Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions doc/changes/changelog.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

60 changes: 60 additions & 0 deletions doc/changes/changes_0.6.19.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Udf Debugging Java 0.6.19, released 2026-??-??

Code name: Fixed vulnerabilities CVE-2017-7503, CVE-2017-10355, CVE-2026-9563

## Summary

This release fixes the following 3 vulnerabilities:

### CVE-2017-7503 (CWE-611) in dependency `xerces:xercesImpl:jar:2.12.2:provided`
It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. An attacker could use this flaw to launch DoS or SSRF attacks, or read files from the server where EAP is deployed.
#### References
* https://guide.sonatype.com/vulnerability/CVE-2017-7503?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7503
* https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7503

### CVE-2017-10355 (CWE-833) in dependency `xerces:xercesImpl:jar:2.12.2:provided`
sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)
#### References
* https://guide.sonatype.com/vulnerability/CVE-2017-10355?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10355
* https://blogs.securiteam.com/index.php/archives/3271

### CVE-2026-9563 (CWE-400) in dependency `org.eclipse.parsson:parsson:jar:1.1.7:runtime`
In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.
#### References
* https://guide.sonatype.com/vulnerability/CVE-2026-9563?component-type=maven&component-name=org.eclipse.parsson%2Fparsson&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2026-9563
* https://github.com/eclipse-ee4j/parsson/pull/169
* https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444

## Security

* #81: Fixed vulnerability CVE-2017-7503 in dependency `xerces:xercesImpl:jar:2.12.2:provided`
* #82: Fixed vulnerability CVE-2017-10355 in dependency `xerces:xercesImpl:jar:2.12.2:provided`
* #83: Fixed vulnerability CVE-2026-9563 in dependency `org.eclipse.parsson:parsson:jar:1.1.7:runtime`

## Dependency Updates

### Compile Dependency Updates

* Updated `org.jacoco:org.jacoco.core:0.8.14` to `0.8.15`
* Updated `org.slf4j:slf4j-jdk14:2.0.17` to `2.0.18`

### Runtime Dependency Updates

* Updated `org.eclipse.parsson:parsson:1.1.7` to `1.1.9`

### Test Dependency Updates

* Updated `com.exasol:exasol-testcontainers:7.2.0` to `7.3.0`
* Updated `com.exasol:test-db-builder-java:3.6.4` to `4.0.1`
* Updated `org.itsallcode:junit5-system-extensions:1.2.2` to `1.2.3`
* Updated `org.jacoco:org.jacoco.agent:0.8.14` to `0.8.15`
* Updated `org.junit.jupiter:junit-jupiter-params:5.13.4` to `6.1.1`
* Updated `org.mockito:mockito-junit-jupiter:5.20.0` to `5.23.0`
* Updated `org.testcontainers:testcontainers-junit-jupiter:2.0.1` to `2.0.5`

### Plugin Dependency Updates

* Updated `com.exasol:project-keeper-maven-plugin:5.4.3` to `5.7.2`
2 changes: 1 addition & 1 deletion pk_generated_parent.pom

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

26 changes: 13 additions & 13 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,12 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>udf-debugging-java</artifactId>
<version>0.6.18</version>
<version>0.6.19</version>
<name>udf-debugging-java</name>
<description>Utilities for debugging, profiling and code coverage measure for UDFs.</description>
<url>https://github.com/exasol/udf-debugging-java/</url>
<properties>
<jacoco.version>0.8.14</jacoco.version>
<jacoco.version>0.8.15</jacoco.version>
</properties>
<dependencies>
<dependency>
Expand All @@ -18,7 +18,7 @@
<dependency>
<groupId>org.eclipse.parsson</groupId>
<artifactId>parsson</artifactId>
<version>1.1.7</version>
<version>1.1.9</version>
<scope>runtime</scope>
</dependency>
<dependency>
Expand Down Expand Up @@ -46,7 +46,7 @@
<dependency>
<groupId>com.exasol</groupId>
<artifactId>exasol-test-setup-abstraction-java</artifactId>
<version>2.1.10</version>
<version>2.1.11</version>
<!-- This is not a compile-dependency since it would pull a lot of transitive
dependencies (like the AWS SDK) into project where it's absolutely not
needed. That's possible since we only use the classes from this dependencies
Expand All @@ -63,13 +63,13 @@
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-params</artifactId>
<!-- Version 6 requires Java 17 -->
<version>5.13.4</version>
<version>6.1.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-junit-jupiter</artifactId>
<version>5.20.0</version>
<version>5.23.0</version>
<scope>test</scope>
</dependency>
<dependency>
Expand All @@ -82,32 +82,32 @@
<dependency>
<groupId>com.exasol</groupId>
<artifactId>exasol-testcontainers</artifactId>
<version>7.2.0</version>
<version>7.3.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>testcontainers-junit-jupiter</artifactId>
<version>2.0.1</version>
<version>2.0.5</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.exasol</groupId>
<artifactId>test-db-builder-java</artifactId>
<version>3.6.4</version>
<version>4.0.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.itsallcode</groupId>
<artifactId>junit5-system-extensions</artifactId>
<version>1.2.2</version>
<version>1.2.3</version>
<scope>test</scope>
</dependency>
<dependency>
<!-- Enable log output for integration tests -->
<groupId>org.slf4j</groupId>
<artifactId>slf4j-jdk14</artifactId>
<version>2.0.17</version>
<version>2.0.18</version>
</dependency>
</dependencies>
<build>
Expand All @@ -133,7 +133,7 @@
<plugin>
<groupId>com.exasol</groupId>
<artifactId>project-keeper-maven-plugin</artifactId>
<version>5.4.3</version>
<version>5.7.2</version>
<executions>
<execution>
<goals>
Expand Down Expand Up @@ -172,7 +172,7 @@
<parent>
<artifactId>udf-debugging-java-generated-parent</artifactId>
<groupId>com.exasol</groupId>
<version>0.6.18</version>
<version>0.6.19</version>
<relativePath>pk_generated_parent.pom</relativePath>
</parent>
</project>