diff --git a/dependencies.md b/dependencies.md index 8fcd3d6..4becf75 100644 --- a/dependencies.md +++ b/dependencies.md @@ -7,7 +7,7 @@ | -------------------------------- | ------------------------------------------------------------------------------------------------------------ | | [error-reporting-java][0] | [MIT License][1] | | [Jakarta JSON Processing API][2] | [Eclipse Public License 2.0][3]; [GNU General Public License, version 2 with the GNU Classpath Exception][4] | -| [JSON-B API][5] | [Eclipse Public License 2.0][3]; [GNU General Public License, version 2 with the GNU Classpath Exception][4] | +| [Jakarta JSON Binding API][5] | [Eclipse Public License 2.0][3]; [GNU General Public License, version 2 with the GNU Classpath Exception][4] | ## Test Dependencies @@ -64,7 +64,7 @@ [2]: https://github.com/eclipse-ee4j/jsonp [3]: https://projects.eclipse.org/license/epl-2.0 [4]: https://projects.eclipse.org/license/secondary-gpl-2.0-cp -[5]: https://jakartaee.github.io/jsonb-api +[5]: https://projects.eclipse.org/projects/ee4j.jsonb/jakarta.json.bind-api [6]: https://junit.org/ [7]: https://www.eclipse.org/legal/epl-v20.html [8]: http://hamcrest.org/JavaHamcrest/ diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index d77d98a..79702b7 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [4.0.1](changes_4.0.1.md) * [4.0.0](changes_4.0.0.md) * [3.2.4](changes_3.2.4.md) * [3.2.3](changes_3.2.3.md) diff --git a/doc/changes/changes_4.0.1.md b/doc/changes/changes_4.0.1.md new file mode 100644 index 0000000..cf5ca58 --- /dev/null +++ b/doc/changes/changes_4.0.1.md @@ -0,0 +1,43 @@ +# BucketFS Java 4.0.1, released 2026-??-?? + +Code name: Fixed vulnerability CVE-2026-9563 in org.eclipse.parsson:parsson:jar:1.1.7:runtime + +## Summary + +This release fixes the following vulnerability: + +### CVE-2026-9563 (CWE-400) in dependency `org.eclipse.parsson:parsson:jar:1.1.7:runtime` +In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters. +#### References +* https://guide.sonatype.com/vulnerability/CVE-2026-9563?component-type=maven&component-name=org.eclipse.parsson%2Fparsson&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1 +* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2026-9563 +* https://github.com/eclipse-ee4j/parsson/pull/169 +* https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444 + +## Security + +* #85: Fixed vulnerability CVE-2026-9563 in dependency `org.eclipse.parsson:parsson:jar:1.1.7:runtime` + +## Dependency Updates + +### Compile Dependency Updates + +* Updated `com.exasol:error-reporting-java:1.0.1` to `1.0.2` +* Updated `jakarta.json.bind:jakarta.json.bind-api:3.0.1` to `3.0.2` + +### Runtime Dependency Updates + +* Updated `org.eclipse.parsson:parsson:1.1.7` to `1.1.9` + +### Test Dependency Updates + +* Updated `com.exasol:exasol-testcontainers:7.1.7` to `7.3.0` +* Updated `org.junit.jupiter:junit-jupiter-api:5.13.4` to `6.1.1` +* Updated `org.junit.jupiter:junit-jupiter-params:5.13.4` to `6.1.1` +* Updated `org.mockito:mockito-junit-jupiter:5.20.0` to `5.23.0` +* Updated `org.slf4j:slf4j-jdk14:2.0.17` to `2.0.18` +* Updated `org.testcontainers:junit-jupiter:1.21.3` to `1.21.4` + +### Plugin Dependency Updates + +* Updated `com.exasol:project-keeper-maven-plugin:5.4.2` to `5.7.2` diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index 6887f5b..e796741 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,7 +3,7 @@ 4.0.0 com.exasol bucketfs-java-generated-parent - 4.0.0 + 4.0.1 pom UTF-8 diff --git a/pom.xml b/pom.xml index 50edb07..5aa340c 100644 --- a/pom.xml +++ b/pom.xml @@ -2,7 +2,7 @@ 4.0.0 bucketfs-java - 4.0.0 + 4.0.1 BucketFS Java Java library for automating tasks on Exasol's BucketFS. https://github.com/exasol/bucketfs-java/ @@ -33,7 +33,7 @@ com.exasol error-reporting-java - 1.0.1 + 1.0.2 @@ -44,14 +44,14 @@ org.eclipse.parsson parsson - 1.1.7 + 1.1.9 runtime jakarta.json.bind jakarta.json.bind-api - 3.0.1 + 3.0.2 org.eclipse @@ -63,13 +63,13 @@ org.junit.jupiter junit-jupiter-api - 5.13.4 + 6.1.1 test org.junit.jupiter junit-jupiter-params - 5.13.4 + 6.1.1 test @@ -81,26 +81,26 @@ org.mockito mockito-junit-jupiter - 5.20.0 + 5.23.0 test com.exasol exasol-testcontainers - 7.1.7 + 7.3.0 test org.testcontainers junit-jupiter - 1.21.3 + 1.21.4 test org.slf4j slf4j-jdk14 - 2.0.17 + 2.0.18 test @@ -122,7 +122,7 @@ com.exasol project-keeper-maven-plugin - 5.4.2 + 5.7.2 @@ -147,7 +147,7 @@ bucketfs-java-generated-parent com.exasol - 4.0.0 + 4.0.1 pk_generated_parent.pom