From f7fa9adce5850bd24aa46a1901865c6f5fff3080 Mon Sep 17 00:00:00 2001
From: Automatic Dependency Updater <opensource@exasol.com>
Date: Thu, 9 May 2024 02:19:02 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=90=20Update=20dependencies=20to=20fix?=
 =?UTF-8?q?=20vulnerabilities?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 doc/changes/changelog.md                 |  1 +
 doc/changes/changes_2.1.6.md             | 67 ++++++++++++++++++++++++
 doc/developers_guide/developers_guide.md |  4 +-
 pk_generated_parent.pom                  |  2 +-
 pom.xml                                  | 21 ++++----
 5 files changed, 81 insertions(+), 14 deletions(-)
 create mode 100644 doc/changes/changes_2.1.6.md

diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index 6a4cb81..74db648 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
 # Changes
 
+* [2.1.6](changes_2.1.6.md)
 * [2.1.5](changes_2.1.5.md)
 * [2.1.4](changes_2.1.4.md)
 * [2.1.3](changes_2.1.3.md)
diff --git a/doc/changes/changes_2.1.6.md b/doc/changes/changes_2.1.6.md
new file mode 100644
index 0000000..5a48dc2
--- /dev/null
+++ b/doc/changes/changes_2.1.6.md
@@ -0,0 +1,67 @@
+# Exasol AWS Glue Connector 2.1.6, released 2024-??-??
+
+Code name: Fixed vulnerabilities CVE-2023-33201, CVE-2023-33202, CVE-2024-29857, CVE-2024-30171, CVE-2024-34447
+
+## Summary
+
+This release fixes the following 5 vulnerabilities:
+
+### CVE-2023-33201 (CWE-295) in dependency `org.bouncycastle:bcprov-jdk15on:jar:1.70:provided`
+Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2023-33201?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk15on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33201
+* https://github.com/bcgit/bc-java/wiki/CVE-2023-33201
+
+### CVE-2023-33202 (CWE-400) in dependency `org.bouncycastle:bcprov-jdk15on:jar:1.70:provided`
+Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2023-33202?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk15on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33202
+* https://github.com/bcgit/bc-java/wiki/CVE-2023-33202
+
+### CVE-2024-29857 (CWE-400) in dependency `org.bouncycastle:bcprov-jdk15on:jar:1.70:provided`
+bouncycastle - Denial of Service (DoS)
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2024-29857?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk15on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-29857
+* https://www.bouncycastle.org/releasenotes.html#:~:text=the%20following%20CVEs%3A-,CVE%2D2024%2D29857,-%2D%20Importing%20an%20EC
+
+### CVE-2024-30171 (CWE-208) in dependency `org.bouncycastle:bcprov-jdk15on:jar:1.70:provided`
+bouncycastle - Observable Timing Discrepancy [ aka CVE-2024-20952 ]
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2024-30171?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk15on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-30171
+* https://github.com/bcgit/bc-java/issues/1528
+* https://www.bouncycastle.org/releasenotes.html#:~:text=during%20parameter%20evaluation.-,CVE%2D2024%2D30171,-%2D%20Possible%20timing%20based
+
+### CVE-2024-34447 (CWE-297) in dependency `org.bouncycastle:bcprov-jdk15on:jar:1.70:provided`
+bouncycastle - Improper Validation of Certificate with Host Mismatch
+
+The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2024-34447?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk15on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* https://www.bouncycastle.org/releasenotes.html#:~:text=CVE%2D2024%2D301XX%20%2D%20When%20endpoint%20identification%20is%20enabled%20in%20the%20BCJSSE%20and%20an%20SSL%20socket%20is%20not%20created%20with%20an%20explicit%20hostname%20(as%20happens%20with%20HttpsURLConnection)%2C%20hostname%20verification%20could%20be%20performed%20against%20a%20DNS%2Dresolved%20IP%20address.%20This%20has%20been%20fixed.
+
+## Security
+
+* #100: Fixed vulnerability CVE-2023-33201 in dependency `org.bouncycastle:bcprov-jdk15on:jar:1.70:provided`
+* #101: Fixed vulnerability CVE-2023-33202 in dependency `org.bouncycastle:bcprov-jdk15on:jar:1.70:provided`
+* #102: Fixed vulnerability CVE-2024-29857 in dependency `org.bouncycastle:bcprov-jdk15on:jar:1.70:provided`
+* #103: Fixed vulnerability CVE-2024-30171 in dependency `org.bouncycastle:bcprov-jdk15on:jar:1.70:provided`
+* #104: Fixed vulnerability CVE-2024-34447 in dependency `org.bouncycastle:bcprov-jdk15on:jar:1.70:provided`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `com.exasol:spark-connector-common-java:2.0.4` to `2.0.5`
+* Updated `software.amazon.awssdk:s3:2.25.29` to `2.25.48`
+
+### Test Dependency Updates
+
+* Updated `com.amazon.ion:ion-java:1.11.4` to `1.11.7`
+* Updated `com.amazonaws:aws-java-sdk-s3:1.12.699` to `1.12.718`
+* Updated `com.exasol:exasol-testcontainers:7.0.1` to `7.1.0`
+* Updated `org.testcontainers:junit-jupiter:1.19.7` to `1.19.8`
+* Updated `org.testcontainers:localstack:1.19.7` to `1.19.8`
diff --git a/doc/developers_guide/developers_guide.md b/doc/developers_guide/developers_guide.md
index 3264493..802fd0c 100644
--- a/doc/developers_guide/developers_guide.md
+++ b/doc/developers_guide/developers_guide.md
@@ -40,11 +40,11 @@ To test connector by creating a custom connector, please follow these steps.
 
 ### Creating an Assembly Jar
 
-By running `mvn verify` or `mvn package` create a connector artifact. For example, `target/exasol-glue-connector-2.1.5-assembly.jar`.
+By running `mvn verify` or `mvn package` create a connector artifact. For example, `target/exasol-glue-connector-2.1.6-assembly.jar`.
 
 ### Uploading the Artifact to S3 Bucket
 
-Upload the JAR artifact from previous step into an S3 bucket. For instance, `s3://exasol-artifacts/glue-connector/exasol-glue-connector-2.1.5-assembly.jar`.
+Upload the JAR artifact from previous step into an S3 bucket. For instance, `s3://exasol-artifacts/glue-connector/exasol-glue-connector-2.1.6-assembly.jar`.
 
 ### Creating a Glue Studio Custom Connector
 
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index 935668b..13791bb 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.exasol</groupId>
     <artifactId>glue-connector-generated-parent</artifactId>
-    <version>2.1.5</version>
+    <version>2.1.6</version>
     <packaging>pom</packaging>
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/pom.xml b/pom.xml
index 223a821..7491b87 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,14 +3,14 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.exasol</groupId>
     <artifactId>glue-connector</artifactId>
-    <version>2.1.5</version>
+    <version>2.1.6</version>
     <name>Exasol AWS Glue Connector</name>
     <description>An AWS Glue connector for accessing Exasol database</description>
     <url>https://github.com/exasol/glue-connector/</url>
     <parent>
         <artifactId>glue-connector-generated-parent</artifactId>
         <groupId>com.exasol</groupId>
-        <version>2.1.5</version>
+        <version>2.1.6</version>
         <relativePath>pk_generated_parent.pom</relativePath>
     </parent>
     <properties>
@@ -217,7 +217,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>33.1.0-jre</version>
+            <version>33.2.0-jre</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -229,7 +229,7 @@
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>s3</artifactId>
-            <version>2.25.29</version>
+            <version>2.25.48</version>
         </dependency>
         <dependency>
             <groupId>com.exasol</groupId>
@@ -244,7 +244,7 @@
         <dependency>
             <groupId>com.exasol</groupId>
             <artifactId>spark-connector-common-java</artifactId>
-            <version>2.0.4</version>
+            <version>2.0.5</version>
         </dependency>
         <dependency>
             <groupId>com.exasol</groupId>
@@ -285,13 +285,13 @@
         <dependency>
             <groupId>org.testcontainers</groupId>
             <artifactId>junit-jupiter</artifactId>
-            <version>1.19.7</version>
+            <version>1.19.8</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.testcontainers</groupId>
             <artifactId>localstack</artifactId>
-            <version>1.19.7</version>
+            <version>1.19.8</version>
             <scope>test</scope>
         </dependency>
         <!--
@@ -301,7 +301,7 @@
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-java-sdk-s3</artifactId>
-            <version>1.12.699</version>
+            <version>1.12.718</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -420,13 +420,13 @@
             <!-- Upgrade transtivie dependency of AWSGlueETL to fix CVE-2024-21634 -->
             <groupId>com.amazon.ion</groupId>
             <artifactId>ion-java</artifactId>
-            <version>1.11.4</version>
+            <version>1.11.7</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>com.exasol</groupId>
             <artifactId>exasol-testcontainers</artifactId>
-            <version>7.0.1</version>
+            <version>7.1.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -654,7 +654,6 @@
                              runtime Spark cluster.
                         -->
                         <exclude>CVE-2023-52428</exclude>
-
                         <!-- Ignore vulnerabilities from org.bouncycastle:bcprov-jdk15on:jar:1.70:provided via org.apache.hadoop:hadoop-client.
                              This is a "provided" library that is not included in the built JAR and must be fixed in the runtime environment. -->
                         <exclude>CVE-2023-33201</exclude>