Notable Changes
Notable changes
Security
- security: SQL Injection via line comment generation, it is possible in
SimpleQuerymode to generate a line comment by having a placeholder for a numeric with a-such as-?. There must be second placeholder for a string immediately after. Setting the parameter to a -ve value creates a line comment. This has been fixed in this version fixes CVE-2024-1597 . Reported by Paul Gerste . See the security advisory for more details. This has been fixed in versions 42.7.2, 42.6.1 42.5.5, 42.4.4, 42.3.9, 42.2.28.jre7. See the security advisory for work arounds.
Changed
- fix: Use simple query for isValid. Using Extended query sends two messages checkConnectionQuery was never ever set or used, removed PR #3101
- perf: Avoid autoboxing bind indexes PR #1244
- refactor: Document that encodePassword will zero out the password array, and remove driver’s default encodePassword PR #3084
Added
- feat: Add PasswordUtil for encrypting passwords client side PR #3082
Commits by author
Vladimir Sitnikov (1): refactor: Document that encodePassword will zero out the password array, and remove driver’s default encodePassword PR #3084
Brett Okken (1): perf: Avoid autoboxing bind indexes PR #1244
Dave Cramer (1):
- fix: Apply connectTimeout before SSLSocket.startHandshake to avoid infinite wait in case the connection is broken PR #3040
Sehrope Sarkini (1):
- feat: Add PasswordUtil for encrypting passwords client side PR #3082