diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index fbf6452..d5b04f9 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [1.0.11](changes_1.0.11.md) * [1.0.10](changes_1.0.10.md) * [1.0.9](changes_1.0.9.md) * [1.0.8](changes_1.0.8.md) diff --git a/doc/changes/changes_1.0.11.md b/doc/changes/changes_1.0.11.md new file mode 100644 index 0000000..98e05b1 --- /dev/null +++ b/doc/changes/changes_1.0.11.md @@ -0,0 +1,29 @@ +# Exasol UDF API for Java 1.0.11, released 2026-??-?? + +Code name: Fixed vulnerability CVE-2026-9563 in org.eclipse.parsson:parsson:jar:1.1.7:test + +## Summary + +This release fixes the following vulnerability: + +### CVE-2026-9563 (CWE-400) in dependency `org.eclipse.parsson:parsson:jar:1.1.7:test` +In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters. +#### References +* https://guide.sonatype.com/vulnerability/CVE-2026-9563?component-type=maven&component-name=org.eclipse.parsson%2Fparsson&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1 +* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2026-9563 +* https://github.com/eclipse-ee4j/parsson/pull/169 +* https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444 + +## Security + +* #42: Fixed vulnerability CVE-2026-9563 in dependency `org.eclipse.parsson:parsson:jar:1.1.7:test` + +## Dependency Updates + +### Test Dependency Updates + +* Updated `org.junit.jupiter:junit-jupiter-params:5.14.4` to `6.1.2` + +### Plugin Dependency Updates + +* Updated `com.exasol:project-keeper-maven-plugin:5.6.2` to `5.7.3` diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index 5852c10..41e63eb 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,7 +3,7 @@ 4.0.0 com.exasol udf-api-java-generated-parent - 1.0.10 + 1.0.11 pom UTF-8 diff --git a/pom.xml b/pom.xml index 26ed262..0f31e84 100644 --- a/pom.xml +++ b/pom.xml @@ -2,7 +2,7 @@ 4.0.0 udf-api-java - 1.0.10 + 1.0.11 Exasol UDF API for Java Interface between User Defined Functions (UDFs) written in Java and the Exasol database. https://github.com/exasol/udf-api-java/ @@ -39,7 +39,7 @@ org.junit.jupiter junit-jupiter-params - 5.14.4 + 6.1.2 test @@ -85,7 +85,7 @@ com.exasol project-keeper-maven-plugin - 5.6.2 + 5.7.3 @@ -119,7 +119,7 @@ udf-api-java-generated-parent com.exasol - 1.0.10 + 1.0.11 pk_generated_parent.pom