Update pom.xml related to CVE-2024-1597 #4007
Conversation
Fix Postgres version related to CVE-2024-1597
Update Postgres related to CVE-2024-1597
Update the Hash also
h2/pom.xml
Outdated
| @@ -44,7 +44,7 @@ | |||
| <lucene.version>9.7.0</lucene.version> | |||
| <osgi.version>5.0.0</osgi.version> | |||
| <osgi.jdbc.version>1.1.0</osgi.jdbc.version> | |||
| <pgjdbc.version>42.5.4</pgjdbc.version> | |||
| <pgjdbc.version>[42.5.5,)</pgjdbc.version> | |||
There was a problem hiding this comment.
We use exact versions here to make sure that attempts to launch unit tests from Maven will use configuration at least similar to the main configuration.
PgJDBC isn't included into distribution of H2 and H2 doesn't depend on it, so neither we nor users of H2 are affected by security issues in libraries used only in our unit tests, alerts about them can be ignored.
Please, try latest 42.7.2 instead of this old 42.5.*, it will be more reasonable to upgrade to some modern version.
There was a problem hiding this comment.
Thank you for the feedback, I have adopted 42.7.2 as advised.
There was a problem hiding this comment.
PgJDBC isn't included into distribution of H2 and H2 doesn't depend on it, so neither we nor users of H2 are affected by security issues in libraries used only in our unit tests, alerts about them can be ignored.
From what I can see, the Maven build file (which is not effective) is defining the dependency and so any security scanner will think that H2 was affected by this vulnerability. Unfortunately even a wrong security report is still a report and that's why I have tried to fix it.
Update to 42.7.2
Update to 42.7.2
Fix the SHA checksum
Fix Postgres version related to CVE-2024-1597