Generate changelog (#2431)

davecramer · web-flow · commit 2de239ff6f16 · 2022-02-01T07:42:39.000-05:00
* Generate Changelog

* add detail after author in the author section
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,19 @@ Notable changes since version 42.0.0, read the complete [History of Changes](htt
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
+### Changed
+
+### Added
+
+### Fixed
+
+[42.3.2] (2022-02-01 07:35:41 -0500)
+### Security
+- CVE-2022-21724 pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, 
+sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.
+However, the driver did not verify if the class implements the expected interface before instantiating the class. This
+would allow a malicious class to be instantiated that could execute arbitrary code from the JVM. Fixed in [commit](https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813)
+
 ### Changed
 - perf: read in_hot_standby GUC on connection [PR #2334](https://github.com/pgjdbc/pgjdbc/pull/2334)
 - test: materialized view privileges [PR #2209](https://github.com/pgjdbc/pgjdbc/pull/2209) fixes [Issue #2060](https://github.com/pgjdbc/pgjdbc/issues/2060)
@@ -25,6 +38,7 @@ remove the user and password arguments. Any locations that required those fields
 - perf: read in_hot_standby GUC on connection [PR #2334](https://github.com/pgjdbc/pgjdbc/pull/2334)
 - doc: improv doc around binary decoding of numeric data [#2331](https://github.com/pgjdbc/pgjdbc/pull/2331)
 - Add cert key type checking to chooseClientAlias [PR #2417](https://github.com/pgjdbc/pgjdbc/pull/2417)
+
 ### Added
 - feat: Add authenticationPluginClassName option to provide passwords at runtime
 Adds authenticationPluginClassName connection property that allows end users to specify a class
@@ -35,6 +49,7 @@ This includes direct usage in the GSS authentication code paths that internally
 This allows configuring a connection with a password that must be generated on the fly or periodically changes. [PR #2369](https://github.com/pgjdbc/pgjdbc/pull/2369) original issue [Issue #2102](https://github.com/pgjdbc/pgjdbc/issues/2102)
 - feat: add tcpNoDelay option [PR #2341](https://github.com/pgjdbc/pgjdbc/pull/2341) fixes [Issue #2324](https://github.com/pgjdbc/pgjdbc/issues/2324)
 - feat: pg_service.conf and .pgpass support (jdbc:postgresql://?service=my-service) [PR #2260](https://github.com/pgjdbc/pgjdbc/pull/2260) fixes [Issue #2278](https://github.com/pgjdbc/pgjdbc/issues/2278)
+
 ### Fixed
 - Use local TimestampUtil in PgStatement and PgResultset for thread safety [PR #2291](https://github.com/pgjdbc/pgjdbc/pull/2291)
   fixes [Issue #921](https://github.com/pgjdbc/pgjdbc/issues/921) synchronize modification of shared calendar
@@ -608,4 +623,5 @@ thrown to caller to be dealt with so no need to log at this verbosity by pgjdbc
 [42.2.24]: https://github.com/pgjdbc/pgjdbc/compare/REL42.2.23...REL42.2.24
 [42.3.0]: https://github.com/pgjdbc/pgjdbc/compare/REL42.2.24...REL42.3.1
 [42.3.1]: https://github.com/pgjdbc/pgjdbc/compare/REL42.3.0...REL42.3.1
-[Unreleased]: https://github.com/pgjdbc/pgjdbc/compare/REL42.3.1...HEAD
+[42.3.1]: https://github.com/pgjdbc/pgjdbc/compare/REL42.3.1...REL42.3.2
+[Unreleased]: https://github.com/pgjdbc/pgjdbc/compare/REL42.3.2...HEAD
diff --git a/contributors.json b/contributors.json
@@ -180,5 +180,14 @@
    "Álvaro Hernández Tortosa" : "https://github.com/ahachete",
    "Árpád Magosányi" : "https://github.com/magwas",
    "Étienne BERSAC" : "https://github.com/bersace",
-   "吴伟杰" : "https://github.com/TeslaCN"
+   "吴伟杰" : "https://github.com/TeslaCN",
+   "Andrei Paikin" : "andreypaykin@gmail.com",
+   "JoelRabinovitch" : "joel.rabinovitch@tecsys.com",
+   "Marek Läll" : "42849684+MarekUniq@users.noreply.github.com",
+   "Mark Grobaker" : "5614366+mgrobaker@users.noreply.github.com",
+   "Michał Wyrzykowski" : "w.michal1@gmail.com",
+   "Nick Burgan" : "13688219+nmburgan@users.noreply.github.com",
+   "Sergey Prytkov" : "shallowstack@gmail.com",
+   "Zuzana Miklankova" : "90186537+zmiklank@users.noreply.github.com",
+   "marcmuel" : "marcus.mueller@schwarz-infosysteme.de"
 }
diff --git a/docs/_posts/2022-02-01-42.3.2-release.md b/docs/_posts/2022-02-01-42.3.2-release.md
@@ -0,0 +1,154 @@
+---
+title:  PostgreSQL JDBC Driver 42.3.2 Released
+date:   2022-02-01 07:35:28 -0500
+categories:
+    - new_release
+version: 42.3.2
+---
+**Notable changes**
+### Security
+- CVE-2022-21724 pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName,
+  sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.
+  However, the driver did not verify if the class implements the expected interface before instantiating the class. This
+  would allow a malicious class to be instantiated that could execute arbitrary code from the JVM. Fixed in [commit](https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813)
+
+### Changed
+- perf: read in_hot_standby GUC on connection [PR #2334](https://github.com/pgjdbc/pgjdbc/pull/2334)
+- test: materialized view privileges [PR #2209](https://github.com/pgjdbc/pgjdbc/pull/2209) fixes [Issue #2060](https://github.com/pgjdbc/pgjdbc/issues/2060)
+- docs: add info about convenience maven project [PR #2407](https://github.com/pgjdbc/pgjdbc/pull/2407)
+- docs: Document timezone reversal from POSIX to ISO [PR #2413](https://github.com/pgjdbc/pgjdbc/pull/2413)
+- fix: we will ask the server if it supports GSS Encryption if gssEncryption 
+is prefer or require [PR #2396](https://github.com/pgjdbc/pgjdbc/pull/2396) remove the need to have a ticket in the cache before asking the server if gss encryptions are supported
+- docs: remove Java 6 and 7 references from contributing [PR #2385](https://github.com/pgjdbc/pgjdbc/pull/2385)
+- style: remove Java 8 / JDBC 4.2 checks [PR #2383](https://github.com/pgjdbc/pgjdbc/pull/2383) Remove all remaining checks whether the source is lower than Java 8
+or JDBC 4.2.
+- fix: throw SQLException for #getBoolean BIT(>1) [PR #2386](https://github.com/pgjdbc/pgjdbc/pull/2386) Throw SQLException instead of ClassCastException when calling
+CallableStatement#getBoolean(int) on BIT(>1).
+- style: import java.time types in more classes [PR #2382](https://github.com/pgjdbc/pgjdbc/pull/2382) Use imports for java.time types in all remaining classes.
+- style: import java.time types in TimestampUtils [PR #2380](https://github.com/pgjdbc/pgjdbc/pull/2380) Use imports for java.time types in TimestampUtils.
+- refactor: Change internal constructors to pass only connection Properties
+Changes internal constructors for PgConnection and related classes to only accept the connection properties object and 
+remove the user and password arguments. Any locations that required those fields can retrieve them from the properties map.
+- test: Fix DatabaseMetadataTest to perform mview tests only on 9.3+
+- perf: read in_hot_standby GUC on connection [PR #2334](https://github.com/pgjdbc/pgjdbc/pull/2334)
+- doc: improv doc around binary decoding of numeric data [#2331](https://github.com/pgjdbc/pgjdbc/pull/2331)
+- Add cert key type checking to chooseClientAlias [PR #2417](https://github.com/pgjdbc/pgjdbc/pull/2417)
+
+### Added
+- feat: Add authenticationPluginClassName option to provide passwords at runtime
+Adds authenticationPluginClassName connection property that allows end users to specify a class
+that will provide the connection passwords at runtime. Users implementing that interface must
+ensure that each invocation of the method provides a new char[] array as the contents
+will be filled with zeroes by the driver after use.Call sites within the driver have been updated to use the char[] directly wherever possible.
+This includes direct usage in the GSS authentication code paths that internally were already converting the String password into a char[] for internal usage.
+This allows configuring a connection with a password that must be generated on the fly or periodically changes. [PR #2369](https://github.com/pgjdbc/pgjdbc/pull/2369) original issue [Issue #2102](https://github.com/pgjdbc/pgjdbc/issues/2102)
+- feat: add tcpNoDelay option [PR #2341](https://github.com/pgjdbc/pgjdbc/pull/2341) fixes [Issue #2324](https://github.com/pgjdbc/pgjdbc/issues/2324)
+- feat: pg_service.conf and .pgpass support (jdbc:postgresql://?service=my-service) [PR #2260](https://github.com/pgjdbc/pgjdbc/pull/2260) fixes [Issue #2278](https://github.com/pgjdbc/pgjdbc/issues/2278)
+
+### Fixed
+- Use local TimestampUtil in PgStatement and PgResultset for thread safety [PR #2291](https://github.com/pgjdbc/pgjdbc/pull/2291)
+  fixes [Issue #921](https://github.com/pgjdbc/pgjdbc/issues/921) synchronize modification of shared calendar
+- fix: PgObject isNull() was reporting the opposite fixes [Issue #2411](https://github.com/pgjdbc/pgjdbc/issues/2411) [PR #2414](https://github.com/pgjdbc/pgjdbc/pull/2414)
+- fix: default file name is ".pg_service.conf" on Windows (not "pg_service.conf") [PR #2398](https://github.com/pgjdbc/pgjdbc/pull/2398) fixes [Issue #2278](https://github.com/pgjdbc/pgjdbc/issues/2278)
+- test: Fix RefCursorFetchTest on older platforms
+- fix: do not close refcursor after reading if fetchsize has been set fixes [Issue #2227](https://github.com/pgjdbc/pgjdbc/issues/2227) [PR #2371](https://github.com/pgjdbc/pgjdbc/pull/2371)
+- fix: rework gss authentication to use the principal name to get the credentials fixes [Issue #2235](https://github.com/pgjdbc/pgjdbc/issues/2235) [PR #2352](https://github.com/pgjdbc/pgjdbc/pull/2352)
+- fix: return getIndexInfo metadata columns in UPPER CASE [PR #2368](https://github.com/pgjdbc/pgjdbc/pull/2368)
+- fix: Connection leak in ConnectionFactoryImpl#tryConnect [PR #2350](https://github.com/pgjdbc/pgjdbc/pull/2350) [Issue #2351](https://github.com/pgjdbc/pgjdbc/issues/2351)
+- fix: Fix For IS_AUTOGENERATED Flag [PR #2348](https://github.com/pgjdbc/pgjdbc/pull/2348)
+- fix: parsing service file tests for windows [PR #2347](https://github.com/pgjdbc/pgjdbc/pull/2347)
+- fix: The spec says that calling close() on a closed connection is a noop. [PR #2345](https://github.com/pgjdbc/pgjdbc/pull/2345) fixes [Issue #2300](https://github.com/pgjdbc/pgjdbc/issues/2300)
+- fix: add microsecond precision to getTimestamp() called on sql TIME(6) Currently, "when fetching a value of type TIME(6) through
+resultSet.getTimestamp() only ms precision is retained, the microsecond fractional digits are lost." This change will retain the microsecond
+precision when .getTimestamp() is called on TIME(6). [PR #2181](https://github.com/pgjdbc/pgjdbc/pull/2181) Closes [Issue #1537](https://github.com/pgjdbc/pgjdbc/issues/1537)
+- test: materialized view privileges [PR #2209](https://github.com/pgjdbc/pgjdbc/pull/2209) add and drop a materialized view
+Add to TestUtil and also to DatabaseMetaData setup and teardown fixes [Issue #2060](https://github.com/pgjdbc/pgjdbc/issues/2060)
+- fix: typo in connect.md [PR #2338](https://github.com/pgjdbc/pgjdbc/pull/2238) `OutOfMemoryException` => `OutOfMemoryError`
+- fix: use local TimestampUtil in PgStatement and PgResultset for thread
+safety TimestampUtil is not thread safe. It raises exceptions when multiple threads use ResultSets of one connection. [PR #2291](https://github.com/pgjdbc/pgjdbc/pull/2291) 
+fixes [Issue #921](https://github.com/pgjdbc/pgjdbc/issues/921)
+If PgStatement and PgResultSet use their own TimestampUtil no synchronize is needed.
+- fix: typo in CONTRIBUTING.md [PR #2332](https://github.com/pgjdbc/pgjdbc/pull/2332) seccion => section
+
+<!--more-->
+
+**Commits by author**
+
+Andrei Paikin (1):
+      minor: fix checkstyle violations for empty lines in enum [PR 2426](https://github.com/pgjdbc/pgjdbc/pull/2426)
+
+Brett Okken (1):
+      doc: improv doc around binary decoding of numeric data [PR 2331](https://github.com/pgjdbc/pgjdbc/pull/2331)
+
+Dave Cramer (21):
+      move comment to appropriate place and add explanation [PR 2336](https://github.com/pgjdbc/pgjdbc/pull/2336)
+      bump version in readme and gradle.properties [PR 2335](https://github.com/pgjdbc/pgjdbc/pull/2335)
+      add entries for latest changes [PR 2339](https://github.com/pgjdbc/pgjdbc/pull/2339)
+      Ms goodman time gettimestamp micros [PR 2181](https://github.com/pgjdbc/pgjdbc/pull/2181)
+      add TCP No Delay option fixes Issue [PR 2324](https://github.com/pgjdbc/pgjdbc/pull/2324) (#2341)
+      fix Issue [PR 2300](https://github.com/pgjdbc/pgjdbc/pull/2300). The spec says that calling close() on a closed connection is a noop. (#2345)
+      fix: parsing service file tests for windows [PR 2347](https://github.com/pgjdbc/pgjdbc/pull/2347)
+      fix: return getIndexInfo metadata columns in UPPER CASE [PR 2368](https://github.com/pgjdbc/pgjdbc/pull/2368)
+      fix: rework gss authentication to use the principal name to get the credentials fixes Issue [PR 2235](https://github.com/pgjdbc/pgjdbc/pull/2235) (#2352)
+      Removed unsafe package and native kerberos ticket check [PR 2363](https://github.com/pgjdbc/pgjdbc/pull/2363)
+      log4jmessage [PR 2370](https://github.com/pgjdbc/pgjdbc/pull/2370)
+      Put back GSSCallbackHandler. Avoid using forbidden api [PR 2373](https://github.com/pgjdbc/pgjdbc/pull/2373)
+      fix: do not close refcursor after reading if fetchsize has been set fixes ISSUE [PR 2227](https://github.com/pgjdbc/pgjdbc/pull/2227) (#2371)
+      perf: add read(b,o,l) to BlobInputStream [PR 2376](https://github.com/pgjdbc/pgjdbc/pull/2376)
+      change the default directory returned on windows to APPDATA/postgresql since that is what we end up using anyway [PR 2402](https://github.com/pgjdbc/pgjdbc/pull/2402)
+      fix: we will ask the server if it supports GSS Encryption if gssEncryption is prefer or require [PR 2396](https://github.com/pgjdbc/pgjdbc/pull/2396)
+      docs: Document timezone reversal from POSIX to ISO [PR 2413](https://github.com/pgjdbc/pgjdbc/pull/2413)
+      fix: PgObject isNull() was reporting the opposite fixes Issue [PR 2411](https://github.com/pgjdbc/pgjdbc/pull/2411) (#2414)
+      remove skipjre6 and skipjre7 [PR 2415](https://github.com/pgjdbc/pgjdbc/pull/2415)
+      Revert "perf: add read(b,o,l) to BlobInputStream [PR 2376](https://github.com/pgjdbc/pgjdbc/pull/2376)" (#2422)
+      Changelog42.3.2 [PR 2418](https://github.com/pgjdbc/pgjdbc/pull/2418)
+
+JoelRabinovitch (1):
+      fixForIsAutoGenerated Fix For IS_AUTOGENERATED Flag [PR 2348](https://github.com/pgjdbc/pgjdbc/pull/2348)
+
+Marek Läll (2):
+      Issue 2278 ; jdbc:postgresql://?service= ; pg_service.conf ; .pgpass [PR 2282](https://github.com/pgjdbc/pgjdbc/pull/2282)
+      fix: default file name is ".pg_service.conf" on Windows (not "pg_service.conf") [PR 2398](https://github.com/pgjdbc/pgjdbc/pull/2398)
+
+Mark Grobaker (1):
+      test: materialized view privileges [PR 2209](https://github.com/pgjdbc/pgjdbc/pull/2209)
+
+Michał Wyrzykowski (1):
+      fix: Connection leak in ConnectionFactoryImpl#tryConnect [PR 2350](https://github.com/pgjdbc/pgjdbc/pull/2350) (#2351)
+
+Nick Burgan (1):
+      Add cert key type checking to chooseClientAlias [PR 2417](https://github.com/pgjdbc/pgjdbc/pull/2417)
+
+Philippe Marschall (6):
+      style: fix typos in pgobject javadoc [PR 2379](https://github.com/pgjdbc/pgjdbc/pull/2379)
+      style: import java.time types in TimestampUtils [PR 2380](https://github.com/pgjdbc/pgjdbc/pull/2380)
+      style: import java.time types in more classes [PR 2382](https://github.com/pgjdbc/pgjdbc/pull/2382)
+      fix: throw SQLException for #getBoolean BIT(>1) [PR 2386](https://github.com/pgjdbc/pgjdbc/pull/2386)
+      style: remove Java 8 / JDBC 4.2 checks [PR 2383](https://github.com/pgjdbc/pgjdbc/pull/2383)
+      docs: remove Java 6 and 7 references from contributing [PR 2385](https://github.com/pgjdbc/pgjdbc/pull/2385)
+
+Sehrope Sarkuni (9):
+      feat: Change AuthenticationPlugin interface to use char[] rather than String [PR 2420](https://github.com/pgjdbc/pgjdbc/pull/2420)
+      test: Disable no-arg callable statement tests in simple query mode [PR 2419](https://github.com/pgjdbc/pgjdbc/pull/2419)
+      test: Remove extra catch-fail in RefCursorFetchTest [PR 2391](https://github.com/pgjdbc/pgjdbc/pull/2391)
+      test: Fix RefCursorFetchTest on older platforms [PR 2391](https://github.com/pgjdbc/pgjdbc/pull/2391)
+      feat: Add authenticationPluginClassName option to provide passwords at runtime [PR 2369](https://github.com/pgjdbc/pgjdbc/pull/2369)
+      test: Add TestUtil.assumeHaveMinimumServerVersion(...) helper [PR 2369](https://github.com/pgjdbc/pgjdbc/pull/2369)
+      refactor: Change internal constructors to pass only connection Properties [PR 2369](https://github.com/pgjdbc/pgjdbc/pull/2369)
+      refactor: Use multi-catch for exceptions in ConnectionFactoryImpl [PR 2369](https://github.com/pgjdbc/pgjdbc/pull/2369)
+      test: Fix DatabaseMetadataTest to perform mview tests only on 9.3+ [PR 2340](https://github.com/pgjdbc/pgjdbc/pull/2340)
+
+Sergey Nuyanzin (4):
+      [typo] typo in CONTRIBUTING.md [PR 2332](https://github.com/pgjdbc/pgjdbc/pull/2332)
+      [typo] in connect.md [PR 2338](https://github.com/pgjdbc/pgjdbc/pull/2338)
+      Misprint in messages_ru.java [PR 2358](https://github.com/pgjdbc/pgjdbc/pull/2358)
+
+Sergey Prytkov (1):
+      perf: read in_hot_standby GUC on connection [PR 2334](https://github.com/pgjdbc/pgjdbc/pull/2334)
+
+Zuzana Miklankova (1):
+      docs: add info about convenience maven project [PR 2407](https://github.com/pgjdbc/pgjdbc/pull/2407)
+
+marcmuel (1):
+      fix: use local TimestampUtil in PgStatement and PgResultset for thread safety [PR 2291](https://github.com/pgjdbc/pgjdbc/pull/2291)
+
