fix(deps): update dependency org.postgresql:postgresql to v42.7.11

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.postgresql:postgresql (source)	42.7.3 → 42.7.11

---

Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server.
  pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins.
  See the Security Advisory for more detail.
  The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior PR #​3895

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres PR #​3966
• chore: upgrade Gradle to v9 PR #​3978

Fixed

• fix: ensure extended protocol messages end with Sync message PR #​3728
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command PR #​3996
• fix: retry with SSL on IOException when sslMode=ALLOW PR #​3973
• fix: make sure the driver honours connectTimeout when retrying the connection PR #​3968
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in PR #​3968
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers PR #​3962
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly PR #​3961
• fix: release COPY lock on IOException to prevent connection hang PR #​3957
• fix: return jsonb as PGObject instead of String PR #​3956
• fix: align SSL key file permission check with libpq PR #​3952
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close PR #​3905

v42.7.10

Changed

• chore: Migrate to Shadow 9 PR 3931
• style: fix empty line before javadoc for checkstyle compliance PR #​3925
• style: fix lambda argument indentation for checkstyle compliance PR #​3922
• test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs PR #​3917

Fixed

• fix: non-standard strings failing test for version 19 PR #​3934
• fix: small issues in ConnectionFactoryImpl PR #​3929
• fix: process pending responses before fastpath to avoid protocol errors PR # 3913
• doc: use.md, fix typos PR #​3911
• doc: datasource.md, fix minor formatting issue PR #​3912
• doc: add the new PGP signing key to the official documentation PR #​3912

Reverted

• Revert "fix: make all Calendar instances proleptic Gregorian (#​3837) (#​3887)" PR #​3932

v42.7.9

Added

• feat: query timeout property PR #​3705
• feat: Add PEMKeyManager to handle PEM based certs and keys PR #​3700

Changed

• perf: optimize PGInterval.getValue() by replacing String.format with StringBuilder
• doc: update property quoteReturningIdentifiers default value PR #​3847
• security: Use a static method forName to load all user supplied classes. Use the Class.forName 3 parameter method and do not initilize it unless it is a subclass of the expected class

Fixed

• fix: incorrect pg_stat_replication.reply_time calculation PR #​3906
• fix: close temporary lob descriptors that are used internally in PreparedStatement#setBlob
• fix: PGXAConnection.prepare(Xid) should return XA_RDONLY if the connection is read only PR #​3897
• fix: make all Calendar instances proleptic Gregorian PR #​3837
• fix: Simplify concurrency guards on QueryExecutorBase#transaction and QueryExecutorBase#standardConformingStrings PR #​3897
• fix: avoid memory leaks in Java <= 21 caused by Thread.inheritedAccessControlContext PR #​3886
• fix: Issue #​3784 pgjdbc can't decode numeric arrays containing special numbers like NaN PR #​3838
• fix: use ssl_is_used() to check for ssl connection PR #​3867
• fix: the classloader is nullable PR #​3907

v42.7.8

Added

• feat: Add configurable boolean-to-numeric conversion for ResultSet getters PR #​3796

Changed

• perf: remove QUERY_ONESHOT flag when calling getMetaData PR #​3783
• perf: use BufferedInputStream with FileInputStream PR #​3750
• perf: enable server-prepared statements for DatabaseMetaData

Fixed

• fix: avoid NullPointerException when cancelling a query if cancel key is not known yet
• fix: Change "PST" timezone in TimestampTest to "Pacific Standard Time" PR #​3774
• fix: traverse the current dimension to get the correct pos in PgArray#calcRemainingDataLength PR #​3746
• fix: make sure getImportedExportedKeys returns columns in consistent order
• fix: Add "SELF_REFERENCING_COL_NAME" field to getTables' ResultSetMetaData to fix NullPointerException PR #​3660
• fix: unable to open replication connection to servers < 12
• fix: avoid closing statement caused by driver's internal ResultSet#close()
• fix: return empty metadata for empty catalog names as it was before
• fix: Incorrect class comparison in PGXmlFactoryFactory validation

v42.7.7

Security

• security: Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.
  Fix channel binding required handling to reject non-SASL authentication
  Previously, when channel binding was set to "require", the driver would silently ignore this
  requirement for non-SASL authentication methods. This could lead to a false sense of security
  when channel binding was explicitly requested but not actually enforced. The fix ensures that when
  channel binding is set to "require", the driver will reject connections that use
  non-SASL authentication methods or when SASL authentication has not completed properly.
  See the Security Advisory for more detail. Reported by George MacKerron
  The following CVE-2025-49146 has been issued

Added

• test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings

v42.7.6

Features

• fix: Enhanced DatabaseMetadata.getIndexInfo() method, added index comment as REMARKS property PR #​3513

Performance Improvements

• performance: Improve ResultSetMetadata.fetchFieldMetaData by using IN row values instead of UNION ALL for improved query performance (later reverted) PR #​3510
• feat:Use a single simple query for all startup parameters, so groupStartupParameters is no longer needed PR #​3613

v42.7.5

Added

• ci: Test with Java 23 PR #​3381

Fixed

• regression: revert change in fc60537 PR #​3476
• fix: PgDatabaseMetaData implementation of catalog as param and return value PR #​3390
• fix: Support default GSS credentials in the Java Postgres client PR #​3451
• fix: return only the transactions accessible by the current_user in XAResource.recover PR #​3450
• feat: don't force send extra_float_digits for PostgreSQL >= 12 fix Issue #​3432 PR #​3446
• fix: exclude "include columns" from the list of primary keys PR #​3434
• perf: Enhance the meta query performance by specifying the oid. PR #​3427
• feat: support getObject(int, byte[].class) for bytea PR #​3274
• docs: document infinity and some minor edits PR #​3407
• fix: Added way to check for major server version, fixed check for RULE PR #​3402
• docs: fixed remaining paragraphs PR #​3398
• docs: fixed paragraphs in javadoc comments PR #​3397
• fix: Reuse buffers and reduce allocations in GSSInputStream addresses Issue #​3251 PR #​3255
• chore: Update Gradle to 8.10.2 PR #​3388
• fix: getSchemas() PR #​3386
• fix: Update rpm postgresql-jdbc.spec.tpl with scram-client PR #​3324
• fix: Clearing thisRow and rowBuffer on close() of ResultSet Issue #​3383 PR #​3384
• fix: Package was renamed to maven-bundle-plugin PR #​3382
• fix: As of version 18 the RULE privilege has been removed PR #​3378
• fix: use buffered inputstream to create GSSInputStream PR #​3373
• test: get rid of 8.4, 9.0 pg versions and use >= jdk version 17 PR #​3372
• Changed docker-compose version and renamed script file in instructions to match the real file name PR #​3363
• test:Do not assume "test" database in DatabaseMetaDataTransactionIsolationTest PR #​3364
• try to categorize dependencies PR #​3362

v42.7.4

Added

• chore: SCRAM dependency to 3.1 and support channel binding PR #​3188
• chore: Add PostgreSQL 15, 16, and 17beta1 to CI tests PR #​3299
• test: Update to 17beta3 PR #​3308
• chore: Implement direct SSL ALPN connections PR #​3252
• translation: Add Korean translation file PR #​3276

Fixed

• fix: PgInterval ignores case for represented interval string PR #​3344
• perf: Avoid extra copies when receiving int4 and int2 in PGStream PR #​3295
• fix: Add support for Infinity::numeric values in ResultSet.getObject PR #​3304
• fix: Ensure order of results for getDouble PR #​3301
• perf: Replace BufferedOutputStream with unsynchronized PgBufferedOutputStream, allow configuring different Java and SO_SNDBUF buffer sizes PR #​3248
• fix: Fix SSL tests PR #​3260
• fix: Support bytea in preferQueryMode=simple PR #​3243
• fix: Fix #​3234 - Return -1 as update count for stored procedure calls PR #​3235
• fix: Fix #​3224 - conversion for TIME '24:00' to LocalTime breaks in binary-mode PR #​3225
• perf: Speed up getDate by parsing bytes instead of String PR #​3141
• fix: support PreparedStatement.setBlob(1, Blob) and PreparedStatement.setClob(1, Clob) for lobs that return -1 for length PR #​3136
• fix: Validates resultset Params in PGStatement constructor. uses assertThro… PR #​3171
• fix: Validates resultset parameters PR #​3167
• docs: Replace greater to with greater than PR #​3315
• docs: Clarify binaryTransfer and prepareThreshold PR #​3338
• docs: use.md, typo PR #​3314
• test: Use docker v2 which changes docker-compose to docker compose #​3339
• refactor: Merge PgPreparedStatement#setBinaryStream int and long methods PR #​3165
• test: Test both binaryMode=true,false when creating connections in DatabaseMetaDataTest PR #​3231
• docs: Fixed typos in all source code and documentations PR #​3242
• chore: Remove self-hosted runner PR #​3227
• docs: Add cancelSignalTimeout in README PR #​3190
• docs: Document READ_ONLY_MODE in README PR #​3175
• test: Test for +/- infinity double values PR #​3294
• test: Switch localhost and auth-test around for test-gss PR #​3343
• fix: remove preDescribe from internalExecuteBatch PR #​2883
• deps: Update dependency om.ongres.scram:scram-client to 3.2

Deprecated

• test: Deprecate all PostgreSQL versions older than 9.1 PR #​3335

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.