From 36fb5718c595feda39daaf69ec41f0bfb0a45e81 Mon Sep 17 00:00:00 2001 From: Automatic Dependency Updater Date: Tue, 7 Jul 2026 03:04:26 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=90=20Update=20dependencies=20to=20fix?= =?UTF-8?q?=20vulnerabilities?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/changes/changes_2.1.5.md | 25 ++++++++++++++++++++----- pom.xml | 8 ++++---- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/doc/changes/changes_2.1.5.md b/doc/changes/changes_2.1.5.md index e56dfd2..c335e06 100644 --- a/doc/changes/changes_2.1.5.md +++ b/doc/changes/changes_2.1.5.md @@ -1,12 +1,22 @@ # Error Code Model Java 2.1.5, released 2026-??-?? -Code name: +Code name: Fixed vulnerability CVE-2026-9563 in org.eclipse.parsson:parsson:jar:1.1.7:runtime ## Summary -## Features +This release fixes the following vulnerability: -* ISSUE_NUMBER: description +### CVE-2026-9563 (CWE-400) in dependency `org.eclipse.parsson:parsson:jar:1.1.7:runtime` +In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters. +#### References +* https://guide.sonatype.com/vulnerability/CVE-2026-9563?component-type=maven&component-name=org.eclipse.parsson%2Fparsson&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1 +* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2026-9563 +* https://github.com/eclipse-ee4j/parsson/pull/169 +* https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444 + +## Security + +* #29: Fixed vulnerability CVE-2026-9563 in dependency `org.eclipse.parsson:parsson:jar:1.1.7:runtime` ## Dependency Updates @@ -14,14 +24,19 @@ Code name: * Updated `com.exasol:error-reporting-java:1.0.1` to `1.0.2` +### Runtime Dependency Updates + +* Updated `org.eclipse.parsson:parsson:1.1.7` to `1.1.9` + ### Test Dependency Updates -* Updated `org.junit.jupiter:junit-jupiter-params:5.13.4` to `5.14.3` +* Updated `nl.jqno.equalsverifier:equalsverifier:3.19.4` to `4.5` +* Updated `org.junit.jupiter:junit-jupiter-params:5.13.4` to `6.1.1` ### Plugin Dependency Updates * Updated `com.exasol:error-code-crawler-maven-plugin:2.0.5` to `2.0.6` -* Updated `com.exasol:project-keeper-maven-plugin:5.4.3` to `5.4.6` +* Updated `com.exasol:project-keeper-maven-plugin:5.4.3` to `5.7.2` * Updated `org.apache.maven.plugins:maven-compiler-plugin:3.14.1` to `3.15.0` * Updated `org.apache.maven.plugins:maven-resources-plugin:3.3.1` to `3.4.0` * Updated `org.apache.maven.plugins:maven-source-plugin:3.2.1` to `3.4.0` diff --git a/pom.xml b/pom.xml index 1b11775..69f14ff 100644 --- a/pom.xml +++ b/pom.xml @@ -20,7 +20,7 @@ org.eclipse.parsson parsson - 1.1.7 + 1.1.9 runtime @@ -34,14 +34,14 @@ nl.jqno.equalsverifier equalsverifier - 3.19.4 + 4.5 test org.junit.jupiter junit-jupiter-params - 5.14.3 + 6.1.1 test @@ -50,7 +50,7 @@ com.exasol project-keeper-maven-plugin - 5.4.6 + 5.7.2