FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

PostgreSQL JDBC -- Silent channel-binding authentication downgrade via unsupported certificate algorithms

Affected packages
postgresql-jdbc < 47.7.12
47.7.4 <= postgresql-jdbc

Details

VuXML ID 7701f760-745c-11f1-bc50-6cc21735f730
Discovery 2026-06-30
Entry 2026-06-30

PostgreSQL project reports:

channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS (with channel binding) to plain SCRAM-SHA-256 (without it), losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection triggers the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash. Examples are Ed25519, Ed448, and post-quantum algorithms.
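As an added illustration (not code from pgjdbc or the PostgreSQL project), the model below shows where the downgrade sits in mechanism selection: tls_server_end_point() derives the RFC 5929 binding data from the certificate's signature hash, and select_mechanism() either fails closed under channelBinding=require or, with fail_closed=False, reproduces the silent fallback to SCRAM-SHA-256 when the certificate has no binding hash. All function names, the mechanism-selection logic and the sample bytes are assumptions made for this example.

```python
import hashlib

# RFC 5929 s.4.1: tls-server-end-point hashes the server certificate with the
# hash of its signature algorithm (MD5 and SHA-1 are replaced by SHA-256).
# Signature algorithms with no associated hash (Ed25519, Ed448, ...) yield no
# binding data at all, which is the case the advisory describes.
_END_POINT_HASH = {"md5": "sha256", "sha1": "sha256",
                   "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}

class ChannelBindingError(Exception):
    """Raised when channelBinding=require cannot be honoured."""
def tls_server_end_point(cert_der, signature_hash):
    """Binding data for cert_der, or None when the certificate's signature
    algorithm has no hash (signature_hash is None or unknown)."""
    if signature_hash is None:
        return None
    name = _END_POINT_HASH.get(signature_hash.lower())
    return None if name is None else hashlib.new(name, cert_der).digest()

def select_mechanism(advertised, mode, cb_data, fail_closed=True):
    """Choose the SASL mechanism for a SCRAM handshake.
    advertised : mechanisms the server offers, e.g. ["SCRAM-SHA-256-PLUS", ...]
    mode       : channelBinding setting: "disable", "prefer" or "require"
    cb_data    : tls_server_end_point() result, None when unavailable
    fail_closed: False models the reported downgrade (assumption: a simplified
                 model written for this example, not pgjdbc's own code).
    Returns (mechanism, binding_data_or_None)."""
    plus_offered = "SCRAM-SHA-256-PLUS" in advertised
    if mode == "require" and not plus_offered:
        raise ChannelBindingError("server does not offer SCRAM-SHA-256-PLUS")
    if mode != "disable" and plus_offered:
        if cb_data is not None:
            return "SCRAM-SHA-256-PLUS", cb_data
        if mode == "require" and fail_closed:
            raise ChannelBindingError(
                "server certificate has no tls-server-end-point hash")
        # Vulnerable path: binding was required but is silently dropped.
    if "SCRAM-SHA-256" not in advertised:
        raise ChannelBindingError("no SCRAM mechanism offered")
    return "SCRAM-SHA-256", None
SAMPLE_CERT = b"constructed-sample-certificate-bytes"   # not a real DER cert
ADVERTISED = ["SCRAM-SHA-256-PLUS", "SCRAM-SHA-256"]

if __name__ == "__main__":
    cb = tls_server_end_point(SAMPLE_CERT, None)          # Ed25519-style cert
    print("vulnerable:", select_mechanism(ADVERTISED, "require", cb, False)[0])
    try:
        select_mechanism(ADVERTISED, "require", cb)         # fixed: fails closed
    except ChannelBindingError as exc:
        print("fixed: refused,", exc)
```

The same selection runs with a SHA-256-signed certificate to confirm that SCRAM-SHA-256-PLUS is still chosen when binding data exists, so the fail-closed check only bites in the no-hash case.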

References

CVE Name CVE-2026-54291
URL https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-j92g-9f8w-j867