Skip to content

Bump com.ongres.scram:scram-client from 3.2 to 3.3#7

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/com.ongres.scram-scram-client-3.3
Open

Bump com.ongres.scram:scram-client from 3.2 to 3.3#7
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/com.ongres.scram-scram-client-3.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown

Bumps com.ongres.scram:scram-client from 3.2 to 3.3.

Release notes

Sourced from com.ongres.scram:scram-client's releases.

SCRAM Java 3.3

🔒 Security

  • Prevent silent downgrade attacks during channel binding negotiation via unsupported certificate algorithms. GHSA-p9jg-fcr6-3mhf
  • Harden memory security by explicitly zeroing out highly sensitive cryptographic keys (saltedPassword, clientKey, and serverKey) immediately following the client final message exchange to prevent lingering material in heap memory.

🚀 New features

  • Implement an interrupt-aware implementation of the PBKDF2 'hi' function introducing ScramInterruptedException, utilizing a stride-based check to allow long-running cryptographic operations to safely abort without blocking thread shutdown.
  • Introduce .channelBindingPolicy() to the client builder to explicitly configure DISABLE, ALLOW (default), and REQUIRE enforcement modes.
  • Introduce MechanismNegotiationException and ChannelBindingException runtime exception hierarchy to provide granular, precise failure types for driver integration loops instead of relying on generic IllegalArgumentException throws.
  • Add support for RSASSA-PSS server certificate signature extraction to ensure modern cryptographic algorithms are supported during tls-server-end-point channel binding computations.
  • Add support for SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS SASL mechanisms to provide modern NIST SHA-3 hashing standards with higher cryptographic resilience against length-extension attacks (supported on modern JVMs only).

🏗️ Improvements

  • Update the saslprep dependency to 2.4.
  • Updated internal Maven plugins and project dependencies to their latest stable versions.
Changelog

Sourced from com.ongres.scram:scram-client's changelog.

[3.3] - 2026-06-04

🔒 Security

  • Prevent silent downgrade attacks during channel binding negotiation via unsupported certificate algorithms. GHSA-p9jg-fcr6-3mhf
  • Harden memory security by explicitly zeroing out highly sensitive cryptographic keys (saltedPassword, clientKey, and serverKey) immediately following the client final message exchange to prevent lingering material in heap memory.

🚀 New features

  • Implement an interrupt-aware implementation of the PBKDF2 'hi' function introducing ScramInterruptedException, utilizing a stride-based check to allow long-running cryptographic operations to safely abort without blocking thread shutdown.
  • Introduce .channelBindingPolicy() to the client builder to explicitly configure DISABLE, ALLOW (default), and REQUIRE enforcement modes.
  • Introduce MechanismNegotiationException and ChannelBindingException runtime exception hierarchy to provide granular, precise failure types for driver integration loops instead of relying on generic IllegalArgumentException throws.
  • Add support for RSASSA-PSS server certificate signature extraction to ensure modern cryptographic algorithms are supported during tls-server-end-point channel binding computations.
  • Add support for SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS SASL mechanisms to provide modern NIST SHA-3 hashing standards with higher cryptographic resilience against length-extension attacks (supported on modern JVMs only).

🏗️ Improvements

  • Update the saslprep dependency to 2.4.
  • Updated internal Maven plugins and project dependencies to their latest stable versions.
Commits
  • f6bd6e2 chore(release): SCRAM Java 3.3
  • 5d780f3 feat(security): introduce ChannelBindingPolicy for configurable negotiation
  • caff8ca feat(crypto): add RSASSA-PSS support for tls-server-end-point channel binding
  • da713cf chore(deps): Bump the all-maven-dependencies group across 2 directories with ...
  • 5ac4384 feat(crypto): add support for SCRAM-SHA3-512 mechanisms
  • 03d3122 fix(security): zero out cryptographic keys after SCRAM exchange
  • 31f6104 Merge pull request #127 from ongres/dependabot/maven/all-maven-dependencies-9...
  • 9027e71 chore(deps): Bump the all-maven-dependencies group across 2 directories with ...
  • 7676251 Merge pull request #126 from ongres/fix/maven-3.9.16
  • 3834285 fix(deps): update apache maven to 3.9.16
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [com.ongres.scram:scram-client](https://github.com/ongres/scram) from 3.2 to 3.3.
- [Release notes](https://github.com/ongres/scram/releases)
- [Changelog](https://github.com/ongres/scram/blob/main/CHANGELOG.md)
- [Commits](ongres/scram@3.2...3.3)

---
updated-dependencies:
- dependency-name: com.ongres.scram:scram-client
  dependency-version: '3.3'
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Development

Successfully merging this pull request may close these issues.

0 participants