Notable changes

Security

• fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
  • Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands.
  • Also adds a new test class ResultSetRefreshTest to verify this change.
  • Reported by Sho Kato

Changed

• chore: skip publishing pgjdbc-osgi-test to Central
• chore: bump Gradle to 7.5
• test: update JUnit to 5.8.2

Added

• chore: added Gradle Wrapper Validation for verifying gradle-wrapper.jar
• chore: added "permissions: contents: read" for GitHub Actions to avoid unintentional modifications by the CI
• chore: support building pgjdbc with Java 17

Notable changes

Changed

• fix: added GROUP_STARTUP_PARAMETERS boolean property to determine whether or not to group startup parameters in a transaction (default=false like 42.2.x) fixes Issue #2425 pgbouncer cannot deal with transactions in statement pooling mode PR #2425

Fixed

• fix: queries with up to 65535 (inclusive) parameters are supported now (previous limit was 32767) PR #2525, Issue #1311
• fix: workaround JarIndex parsing issue by using groupId/artifactId-version directory namings. Regression since 42.2.13. PR #2531, issue #2527
• fix: use Locale.ROOT for toUpperCase() toLowerCase() calls
• doc: add Vladimir Sitnikov's PGP key
• fix: return correct base type for domain from getUDTs PR #2520 Issue #2522
• perf: utcTz static and renamed to UTC_TIMEZONE PR #2519
• doc: fix release version for #2377 (it should be 42.3.6, not 42.3.5)

Notable changes

Changed

Added

Fixed

• fix: close refcursors when underlying cursor==null instead of relying on defaultRowFetchSize PR #2377