diff --git a/dependencies.md b/dependencies.md
index 94082d02..e4d184ad 100644
--- a/dependencies.md
+++ b/dependencies.md
@@ -61,43 +61,50 @@ | [Extension integration tests library][61] | [MIT License][62] | | [jersey-core-common][63] | [EPL 2.0][64]; [The GNU General Public License (GPL), Version 2, With Classpath Exception][65]; [Apache License, 2.0][30]; [Public Domain][66] | +### Runtime Dependencies + +| Dependency | License | +| ---------------------------- | ----------------------------------------------------------------------------- | +| [Logback Classic Module][67] | [Eclipse Public License - v 1.0][68]; [GNU Lesser General Public License][69] | +| [Logback Core Module][70] | [Eclipse Public License - v 1.0][68]; [GNU Lesser General Public License][69] | + ### Plugin Dependencies | Dependency | License | | ------------------------------------------------------- | --------------------------------------------- | -| [SonarQube Scanner for Maven][67] | [GNU LGPL 3][68] | -| [Apache Maven Compiler Plugin][69] | [Apache-2.0][3] | -| [Apache Maven Enforcer Plugin][70] | [Apache-2.0][3] | -| [Maven Flatten Plugin][71] | [Apache Software Licenese][3] | -| [org.sonatype.ossindex.maven:ossindex-maven-plugin][72] | [ASL2][5] | -| [scala-maven-plugin][73] | [Public domain (Unlicense)][74] | -| [ScalaTest Maven Plugin][75] | [the Apache License, ASL Version 2.0][28] | -| [Apache Maven Javadoc Plugin][76] | [Apache-2.0][3] | -| [Maven Surefire Plugin][77] | [Apache-2.0][3] | -| [Versions Maven Plugin][78] | [Apache License, Version 2.0][3] | -| [duplicate-finder-maven-plugin Maven Mojo][79] | [Apache License 2.0][30] | -| [Apache Maven Assembly Plugin][80] | [Apache-2.0][3] | -| [Apache Maven JAR Plugin][81] | [Apache License, Version 2.0][3] | -| [Artifact reference checker and unifier][82] | [MIT License][83] | -| [Maven Failsafe Plugin][84] | [Apache-2.0][3] | -| [JaCoCo :: Maven Plugin][85] | [Eclipse Public License 2.0][86] | -| [error-code-crawler-maven-plugin][87] | [MIT License][88] | -| [Reproducible Build Maven Plugin][89] | [Apache 2.0][5] | -| [Project Keeper Maven plugin][90] 
| [The MIT License][91] | -| [OpenFastTrace Maven Plugin][92] | [GNU General Public License v3.0][93] | -| [Scalastyle Maven Plugin][94] | [Apache 2.0][30] | -| [spotless-maven-plugin][95] | [The Apache Software License, Version 2.0][3] | -| [scalafix-maven-plugin][96] | [BSD-3-Clause][21] | -| [Exec Maven Plugin][97] | [Apache License 2][3] | -| [Apache Maven Clean Plugin][98] | [Apache-2.0][3] | +| [SonarQube Scanner for Maven][71] | [GNU LGPL 3][72] | +| [Apache Maven Compiler Plugin][73] | [Apache-2.0][3] | +| [Apache Maven Enforcer Plugin][74] | [Apache-2.0][3] | +| [Maven Flatten Plugin][75] | [Apache Software Licenese][3] | +| [org.sonatype.ossindex.maven:ossindex-maven-plugin][76] | [ASL2][5] | +| [scala-maven-plugin][77] | [Public domain (Unlicense)][78] | +| [ScalaTest Maven Plugin][79] | [the Apache License, ASL Version 2.0][28] | +| [Apache Maven Javadoc Plugin][80] | [Apache-2.0][3] | +| [Maven Surefire Plugin][81] | [Apache-2.0][3] | +| [Versions Maven Plugin][82] | [Apache License, Version 2.0][3] | +| [duplicate-finder-maven-plugin Maven Mojo][83] | [Apache License 2.0][30] | +| [Apache Maven Assembly Plugin][84] | [Apache-2.0][3] | +| [Apache Maven JAR Plugin][85] | [Apache License, Version 2.0][3] | +| [Artifact reference checker and unifier][86] | [MIT License][87] | +| [Maven Failsafe Plugin][88] | [Apache-2.0][3] | +| [JaCoCo :: Maven Plugin][89] | [Eclipse Public License 2.0][90] | +| [error-code-crawler-maven-plugin][91] | [MIT License][92] | +| [Reproducible Build Maven Plugin][93] | [Apache 2.0][5] | +| [Project Keeper Maven plugin][94] | [The MIT License][95] | +| [OpenFastTrace Maven Plugin][96] | [GNU General Public License v3.0][97] | +| [Scalastyle Maven Plugin][98] | [Apache 2.0][30] | +| [spotless-maven-plugin][99] | [The Apache Software License, Version 2.0][3] | +| [scalafix-maven-plugin][100] | [BSD-3-Clause][21] | +| [Exec Maven Plugin][101] | [Apache License 2][3] | +| [Apache Maven Clean Plugin][102] | [Apache-2.0][3] | ## 
Extension ### Compile Dependencies -| Dependency | License | -| ----------------------------------------- | ------- | -| [@exasol/extension-manager-interface][99] | MIT | +| Dependency | License | +| ------------------------------------------ | ------- | +| [@exasol/extension-manager-interface][103] | MIT | [0]: https://www.scala-lang.org/ [1]: https://www.apache.org/licenses/LICENSE-2.0 
@@ -166,36 +173,40 @@ [64]: http://www.eclipse.org/legal/epl-2.0 [65]: https://www.gnu.org/software/classpath/license.html [66]: https://creativecommons.org/publicdomain/zero/1.0/ -[67]: http://sonarsource.github.io/sonar-scanner-maven/ -[68]: http://www.gnu.org/licenses/lgpl.txt -[69]: https://maven.apache.org/plugins/maven-compiler-plugin/ -[70]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ -[71]: https://www.mojohaus.org/flatten-maven-plugin/ -[72]: https://sonatype.github.io/ossindex-maven/maven-plugin/ -[73]: http://github.com/davidB/scala-maven-plugin -[74]: http://unlicense.org/ -[75]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin -[76]: https://maven.apache.org/plugins/maven-javadoc-plugin/ -[77]: https://maven.apache.org/surefire/maven-surefire-plugin/ -[78]: https://www.mojohaus.org/versions/versions-maven-plugin/ -[79]: https://basepom.github.io/duplicate-finder-maven-plugin -[80]: https://maven.apache.org/plugins/maven-assembly-plugin/ -[81]: https://maven.apache.org/plugins/maven-jar-plugin/ -[82]: https://github.com/exasol/artifact-reference-checker-maven-plugin/ -[83]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE -[84]: https://maven.apache.org/surefire/maven-failsafe-plugin/ -[85]: https://www.jacoco.org/jacoco/trunk/doc/maven.html -[86]: https://www.eclipse.org/legal/epl-2.0/ -[87]: https://github.com/exasol/error-code-crawler-maven-plugin/ -[88]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE -[89]: http://zlika.github.io/reproducible-build-maven-plugin -[90]: https://github.com/exasol/project-keeper/ -[91]: https://github.com/exasol/project-keeper/blob/main/LICENSE -[92]: https://github.com/itsallcode/openfasttrace-maven-plugin -[93]: https://www.gnu.org/licenses/gpl-3.0.html -[94]: http://www.scalastyle.org -[95]: https://github.com/diffplug/spotless -[96]: https://github.com/evis/scalafix-maven-plugin -[97]: 
https://www.mojohaus.org/exec-maven-plugin -[98]: https://maven.apache.org/plugins/maven-clean-plugin/ -[99]: https://registry.npmjs.org/@exasol/extension-manager-interface/-/extension-manager-interface-0.4.0.tgz +[67]: http://logback.qos.ch/logback-classic +[68]: http://www.eclipse.org/legal/epl-v10.html +[69]: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html +[70]: http://logback.qos.ch/logback-core +[71]: http://sonarsource.github.io/sonar-scanner-maven/ +[72]: http://www.gnu.org/licenses/lgpl.txt +[73]: https://maven.apache.org/plugins/maven-compiler-plugin/ +[74]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ +[75]: https://www.mojohaus.org/flatten-maven-plugin/ +[76]: https://sonatype.github.io/ossindex-maven/maven-plugin/ +[77]: http://github.com/davidB/scala-maven-plugin +[78]: http://unlicense.org/ +[79]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin +[80]: https://maven.apache.org/plugins/maven-javadoc-plugin/ +[81]: https://maven.apache.org/surefire/maven-surefire-plugin/ +[82]: https://www.mojohaus.org/versions/versions-maven-plugin/ +[83]: https://basepom.github.io/duplicate-finder-maven-plugin +[84]: https://maven.apache.org/plugins/maven-assembly-plugin/ +[85]: https://maven.apache.org/plugins/maven-jar-plugin/ +[86]: https://github.com/exasol/artifact-reference-checker-maven-plugin/ +[87]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE +[88]: https://maven.apache.org/surefire/maven-failsafe-plugin/ +[89]: https://www.jacoco.org/jacoco/trunk/doc/maven.html +[90]: https://www.eclipse.org/legal/epl-2.0/ +[91]: https://github.com/exasol/error-code-crawler-maven-plugin/ +[92]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE +[93]: http://zlika.github.io/reproducible-build-maven-plugin +[94]: https://github.com/exasol/project-keeper/ +[95]: https://github.com/exasol/project-keeper/blob/main/LICENSE +[96]: 
https://github.com/itsallcode/openfasttrace-maven-plugin +[97]: https://www.gnu.org/licenses/gpl-3.0.html +[98]: http://www.scalastyle.org +[99]: https://github.com/diffplug/spotless +[100]: https://github.com/evis/scalafix-maven-plugin +[101]: https://www.mojohaus.org/exec-maven-plugin +[102]: https://maven.apache.org/plugins/maven-clean-plugin/ +[103]: https://registry.npmjs.org/@exasol/extension-manager-interface/-/extension-manager-interface-0.4.0.tgz diff --git a/doc/changes/changes_2.7.9.md b/doc/changes/changes_2.7.9.md index 5b09a872..6c160727 100644 --- a/doc/changes/changes_2.7.9.md +++ b/doc/changes/changes_2.7.9.md @@ -1,9 +1,13 @@ # Cloud Storage Extension 2.7.9, released 2023-??-?? -Code name: +Code name: Fix CVE-2023-6378 ## Summary +This release fixes vulnerability CVE-2023-6378 (CWE-502: Deserialization of Untrusted Data (7.1)) in the following dependencies: +* `ch.qos.logback:logback-classic:jar:1.2.10:compile` +* `ch.qos.logback:logback-core:jar:1.2.10:compile` + ## Features * ISSUE_NUMBER: description @@ -26,6 +30,11 @@ Code name: * Updated `org.apache.orc:orc-core:1.9.1` to `1.9.2` * Updated `org.jetbrains.kotlin:kotlin-stdlib:1.9.20` to `1.9.21` +#### Runtime Dependency Updates + +* Added `ch.qos.logback:logback-classic:1.2.13` +* Added `ch.qos.logback:logback-core:1.2.13` + #### Test Dependency Updates * Updated `com.exasol:exasol-testcontainers:6.6.3` to `7.0.0` diff --git a/pom.xml b/pom.xml index 5959f853..6c863f66 100644 --- a/pom.xml +++ b/pom.xml @@ -191,11 +191,25 @@ ${hadoop.version} - + org.apache.zookeeper zookeeper 3.9.1 + + + ch.qos.logback + logback-classic + 1.2.13 + runtime + + + + ch.qos.logback + logback-core + 1.2.13 + runtime + org.apache.hadoop hadoop-azure
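Review bot: The two logback entries added in the pom.xml hunk each carry their own literal `1.2.13`, although logback-classic and logback-core must stay on the same release, so a later bump that touches only one would leave a mismatched pair on the classpath. The file already uses `${hadoop.version}`, so a shared property `<logback.version>1.2.13</logback.version>` referenced as `<version>${logback.version}</version>` in both entries would keep them in lockstep. The changelog in this commit reports the vulnerable 1.2.10 artifacts at `compile` scope, which suggests they arrive transitively; it is worth confirming with `mvn dependency:tree -Dincludes=ch.qos.logback` that 1.2.13 is the only version resolved and that the assembled jar no longer bundles 1.2.10 classes. The XML markup is stripped in this view, so if the entries do not already carry one, a comment such as `<!-- Overrides transitive logback 1.2.10 to fix CVE-2023-6378; remove once upstream pulls in a fixed version -->` would explain why a logging backend is declared directly. The enclosing dependencies element starts and ends outside the hunk.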