
Releases: exasol/kafka-connector-extension

1.7.9 Fixed vulnerabilities CVE-2024-47535 and CVE-2023-1932

20 Nov 15:58
6da3096

This release fixes the following vulnerabilities:

CVE-2024-47535 (CWE-400) in dependency io.netty:netty-common:jar:4.1.108.Final:test

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.


CVE-2023-1932 (CWE-79) in dependency org.hibernate.validator:hibernate-validator:jar:6.1.7.Final:test

A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render the invalid HTML, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.


Security

  • #118: Fixed vulnerability CVE-2024-47535 in dependency io.netty:netty-common:jar:4.1.108.Final:test
  • #116: Fixed vulnerability CVE-2023-1932 in dependency org.hibernate.validator:hibernate-validator:jar:6.1.7.Final:test

Dependency Updates

Exasol Kafka Connector Extension

Compile Dependency Updates

  • Updated ch.qos.logback:logback-classic:1.5.6 to 1.5.12
  • Added com.exasol:import-export-udf-common-scala:2.0.1
  • Removed com.exasol:import-export-udf-common-scala_2.13:2.0.0
  • Updated com.fasterxml.jackson.core:jackson-core:2.17.0 to 2.18.1
  • Updated com.google.guava:guava:33.1.0-jre to 33.3.1-jre
  • Updated org.apache.avro:avro:1.11.4 to 1.12.0
  • Updated org.apache.commons:commons-compress:1.26.1 to 1.27.1
  • Updated org.scala-lang.modules:scala-collection-compat_2.13:2.11.0 to 2.12.0
  • Updated org.scala-lang:scala-library:2.13.12 to 2.13.15

Test Dependency Updates

  • Updated com.exasol:extension-manager-integration-test-java:0.5.10 to 0.5.13
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.5 to 1.7.0
  • Added com.exasol:maven-project-version-getter:1.2.0
  • Updated com.exasol:test-db-builder-java:3.5.4 to 3.6.0
  • Updated com.google.protobuf:protobuf-java:3.25.5 to 4.28.3
  • Updated io.github.classgraph:classgraph:4.8.174 to 4.8.179
  • Added io.netty:netty-codec:4.1.115.Final
  • Removed org.eclipse.jetty:jetty-http:9.4.56.v20240826
  • Removed org.eclipse.jetty:jetty-server:9.4.56.v20240826
  • Removed org.eclipse.jetty:jetty-servlets:9.4.56.v20240826
  • Added org.hibernate.validator:hibernate-validator:6.2.5.Final
  • Updated org.mockito:mockito-core:5.11.0 to 5.14.2
  • Updated org.testcontainers:kafka:1.19.7 to 1.20.3

Plugin Dependency Updates

  • Updated io.github.evis:scalafix-maven-plugin_2.13:0.1.8_0.11.0 to 0.1.10_0.11.0
  • Updated net.alchim31.maven:scala-maven-plugin:4.8.1 to 4.9.2
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.3 to 3.11.1
  • Updated org.codehaus.mojo:exec-maven-plugin:3.2.0 to 3.5.0
  • Updated org.itsallcode:openfasttrace-maven-plugin:2.0.0 to 2.3.0

Extension

Compile Dependency Updates

  • Updated @exasol/extension-manager-interface:0.4.1 to 0.4.3

Development Dependency Updates

  • Updated eslint:^8.57.0 to 9.14.0
  • Updated @types/node:^20.11.28 to ^22.9.1
  • Updated ts-jest:^29.1.2 to ^29.2.5
  • Added typescript-eslint:^8.14.0
  • Updated typescript:^5.4.2 to ^5.6.3
  • Updated esbuild:^0.20.2 to ^0.24.0
  • Removed @typescript-eslint/parser:^7.2.0
  • Removed @typescript-eslint/eslint-plugin:^7.2.0

1.7.8 Fix several CVEs in transitive dependencies, upgrade version of Kafka libs

24 Oct 12:58
bd009fc

This release upgrades the Kafka client dependency (to 7.7.1) and fixes several CVEs in transitive dependencies.


Dependency Updates

Exasol Kafka Connector Extension

Compile Dependency Updates

  • Updated io.confluent:kafka-avro-serializer:7.6.0 to 7.7.1
  • Updated org.apache.avro:avro:1.11.3 to 1.11.4
  • Updated org.apache.kafka:kafka-clients:3.6.0 to 3.7.1
  • Removed org.xerial.snappy:snappy-java:1.1.10.5

Test Dependency Updates

  • Updated io.confluent:kafka-streams-avro-serde:7.6.0 to 7.7.1
  • Updated io.github.embeddedkafka:embedded-kafka-schema-registry_2.13:7.6.0 to 7.7.1
  • Removed joda-time:joda-time:2.12.7
  • Removed org.apache.kafka:kafka-metadata:3.6.2
  • Removed org.apache.zookeeper:zookeeper:3.9.2
  • Removed org.bitbucket.b_c:jose4j:0.9.6
  • Removed org.eclipse.jetty.http2:http2-server:9.4.54.v20240208
  • Added org.eclipse.jetty:jetty-http:9.4.56.v20240826
  • Added org.eclipse.jetty:jetty-server:9.4.56.v20240826
  • Added org.eclipse.jetty:jetty-servlets:9.4.56.v20240826
  • Removed org.json:json:20240303

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.3 to 4.4.0
  • Added com.exasol:quality-summarizer-maven-plugin:0.2.0
  • Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
  • Updated org.apache.maven.plugins:maven-clean-plugin:2.5 to 3.4.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.1
  • Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.4.1 to 3.4.2
  • Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
  • Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1

1.7.7 Fix logging, fixed vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:test

25 Sep 12:38
56a1a5b

This release fixes logging of the UDF by adding required libraries. The log level is WARN by default and can be changed by rebuilding the adapter JAR. See the Exasol documentation for how to configure logging of UDFs.

This release fixes the following vulnerability:

CVE-2024-7254 (CWE-20) in dependency com.google.protobuf:protobuf-java:jar:3.19.6:test

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
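As an added illustration of the failure mode described above (this is not code from the connector, from protobuf-java, or from the CVE advisory), the following walks the protobuf wire format iteratively, tracks SGROUP/EGROUP nesting, and rejects input past a fixed depth. That depth bound is what a parser has to enforce before it recurses into nested groups; without it, a short byte string of repeated start-group tags drives the recursion as deep as the attacker likes. The sample messages are constructed here, and `max_group_depth`, `within_depth_limit` and the default limit are this example's own names and values, not the library's.

```python
"""Depth-bounded walk over protobuf wire-format bytes (illustrative, not protobuf-java)."""

# Wire types from the protobuf encoding spec.
WIRE_VARINT, WIRE_FIXED64, WIRE_LEN, WIRE_SGROUP, WIRE_EGROUP, WIRE_FIXED32 = 0, 1, 2, 3, 4, 5

DEFAULT_DEPTH_LIMIT = 100  # assumed bound for this example


class NestingTooDeep(ValueError):
    """Raised when group nesting exceeds the configured limit."""


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def max_group_depth(buf: bytes, limit: int = DEFAULT_DEPTH_LIMIT) -> int:
    """Return the deepest SGROUP nesting in buf, raising NestingTooDeep past limit.

    The walk is iterative, so the check itself cannot overflow the stack; the
    limit models the bound a recursive parser must apply before descending.
    """
    pos, depth, deepest = 0, 0, 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wire = tag >> 3, tag & 7
        if field == 0:
            raise ValueError("invalid field number 0")
        if wire == WIRE_VARINT:
            _, pos = _read_varint(buf, pos)
        elif wire == WIRE_FIXED64:
            pos += 8
        elif wire == WIRE_FIXED32:
            pos += 4
        elif wire == WIRE_LEN:
            length, pos = _read_varint(buf, pos)
            pos += length
        elif wire == WIRE_SGROUP:
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"group nesting exceeds {limit}")
            deepest = max(deepest, depth)
        elif wire == WIRE_EGROUP:
            if depth == 0:
                raise ValueError("unmatched end-group tag")
            depth -= 1
        else:
            raise ValueError(f"unknown wire type {wire}")
        if pos > len(buf):
            raise ValueError("truncated field payload")
    if depth != 0:
        raise ValueError("unterminated group")
    return deepest


def within_depth_limit(buf: bytes, limit: int = DEFAULT_DEPTH_LIMIT) -> bool:
    """True if buf parses with nesting at or below limit, False if it exceeds it."""
    try:
        max_group_depth(buf, limit)
        return True
    except NestingTooDeep:
        return False


def nested_groups(field: int, count: int) -> bytes:
    """Constructed sample: `count` nested groups on a single-byte field tag (field < 16)."""
    start = bytes([(field << 3) | WIRE_SGROUP])
    end = bytes([(field << 3) | WIRE_EGROUP])
    return start * count + end * count


if __name__ == "__main__":
    print(max_group_depth(nested_groups(1, 5)))               # 5
    print(within_depth_limit(nested_groups(1, 200), 100))     # False
```

The sample of 200 nested groups is only 400 bytes, which is the point of the advisory: input size gives no protection, so the depth counter has to be the control.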


Security

  • #101: Fixed vulnerability CVE-2024-7254 in dependency com.google.protobuf:protobuf-java:jar:3.19.6:test

Dependency Updates

Exasol Kafka Connector Extension

Compile Dependency Updates

  • Added ch.qos.logback:logback-classic:1.5.6
  • Added org.slf4j:slf4j-api:2.0.16

Test Dependency Updates

  • Removed ch.qos.logback:logback-classic:1.5.3
  • Removed ch.qos.logback:logback-core:1.5.3
  • Updated com.exasol:exasol-testcontainers:7.0.1 to 7.1.1
  • Added com.google.protobuf:protobuf-java:3.25.5

Plugin Dependency Updates

  • Updated org.itsallcode:openfasttrace-maven-plugin:1.8.0 to 2.0.0

1.7.6 Fix CVE-2021-47621

05 Jul 11:04
fbb4faa

Fixes CVE-2021-47621.


Dependency Updates

Exasol Kafka Connector Extension

Test Dependency Updates

  • Added io.github.classgraph:classgraph:4.8.174

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.2 to 2.0.3
  • Updated com.exasol:project-keeper-maven-plugin:4.3.0 to 4.3.3
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.3.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922 to 4.0.0.4121

1.7.5 Fix CVEs in compile and test dependencies

07 May 12:49
f13e8fa

This release fixes the following vulnerabilities in dependencies:


Dependency Updates

Exasol Kafka Connector Extension

Test Dependency Updates

  • Updated com.exasol:extension-manager-integration-test-java:0.5.8 to 0.5.10
  • Added joda-time:joda-time:2.12.7
  • Added org.apache.kafka:kafka-metadata:3.6.2

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.0 to 2.0.2
  • Updated com.exasol:project-keeper-maven-plugin:4.1.0 to 4.3.0
  • Updated org.apache.maven.plugins:maven-assembly-plugin:3.6.0 to 3.7.1
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.13.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.12
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 3.11.0.3922

1.7.4: Fix CVE-2024-25710 in compile dependency

15 Mar 09:12
32506d5

Summary

This release fixes the following vulnerabilities in dependencies:

  • CVE-2024-25710 in org.apache.commons:commons-compress:jar:1.21:compile
  • CVE-2024-22201 in org.eclipse.jetty.http2:http2-common:jar:9.4.53.v20231009:test
  • CVE-2023-51775 in org.bitbucket.b_c:jose4j:jar:0.9.3:test


Dependency Updates

Exasol Kafka Connector Extension

Compile Dependency Updates

  • Updated com.exasol:import-export-udf-common-scala_2.13:1.1.1 to 2.0.0
  • Added com.fasterxml.jackson.core:jackson-core:2.17.0
  • Updated com.google.guava:guava:33.0.0-jre to 33.1.0-jre
  • Updated io.confluent:kafka-avro-serializer:7.5.2 to 7.6.0
  • Added org.apache.avro:avro:1.11.3
  • Updated org.apache.commons:commons-compress:1.26.0 to 1.26.1
  • Updated org.apache.kafka:kafka-clients:3.5.1 to 3.6.0
  • Updated org.scala-lang:scala-library:2.13.3 to 2.13.12

Test Dependency Updates

  • Updated ch.qos.logback:logback-classic:1.4.14 to 1.5.3
  • Updated ch.qos.logback:logback-core:1.4.14 to 1.5.3
  • Updated com.exasol:exasol-testcontainers:7.0.0 to 7.0.1
  • Updated com.exasol:extension-manager-integration-test-java:0.5.7 to 0.5.8
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.3 to 1.6.5
  • Updated com.exasol:test-db-builder-java:3.5.3 to 3.5.4
  • Updated com.sksamuel.avro4s:avro4s-core_2.13:4.1.1 to 4.1.2
  • Updated io.confluent:kafka-streams-avro-serde:7.5.2 to 7.6.0
  • Updated io.github.embeddedkafka:embedded-kafka-schema-registry_2.13:7.5.2 to 7.6.0
  • Removed org.apache.avro:avro:1.11.3
  • Updated org.apache.zookeeper:zookeeper:3.9.1 to 3.9.2
  • Added org.bitbucket.b_c:jose4j:0.9.6
  • Added org.eclipse.jetty.http2:http2-server:9.4.54.v20240208
  • Updated org.json:json:20231013 to 20240303
  • Updated org.mockito:mockito-core:5.8.0 to 5.11.0
  • Updated org.testcontainers:kafka:1.19.3 to 1.19.7

Plugin Dependency Updates

  • Updated com.diffplug.spotless:spotless-maven-plugin:2.40.0 to 2.43.0
  • Updated com.exasol:error-code-crawler-maven-plugin:1.3.1 to 2.0.0
  • Updated com.exasol:project-keeper-maven-plugin:3.0.1 to 4.1.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.11.0 to 3.12.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.3 to 3.2.5
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.2 to 3.6.3
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.3 to 3.2.5
  • Updated org.codehaus.mojo:exec-maven-plugin:3.1.0 to 3.2.0
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.5.0 to 1.6.0
  • Updated org.itsallcode:openfasttrace-maven-plugin:1.6.2 to 1.8.0

Extension

Development Dependency Updates

  • Updated eslint:^8.53.0 to ^8.57.0
  • Updated @types/node:^20.9.0 to ^20.11.28
  • Updated @typescript-eslint/parser:^6.10.0 to ^7.2.0
  • Updated ts-jest:^29.1.1 to ^29.1.2
  • Updated typescript:^5.2.2 to ^5.4.2
  • Updated @typescript-eslint/eslint-plugin:^6.10.0 to ^7.2.0
  • Updated ts-node:^10.9.1 to ^10.9.2
  • Updated esbuild:^0.19.5 to ^0.20.2

1.7.3: Custom `krb5.conf` files support.

20 Feb 13:01
a831fdc

Summary

Implemented support for custom krb5.conf files.
Updated a transitive dependency to fix CVE-2024-25710 and CVE-2024-26308.

Features

  • #86: Add support for custom krb5.conf

Dependency Updates

Compile Dependency Updates

  • Added org.apache.commons:commons-compress:1.26.0

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:3.0.0 to 3.0.1

1.7.2: Fix CVE-2023-6378 in `logback` test dependencies

21 Dec 08:51
7a1fc9f

This release fixes CVE-2023-6378 in dependencies ch.qos.logback/logback-core@1.2.10 and ch.qos.logback/logback-classic@1.2.10 with scope test.


Dependency Updates

Compile Dependency Updates

  • Updated com.google.guava:guava:32.1.3-jre to 33.0.0-jre

Test Dependency Updates

  • Added ch.qos.logback:logback-classic:1.4.14
  • Added ch.qos.logback:logback-core:1.4.14
  • Updated com.exasol:exasol-testcontainers:6.6.3 to 7.0.0
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.2 to 1.6.3
  • Updated com.exasol:test-db-builder-java:3.5.1 to 3.5.3
  • Updated io.github.embeddedkafka:embedded-kafka-schema-registry_2.13:7.5.1 to 7.5.2
  • Removed io.netty:netty-handler:4.1.101.Final
  • Updated org.mockito:mockito-core:5.7.0 to 5.8.0
  • Updated org.testcontainers:kafka:1.19.1 to 1.19.3

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:2.9.16 to 3.0.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.2 to 3.2.3
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.2 to 3.2.3
  • Added org.apache.maven.plugins:maven-toolchains-plugin:3.1.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.1 to 2.16.2

1.7.1: Test with Exasol v8

21 Nov 08:28
9e0ad08

Summary

This release adds integration tests with Exasol DB version 8.

Features

  • #77: Added tests with Exasol v8

Documentation

  • #79: Added example of JAAS config in docs

Dependency Updates

Compile Dependency Updates

  • Updated io.confluent:kafka-avro-serializer:7.5.1 to 7.5.2

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:6.6.2 to 6.6.3
  • Updated com.exasol:extension-manager-integration-test-java:0.5.1 to 0.5.7
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.1 to 1.6.2
  • Updated io.confluent:kafka-streams-avro-serde:7.5.1 to 7.5.2
  • Updated io.netty:netty-handler:4.1.100.Final to 4.1.101.Final
  • Updated org.mockito:mockito-core:5.6.0 to 5.7.0

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:2.9.14 to 2.9.16
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.1.2 to 3.2.2
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.6.0 to 3.6.2
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.1.2 to 3.2.2

1.7.0: Extension manager support

25 Oct 10:20
28218a8

Summary

Adds extension manager support.

Note: This release contains the following known vulnerabilities in dependencies:

  • Compile dependencies:
  • Test dependencies:

Features

  • #72: Added extension manager support.

Dependency Updates

Compile Dependency Updates

  • Updated com.google.guava:guava:32.1.1-jre to 32.1.3-jre
  • Updated io.confluent:kafka-avro-serializer:7.4.1 to 7.5.1
  • Added org.apache.kafka:kafka-clients:3.5.1
  • Added org.xerial.snappy:snappy-java:1.1.10.5

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:6.6.1 to 6.6.2
  • Added com.exasol:extension-manager-integration-test-java:0.5.1
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.0 to 1.6.1
  • Updated com.exasol:test-db-builder-java:3.4.2 to 3.5.1
  • Updated io.confluent:kafka-streams-avro-serde:7.4.1 to 7.5.1
  • Updated io.github.embeddedkafka:embedded-kafka-schema-registry_2.13:7.4.1 to 7.5.1
  • Updated io.netty:netty-handler:4.1.95.Final to 4.1.100.Final
  • Added org.apache.avro:avro:1.11.3
  • Added org.apache.zookeeper:zookeeper:3.9.1
  • Added org.json:json:20231013
  • Updated org.mockito:mockito-core:5.4.0 to 5.6.0
  • Updated org.scalatestplus:scalatestplus-mockito_2.13:1.0.0-M2 to 1.0.0-SNAP5
  • Updated org.scalatest:scalatest_2.13:3.2.16 to 3.3.0-SNAP4
  • Added org.testcontainers:kafka:1.19.1

Plugin Dependency Updates

  • Updated com.diffplug.spotless:spotless-maven-plugin:2.37.0 to 2.40.0
  • Updated com.exasol:error-code-crawler-maven-plugin:1.3.0 to 1.3.1
  • Updated com.exasol:project-keeper-maven-plugin:2.9.9 to 2.9.14
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.3.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-javadoc-plugin:3.5.0 to 3.6.0
  • Added org.codehaus.mojo:exec-maven-plugin:3.1.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.0 to 2.16.1
  • Updated org.jacoco:jacoco-maven-plugin:0.8.10 to 0.8.11
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184 to 3.10.0.2594