Update dependency org.postgresql:postgresql to v42.7.11

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.postgresql:postgresql (source)	42.7.5 → 42.7.11

---

Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.7.11

Security

• fix: Limit SCRAM PBKDF2 iterations accepted from the server.
  pgjdbc was vulnerable to a client-side denial of service in SCRAM-SHA-256 authentication, where a malicious or compromised PostgreSQL server could specify an extremely large PBKDF2 iteration count, causing the client to consume unbounded CPU and potentially exhaust connection pools. The fix introduces a new scramMaxIterations connection property (defaulting to 100,000) to cap iteration counts before computation begins.
  See the Security Advisory for more detail.
  The following CVE-2026-42198 has been issued.

Added

• feat: implement require_auth connection property, aligning with libpq behavior PR #​3895

Changed

• chore: replace Appveyor CI with ikalnytskyi/action-setup-postgres PR #​3966
• chore: upgrade Gradle to v9 PR #​3978

Fixed

• fix: ensure extended protocol messages end with Sync message PR #​3728
• fix: enable cursor-based fetching in extended protocol when transaction started via SQL command PR #​3996
• fix: retry with SSL on IOException when sslMode=ALLOW PR #​3973
• fix: make sure the driver honours connectTimeout when retrying the connection PR #​3968
• fix: allow fallback to non-SSL connection when sslMode=prefer and sslResponseTimeout kicks in PR #​3968
• fix: catch SecurityException from setContextClassLoader on ForkJoinPool workers PR #​3962
• fix: use compareTo for LogSequenceNumber comparison to handle unsigned values correctly PR #​3961
• fix: release COPY lock on IOException to prevent connection hang PR #​3957
• fix: return jsonb as PGObject instead of String PR #​3956
• fix: align SSL key file permission check with libpq PR #​3952
• fix: guard connection closed flag with a reentrant lock to protect against concurrent close PR #​3905

v42.7.10

Changed

• chore: Migrate to Shadow 9 PR 3931
• style: fix empty line before javadoc for checkstyle compliance PR #​3925
• style: fix lambda argument indentation for checkstyle compliance PR #​3922
• test: add autosave=always|never|conservative and cleanupSavepoints=true|false to the randomized CI jobs PR #​3917

Fixed

• fix: non-standard strings failing test for version 19 PR #​3934
• fix: small issues in ConnectionFactoryImpl PR #​3929
• fix: process pending responses before fastpath to avoid protocol errors PR # 3913
• doc: use.md, fix typos PR #​3911
• doc: datasource.md, fix minor formatting issue PR #​3912
• doc: add the new PGP signing key to the official documentation PR #​3912

Reverted

• Revert "fix: make all Calendar instances proleptic Gregorian (#​3837) (#​3887)" PR #​3932

v42.7.9

Added

• feat: query timeout property PR #​3705
• feat: Add PEMKeyManager to handle PEM based certs and keys PR #​3700

Changed

• perf: optimize PGInterval.getValue() by replacing String.format with StringBuilder
• doc: update property quoteReturningIdentifiers default value PR #​3847
• security: Use a static method forName to load all user supplied classes. Use the Class.forName 3 parameter method and do not initilize it unless it is a subclass of the expected class

Fixed

• fix: incorrect pg_stat_replication.reply_time calculation PR #​3906
• fix: close temporary lob descriptors that are used internally in PreparedStatement#setBlob
• fix: PGXAConnection.prepare(Xid) should return XA_RDONLY if the connection is read only PR #​3897
• fix: make all Calendar instances proleptic Gregorian PR #​3837
• fix: Simplify concurrency guards on QueryExecutorBase#transaction and QueryExecutorBase#standardConformingStrings PR #​3897
• fix: avoid memory leaks in Java <= 21 caused by Thread.inheritedAccessControlContext PR #​3886
• fix: Issue #​3784 pgjdbc can't decode numeric arrays containing special numbers like NaN PR #​3838
• fix: use ssl_is_used() to check for ssl connection PR #​3867
• fix: the classloader is nullable PR #​3907

v42.7.8

Added

• feat: Add configurable boolean-to-numeric conversion for ResultSet getters PR #​3796

Changed

• perf: remove QUERY_ONESHOT flag when calling getMetaData PR #​3783
• perf: use BufferedInputStream with FileInputStream PR #​3750
• perf: enable server-prepared statements for DatabaseMetaData

Fixed

• fix: avoid NullPointerException when cancelling a query if cancel key is not known yet
• fix: Change "PST" timezone in TimestampTest to "Pacific Standard Time" PR #​3774
• fix: traverse the current dimension to get the correct pos in PgArray#calcRemainingDataLength PR #​3746
• fix: make sure getImportedExportedKeys returns columns in consistent order
• fix: Add "SELF_REFERENCING_COL_NAME" field to getTables' ResultSetMetaData to fix NullPointerException PR #​3660
• fix: unable to open replication connection to servers < 12
• fix: avoid closing statement caused by driver's internal ResultSet#close()
• fix: return empty metadata for empty catalog names as it was before
• fix: Incorrect class comparison in PGXmlFactoryFactory validation

v42.7.7

Security

• security: Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.
  Fix channel binding required handling to reject non-SASL authentication
  Previously, when channel binding was set to "require", the driver would silently ignore this
  requirement for non-SASL authentication methods. This could lead to a false sense of security
  when channel binding was explicitly requested but not actually enforced. The fix ensures that when
  channel binding is set to "require", the driver will reject connections that use
  non-SASL authentication methods or when SASL authentication has not completed properly.
  See the Security Advisory for more detail. Reported by George MacKerron
  The following CVE-2025-49146 has been issued

Added

• test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings

v42.7.6

Features

• fix: Enhanced DatabaseMetadata.getIndexInfo() method, added index comment as REMARKS property PR #​3513

Performance Improvements

• performance: Improve ResultSetMetadata.fetchFieldMetaData by using IN row values instead of UNION ALL for improved query performance (later reverted) PR #​3510
• feat:Use a single simple query for all startup parameters, so groupStartupParameters is no longer needed PR #​3613

---

Configuration

📅 Schedule: (in timezone America/Toronto)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.