Releases: exasol/cloud-storage-extension

2.8.4 Fix vulnerabilities CVE-2024-23454 & CVE-2024-47561 & CVE-2024-47554 & CVE-2024-51504 & CVE-2024-47535

21 Nov 08:29
217dd9f

This release fixes the following vulnerabilities in dependencies:

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated com.exasol:parquet-io-java:2.0.10 to 2.0.12
  • Updated com.github.mwiede:jsch:0.2.18 to 0.2.21
  • Updated com.google.guava:guava:33.2.1-jre to 33.3.1-jre
  • Updated com.nimbusds:nimbus-jose-jwt:9.40 to 9.47
  • Added commons-io:commons-io:2.18.0
  • Updated dnsjava:dnsjava:3.6.1 to 3.6.2
  • Updated io.dropwizard.metrics:metrics-core:4.2.26 to 4.2.28
  • Updated io.netty:netty-codec-http2:4.1.112.Final to 4.1.115.Final
  • Updated org.apache.avro:avro:1.11.3 to 1.12.0
  • Updated org.apache.commons:commons-compress:1.26.2 to 1.27.1
  • Updated org.apache.commons:commons-lang3:3.15.0 to 3.17.0
  • Updated org.apache.logging.log4j:log4j-1.2-api:2.23.1 to 2.24.1
  • Updated org.apache.logging.log4j:log4j-api:2.23.1 to 2.24.1
  • Updated org.apache.logging.log4j:log4j-core:2.23.1 to 2.24.1
  • Updated org.apache.orc:orc-core:1.9.4 to 1.9.5
  • Updated org.apache.zookeeper:zookeeper:3.9.2 to 3.9.3
  • Added org.codehaus.janino:janino:3.1.12
  • Updated org.glassfish.jersey.containers:jersey-container-servlet-core:2.43 to 2.45
  • Updated org.glassfish.jersey.containers:jersey-container-servlet:2.43 to 2.45
  • Updated org.glassfish.jersey.core:jersey-client:2.43 to 2.45
  • Updated org.glassfish.jersey.core:jersey-common:2.43 to 2.45
  • Updated org.glassfish.jersey.core:jersey-server:2.43 to 2.45
  • Updated org.glassfish.jersey.inject:jersey-hk2:2.43 to 2.45
  • Updated org.slf4j:jul-to-slf4j:2.0.13 to 2.0.16
  • Updated org.xerial.snappy:snappy-java:1.1.10.5 to 1.1.10.7

Runtime Dependency Updates

  • Updated ch.qos.logback:logback-classic:1.5.6 to 1.5.12
  • Updated ch.qos.logback:logback-core:1.5.6 to 1.5.12

Test Dependency Updates

  • Updated com.exasol:extension-manager-integration-test-java:0.5.12 to 0.5.13
  • Updated nl.jqno.equalsverifier:equalsverifier:3.16.1 to 3.17.3
  • Updated org.hamcrest:hamcrest:2.2 to 3.0
  • Added org.junit.jupiter:junit-jupiter-api:5.10.3
  • Removed org.junit.jupiter:junit-jupiter-engine:5.10.3
  • Updated org.testcontainers:localstack:1.20.0 to 1.20.3

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.3 to 4.4.0
  • Added com.exasol:quality-summarizer-maven-plugin:0.2.0
  • Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.1
  • Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.4.1 to 3.4.2
  • Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
  • Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1
  • Removed org.itsallcode:openfasttrace-maven-plugin:1.6.2

Extension

Compile Dependency Updates

  • Updated @exasol/extension-manager-interface:0.4.2 to 0.4.3

Development Dependency Updates

  • Updated eslint:^8.56.0 to 9.14.0
  • Updated @types/node:^20.12.12 to ^22.9.1
  • Updated ts-jest:^29.1.2 to ^29.2.5
  • Added typescript-eslint:^8.14.0
  • Updated typescript:^5.4.5 to ^5.6.3
  • Updated esbuild:^0.21.2 to ^0.24.0
  • Removed @typescript-eslint/parser:^7.9.0
  • Removed @typescript-eslint/eslint-plugin:^7.9.0

2.8.3 Fixed vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:test

26 Sep 09:49
b534471

This release fixes the following vulnerability:

CVE-2024-7254 (CWE-20) in dependency com.google.protobuf:protobuf-java:jar:3.19.6:test

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

References

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated com.google.protobuf:protobuf-java:3.25.4 to 3.25.5

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:7.1.0 to 7.1.1
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.5 to 1.7.0
  • Updated com.exasol:test-db-builder-java:3.5.4 to 3.6.0

2.8.2 Fix CVE-2024-25638 in `dnsjava:dnsjava:jar:3.4.0:compile`

30 Jul 06:58
d2cb5ec

This release fixes vulnerability CVE-2024-25638 in dnsjava:dnsjava:jar:3.4.0:compile.

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated com.exasol:parquet-io-java:2.0.8 to 2.0.10
  • Updated com.github.mwiede:jsch:0.2.17 to 0.2.18
  • Updated com.google.guava:guava:33.2.0-jre to 33.2.1-jre
  • Updated com.google.protobuf:protobuf-java:3.25.1 to 3.25.4
  • Updated com.nimbusds:nimbus-jose-jwt:9.39.1 to 9.40
  • Added dnsjava:dnsjava:3.6.1
  • Updated io.dropwizard.metrics:metrics-core:4.2.25 to 4.2.26
  • Updated io.grpc:grpc-netty:1.63.0 to 1.65.1
  • Updated io.netty:netty-codec-http2:4.1.109.Final to 4.1.112.Final
  • Updated org.apache.commons:commons-compress:1.26.1 to 1.26.2
  • Updated org.apache.commons:commons-configuration2:2.10.1 to 2.11.0
  • Updated org.apache.commons:commons-lang3:3.14.0 to 3.15.0
  • Updated org.apache.orc:orc-core:1.9.2 to 1.9.4
  • Updated org.glassfish.jersey.containers:jersey-container-servlet-core:2.41 to 2.43
  • Updated org.glassfish.jersey.containers:jersey-container-servlet:2.41 to 2.43
  • Updated org.glassfish.jersey.core:jersey-client:2.41 to 2.43
  • Updated org.glassfish.jersey.core:jersey-common:2.41 to 2.43
  • Updated org.glassfish.jersey.core:jersey-server:2.41 to 2.43
  • Updated org.glassfish.jersey.inject:jersey-hk2:2.41 to 2.43
  • Updated org.jetbrains.kotlin:kotlin-stdlib:1.9.24 to 1.9.25

Test Dependency Updates

  • Updated com.dimafeng:testcontainers-scala-scalatest_2.13:0.41.3 to 0.41.4
  • Updated com.exasol:extension-manager-integration-test-java:0.5.11 to 0.5.12
  • Updated org.junit.jupiter:junit-jupiter-engine:5.10.2 to 5.10.3
  • Updated org.testcontainers:localstack:1.19.8 to 1.20.0

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.2 to 4.3.3

2.8.1 Security update - fix for CVE-2024-36114

04 Jun 12:56
6db8941

Fixed CVE-2024-36114 (GHSA-973x-65j7-xcf4) via a transitive version update.
Updated dependencies.

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added io.airlift:aircompressor:0.27

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.1 to 4.3.2
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922 to 4.0.0.4121

2.8.0: Simplify GCS Configuration

17 May 05:45
d178c90

This release allows configuring Google Cloud Storage (GCS) via a CONNECTION instead of uploading the credentials JSON file to BucketFS. This avoids exposing GCP credentials as a file in BucketFS and simplifies configuration. See the user guide for details.
Please note that, for backwards compatibility, you can still provide the GCS credentials as a file, although CSE recommends configuring Google Cloud Storage (GCS) via a CONNECTION.

Features

  • #316: Allowed specifying GCS credentials via CONNECTION

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added com.github.mwiede:jsch:0.2.17
  • Updated com.google.guava:guava:32.1.3-jre to 33.2.0-jre
  • Updated com.google.oauth-client:google-oauth-client:1.34.1 to 1.36.0
  • Updated com.nimbusds:nimbus-jose-jwt:9.37.3 to 9.39.1
  • Updated io.dropwizard.metrics:metrics-core:4.2.23 to 4.2.25
  • Updated io.grpc:grpc-netty:1.60.0 to 1.63.0
  • Updated io.netty:netty-codec-http2:4.1.108.Final to 4.1.109.Final
  • Updated org.apache.commons:commons-compress:1.26.0 to 1.26.1
  • Updated org.apache.logging.log4j:log4j-1.2-api:2.22.0 to 2.23.1
  • Updated org.apache.logging.log4j:log4j-api:2.22.0 to 2.23.1
  • Updated org.apache.logging.log4j:log4j-core:2.22.0 to 2.23.1
  • Updated org.jetbrains.kotlin:kotlin-stdlib:1.9.21 to 1.9.24
  • Updated org.slf4j:jul-to-slf4j:2.0.9 to 2.0.13

Runtime Dependency Updates

  • Updated ch.qos.logback:logback-classic:1.2.13 to 1.5.6
  • Updated ch.qos.logback:logback-core:1.2.13 to 1.5.6

Test Dependency Updates

  • Updated com.dimafeng:testcontainers-scala-scalatest_2.13:0.41.0 to 0.41.3
  • Updated com.exasol:exasol-testcontainers:7.0.1 to 7.1.0
  • Updated com.exasol:extension-manager-integration-test-java:0.5.7 to 0.5.11
  • Updated nl.jqno.equalsverifier:equalsverifier:3.15.4 to 3.16.1
  • Updated org.junit.jupiter:junit-jupiter-engine:5.10.1 to 5.10.2
  • Updated org.mockito:mockito-core:5.8.0 to 5.12.0
  • Updated org.testcontainers:localstack:1.19.3 to 1.19.8

Plugin Dependency Updates

  • Updated com.diffplug.spotless:spotless-maven-plugin:2.41.0 to 2.43.0
  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.2 to 2.0.3
  • Updated com.exasol:project-keeper-maven-plugin:4.3.0 to 4.3.1
  • Updated net.alchim31.maven:scala-maven-plugin:4.8.1 to 4.9.1
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.3.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
  • Updated org.codehaus.mojo:exec-maven-plugin:3.1.1 to 3.2.0

Extension

Compile Dependency Updates

  • Updated @exasol/extension-manager-interface:0.4.1 to 0.4.2

Development Dependency Updates

  • Updated eslint:^8.55.0 to ^8.56.0
  • Updated @types/node:^20.10.4 to ^20.12.12
  • Updated @typescript-eslint/parser:^6.13.2 to ^7.9.0
  • Updated ts-jest:^29.1.1 to ^29.1.2
  • Updated typescript:^5.3.3 to ^5.4.5
  • Updated @typescript-eslint/eslint-plugin:^6.13.2 to ^7.9.0
  • Updated ts-node:^10.9.1 to ^10.9.2
  • Updated esbuild:^0.19.8 to ^0.21.2

2.7.12 Dependency upgrades

18 Apr 09:46
45c099a

Dependencies upgraded to fix CVE-2024-29131, CVE-2024-29133 and CVE-2024-29025

Features

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated com.exasol:parquet-io-java:2.0.6 to 2.0.8
  • Added io.netty:netty-codec-http2:4.1.108.Final
  • Removed io.netty:netty-handler:4.1.101.Final
  • Added org.apache.commons:commons-configuration2:2.10.1
  • Added org.glassfish.jersey.containers:jersey-container-servlet-core:2.41
  • Added org.glassfish.jersey.containers:jersey-container-servlet:2.41
  • Added org.glassfish.jersey.core:jersey-client:2.41
  • Added org.glassfish.jersey.core:jersey-common:2.41
  • Added org.glassfish.jersey.core:jersey-server:2.41
  • Added org.glassfish.jersey.inject:jersey-hk2:2.41

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:7.0.0 to 7.0.1
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.3 to 1.6.5
  • Updated com.exasol:test-db-builder-java:3.5.3 to 3.5.4
  • Removed org.glassfish.jersey.core:jersey-common:2.41

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.0 to 2.0.2
  • Updated com.exasol:project-keeper-maven-plugin:4.1.0 to 4.3.0
  • Updated org.apache.maven.plugins:maven-assembly-plugin:3.6.0 to 3.7.1
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.13.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.12
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 3.11.0.3922

2.7.11: upgrade zookeeper to fix CVE-2024-23944

22 Mar 10:11
ada164c

Summary

Zookeeper dependency was upgraded to address CVE-2024-23944.

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated org.apache.zookeeper:zookeeper:3.9.1 to 3.9.2

2.7.10: Security fixes in transitive dependencies

15 Mar 11:34
95bd05c

Summary

Fix CVEs in transitive dependencies, upgrade of PK to 4.1.0

Features

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added com.nimbusds:nimbus-jose-jwt:9.37.3
  • Updated org.apache.commons:commons-compress:1.25.0 to 1.26.0

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.3.1 to 2.0.0
  • Updated com.exasol:project-keeper-maven-plugin:2.9.17 to 4.1.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.2 to 3.2.5
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.2 to 3.2.5
  • Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0

2.7.9: Fix CVE-2023-6378

11 Dec 11:02
57105cb

Summary

This release fixes vulnerability CVE-2023-6378 (CWE-502: Deserialization of Untrusted Data (7.1)) in the following dependencies:

  • ch.qos.logback:logback-classic:jar:1.2.10:compile
  • ch.qos.logback:logback-core:jar:1.2.10:compile

Security

Refactoring

  • #290: Added tests to verify importing many files works

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated com.exasol:import-export-udf-common-scala_2.13:1.1.1 to 2.0.0
  • Updated com.google.protobuf:protobuf-java:3.25.0 to 3.25.1
  • Updated io.dropwizard.metrics:metrics-core:4.2.22 to 4.2.23
  • Updated io.grpc:grpc-netty:1.59.0 to 1.60.0
  • Updated io.netty:netty-handler:4.1.100.Final to 4.1.101.Final
  • Updated org.apache.commons:commons-compress:1.24.0 to 1.25.0
  • Updated org.apache.commons:commons-lang3:3.13.0 to 3.14.0
  • Updated org.apache.logging.log4j:log4j-1.2-api:2.21.1 to 2.22.0
  • Updated org.apache.logging.log4j:log4j-api:2.21.1 to 2.22.0
  • Updated org.apache.logging.log4j:log4j-core:2.21.1 to 2.22.0
  • Updated org.apache.orc:orc-core:1.9.1 to 1.9.2
  • Updated org.jetbrains.kotlin:kotlin-stdlib:1.9.20 to 1.9.21
  • Removed org.slf4j:slf4j-reload4j:2.0.9

Runtime Dependency Updates

  • Added ch.qos.logback:logback-classic:1.2.13
  • Added ch.qos.logback:logback-core:1.2.13

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:6.6.3 to 7.0.0
  • Updated com.exasol:extension-manager-integration-test-java:0.5.5 to 0.5.7
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.2 to 1.6.3
  • Updated com.exasol:test-db-builder-java:3.5.1 to 3.5.3
  • Updated nl.jqno.equalsverifier:equalsverifier:3.15.3 to 3.15.4
  • Updated org.mockito:mockito-core:5.7.0 to 5.8.0
  • Updated org.testcontainers:localstack:1.19.1 to 1.19.3

Plugin Dependency Updates

  • Updated com.diffplug.spotless:spotless-maven-plugin:2.40.0 to 2.41.0
  • Updated com.exasol:project-keeper-maven-plugin:2.9.15 to 2.9.17
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.1.2 to 3.2.2
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.2 to 3.6.3
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.1.2 to 3.2.2
  • Updated org.codehaus.mojo:exec-maven-plugin:3.1.0 to 3.1.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.1 to 2.16.2

Extension

Compile Dependency Updates

  • Updated @exasol/extension-manager-interface:0.4.0 to 0.4.1

Development Dependency Updates

  • Updated eslint:^8.53.0 to ^8.55.0
  • Updated @types/node:^20.8.10 to ^20.10.4
  • Updated @typescript-eslint/parser:^6.9.1 to ^6.13.2
  • Updated typescript:^5.2.2 to ^5.3.3
  • Updated @typescript-eslint/eslint-plugin:^6.9.1 to ^6.13.2
  • Updated esbuild:^0.19.5 to ^0.19.8

2.7.8: Access to public S3 buckets without credentials

10 Nov 12:59
5c222f9

Summary

Implemented an option to access public S3 buckets without credentials.

Features

  • #283: Support publicly available S3 buckets without credentials