Skip to content

Releases: exasol/azure-blob-storage-document-files-virtual-schema

3.0.1 Fixed vulnerabilities CVE-2026-47244, CVE-2026-44249, CVE-2026-45416, CVE-2026-47691, CVE-2026-45674, CVE-2026-45673, CVE-2026-45536, CVE-2026-45536, CVE-2026-42587, CVE-2026-48043, CVE-2026-50560, CVE-2026-41715

11 Jun 13:11
@github-actions github-actions
3.0.1
230e313
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
3.0.1 Fixed vulnerabilities CVE-2026-47244, CVE-2026-44249, CVE-2026-45416, CVE-2026-47691, CVE-2026-45674, CVE-2026-45673, CVE-2026-45536, CVE-2026-45536, CVE-2026-42587, CVE-2026-48043, CVE-2026-50560, CVE-2026-41715 Latest
Latest

This release fixes the following 12 vulnerabilities:

CVE-2026-47244 (CWE-400) in dependency io.netty:netty-codec-http2:jar:4.2.13.Final:compile

Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced

References

CVE-2026-44249 (CWE-284, CWE-697) in dependency io.netty:netty-handler:jar:4.2.13.Final:compile

Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking

References

CVE-2026-45416 (CWE-770) in dependency io.netty:netty-handler:jar:4.2.13.Final:compile

Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes

References

CVE-2026-47691 (CWE-345) in dependency io.netty:netty-resolver-dns:jar:4.2.13.Final:compile

Netty has Insufficient Bailiwick Validation for NS Records

References

CVE-2026-45674 (CWE-345) in dependency io.netty:netty-resolver-dns:jar:4.2.13.Final:compile

Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records

References

CVE-2026-45673 (CWE-330, CWE-340) in dependency io.netty:netty-resolver-dns:jar:4.2.13.Final:compile

Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port

References

CVE-2026-45536 (CWE-200, CWE-772) in dependency io.netty:netty-transport-native-epoll:jar:4.2.13.Final:compile

Netty: Unix-socket fd receive leaks descriptors when peer sends two at once

References

CVE-2026-45536 (CWE-200, CWE-772) in dependency io.netty:netty-transport-native-kqueue:jar:4.2.13.Final:compile

Netty: Unix-socket fd receive leaks descriptors when peer sends two at once

References

CVE-2026-42587 (CWE-400) in dependency io.netty:netty-codec-http:jar:4.2.13.Final:compile

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://guide.sonatype.com/vulnerability/CVE-2026-42587 for details

References

CVE-2026-48043 (CWE-400) in dependency io.netty:netty-codec-http2:jar:4.2.13.Final:compile

io.netty : netty-codec-http2 - Denial of Service (DoS)

References

CVE-2026-50560 (CWE-770) in dependency io.netty:netty-codec-http2:jar:4.2.13.Final:compile

Netty - HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE Handling Denial of Service

References

CVE-2026-41715 (CWE-522) in dependency io.projectreactor.netty:reactor-netty-http:jar:1.2.16:compile

In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

Affected versions:
Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.

References

Security

  • #99: Fixed vulnerability CVE-2026-47244 in dependency io.netty:netty-codec-http2:jar:4.2.13.Final:compile
  • #100: Fixed vulnerability CVE-2026-44249 in dependency io.netty:netty-handler:jar:4.2.13.Final:compile
  • #101: Fixed vulnerability CVE-2026-45416 in dependency io.netty:netty-handler:jar:4.2.13.Final:compile
  • #102: Fixed vulnerability CVE-2026-47691 in dependency io.netty:netty-resolver-dns:jar:4.2.13.Final:compile
  • #103: Fixed vulnerability CVE-2026-45674 in dependency io.netty:netty-resolver-dns:jar:4.2.13.Final:compile
  • #104: Fixed vulnerability CVE-2026-45673 in dependency io.netty:netty-resolver-dns:jar:4.2.13.Final:compile
  • #105: Fixed vulnerability CVE-2026-45536 in dependency io.netty:netty-transport-native-epoll:jar:4.2.13.Final:compile
  • #105: Fixed vulnerability CVE-2026-45536 in dependency io.netty:netty-transport-native-kqueue:jar:4.2.13.Final:compile
  • #97: Fixed vulnerability CVE-2026-42587 in dependency io.netty:netty-codec-http:jar:4.2.13.Final:compile
  • #106: Fixed vulnerability CVE-2026-48043 in dependency io.netty:netty-codec-http2:jar:4.2.13.Final:compile
  • #107: Fixed vulnerability CVE-2026-50560 in dependency io.netty:netty-codec-http2:jar:4.2.13.Final:compile
  • #108: Fixed vulnerability CVE-2026-41715 in dependency io.projectreactor.netty:reactor-netty-http:jar:1.2.16:compile
Assets 6
Loading

3.0.0 Anonymous telemetry & fixed vulnerability CVE-2026-41417

08 May 13:29
@github-actions github-actions
3.0.0
8637d95
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
3.0.0 Anonymous telemetry & fixed vulnerability CVE-2026-41417

This release adds anonymous feature-usage telemetry via telemetry-java. See the documentation for details on collected data and opt-out behavior.

Breaking Change

Starting with this release, the Azure Blob Storage Virtual Schema does not support Exasol version 7.1 anymore. Only LTS version 2025.1.x and the current version are supported.

This release also fixes the following vulnerability:

CVE-2026-41417 (CWE-93) in dependency io.netty:netty-codec-http:jar:4.2.12.Final:compile

io.netty:netty-codec-http - CRLF Injection

References

Security

  • #95: Fixed vulnerability CVE-2026-41417 in dependency io.netty:netty-codec-http:jar:4.2.12.Final:compile

Dependency Updates

Compile Dependency Updates

  • Updated com.azure:azure-storage-blob:12.29.1 to 12.33.4
  • Updated com.exasol:virtual-schema-common-document-files:8.1.14 to 9.0.0

Test Dependency Updates

  • Updated com.exasol:test-db-builder-java:3.6.4 to 4.0.0
  • Updated com.exasol:virtual-schema-common-document-files:8.1.14 to 9.0.0
  • Updated org.junit.jupiter:junit-jupiter-params:5.14.3 to 5.14.4
  • Updated org.testcontainers:testcontainers-junit-jupiter:2.0.4 to 2.0.5

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.6 to 2.0.7
  • Updated com.exasol:project-keeper-maven-plugin:5.4.6 to 5.6.2
  • Updated io.github.git-commit-id:git-commit-id-maven-plugin:9.0.2 to 10.0.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.4 to 3.5.5
  • Updated org.apache.maven.plugins:maven-resources-plugin:3.4.0 to 3.5.0
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.4 to 3.5.5
Loading

2.1.8 Fixed vulnerabilities CVE-2026-33870, CVE-2026-33871

01 Apr 09:08
@github-actions github-actions
2.1.8
392f718
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2.1.8 Fixed vulnerabilities CVE-2026-33870, CVE-2026-33871

This release fixes the following 2 vulnerabilities:

CVE-2026-33870 (CWE-444) in dependency io.netty:netty-codec-http:jar:4.1.131.Final:compile

netty-codec-http - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

References

CVE-2026-33871 (CWE-770) in dependency io.netty:netty-codec-http2:jar:4.1.131.Final:compile

io.netty:netty-codec-http2 - Allocation of Resources Without Limits or Throttling

References

Security

  • #92: Fixed vulnerability CVE-2026-33870 in dependency io.netty:netty-codec-http:jar:4.1.131.Final:compile
  • #93: Fixed vulnerability CVE-2026-33871 in dependency io.netty:netty-codec-http2:jar:4.1.131.Final:compile

Dependency Updates

Compile Dependency Updates

  • Updated com.azure:azure-storage-blob:12.29.0 to 12.29.1
  • Updated com.exasol:error-reporting-java:1.0.1 to 1.0.2
  • Updated org.slf4j:slf4j-jdk14:2.0.16 to 2.0.17

Test Dependency Updates

  • Updated com.exasol:hamcrest-resultset-matcher:1.7.0 to 1.7.2
  • Updated com.exasol:performance-test-recorder-java:0.1.4 to 0.1.5
  • Updated com.exasol:test-db-builder-java:3.6.0 to 3.6.4
  • Updated com.exasol:udf-debugging-java:0.6.17 to 0.6.18
  • Updated org.junit.jupiter:junit-jupiter-params:5.11.4 to 5.14.3
  • Updated org.mockito:mockito-core:5.15.2 to 5.23.0
  • Removed org.testcontainers:junit-jupiter:1.20.4
  • Added org.testcontainers:testcontainers-junit-jupiter:2.0.4
Loading

2.1.7 Fixes for vulnerabilities CVE-2025-58056 and CVE-2025-58057

20 Feb 14:19
@github-actions github-actions
2.1.7
f2b975d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2.1.7 Fixes for vulnerabilities CVE-2025-58056 and CVE-2025-58057

This release fixes the following vulnerabilities:

CVE-2025-58056 (CWE-444) in dependency io.netty:netty-codec-http:jar:4.1.124.Final:compile

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.

CVE: CVE-2025-58056
CWE: CWE-444

References

CVE-2025-58057 (CWE-409) in dependency io.netty:netty-codec:jar:4.1.124.Final:compile

netty-codec - Improper Handling of Highly Compressed Data (Data Amplification)

CVE: CVE-2025-58057
CWE: CWE-409

References

CVE-2025-67721 (CWE-125) Out-of-bounds Read in dependency io.airlift:aircompressor:jar:2.0.2:compile

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allow remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, elements from the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs. This can be the case of a web server that allocates a fix-sized buffer for performance purposes. There is similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4.

CVE: CVE-2025-67721
CWE: CWE-125

References

GHSA-vx9q-rhv9-3jvg
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-67721

Security

  • #87: Fixed vulnerability CVE-2025-58056 in dependency io.netty:netty-codec-http:jar:4.1.124.Final:compile
  • #85: Fixed vulnerability CVE-2025-58057 in dependency io.netty:netty-codec:jar:4.1.124.Final:compile
  • #91: Fixed vulnerability CVE-2025-67721 in dependency io.airlift:aircompressor:jar:2.0.2:compile

Dependency Updates

Compile Dependency Updates

  • Updated com.exasol:virtual-schema-common-document-files:8.1.7 to 8.1.14

Test Dependency Updates

  • Updated com.exasol:exasol-test-setup-abstraction-java:2.1.7 to 2.1.11
  • Updated com.exasol:virtual-schema-common-document-files:8.1.7 to 8.1.14
  • Updated org.jacoco:org.jacoco.agent:0.8.13 to 0.8.14

Plugin Dependency Updates

  • Updated com.exasol:artifact-reference-checker-maven-plugin:0.4.3 to 0.4.4
  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.4 to 2.0.6
  • Updated com.exasol:project-keeper-maven-plugin:5.2.3 to 5.4.6
  • Updated com.exasol:quality-summarizer-maven-plugin:0.2.0 to 0.2.1
  • Updated io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1 to 9.0.2
  • Updated org.apache.maven.plugins:maven-artifact-plugin:3.6.0 to 3.6.1
  • Updated org.apache.maven.plugins:maven-assembly-plugin:3.7.1 to 3.8.0
  • Updated org.apache.maven.plugins:maven-clean-plugin:3.4.1 to 3.5.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.14.0 to 3.15.0
  • Updated org.apache.maven.plugins:maven-dependency-plugin:3.8.1 to 3.10.0
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.5.0 to 3.6.2
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.3 to 3.5.4
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.4.2 to 3.5.0
  • Updated org.apache.maven.plugins:maven-resources-plugin:3.3.1 to 3.4.0
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.3 to 3.5.4
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.7.0 to 1.7.3
  • Updated org.codehaus.mojo:versions-maven-plugin:2.18.0 to 2.21.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.13 to 0.8.14
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:5.1.0.4751 to 5.5.0.6356
Loading

2.1.6 Fixes for vulnerability CVE-2025-55163

26 Aug 12:28
@github-actions github-actions
2.1.6
a6e006d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2.1.6 Fixes for vulnerability CVE-2025-55163

This release fixes the following vulnerability:

CVE-2025-55163 (CWE-770) in dependency io.netty:netty-codec-http2:jar:4.1.118.Final:compile

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

CVE: CVE-2025-55163
CWE: CWE-770

References

Security

  • #82: Fixed vulnerability CVE-2025-55163 in dependency io.netty:netty-codec-http2:jar:4.1.118.Final:compile
Loading

2.1.5 Fixes for vulnerabilities CVE-2025-22227 and CVE-2025-48924

01 Aug 11:08
@github-actions github-actions
2.1.5
7e60b12
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2.1.5 Fixes for vulnerabilities CVE-2025-22227 and CVE-2025-48924

This release fixes the following vulnerabilities:

CVE-2025-22227 (CWE-200) in dependency io.projectreactor.netty:reactor-netty-http:jar:1.0.48:compile

In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

CVE: CVE-2025-22227
CWE: CWE-200

References

CVE-2025-48924 (CWE-674) in dependency org.apache.commons:commons-lang3:jar:3.16.0:test

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

CVE: CVE-2025-48924
CWE: CWE-674

References

Security

  • #80: Fixed vulnerability CVE-2025-22227 in dependency io.projectreactor.netty:reactor-netty-http:jar:1.0.48:compile
  • #79: Fixed vulnerability CVE-2025-48924 in dependency org.apache.commons:commons-lang3:jar:3.16.0:test

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:udf-debugging-java:0.6.14 to 0.6.17

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.3 to 2.0.4
  • Updated com.exasol:project-keeper-maven-plugin:5.1.0 to 5.2.3
Loading

2.1.4 Fixed vulnerabilities CVE-2025-48734, CVE-2025-4949 and CVE-2024-55551 in test dependencies

03 Jun 13:43
@github-actions github-actions
2.1.4
a277a0e
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2.1.4 Fixed vulnerabilities CVE-2025-48734, CVE-2025-4949 and CVE-2024-55551 in test dependencies

This release is a security update. We updated the dependencies of the project to fix transitive security issues.

We also added an exception for the OSSIndex for CVE-2024-55551, which is a false positive in Exasol's JDBC driver.
This issue has been fixed quite a while back now, but the OSSIndex unfortunately does not contain the fix version of 24.2.1 (2024-12-10) set.

Security

Dependency Updates

Compile Dependency Updates

  • Updated com.exasol:virtual-schema-common-document-files:8.1.5 to 8.1.7

Test Dependency Updates

  • Updated com.exasol:performance-test-recorder-java:0.1.3 to 0.1.4
  • Updated com.exasol:virtual-schema-common-document-files:8.1.5 to 8.1.7
  • Updated org.jacoco:org.jacoco.agent:0.8.12 to 0.8.13

Plugin Dependency Updates

  • Updated com.exasol:artifact-reference-checker-maven-plugin:0.4.2 to 0.4.3
  • Updated com.exasol:project-keeper-maven-plugin:4.5.0 to 5.1.0
  • Added io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1
  • Removed io.github.zlika:reproducible-build-maven-plugin:0.17
  • Added org.apache.maven.plugins:maven-artifact-plugin:3.6.0
  • Updated org.apache.maven.plugins:maven-clean-plugin:3.4.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.13.0 to 3.14.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.2 to 3.5.3
  • Updated org.apache.maven.plugins:maven-install-plugin:3.1.3 to 3.1.4
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.2 to 3.5.3
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.6.0 to 1.7.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.12 to 0.8.13
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389 to 5.1.0.4751
Loading

2.1.3 Fix vulnerabilities CVE-2025-25193 and CVE-2025-24970 in dependencies

12 Feb 15:02
@github-actions github-actions
2.1.3
d9b2df6
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2.1.3 Fix vulnerabilities CVE-2025-25193 and CVE-2025-24970 in dependencies

This release fixes the following vulnerabilities in dependencies:

Security

Dependency Updates

Compile Dependency Updates

  • Removed com.azure:azure-core-http-netty:1.15.7

Test Dependency Updates

  • Removed com.exasol:bucketfs-java:3.2.1
  • Updated com.exasol:exasol-test-setup-abstraction-java:2.1.6 to 2.1.7
  • Updated com.exasol:udf-debugging-java:0.6.13 to 0.6.14
  • Updated org.junit.jupiter:junit-jupiter-params:5.11.3 to 5.11.4
  • Updated org.mockito:mockito-core:5.14.2 to 5.15.2
  • Updated org.testcontainers:junit-jupiter:1.20.3 to 1.20.4

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.4.0 to 4.5.0
  • Updated org.apache.maven.plugins:maven-dependency-plugin:3.8.0 to 3.8.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.1 to 3.5.2
  • Updated org.apache.maven.plugins:maven-site-plugin:3.9.1 to 3.21.0
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.1 to 3.5.2
  • Updated org.codehaus.mojo:versions-maven-plugin:2.17.1 to 2.18.0
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121 to 5.0.0.4389
Loading

2.1.2 Fixed vulnerabilities CVE-2024-47535 and CVE-2024-47561

19 Nov 09:59
@github-actions github-actions
2.1.2
765a4a6
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2.1.2 Fixed vulnerabilities CVE-2024-47535 and CVE-2024-47561

This release fixes the following vulnerability:

CVE-2024-47535 (CWE-400) in dependency io.netty:netty-common:jar:4.1.110.Final:compile

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

References

CVE-2024-47561 (CWE-502) in dependency org.apache.avro:avro:jar:1.11.3:compile

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.
Users are recommended to upgrade to version 1.11.4Â or 1.12.0, which fix this issue.

References

Security

  • #65: Fixed vulnerability CVE-2024-47535 in dependency io.netty:netty-common:jar:4.1.110.Final:compile
  • #63: Fixed vulnerability CVE-2024-47561 in dependency org.apache.avro:avro:jar:1.11.3:compile

Dependency Updates

Compile Dependency Updates

  • Added com.azure:azure-core-http-netty:1.15.7
  • Updated com.azure:azure-storage-blob:12.27.0 to 12.29.0
  • Updated com.exasol:virtual-schema-common-document-files:8.1.2 to 8.1.5
  • Updated org.slf4j:slf4j-jdk14:2.0.13 to 2.0.16

Test Dependency Updates

  • Added com.exasol:bucketfs-java:3.2.1
  • Updated com.exasol:exasol-test-setup-abstraction-java:2.1.4 to 2.1.6
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.5 to 1.7.0
  • Updated com.exasol:test-db-builder-java:3.5.4 to 3.6.0
  • Updated com.exasol:virtual-schema-common-document-files:8.1.2 to 8.1.5
  • Updated org.hamcrest:hamcrest:2.2 to 3.0
  • Updated org.junit.jupiter:junit-jupiter-params:5.10.3 to 5.11.3
  • Updated org.mockito:mockito-core:5.12.0 to 5.14.2
  • Updated org.testcontainers:junit-jupiter:1.20.0 to 1.20.3

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.3 to 4.4.0
  • Added com.exasol:quality-summarizer-maven-plugin:0.2.0
  • Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
  • Updated org.apache.maven.plugins:maven-clean-plugin:2.5 to 3.4.0
  • Updated org.apache.maven.plugins:maven-dependency-plugin:3.6.1 to 3.8.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.1
  • Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.4.1 to 3.4.2
  • Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
  • Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1
Loading

2.1.1 Fix CVE-2024-25638 in `dnsjava:dnsjava:jar:3.4.0:compile`

30 Jul 09:03
@github-actions github-actions
2.1.1
a73489f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2.1.1 Fix CVE-2024-25638 in `dnsjava:dnsjava:jar:3.4.0:compile`

This release fixes vulnerability CVE-2024-25638 in dnsjava:dnsjava:jar:3.4.0:compile.

Security

Dependency Updates

Compile Dependency Updates

  • Updated com.azure:azure-storage-blob:12.26.1 to 12.27.0
  • Updated com.exasol:virtual-schema-common-document-files:8.1.0 to 8.1.2

Test Dependency Updates

  • Updated com.exasol:virtual-schema-common-document-files:8.1.0 to 8.1.2
  • Updated org.junit.jupiter:junit-jupiter-params:5.10.2 to 5.10.3
  • Updated org.testcontainers:junit-jupiter:1.19.8 to 1.20.0
Loading