
Releases: exasol/parquet-io-java

2.0.12 Fixed vulnerability CVE-2024-47535 in io.netty:netty-common:jar:4.1.100.Final:compile

18 Nov 10:07
c5e5787

This release fixes the following vulnerability:

CVE-2024-47535 (CWE-400) in dependency io.netty:netty-common:jar:4.1.100.Final:compile

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

References

Security

  • #79: Fixed vulnerability CVE-2024-47535 in dependency io.netty:netty-common:jar:4.1.100.Final:compile

Dependency Updates

Compile Dependency Updates

  • Updated org.apache.hadoop:hadoop-client:3.4.0 to 3.4.1
  • Updated org.apache.parquet:parquet-hadoop:1.14.3 to 1.14.4

Runtime Dependency Updates

  • Added io.netty:netty-transport-native-epoll:4.1.115.Final

Test Dependency Updates

  • Updated nl.jqno.equalsverifier:equalsverifier:3.17.1 to 3.17.3
  • Updated org.junit.jupiter:junit-jupiter:5.11.2 to 5.11.3

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.3 to 4.4.0
  • Added com.exasol:quality-summarizer-maven-plugin:0.2.0
  • Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
  • Updated org.apache.maven.plugins:maven-clean-plugin:2.5 to 3.4.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.1
  • Updated org.apache.maven.plugins:maven-gpg-plugin:3.2.4 to 3.2.7
  • Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.7.0 to 3.10.1
  • Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
  • Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1

2.0.11 Fix CVE-2024-47561 in dependency

17 Oct 12:12
133b5bb

This release fixes vulnerability CVE-2024-47561 by updating transitive dependency org.apache.avro:avro via org.apache.hadoop:hadoop-client.

Security

Dependency Updates

Compile Dependency Updates

  • Updated dnsjava:dnsjava:3.6.0 to 3.6.2
  • Removed io.airlift:aircompressor:0.27
  • Updated org.apache.avro:avro:1.11.3 to 1.12.0
  • Removed org.apache.commons:commons-compress:1.26.2
  • Updated org.apache.parquet:parquet-hadoop:1.14.1 to 1.14.3
  • Updated org.scala-lang:scala-library:2.13.14 to 2.13.15
  • Removed org.xerial.snappy:snappy-java:1.1.10.5

Test Dependency Updates

  • Updated nl.jqno.equalsverifier:equalsverifier:3.16.1 to 3.17.1
  • Updated org.hamcrest:hamcrest:2.2 to 3.0
  • Updated org.junit.jupiter:junit-jupiter:5.10.3 to 5.11.2
  • Updated org.mockito:mockito-core:5.12.0 to 5.14.2
  • Updated org.mockito:mockito-junit-jupiter:5.12.0 to 5.14.2

2.0.10 Fix CVE-2024-25638 in dependency

29 Jul 11:40
5985eec

This release fixes vulnerability CVE-2024-25638 by updating transitive dependency dnsjava:dnsjava:jar:3.4.0.

Security Issues

  • #74: Fixed vulnerability CVE-2024-25638 by updating dependency dnsjava:dnsjava:jar:3.4.0.

Dependency Updates

Compile Dependency Updates

  • Added dnsjava:dnsjava:3.6.0
  • Updated org.apache.commons:commons-configuration2:2.10.1 to 2.11.0
  • Updated org.apache.parquet:parquet-hadoop:1.13.1 to 1.14.1
  • Updated org.scala-lang:scala-library:2.13.13 to 2.13.14

Test Dependency Updates

  • Updated org.junit.jupiter:junit-jupiter:5.10.2 to 5.10.3

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.2 to 4.3.3

2.0.9 Security update - fix for CVE-2024-36114

03 Jun 11:49
064d364

Fixed CVE-2024-36114 (GHSA-973x-65j7-xcf4) via transitive version update.
Updated dependencies.

Security

Dependency Updates

Compile Dependency Updates

  • Added io.airlift:aircompressor:0.27
  • Updated org.apache.commons:commons-compress:1.26.1 to 1.26.2

Test Dependency Updates

  • Updated org.mockito:mockito-core:5.11.0 to 5.12.0
  • Updated org.mockito:mockito-junit-jupiter:5.11.0 to 5.12.0

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.2 to 2.0.3
  • Updated com.exasol:project-keeper-maven-plugin:4.3.0 to 4.3.2
  • Updated org.apache.maven.plugins:maven-deploy-plugin:3.1.1 to 3.1.2
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
  • Updated org.apache.maven.plugins:maven-gpg-plugin:3.2.2 to 3.2.4
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.3 to 3.7.0
  • Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922 to 4.0.0.4121
  • Updated org.sonatype.plugins:nexus-staging-maven-plugin:1.6.13 to 1.7.0

2.0.8 Fix CVE-2024-29131 & CVE-2024-29133 in `org.apache.commons:commons-configuration2:jar:2.8.0:compile`

09 Apr 06:26
e99b050

This release fixes vulnerabilities CVE-2024-29131 & CVE-2024-29133 in org.apache.commons:commons-configuration2:jar:2.8.0:compile.

Security

  • #68: Fixed CVE-2024-29131 in org.apache.commons:commons-configuration2:jar:2.8.0:compile
  • #69: Fixed CVE-2024-29133 in org.apache.commons:commons-configuration2:jar:2.8.0:compile

Dependency Updates

Compile Dependency Updates

  • Added org.apache.commons:commons-configuration2:2.10.1
  • Updated org.apache.hadoop:hadoop-client:3.3.6 to 3.4.0

Test Dependency Updates

  • Updated nl.jqno.equalsverifier:equalsverifier:3.15.8 to 3.16.1

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.0 to 2.0.2
  • Updated com.exasol:project-keeper-maven-plugin:4.1.0 to 4.3.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.13.0
  • Updated org.apache.maven.plugins:maven-gpg-plugin:3.1.0 to 3.2.2
  • Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.12
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 3.11.0.3922

2.0.7: Fix vulnerabilities CVE-2024-25710, CVE-2024-26308 and CVE-2023-52428 in compile dependencies

11 Mar 09:06
0328117

Summary

This release fixes vulnerabilities in the following compile dependencies:

  • org.apache.commons:commons-compress
    • CVE-2024-25710: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') (8.1)
    • CVE-2024-26308: CWE-770: Allocation of Resources Without Limits or Throttling (7.5)
  • com.nimbusds:nimbus-jose-jwt
    • CVE-2023-52428: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (7.5)

Security

  • #66: Fixed vulnerabilities

Dependency Updates

Compile Dependency Updates

  • Updated org.apache.commons:commons-compress:1.24.0 to 1.26.1
  • Updated org.scala-lang:scala-library:2.13.12 to 2.13.13

Test Dependency Updates

  • Updated nl.jqno.equalsverifier:equalsverifier:3.15.2 to 3.15.8
  • Updated org.junit.jupiter:junit-jupiter:5.10.0 to 5.10.2
  • Updated org.mockito:mockito-core:5.6.0 to 5.11.0
  • Updated org.mockito:mockito-junit-jupiter:5.6.0 to 5.11.0

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.3.0 to 2.0.0
  • Updated com.exasol:project-keeper-maven-plugin:2.9.12 to 4.1.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.1.2 to 3.2.5
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.5.0 to 3.6.3
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.1.2 to 3.2.5
  • Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.0 to 2.16.2
  • Updated org.jacoco:jacoco-maven-plugin:0.8.10 to 0.8.11
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184 to 3.10.0.2594

2.0.6: Fix CVE-2023-39410 and CVE-2023-42503

24 Oct 05:00
4c0d835

Summary

This release fixes the following vulnerabilities:

Security

Dependency Updates

Compile Dependency Updates

  • Added org.apache.avro:avro:1.11.3
  • Added org.apache.commons:commons-compress:1.24.0

Test Dependency Updates

  • Added nl.jqno.equalsverifier:equalsverifier:3.15.2
  • Updated org.mockito:mockito-core:5.5.0 to 5.6.0
  • Updated org.mockito:mockito-junit-jupiter:5.5.0 to 5.6.0

2.0.5: Fixed CVE-2023-43642

27 Sep 14:58
5f915fd

Summary

This release fixes CVE-2023-43642 in org.xerial.snappy:snappy-java.

Security

Dependency Updates

Compile Dependency Updates

  • Updated org.scala-lang:scala-library:2.13.11 to 2.13.12
  • Updated org.xerial.snappy:snappy-java:1.1.10.1 to 1.1.10.5

Test Dependency Updates

  • Updated org.junit.jupiter:junit-jupiter:5.9.3 to 5.10.0
  • Updated org.mockito:mockito-core:5.4.0 to 5.5.0
  • Updated org.mockito:mockito-junit-jupiter:5.4.0 to 5.5.0
  • Updated org.scalatest:scalatest_2.13:3.2.15 to 3.3.0-SNAP4

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.2.3 to 1.3.0
  • Updated com.exasol:project-keeper-maven-plugin:2.9.7 to 2.9.12
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.3.0 to 3.4.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.0.0 to 3.1.2
  • Updated org.apache.maven.plugins:maven-gpg-plugin:3.0.1 to 3.1.0
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.0.0 to 3.1.2
  • Updated org.basepom.maven:duplicate-finder-maven-plugin:1.5.1 to 2.0.1
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.4.1 to 1.5.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.15.0 to 2.16.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.9 to 0.8.10

2.0.4: Updated dependencies to fix CVE vulnerabilities

28 Jun 11:59
dfc015f

Summary

This release updates the Hadoop dependency to fix CVE vulnerabilities.

Security

  • #50: Upgraded Hadoop dependency to fix CVE vulnerabilities

Dependency Updates

Compile Dependency Updates

  • Updated org.apache.hadoop:hadoop-client:3.3.5 to 3.3.6
  • Updated org.apache.parquet:parquet-hadoop:1.13.0 to 1.13.1
  • Updated org.scala-lang:scala-library:2.13.10 to 2.13.11
  • Added org.xerial.snappy:snappy-java:1.1.10.1

Test Dependency Updates

  • Updated org.junit.jupiter:junit-jupiter:5.9.2 to 5.9.3
  • Updated org.mockito:mockito-core:5.3.1 to 5.4.0
  • Updated org.mockito:mockito-junit-jupiter:5.3.1 to 5.4.0

Plugin Dependency Updates

  • Updated org.itsallcode:openfasttrace-maven-plugin:1.6.1 to 1.6.2

2.0.3: Fix CVE-2023-26048

24 Apr 06:27
9dd61ad

Summary

This release fixes vulnerability CVE-2023-26048 (Uncontrolled Resource Consumption) in transitive dependency org.eclipse.jetty:jetty-util:jar:9.4.48.v20220622 by excluding it as it is not used.

Security

Dependency Updates

Test Dependency Updates

  • Updated org.mockito:mockito-core:5.3.0 to 5.3.1
  • Updated org.mockito:mockito-junit-jupiter:5.3.0 to 5.3.1