Releases: exasol/kafka-connector-extension
1.7.9 Fixed vulnerabilities CVE-2024-47535 and CVE-2023-1932
This release fixes the following vulnerabilities:
CVE-2024-47535 (CWE-400) in dependency io.netty:netty-common:jar:4.1.108.Final:test
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
References
- https://ossindex.sonatype.org/vulnerability/CVE-2024-47535?component-type=maven&component-name=io.netty%2Fnetty-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-47535
- GHSA-xq3w-v528-46rv
CVE-2023-1932 (CWE-79) in dependency org.hibernate.validator:hibernate-validator:jar:6.1.7.Final:test
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render invalid HTML, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.
References
- https://ossindex.sonatype.org/vulnerability/CVE-2023-1932?component-type=maven&component-name=org.hibernate.validator%2Fhibernate-validator&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1932
- GHSA-x83m-pf6f-pf9g
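Both advisories above name the scanner-reported coordinate, and the Netty advisory also names the version in which the issue was fixed (4.1.115). Whether a release actually clears such an advisory comes down to two mechanical steps: parsing the coordinate spellings used in these notes (`group:artifact:jar:version:scope` and `group/artifact@version`) and ordering versions correctly, which plain string comparison gets wrong for versions such as `4.1.99.Final` against `4.1.115`. The script below is an added example for these release notes, not code from the exasol/kafka-connector-extension project or its release tooling. Its version ordering is a simplified approximation of Maven's rules (an assumption, not Maven's full algorithm), the two dependency trees are constructed, and the post-release netty-common version is an assumption aligned with the netty-codec 4.1.115.Final that the notes add.

```python
"""Check whether a release's dependency versions clear a CVE advisory.

Added example for these release notes; not part of the
exasol/kafka-connector-extension project. Coordinates and the fixed-in
version come from the 1.7.9 notes; the trees and the ordering rules are
constructed assumptions (the ordering approximates Maven's
ComparableVersion and does not replicate every rule).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Qualifier ranks, lowest to highest: pre-release words, then release
# (an absent token, "final", "ga" and "release" all mean the release),
# then unknown qualifiers such as "jre" or "v", which sort after a release.
_PRE_RELEASE = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
                "rc": 3, "cr": 3, "snapshot": 4, "snap": 4}
_RELEASE = {"", "final", "ga", "release"}
_RELEASE_TOKEN = (1, 0, "")
_PACKAGINGS = {"jar", "pom", "war", "bundle", "maven-plugin"}


def _tokens(version: str) -> List[Tuple[int, int, str]]:
    """Split a version into comparable (rank, number, text) tokens."""
    out = []
    for raw in re.findall(r"\d+|[A-Za-z]+", version):
        low = raw.lower()
        if raw.isdigit():
            out.append((2, int(raw), ""))
        elif low in _RELEASE:
            out.append(_RELEASE_TOKEN)
        elif low in _PRE_RELEASE:
            out.append((0, _PRE_RELEASE[low], ""))
        else:
            out.append((3, 0, low))
    return out


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter versions are padded with release tokens,
    so "4.1.115.Final" == "4.1.115" and "4.1.99.Final" < "4.1.115"."""
    ta, tb = _tokens(a), _tokens(b)
    n = max(len(ta), len(tb))
    ta += [_RELEASE_TOKEN] * (n - len(ta))
    tb += [_RELEASE_TOKEN] * (n - len(tb))
    return (ta > tb) - (ta < tb)


@dataclass(frozen=True)
class Coordinate:
    group: str
    artifact: str
    version: str
    scope: Optional[str] = None

    @property
    def key(self) -> Tuple[str, str]:
        return (self.group, self.artifact)


def parse_coordinate(text: str) -> Coordinate:
    """Parse 'group:artifact[:packaging]:version[:scope]' or
    'group/artifact@version', the two spellings used in these notes."""
    text = text.strip()
    if "@" in text and "/" in text:
        ga, version = text.rsplit("@", 1)
        group, artifact = ga.split("/", 1)
        return Coordinate(group, artifact, version)
    parts = text.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a Maven coordinate: {text!r}")
    group, artifact, rest = parts[0], parts[1], parts[2:]
    if rest[0] in _PACKAGINGS:  # packaging is optional in the notes
        rest = rest[1:]
    if not rest:
        raise ValueError(f"coordinate has no version: {text!r}")
    return Coordinate(group, artifact, rest[0], rest[1] if len(rest) > 1 else None)


@dataclass(frozen=True)
class Advisory:
    cve: str
    affected: Coordinate  # vulnerable coordinate the scanner reported
    fixed_in: str         # first fixed version named in the advisory


def advisory_status(advisory: Advisory, resolved: Dict[Tuple[str, str], str]) -> str:
    """'absent' if the artifact no longer resolves, 'fixed' if the resolved
    version is at or above fixed_in, otherwise 'vulnerable'."""
    current = resolved.get(advisory.affected.key)
    if current is None:
        return "absent"
    return "fixed" if compare_versions(current, advisory.fixed_in) >= 0 else "vulnerable"


# From the 1.7.9 notes: the reported coordinate and the fixed-in version.
NETTY_ADVISORY = Advisory(
    "CVE-2024-47535",
    parse_coordinate("io.netty:netty-common:jar:4.1.108.Final:test"),
    "4.1.115",
)
# Constructed trees (assumption): the scanner-reported version before the
# release, and netty-common aligned with the added netty-codec 4.1.115.Final after.
TREE_BEFORE = {("io.netty", "netty-common"): "4.1.108.Final"}
TREE_AFTER = {("io.netty", "netty-common"): "4.1.115.Final"}

if __name__ == "__main__":
    for label, tree in (("before 1.7.9", TREE_BEFORE), ("after 1.7.9", TREE_AFTER)):
        print(label, NETTY_ADVISORY.cve, advisory_status(NETTY_ADVISORY, tree))
```

The padding rule is what makes `.Final` harmless: the advisory says "fixed in 4.1.115" while the resolved artifact is `4.1.115.Final`, and a comparator that treats the trailing qualifier as anything other than the release would report the fixed build as still vulnerable.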
Security
- #118: Fixed vulnerability CVE-2024-47535 in dependency io.netty:netty-common:jar:4.1.108.Final:test
- #116: Fixed vulnerability CVE-2023-1932 in dependency org.hibernate.validator:hibernate-validator:jar:6.1.7.Final:test
Dependency Updates
Exasol Kafka Connector Extension
Compile Dependency Updates
- Updated ch.qos.logback:logback-classic:1.5.6 to 1.5.12
- Added com.exasol:import-export-udf-common-scala:2.0.1
- Removed com.exasol:import-export-udf-common-scala_2.13:2.0.0
- Updated com.fasterxml.jackson.core:jackson-core:2.17.0 to 2.18.1
- Updated com.google.guava:guava:33.1.0-jre to 33.3.1-jre
- Updated org.apache.avro:avro:1.11.4 to 1.12.0
- Updated org.apache.commons:commons-compress:1.26.1 to 1.27.1
- Updated org.scala-lang.modules:scala-collection-compat_2.13:2.11.0 to 2.12.0
- Updated org.scala-lang:scala-library:2.13.12 to 2.13.15
Test Dependency Updates
- Updated com.exasol:extension-manager-integration-test-java:0.5.10 to 0.5.13
- Updated com.exasol:hamcrest-resultset-matcher:1.6.5 to 1.7.0
- Added com.exasol:maven-project-version-getter:1.2.0
- Updated com.exasol:test-db-builder-java:3.5.4 to 3.6.0
- Updated com.google.protobuf:protobuf-java:3.25.5 to 4.28.3
- Updated io.github.classgraph:classgraph:4.8.174 to 4.8.179
- Added io.netty:netty-codec:4.1.115.Final
- Removed org.eclipse.jetty:jetty-http:9.4.56.v20240826
- Removed org.eclipse.jetty:jetty-server:9.4.56.v20240826
- Removed org.eclipse.jetty:jetty-servlets:9.4.56.v20240826
- Added org.hibernate.validator:hibernate-validator:6.2.5.Final
- Updated org.mockito:mockito-core:5.11.0 to 5.14.2
- Updated org.testcontainers:kafka:1.19.7 to 1.20.3
Plugin Dependency Updates
- Updated io.github.evis:scalafix-maven-plugin_2.13:0.1.8_0.11.0 to 0.1.10_0.11.0
- Updated net.alchim31.maven:scala-maven-plugin:4.8.1 to 4.9.2
- Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.3 to 3.11.1
- Updated org.codehaus.mojo:exec-maven-plugin:3.2.0 to 3.5.0
- Updated org.itsallcode:openfasttrace-maven-plugin:2.0.0 to 2.3.0
Extension
Compile Dependency Updates
- Updated @exasol/extension-manager-interface:0.4.1 to 0.4.3
Development Dependency Updates
- Updated eslint:^8.57.0 to 9.14.0
- Updated @types/node:^20.11.28 to ^22.9.1
- Updated ts-jest:^29.1.2 to ^29.2.5
- Added typescript-eslint:^8.14.0
- Updated typescript:^5.4.2 to ^5.6.3
- Updated esbuild:^0.20.2 to ^0.24.0
- Removed @typescript-eslint/parser:^7.2.0
- Removed @typescript-eslint/eslint-plugin:^7.2.0
1.7.8 Fix several CVEs in transitive dependencies, upgrade version of Kafka libs
This release upgrades the Kafka client dependency (to 7.7.1) and fixes several CVEs in transitive dependencies:
- CVE-2024-47561 in org.apache.avro:avro:jar:1.11.3:compile
- CVE-2024-9823 and CVE-2024-6762 in org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:test
- CVE-2024-8184 in org.eclipse.jetty:jetty-server:jar:9.4.54.v20240208:test
Security
- #106: CVE-2024-47561: org.apache.avro:avro:jar:1.11.3:compile
- #109: CVE-2024-9823: org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:test
- #112: CVE-2024-6762: org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:test
- #113: CVE-2024-8184: org.eclipse.jetty:jetty-server:jar:9.4.54.v20240208:test
Dependency Updates
Exasol Kafka Connector Extension
Compile Dependency Updates
- Updated io.confluent:kafka-avro-serializer:7.6.0 to 7.7.1
- Updated org.apache.avro:avro:1.11.3 to 1.11.4
- Updated org.apache.kafka:kafka-clients:3.6.0 to 3.7.1
- Removed org.xerial.snappy:snappy-java:1.1.10.5
Test Dependency Updates
- Updated io.confluent:kafka-streams-avro-serde:7.6.0 to 7.7.1
- Updated io.github.embeddedkafka:embedded-kafka-schema-registry_2.13:7.6.0 to 7.7.1
- Removed joda-time:joda-time:2.12.7
- Removed org.apache.kafka:kafka-metadata:3.6.2
- Removed org.apache.zookeeper:zookeeper:3.9.2
- Removed org.bitbucket.b_c:jose4j:0.9.6
- Removed org.eclipse.jetty.http2:http2-server:9.4.54.v20240208
- Added org.eclipse.jetty:jetty-http:9.4.56.v20240826
- Added org.eclipse.jetty:jetty-server:9.4.56.v20240826
- Added org.eclipse.jetty:jetty-servlets:9.4.56.v20240826
- Removed org.json:json:20240303
Plugin Dependency Updates
- Updated com.exasol:project-keeper-maven-plugin:4.3.3 to 4.4.0
- Added com.exasol:quality-summarizer-maven-plugin:0.2.0
- Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
- Updated org.apache.maven.plugins:maven-clean-plugin:2.5 to 3.4.0
- Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.1
- Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
- Updated org.apache.maven.plugins:maven-jar-plugin:3.4.1 to 3.4.2
- Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
- Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
- Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
- Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1
1.7.7 Fix logging, fixed vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:test
This release fixes logging of the UDF by adding required libraries. The log level is WARN by default and can be changed by rebuilding the adapter JAR. See the Exasol documentation for how to configure logging of UDFs.
This release fixes the following vulnerability:
CVE-2024-7254 (CWE-20) in dependency com.google.protobuf:protobuf-java:jar:3.19.6:test
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
References
- https://ossindex.sonatype.org/vulnerability/CVE-2024-7254?component-type=maven&component-name=com.google.protobuf%2Fprotobuf-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-7254
- GHSA-735f-pc8j-v9w8
Security
- #101: Fixed vulnerability CVE-2024-7254 in dependency com.google.protobuf:protobuf-java:jar:3.19.6:test
Dependency Updates
Exasol Kafka Connector Extension
Compile Dependency Updates
- Added ch.qos.logback:logback-classic:1.5.6
- Added org.slf4j:slf4j-api:2.0.16
Test Dependency Updates
- Removed ch.qos.logback:logback-classic:1.5.3
- Removed ch.qos.logback:logback-core:1.5.3
- Updated com.exasol:exasol-testcontainers:7.0.1 to 7.1.1
- Added com.google.protobuf:protobuf-java:3.25.5
Plugin Dependency Updates
- Updated org.itsallcode:openfasttrace-maven-plugin:1.8.0 to 2.0.0
1.7.6 Fix CVE-2021-47621
Fixes CVE-2021-47621.
Security
- #98: CVE-2021-47621: io.github.classgraph:classgraph:jar:4.8.21:test
Dependency Updates
Exasol Kafka Connector Extension
Test Dependency Updates
- Added io.github.classgraph:classgraph:4.8.174
Plugin Dependency Updates
- Updated com.exasol:error-code-crawler-maven-plugin:2.0.2 to 2.0.3
- Updated com.exasol:project-keeper-maven-plugin:4.3.0 to 4.3.3
- Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
- Updated org.apache.maven.plugins:maven-jar-plugin:3.3.0 to 3.4.1
- Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
- Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922 to 4.0.0.4121
1.7.5 Fix CVEs in compile and test dependencies
This release fixes the following vulnerabilities in dependencies:
- CVE-2024-27309 in org.apache.kafka:kafka-server-common:jar:3.6.0:test
- CVE-2024-27309 in org.apache.kafka:kafka-clients:jar:3.6.0:compile
- CVE-2024-23080 in joda-time:joda-time:jar:2.10.8:test
- CVE-2024-29025 in io.netty:netty-codec-http:jar:4.1.107.Final:test
Security
- #92: Fixed CVE-2024-29025
- #93: Fixed CVE-2024-23080
- #94: Fixed CVE-2024-27309
- #95: Fixed CVE-2024-27309
Dependency Updates
Exasol Kafka Connector Extension
Test Dependency Updates
- Updated com.exasol:extension-manager-integration-test-java:0.5.8 to 0.5.10
- Added joda-time:joda-time:2.12.7
- Added org.apache.kafka:kafka-metadata:3.6.2
Plugin Dependency Updates
- Updated com.exasol:error-code-crawler-maven-plugin:2.0.0 to 2.0.2
- Updated com.exasol:project-keeper-maven-plugin:4.1.0 to 4.3.0
- Updated org.apache.maven.plugins:maven-assembly-plugin:3.6.0 to 3.7.1
- Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.13.0
- Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.12
- Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 3.11.0.3922
1.7.4: Fix CVE-2024-25710 in compile dependency
Summary
This release fixes the following vulnerabilities in dependencies:
- CVE-2024-25710 in org.apache.commons:commons-compress:jar:1.21:compile
- CVE-2024-22201 in org.eclipse.jetty.http2:http2-common:jar:9.4.53.v20231009:test
- CVE-2023-51775 in org.bitbucket.b_c:jose4j:jar:0.9.3:test
Security
- #88: Fixed CVE-2024-25710 in org.apache.commons:commons-compress:jar:1.21:compile
- #89: Fixed CVE-2024-22201 in org.eclipse.jetty.http2:http2-common:jar:9.4.53.v20231009:test
- #90: Fixed CVE-2023-51775 in org.bitbucket.b_c:jose4j:jar:0.9.3:test
Dependency Updates
Exasol Kafka Connector Extension
Compile Dependency Updates
- Updated com.exasol:import-export-udf-common-scala_2.13:1.1.1 to 2.0.0
- Added com.fasterxml.jackson.core:jackson-core:2.17.0
- Updated com.google.guava:guava:33.0.0-jre to 33.1.0-jre
- Updated io.confluent:kafka-avro-serializer:7.5.2 to 7.6.0
- Added org.apache.avro:avro:1.11.3
- Updated org.apache.commons:commons-compress:1.26.0 to 1.26.1
- Updated org.apache.kafka:kafka-clients:3.5.1 to 3.6.0
- Updated org.scala-lang:scala-library:2.13.3 to 2.13.12
Test Dependency Updates
- Updated ch.qos.logback:logback-classic:1.4.14 to 1.5.3
- Updated ch.qos.logback:logback-core:1.4.14 to 1.5.3
- Updated com.exasol:exasol-testcontainers:7.0.0 to 7.0.1
- Updated com.exasol:extension-manager-integration-test-java:0.5.7 to 0.5.8
- Updated com.exasol:hamcrest-resultset-matcher:1.6.3 to 1.6.5
- Updated com.exasol:test-db-builder-java:3.5.3 to 3.5.4
- Updated com.sksamuel.avro4s:avro4s-core_2.13:4.1.1 to 4.1.2
- Updated io.confluent:kafka-streams-avro-serde:7.5.2 to 7.6.0
- Updated io.github.embeddedkafka:embedded-kafka-schema-registry_2.13:7.5.2 to 7.6.0
- Removed org.apache.avro:avro:1.11.3
- Updated org.apache.zookeeper:zookeeper:3.9.1 to 3.9.2
- Added org.bitbucket.b_c:jose4j:0.9.6
- Added org.eclipse.jetty.http2:http2-server:9.4.54.v20240208
- Updated org.json:json:20231013 to 20240303
- Updated org.mockito:mockito-core:5.8.0 to 5.11.0
- Updated org.testcontainers:kafka:1.19.3 to 1.19.7
Plugin Dependency Updates
- Updated com.diffplug.spotless:spotless-maven-plugin:2.40.0 to 2.43.0
- Updated com.exasol:error-code-crawler-maven-plugin:1.3.1 to 2.0.0
- Updated com.exasol:project-keeper-maven-plugin:3.0.1 to 4.1.0
- Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
- Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.3 to 3.2.5
- Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.2 to 3.6.3
- Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.3 to 3.2.5
- Updated org.codehaus.mojo:exec-maven-plugin:3.1.0 to 3.2.0
- Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0
- Updated org.itsallcode:openfasttrace-maven-plugin:1.6.2 to 1.8.0
Extension
Development Dependency Updates
- Updated eslint:^8.53.0 to ^8.57.0
- Updated @types/node:^20.9.0 to ^20.11.28
- Updated @typescript-eslint/parser:^6.10.0 to ^7.2.0
- Updated ts-jest:^29.1.1 to ^29.1.2
- Updated typescript:^5.2.2 to ^5.4.2
- Updated @typescript-eslint/eslint-plugin:^6.10.0 to ^7.2.0
- Updated ts-node:^10.9.1 to ^10.9.2
- Updated esbuild:^0.19.5 to ^0.20.2
1.7.3: Custom `krb5.conf` files support.
Summary
Implemented support for custom krb5.conf files.
Updated a transitive dependency to fix CVE-2024-25710 and CVE-2024-26308.
Features
- #86: Add support for custom krb5.conf
Dependency Updates
Compile Dependency Updates
- Added org.apache.commons:commons-compress:1.26.0
Plugin Dependency Updates
- Updated com.exasol:project-keeper-maven-plugin:3.0.0 to 3.0.1
1.7.2: Fix CVE-2023-6378 in `logback` test dependencies
This release fixes CVE-2023-6378 in dependencies ch.qos.logback/logback-core@1.2.10 and ch.qos.logback/logback-classic@1.2.10 with scope test.
Security
- #83: Fixed CVE-2023-6378 in ch.qos.logback/logback-classic@1.2.10
- #84: Fixed CVE-2023-6378 in ch.qos.logback/logback-core@1.2.10
Dependency Updates
Compile Dependency Updates
- Updated com.google.guava:guava:32.1.3-jre to 33.0.0-jre
Test Dependency Updates
- Added ch.qos.logback:logback-classic:1.4.14
- Added ch.qos.logback:logback-core:1.4.14
- Updated com.exasol:exasol-testcontainers:6.6.3 to 7.0.0
- Updated com.exasol:hamcrest-resultset-matcher:1.6.2 to 1.6.3
- Updated com.exasol:test-db-builder-java:3.5.1 to 3.5.3
- Updated io.github.embeddedkafka:embedded-kafka-schema-registry_2.13:7.5.1 to 7.5.2
- Removed io.netty:netty-handler:4.1.101.Final
- Updated org.mockito:mockito-core:5.7.0 to 5.8.0
- Updated org.testcontainers:kafka:1.19.1 to 1.19.3
Plugin Dependency Updates
- Updated com.exasol:project-keeper-maven-plugin:2.9.16 to 3.0.0
- Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.2 to 3.2.3
- Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.2 to 3.2.3
- Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
- Updated org.codehaus.mojo:versions-maven-plugin:2.16.1 to 2.16.2
1.7.1: Test with Exasol v8
Summary
This release adds integration tests with Exasol DB version 8.
Features
- #77: Added tests with Exasol v8
Documentation
- #79: Added example of JAAS config in docs
Dependency Updates
Compile Dependency Updates
- Updated io.confluent:kafka-avro-serializer:7.5.1 to 7.5.2
Test Dependency Updates
- Updated com.exasol:exasol-testcontainers:6.6.2 to 6.6.3
- Updated com.exasol:extension-manager-integration-test-java:0.5.1 to 0.5.7
- Updated com.exasol:hamcrest-resultset-matcher:1.6.1 to 1.6.2
- Updated io.confluent:kafka-streams-avro-serde:7.5.1 to 7.5.2
- Updated io.netty:netty-handler:4.1.100.Final to 4.1.101.Final
- Updated org.mockito:mockito-core:5.6.0 to 5.7.0
Plugin Dependency Updates
- Updated com.exasol:project-keeper-maven-plugin:2.9.14 to 2.9.16
- Updated org.apache.maven.plugins:maven-failsafe-plugin:3.1.2 to 3.2.2
- Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.0 to 3.6.2
- Updated org.apache.maven.plugins:maven-surefire-plugin:3.1.2 to 3.2.2
1.7.0: Extension manager support
Summary
Adds extension manager support.
Note: This release contains the following known vulnerabilities in dependencies:
- Compile dependencies:
  - org.scala-lang:scala-library:jar:2.13.3: CVE-2022-36944
- Test dependencies:
  - io.netty:netty-handler:jar:4.1.95.Final: CVE-2023-4586
  - fr.turri:aXMLRPC:jar:1.13.0: CVE-2020-36641
  - org.eclipse.jetty:jetty-http:jar:9.4.51.v20230217:test: CVE-2023-40167
  - org.eclipse.jetty.http2:http2-common:jar:9.4.51.v20230217:test: CVE-2023-44487
  - org.eclipse.jetty:jetty-servlets:jar:9.4.51.v20230217:test: CVE-2023-36479
  - org.eclipse.jetty.http2:http2-hpack:jar:9.4.51.v20230217:test: CVE-2023-36478
Features
- #72: Added extension manager support.
Dependency Updates
Compile Dependency Updates
- Updated com.google.guava:guava:32.1.1-jre to 32.1.3-jre
- Updated io.confluent:kafka-avro-serializer:7.4.1 to 7.5.1
- Added org.apache.kafka:kafka-clients:3.5.1
- Added org.xerial.snappy:snappy-java:1.1.10.5
Test Dependency Updates
- Updated com.exasol:exasol-testcontainers:6.6.1 to 6.6.2
- Added com.exasol:extension-manager-integration-test-java:0.5.1
- Updated com.exasol:hamcrest-resultset-matcher:1.6.0 to 1.6.1
- Updated com.exasol:test-db-builder-java:3.4.2 to 3.5.1
- Updated io.confluent:kafka-streams-avro-serde:7.4.1 to 7.5.1
- Updated io.github.embeddedkafka:embedded-kafka-schema-registry_2.13:7.4.1 to 7.5.1
- Updated io.netty:netty-handler:4.1.95.Final to 4.1.100.Final
- Added org.apache.avro:avro:1.11.3
- Added org.apache.zookeeper:zookeeper:3.9.1
- Added org.json:json:20231013
- Updated org.mockito:mockito-core:5.4.0 to 5.6.0
- Updated org.scalatestplus:scalatestplus-mockito_2.13:1.0.0-M2 to 1.0.0-SNAP5
- Updated org.scalatest:scalatest_2.13:3.2.16 to 3.3.0-SNAP4
- Added org.testcontainers:kafka:1.19.1
Plugin Dependency Updates
- Updated com.diffplug.spotless:spotless-maven-plugin:2.37.0 to 2.40.0
- Updated com.exasol:error-code-crawler-maven-plugin:1.3.0 to 1.3.1
- Updated com.exasol:project-keeper-maven-plugin:2.9.9 to 2.9.14
- Updated org.apache.maven.plugins:maven-enforcer-plugin:3.3.0 to 3.4.1
- Updated org.apache.maven.plugins:maven-javadoc-plugin:3.5.0 to 3.6.0
- Added org.codehaus.mojo:exec-maven-plugin:3.1.0
- Updated org.codehaus.mojo:versions-maven-plugin:2.16.0 to 2.16.1
- Updated org.jacoco:jacoco-maven-plugin:0.8.10 to 0.8.11
- Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184 to 3.10.0.2594