Notable Changes

Notable changes

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server. pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins. See the Security Advisory for more detail. The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior PR #3895

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres PR #3966
• chore: upgrade Gradle to v9 PR #3978

Fixed

• fix: ensure extended protocol messages end with Sync message PR #3728
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command PR #3996
• fix: retry with SSL on IOException when sslMode=ALLOW PR #3973
• fix: make sure the driver honours connectTimeout when retrying the connection PR #3968
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in PR #3968
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers PR #3962
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly PR #3961
• fix: release COPY lock on IOException to prevent connection hang PR #3957
• fix: return jsonb as PGObject instead of String PR #3956
• fix: align SSL key file permission check with libpq PR #3952
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close PR #3905

Commits by author

Dave Cramer (5 commits)

• implement require_auth, this is pretty much how libpq does this
• Return jsonb as PGObject fixes Issue #3926
• remove old comment about finalize, guard closed flag with a reentrant lock to protect against concurrent close
• add users to pg_hba.conf file for head for the require_auth tests to pass
• Update docker scripts

Vladimir Sitnikov (18 commits)

• fix: ensure extended protocol messages end with Sync message
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command
• fix: retry with SSL on IOException when sslMode=ALLOW
• fix: make sure the driver honours connectTimeout when retrying the connection
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers
• fix: use compareTo for LogSequenceNumber comparison
• fix: release COPY lock on IOException to prevent connection hang
• fix: fix flaky CopyBothResponseTest by using WAL flush LSN
• fix: fix flaky replication restart tests by waiting for confirmed_flush_lsn
• chore: replace Appveyor with ikalnytskyi/action-setup-postgres

Sehrope Sarkuni (7 commits)

• fix: Limit SCRAM PBKDF2 iterations accepted from the server
• Fix scram fix location in changelog and update published artifact developer list
• test: Add EnabledForServerVersionRange and Disabled annotation to specify mandatory server version ranges
• test: Add SCRAM max iteration tests

Harinath Kanchu (1 commit)

• ssl: align key file permission check with libpq

Emmanuel Oppong (1 commit)

• docs: add SCRAM authentication test setup section to TESTING.md