{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "CVE-2026-42198: fix for the unbounded SCRAM PBKDF2 iteration count that the driver accepted from the server",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "TuxCare release page for CLSA-2026:1781092532",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1781092532"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2026/clsa-2026_1781092532.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-06-10T12:04:51Z",
      "generator": {
        "date": "2026-06-10T12:04:51Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1781092532",
      "initial_release_date": "2026-06-10T12:04:51Z",
      "revision_history": [
        {
          "date": "2026-06-10T12:04:51Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "postgresql-jdbc: Fix of CVE-2026-42198"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els2.noarch",
                "product": {
                  "name": "postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els2.noarch",
                  "product_id": "postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-jdbc-javadoc@42.2.28-1.el9.tuxcare.els2?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els2.noarch",
                "product": {
                  "name": "postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els2.noarch",
                  "product_id": "postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-jdbc@42.2.28-1.el9.tuxcare.els2?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els1.noarch",
                "product": {
                  "name": "postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els1.noarch",
                  "product_id": "postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-jdbc-javadoc@42.2.28-1.el9.tuxcare.els1?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els1.noarch",
                "product": {
                  "name": "postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els1.noarch",
                  "product_id": "postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-jdbc@42.2.28-1.el9.tuxcare.els1?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els2.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els2.noarch"
        },
        "product_reference": "postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els2.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els2.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els2.noarch"
        },
        "product_reference": "postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els2.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els1.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els1.noarch"
        },
        "product_reference": "postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els1.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els1.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els1.noarch"
        },
        "product_reference": "postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els1.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-42198",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in pgjdbc, an open-source PostgreSQL JDBC Driver. A malicious server can exploit this vulnerability by instructing the driver to perform SCRAM-SHA-256 (Salted Challenge Response Authentication Mechanism Secure Hash Algorithm 256) authentication with an excessively large iteration count. This causes the client to spend an unbounded amount of CPU time performing PBKDF2 (Password-Based Key Derivation Function 2) computations, leading to a client-side Denial of Service (DoS). This can exhaust client CPU resources and wedge connection pools.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els2.noarch",
          "AlmaLinux-9.2:postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els2.noarch"
        ],
        "known_affected": [
          "AlmaLinux-9.2:postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els1.noarch",
          "AlmaLinux-9.2:postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els1.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-42198"
        }
      ],
      "release_date": "2026-04-29T15:58:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-10T11:56:10.137944Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1781092532",
          "product_ids": [
            "AlmaLinux-9.2:postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els2.noarch",
            "AlmaLinux-9.2:postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els2.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1781092532"
        },
        {
          "category": "none_available",
          "date": "2026-04-29T15:58:00Z",
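          "details": "Affected: this build does not contain the fix. Update to the 42.2.28-1.el9.tuxcare.els2 packages listed under the vendor_fix remediation.",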
          "product_ids": [
            "AlmaLinux-9.2:postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els1.noarch",
            "AlmaLinux-9.2:postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:postgresql-jdbc-0:42.2.28-1.el9.tuxcare.els2.noarch",
            "AlmaLinux-9.2:postgresql-jdbc-javadoc-0:42.2.28-1.el9.tuxcare.els2.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    }
  ]
}