
3.5.4: Fix CVE-2024-25710, CVE-2024-1597 and CVE-2024-26308 in test dependencies

@redcatbear released this 11 Mar 14:12 (commit 730cad4)

Summary

This is a security release in which we updated the test dependencies commons-compress and postgresql to fix the following CVEs:

CVE-2024-25710

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.


CVE-2024-1597

pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.
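As an added illustration (not code from this release or from pgjdbc), a small Python audit that flags a setup matching the two conditions the description above names: a pgjdbc version before the fix for its 42.x branch, and a JDBC URL that opts into preferQueryMode=simple. The function names, the sample inventory and the treatment of versions below 42.2 as unfixed are assumptions.

```python
from urllib.parse import parse_qs

# Fixed patch level per 42.x branch, taken from the CVE text (minor -> patch).
PGJDBC_FIXED = {2: 8, 3: 9, 4: 4, 5: 5, 6: 1, 7: 2}

def parse_version(version: str) -> tuple:
    """Return (major, minor, patch); a suffix such as '.jre7' is ignored."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return major, minor, patch

def pgjdbc_affected(version: str) -> bool:
    """True if this pgjdbc version predates the CVE-2024-1597 fix for its branch."""
    major, minor, patch = parse_version(version)
    if major != 42:
        return major < 42  # assumption: pre-42 drivers never received the fix
    if minor < min(PGJDBC_FIXED):
        return True  # 42.0 / 42.1 have no fixed release listed in the CVE
    if minor > max(PGJDBC_FIXED):
        return False  # 42.8 and later were released after the fix
    return patch < PGJDBC_FIXED[minor]

def uses_simple_query_mode(jdbc_url: str) -> bool:
    """True if the URL opts into preferQueryMode=simple (not the default mode)."""
    query = jdbc_url.partition("?")[2]
    params = {k.lower(): v[-1].lower() for k, v in parse_qs(query).items()}
    return params.get("preferquerymode") == "simple"

def cve_2024_1597_exposed(jdbc_url: str, pgjdbc_version: str) -> bool:
    """Both conditions must hold: a vulnerable driver and simple query mode."""
    return pgjdbc_affected(pgjdbc_version) and uses_simple_query_mode(jdbc_url)

# Constructed sample inventory: (JDBC URL, driver version) pairs to audit.
SAMPLE_INVENTORY = [
    ("jdbc:postgresql://db:5432/app?preferQueryMode=simple", "42.7.0"),
    ("jdbc:postgresql://db:5432/app?preferQueryMode=simple", "42.7.2"),
    ("jdbc:postgresql://db:5432/app?ssl=true", "42.5.4"),
]

def audit(inventory=SAMPLE_INVENTORY) -> list:
    """Return the (url, version) pairs that are exposed to CVE-2024-1597."""
    return [(u, v) for u, v in inventory if cve_2024_1597_exposed(u, v)]

if __name__ == "__main__":
    for url, version in audit():
        print(f"EXPOSED: pgjdbc {version} with {url}")
```

Of the three constructed entries only the first is reported: the second already runs 42.7.2, and the third keeps the default query mode even though its driver is old.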


CVE-2024-26308

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.

Users are recommended to upgrade to version 1.26, which fixes the issue.


Dependency Updates

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:7.0.0 to 7.0.1
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.3 to 1.6.5
  • Updated com.mysql:mysql-connector-j:8.2.0 to 8.3.0
  • Updated nl.jqno.equalsverifier:equalsverifier:3.15.3 to 3.15.8
  • Updated org.junit.jupiter:junit-jupiter-api:5.10.1 to 5.10.2
  • Updated org.junit.jupiter:junit-jupiter-engine:5.10.1 to 5.10.2
  • Updated org.mockito:mockito-junit-jupiter:5.7.0 to 5.11.0
  • Updated org.postgresql:postgresql:42.7.0 to 42.7.2
  • Updated org.slf4j:slf4j-jdk14:2.0.9 to 2.0.12
  • Updated org.testcontainers:junit-jupiter:1.19.3 to 1.19.7
  • Updated org.testcontainers:mysql:1.19.3 to 1.19.7
  • Updated org.testcontainers:oracle-xe:1.19.3 to 1.19.7
  • Updated org.testcontainers:postgresql:1.19.3 to 1.19.7

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:1.3.1 to 2.0.0
  • Updated com.exasol:project-keeper-maven-plugin:2.9.16 to 4.1.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.2 to 3.2.5
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.2 to 3.6.3
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.2 to 3.2.5
  • Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.1 to 2.16.2
  • Updated org.itsallcode:openfasttrace-maven-plugin:1.6.1 to 1.8.0