to number of servers in datasource PR #​2929
• fix: Use canonical DateStyle name (#​2925) fixes pgbouncer issue
• fix: Method getFastLong should be able to parse all longs PR #​2881
• docs: Fix typos in info.html PR #​2860
• fix: Return correct default from PgDatabaseMetaData.getDefaultTransactionIsolation PR #​2992 fixes Issue #​2991
• test: fix assertion in RefCursorFetchTestultFetchSize rows
• test: use try-with-resources in LogicalReplicationStatusTest

---

• If you want to rebase/retry this PR, check this box