Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions dependencies.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/changes/changelog.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

43 changes: 43 additions & 0 deletions doc/changes/changes_4.0.1.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# BucketFS Java 4.0.1, released 2026-??-??

Code name: Fixed vulnerability CVE-2026-9563 in org.eclipse.parsson:parsson:jar:1.1.7:runtime

## Summary

This release fixes the following vulnerability:

### CVE-2026-9563 (CWE-400) in dependency `org.eclipse.parsson:parsson:jar:1.1.7:runtime`
In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.
#### References
* https://guide.sonatype.com/vulnerability/CVE-2026-9563?component-type=maven&component-name=org.eclipse.parsson%2Fparsson&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2026-9563
* https://github.com/eclipse-ee4j/parsson/pull/169
* https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444

## Security

* #85: Fixed vulnerability CVE-2026-9563 in dependency `org.eclipse.parsson:parsson:jar:1.1.7:runtime`

## Dependency Updates

### Compile Dependency Updates

* Updated `com.exasol:error-reporting-java:1.0.1` to `1.0.2`
* Updated `jakarta.json.bind:jakarta.json.bind-api:3.0.1` to `3.0.2`

### Runtime Dependency Updates

* Updated `org.eclipse.parsson:parsson:1.1.7` to `1.1.9`

### Test Dependency Updates

* Updated `com.exasol:exasol-testcontainers:7.1.7` to `7.3.0`
* Updated `org.junit.jupiter:junit-jupiter-api:5.13.4` to `6.1.1`
* Updated `org.junit.jupiter:junit-jupiter-params:5.13.4` to `6.1.1`
* Updated `org.mockito:mockito-junit-jupiter:5.20.0` to `5.23.0`
* Updated `org.slf4j:slf4j-jdk14:2.0.17` to `2.0.18`
* Updated `org.testcontainers:junit-jupiter:1.21.3` to `1.21.4`

### Plugin Dependency Updates

* Updated `com.exasol:project-keeper-maven-plugin:5.4.2` to `5.7.2`
2 changes: 1 addition & 1 deletion pk_generated_parent.pom

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

24 changes: 12 additions & 12 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>bucketfs-java</artifactId>
<version>4.0.0</version>
<version>4.0.1</version>
<name>BucketFS Java</name>
<description>Java library for automating tasks on Exasol's BucketFS.</description>
<url>https://github.com/exasol/bucketfs-java/</url>
Expand Down Expand Up @@ -33,7 +33,7 @@
<dependency>
<groupId>com.exasol</groupId>
<artifactId>error-reporting-java</artifactId>
<version>1.0.1</version>
<version>1.0.2</version>
</dependency>
<!-- JSON processing -->
<dependency>
Expand All @@ -44,14 +44,14 @@
<dependency>
<groupId>org.eclipse.parsson</groupId>
<artifactId>parsson</artifactId>
<version>1.1.7</version>
<version>1.1.9</version>
<scope>runtime</scope>
</dependency>
<!-- JSON-Bind -->
<dependency>
<groupId>jakarta.json.bind</groupId>
<artifactId>jakarta.json.bind-api</artifactId>
<version>3.0.1</version>
<version>3.0.2</version>
</dependency>
<dependency>
<groupId>org.eclipse</groupId>
Expand All @@ -63,13 +63,13 @@
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
<version>5.13.4</version>
<version>6.1.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-params</artifactId>
<version>5.13.4</version>
<version>6.1.1</version>
<scope>test</scope>
</dependency>
<dependency>
Expand All @@ -81,26 +81,26 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-junit-jupiter</artifactId>
<version>5.20.0</version>
<version>5.23.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.exasol</groupId>
<artifactId>exasol-testcontainers</artifactId>
<version>7.1.7</version>
<version>7.3.0</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>junit-jupiter</artifactId>
<version>1.21.3</version>
<version>1.21.4</version>
<scope>test</scope>
</dependency>
<dependency>
<!-- Enable log output from integration tests -->
<groupId>org.slf4j</groupId>
<artifactId>slf4j-jdk14</artifactId>
<version>2.0.17</version>
<version>2.0.18</version>
<scope>test</scope>
</dependency>
</dependencies>
Expand All @@ -122,7 +122,7 @@
<plugin>
<groupId>com.exasol</groupId>
<artifactId>project-keeper-maven-plugin</artifactId>
<version>5.4.2</version>
<version>5.7.2</version>
<executions>
<execution>
<goals>
Expand All @@ -147,7 +147,7 @@
<parent>
<artifactId>bucketfs-java-generated-parent</artifactId>
<groupId>com.exasol</groupId>
<version>4.0.0</version>
<version>4.0.1</version>
<relativePath>pk_generated_parent.pom</relativePath>
</parent>
</project>