New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update pom.xml related to CVE-2024-1597 #4007
Conversation
Fix Postgres version related to CVE-2024-1597
Update Postgres related to CVE-2024-1597
Update the Hash also
h2/pom.xml
Outdated
@@ -44,7 +44,7 @@ | |||
<lucene.version>9.7.0</lucene.version> | |||
<osgi.version>5.0.0</osgi.version> | |||
<osgi.jdbc.version>1.1.0</osgi.jdbc.version> | |||
<pgjdbc.version>42.5.4</pgjdbc.version> | |||
<pgjdbc.version>[42.5.5,)</pgjdbc.version> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We use exact versions here to make sure that attempts to launch unit tests from Maven will use configuration at least similar to the main configuration.
PgJDBC isn't included into distribution of H2 and H2 doesn't depend on it, so neither we nor users of H2 are affected by security issues in libraries used only in our unit tests, alerts about them can be ignored.
Please, try latest 42.7.2 instead of this old 42.5.*, it will be more reasonable to upgrade to some modern version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the feedback, I have adopted 42.7.2 as advised.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PgJDBC isn't included into distribution of H2 and H2 doesn't depend on it, so neither we nor users of H2 are affected by security issues in libraries used only in our unit tests, alerts about them can be ignored.
From what I can see, the Maven build file (which is not effective) is defining the dependency and so any security scanner will think that H2 was affected by this vulnerability. Unfortunately even a wrong security report is still a report and that's why I have tried to fix it.
Update to 42.7.2
Update to 42.7.2
Fix the SHA checksum
Fix Postgres version related to CVE-2024-1597