From cd38dd3c2eb8ae193dcf419b817a52b125efb009 Mon Sep 17 00:00:00 2001 From: Automatic Dependency Updater Date: Tue, 7 Jul 2026 03:02:16 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=90=20Update=20dependencies=20to=20fix?= =?UTF-8?q?=20vulnerabilities?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/changes/changelog.md | 1 + doc/changes/changes_0.6.19.md | 60 +++++++++++++++++++++++++++++++++++ pk_generated_parent.pom | 2 +- pom.xml | 26 +++++++-------- 4 files changed, 75 insertions(+), 14 deletions(-) create mode 100644 doc/changes/changes_0.6.19.md diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index 85c329d..3a9335b 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [0.6.19](changes_0.6.19.md) * [0.6.18](changes_0.6.18.md) * [0.6.17](changes_0.6.17.md) * [0.6.16](changes_0.6.16.md) diff --git a/doc/changes/changes_0.6.19.md b/doc/changes/changes_0.6.19.md new file mode 100644 index 0000000..7201171 --- /dev/null +++ b/doc/changes/changes_0.6.19.md @@ -0,0 +1,60 @@ +# Udf Debugging Java 0.6.19, released 2026-??-?? + +Code name: Fixed vulnerabilities CVE-2017-7503, CVE-2017-10355, CVE-2026-9563 + +## Summary + +This release fixes the following 3 vulnerabilities: + +### CVE-2017-7503 (CWE-611) in dependency `xerces:xercesImpl:jar:2.12.2:provided` +It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. An attacker could use this flaw to launch DoS or SSRF attacks, or read files from the server where EAP is deployed. +#### References +* https://guide.sonatype.com/vulnerability/CVE-2017-7503?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1 +* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7503 +* https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7503 + +### CVE-2017-10355 (CWE-833) in dependency `xerces:xercesImpl:jar:2.12.2:provided` +sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS) +#### References +* https://guide.sonatype.com/vulnerability/CVE-2017-10355?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1 +* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10355 +* https://blogs.securiteam.com/index.php/archives/3271 + +### CVE-2026-9563 (CWE-400) in dependency `org.eclipse.parsson:parsson:jar:1.1.7:runtime` +In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters. +#### References +* https://guide.sonatype.com/vulnerability/CVE-2026-9563?component-type=maven&component-name=org.eclipse.parsson%2Fparsson&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1 +* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2026-9563 +* https://github.com/eclipse-ee4j/parsson/pull/169 +* https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444 + +## Security + +* #81: Fixed vulnerability CVE-2017-7503 in dependency `xerces:xercesImpl:jar:2.12.2:provided` +* #82: Fixed vulnerability CVE-2017-10355 in dependency `xerces:xercesImpl:jar:2.12.2:provided` +* #83: Fixed vulnerability CVE-2026-9563 in dependency `org.eclipse.parsson:parsson:jar:1.1.7:runtime` + +## Dependency Updates + +### Compile Dependency Updates + +* Updated `org.jacoco:org.jacoco.core:0.8.14` to `0.8.15` +* Updated `org.slf4j:slf4j-jdk14:2.0.17` to `2.0.18` + +### Runtime Dependency Updates + +* Updated `org.eclipse.parsson:parsson:1.1.7` to `1.1.9` + +### Test Dependency Updates + +* Updated `com.exasol:exasol-testcontainers:7.2.0` to `7.3.0` +* Updated `com.exasol:test-db-builder-java:3.6.4` to `4.0.1` +* Updated `org.itsallcode:junit5-system-extensions:1.2.2` to `1.2.3` +* Updated `org.jacoco:org.jacoco.agent:0.8.14` to `0.8.15` +* Updated `org.junit.jupiter:junit-jupiter-params:5.13.4` to `6.1.1` +* Updated `org.mockito:mockito-junit-jupiter:5.20.0` to `5.23.0` +* Updated `org.testcontainers:testcontainers-junit-jupiter:2.0.1` to `2.0.5` + +### Plugin Dependency Updates + +* Updated `com.exasol:project-keeper-maven-plugin:5.4.3` to `5.7.2` diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index 3215806..8344d86 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,7 +3,7 @@ 4.0.0 com.exasol udf-debugging-java-generated-parent - 0.6.18 + 0.6.19 pom UTF-8 diff --git a/pom.xml b/pom.xml index a83255b..b825c3a 100644 --- a/pom.xml +++ b/pom.xml @@ -2,12 +2,12 @@ 4.0.0 udf-debugging-java - 0.6.18 + 0.6.19 udf-debugging-java Utilities for debugging, profiling and code coverage measure for UDFs. https://github.com/exasol/udf-debugging-java/ - 0.8.14 + 0.8.15 @@ -18,7 +18,7 @@ org.eclipse.parsson parsson - 1.1.7 + 1.1.9 runtime @@ -46,7 +46,7 @@ com.exasol exasol-test-setup-abstraction-java - 2.1.10 + 2.1.11 - 5.13.4 + 6.1.1 test org.mockito mockito-junit-jupiter - 5.20.0 + 5.23.0 test @@ -82,32 +82,32 @@ com.exasol exasol-testcontainers - 7.2.0 + 7.3.0 test org.testcontainers testcontainers-junit-jupiter - 2.0.1 + 2.0.5 test com.exasol test-db-builder-java - 3.6.4 + 4.0.1 test org.itsallcode junit5-system-extensions - 1.2.2 + 1.2.3 test org.slf4j slf4j-jdk14 - 2.0.17 + 2.0.18 @@ -133,7 +133,7 @@ com.exasol project-keeper-maven-plugin - 5.4.3 + 5.7.2 @@ -172,7 +172,7 @@ udf-debugging-java-generated-parent com.exasol - 0.6.18 + 0.6.19 pk_generated_parent.pom