Merge pull request #32 from exasol/security-fixes-week-32

Fix for CVE-2025-48924

Author: pj-spoelders

.github/workflows/ci-build.yml

@@ -0,0 +1,44 @@
+# Exasol UDF API for Java 1.0.7, released 2025-08-08
+
+Code name: Fixes for vulnerability CVE-2025-48924
+
+## Summary
+
+This release fixes the following vulnerability:
+
+### CVE-2025-48924 (CWE-674) in dependency `org.apache.commons:commons-lang3:jar:3.16.0:test`
+
+Uncontrolled Recursion vulnerability in Apache Commons Lang.
+
+This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
+
+The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a 
+StackOverflowError could cause an application to stop.
+
+Users are recommended to upgrade to version 3.18.0, which fixes the issue.
+
+CVE: CVE-2025-48924
+CWE: CWE-674
+
+#### References
+
+- https://ossindex.sonatype.org/vulnerability/CVE-2025-48924?component-type=maven&component-name=org.apache.commons%2Fcommons-lang3&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-48924
+- https://github.com/advisories/GHSA-j288-q9x7-2f5v
+
+## Security
+
+* #30: Fixed vulnerability CVE-2025-48924 in dependency `org.apache.commons:commons-lang3:jar:3.16.0:test`
+
+## Dependency Updates
+
+### Test Dependency Updates
+
+* Updated `com.exasol:exasol-testcontainers:7.1.5` to `7.1.7`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:2.0.3` to `2.0.4`
+* Updated `com.exasol:project-keeper-maven-plugin:5.1.0` to `5.2.3`
+* Added `org.sonatype.central:central-publishing-maven-plugin:0.7.0`
+* Removed `org.sonatype.plugins:nexus-staging-maven-plugin:1.7.0`

.github/workflows/dependencies_check.yml

@@ -1,17 +1,16 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>udf-api-java</artifactId>
-    <version>1.0.6</version>
+    <version>1.0.7</version>
     <name>Exasol UDF API for Java</name>
     <description>Interface between User Defined Functions (UDFs) written in Java and the Exasol database.</description>
     <url>https://github.com/exasol/udf-api-java/</url>
     <dependencies>
         <dependency>
             <groupId>com.exasol</groupId>
             <artifactId>exasol-testcontainers</artifactId>
-            <version>7.1.5</version>
+            <version>7.1.7</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -74,7 +73,7 @@
             <plugin>
                 <groupId>com.exasol</groupId>
                 <artifactId>project-keeper-maven-plugin</artifactId>
-                <version>5.1.0</version>
+                <version>5.2.3</version>
                 <executions>
                     <execution>
                         <goals>
@@ -117,7 +116,7 @@
     <parent>
         <artifactId>udf-api-java-generated-parent</artifactId>
         <groupId>com.exasol</groupId>
-        <version>1.0.6</version>
+        <version>1.0.7</version>
         <relativePath>pk_generated_parent.pom</relativePath>
     </parent>
 </project>