exasol · github-actions · Oct 17, 2024
diff --git a/dependencies.md b/dependencies.md
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
diff --git a/doc/changes/changes_1.7.8.md b/doc/changes/changes_1.7.8.md
@@ -0,0 +1,62 @@
+# Kafka Connector Extension 1.7.8, released 2024-??-??
+
+Code name: Fixed vulnerabilities CVE-2024-6762, CVE-2024-8184
+
+## Summary
+
+This release fixes the following 2 vulnerabilities:
+
+### CVE-2024-6762 (CWE-400) in dependency `org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:test`
+Jetty PushSessionCacheFilter can be exploited by unauthenticated users 
+to launch remote DoS attacks by exhausting the serverâs memory.
+
+Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-6762 for details
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2024-6762?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-servlets&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-6762
+* https://github.com/jetty/jetty.project/pull/10755
+* https://github.com/jetty/jetty.project/pull/10756
+* https://github.com/jetty/jetty.project/pull/9715
+* https://github.com/jetty/jetty.project/pull/9716
+* https://github.com/jetty/jetty.project/security/advisories/GHSA-r7m4-f9h5-gr79
+
+### CVE-2024-8184 (CWE-400) in dependency `org.eclipse.jetty:jetty-server:jar:9.4.54.v20240208:test`
+There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack.  By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2024-8184?component-type=maven&component-name=org.eclipse.jetty%2Fjetty-server&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-8184
+* https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq
+
+## Security
+
+* #112: Fixed vulnerability CVE-2024-6762 in dependency `org.eclipse.jetty:jetty-servlets:jar:9.4.53.v20231009:test`
+* #113: Fixed vulnerability CVE-2024-8184 in dependency `org.eclipse.jetty:jetty-server:jar:9.4.54.v20240208:test`
+
+## Dependency Updates
+
+### Exasol Kafka Connector Extension
+
+#### Compile Dependency Updates
+
+* Updated `ch.qos.logback:logback-classic:1.5.6` to `1.5.11`
+* Updated `com.fasterxml.jackson.core:jackson-core:2.17.0` to `2.18.0`
+* Updated `com.google.guava:guava:33.1.0-jre` to `33.3.1-jre`
+* Updated `io.confluent:kafka-avro-serializer:7.6.0` to `7.7.1`
+* Updated `org.apache.avro:avro:1.11.3` to `1.12.0`
+* Updated `org.apache.commons:commons-compress:1.26.1` to `1.27.1`
+* Updated `org.scala-lang.modules:scala-collection-compat_2.13:2.11.0` to `2.12.0`
+* Updated `org.xerial.snappy:snappy-java:1.1.10.5` to `1.1.10.7`
+
+#### Test Dependency Updates
+
+* Updated `com.exasol:extension-manager-integration-test-java:0.5.10` to `0.5.12`
+* Updated `com.exasol:hamcrest-resultset-matcher:1.6.5` to `1.7.0`
+* Updated `com.exasol:test-db-builder-java:3.5.4` to `3.6.0`
+* Updated `com.google.protobuf:protobuf-java:3.25.5` to `4.28.2`
+* Updated `io.confluent:kafka-streams-avro-serde:7.6.0` to `7.7.1`
+* Updated `io.github.classgraph:classgraph:4.8.174` to `4.8.177`
+* Updated `io.github.embeddedkafka:embedded-kafka-schema-registry_2.13:7.6.0` to `7.7.1`
+* Updated `joda-time:joda-time:2.12.7` to `2.13.0`
+* Updated `org.apache.kafka:kafka-metadata:3.6.2` to `7.7.1-ce`
+* Updated `org.mockito:mockito-core:5.11.0` to `5.14.2`
+* Updated `org.testcontainers:kafka:1.19.7` to `1.20.2`
diff --git a/doc/user_guide/user_guide.md b/doc/user_guide/user_guide.md
@@ -61,7 +61,7 @@ checksum provided together with the jar file.
 To check the SHA256 sum of the downloaded jar, run the command:
 
 ```sh
-sha256sum exasol-kafka-connector-extension-1.7.7.jar
+sha256sum exasol-kafka-connector-extension-1.7.8.jar
 ```
 
 ### Building From Source
@@ -84,7 +84,7 @@ sbt assembly
 ```
 
 The packaged jar file should be located at
-`target/scala-2.12/exasol-kafka-connector-extension-1.7.7.jar`.
+`target/scala-2.12/exasol-kafka-connector-extension-1.7.8.jar`.
 
 ### Create an Exasol BucketFS Bucket
 
@@ -106,7 +106,7 @@ jar, please make sure the BucketFS ports are open.
 Upload the jar file using the `curl` command:
 
 ```bash
-curl -X PUT -T exasol-kafka-connector-extension-1.7.7.jar \
+curl -X PUT -T exasol-kafka-connector-extension-1.7.8.jar \
   http://w:<WRITE_PASSWORD>@<EXASOL_DATANODE>:2580/<BUCKET_NAME>/
 ```
 
@@ -135,12 +135,12 @@ OPEN SCHEMA KAFKA_EXTENSION;
 
 CREATE OR REPLACE JAVA SET SCRIPT KAFKA_CONSUMER(...) EMITS (...) AS
   %scriptclass com.exasol.cloudetl.kafka.KafkaConsumerQueryGenerator;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-kafka-connector-extension-1.7.7.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-kafka-connector-extension-1.7.8.jar;
 /
 
 CREATE OR REPLACE JAVA SET SCRIPT KAFKA_IMPORT(...) EMITS (...) AS
   %scriptclass com.exasol.cloudetl.kafka.KafkaTopicDataImporter;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-kafka-connector-extension-1.7.7.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-kafka-connector-extension-1.7.8.jar;
 /
 
 CREATE OR REPLACE JAVA SET SCRIPT KAFKA_METADATA(
@@ -150,7 +150,7 @@ CREATE OR REPLACE JAVA SET SCRIPT KAFKA_METADATA(
 )
 EMITS (partition_index DECIMAL(18, 0), max_offset DECIMAL(36,0)) AS
   %scriptclass com.exasol.cloudetl.kafka.KafkaTopicMetadataReader;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-kafka-connector-extension-1.7.7.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-kafka-connector-extension-1.7.8.jar;
 /
 ```
 

diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.exasol</groupId>
     <artifactId>kafka-connector-extension</artifactId>
-    <version>1.7.7</version>
+    <version>1.7.8</version>
     <name>Exasol Kafka Connector Extension</name>
     <description>Exasol Kafka Extension for accessing Apache Kafka</description>
     <url>https://github.com/exasol/kafka-connector-extension/</url>
@@ -50,15 +50,15 @@
         <dependency>
             <groupId>org.apache.avro</groupId>
             <artifactId>avro</artifactId>
-            <version>1.11.3</version>
+            <version>1.12.0</version>
         </dependency>
         <dependency>
             <!-- Fix java.lang.ClassNotFoundException: com.fasterxml.jackson.core.exc.StreamConstraintsException
                     ...
                      at org.apache.avro.SchemaBuilder$FieldBuilder.completeField(SchemaBuilder.java:2249) -->
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>
-            <version>2.17.0</version>
+            <version>2.18.0</version>
         </dependency>
         <dependency>
             <groupId>com.exasol</groupId>
@@ -68,12 +68,12 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-compress</artifactId>
-            <version>1.26.1</version>
+            <version>1.27.1</version>
         </dependency>
         <dependency>
             <groupId>io.confluent</groupId>
             <artifactId>kafka-avro-serializer</artifactId>
-            <version>7.6.0</version>
+            <version>7.7.1</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.slf4j</groupId>
@@ -104,12 +104,12 @@
         <dependency>
             <groupId>org.scala-lang.modules</groupId>
             <artifactId>scala-collection-compat_${scala.compat.version}</artifactId>
-            <version>2.11.0</version>
+            <version>2.12.0</version>
         </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>33.1.0-jre</version>
+            <version>33.3.1-jre</version>
         </dependency>
         <!-- Upgrade slf4j-api to allow using the latest logback version -->
         <dependency>
@@ -120,7 +120,7 @@
         <dependency>
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
-            <version>1.5.6</version>
+            <version>1.5.11</version>
         </dependency>
         <!-- Test Dependencies -->
         <dependency>
@@ -138,7 +138,7 @@
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
-            <version>5.11.0</version>
+            <version>5.14.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -150,19 +150,19 @@
         <dependency>
             <groupId>com.exasol</groupId>
             <artifactId>test-db-builder-java</artifactId>
-            <version>3.5.4</version>
+            <version>3.6.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>com.exasol</groupId>
             <artifactId>hamcrest-resultset-matcher</artifactId>
-            <version>1.6.5</version>
+            <version>1.7.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>com.exasol</groupId>
             <artifactId>extension-manager-integration-test-java</artifactId>
-            <version>0.5.10</version>
+            <version>0.5.12</version>
             <scope>test</scope>
             <exclusions>
                 <exclusion>
@@ -175,7 +175,7 @@
         <dependency>
             <groupId>io.github.embeddedkafka</groupId>
             <artifactId>embedded-kafka-schema-registry_${scala.compat.version}</artifactId>
-            <version>7.6.0</version>
+            <version>7.7.1</version>
             <scope>test</scope>
             <exclusions>
                 <exclusion>
@@ -192,7 +192,7 @@
             <!-- Upgrade transitive dependency of io.github.embeddedkafka:embedded-kafka-schema-registry_2.13 to fix CVE-2024-27309 -->
             <groupId>org.apache.kafka</groupId>
             <artifactId>kafka-metadata</artifactId>
-            <version>3.6.2</version>
+            <version>7.7.1-ce</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -226,7 +226,7 @@
         <dependency>
             <groupId>io.confluent</groupId>
             <artifactId>kafka-streams-avro-serde</artifactId>
-            <version>7.6.0</version>
+            <version>7.7.1</version>
             <scope>test</scope>
             <exclusions>
                 <exclusion>
@@ -244,7 +244,7 @@
         <dependency>
             <groupId>org.testcontainers</groupId>
             <artifactId>kafka</artifactId>
-            <version>1.19.7</version>
+            <version>1.20.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -256,27 +256,27 @@
             <!-- Upgrade transitive dependency of org.apache.kafka:kafka-clients to fix CVE-2023-43642 -->
             <groupId>org.xerial.snappy</groupId>
             <artifactId>snappy-java</artifactId>
-            <version>1.1.10.5</version>
+            <version>1.1.10.7</version>
         </dependency>
         <dependency>
             <!-- Upgrade transitive dependency of io.github.embeddedkafka:embedded-kafka-schema-registry_2.13 to fix CVE-2024-23080 -->
             <groupId>joda-time</groupId>
             <artifactId>joda-time</artifactId>
-            <version>2.12.7</version>
+            <version>2.13.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <!-- Upgrade transitive dependency of io.github.embeddedkafka:embedded-kafka-schema-registry_2.13 to fix CVE-2021-47621 -->
             <groupId>io.github.classgraph</groupId>
             <artifactId>classgraph</artifactId>
-            <version>4.8.174</version>
+            <version>4.8.177</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <!-- Upgrade transitive dependency of io.confluent:kafka-protobuf-provider:jar:7.7.1 to fix CVE-2024-7254 -->
             <groupId>com.google.protobuf</groupId>
             <artifactId>protobuf-java</artifactId>
-            <version>3.25.5</version>
+            <version>4.28.2</version>
             <scope>test</scope>
         </dependency>
     </dependencies>
@@ -628,7 +628,7 @@
     <parent>
         <artifactId>kafka-connector-extension-generated-parent</artifactId>
         <groupId>com.exasol</groupId>
-        <version>1.7.7</version>
+        <version>1.7.8</version>
         <relativePath>pk_generated_parent.pom</relativePath>
     </parent>
 </project>