chore(deps): update maven#45
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate-main/maven
branch
4 times, most recently
from
c184f4d to
f81035d
Compare
renovate
Bot
force-pushed
the
renovate-main/maven
branch
from
f81035d to
5e93d49
Compare
renovate
Bot
force-pushed
the
renovate-main/maven
branch
5 times, most recently
from
c049086 to
baa11e0
Compare
|
renovate
Bot
force-pushed
the
renovate-main/maven
branch
from
baa11e0 to
a06ef0d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.18.44→1.18.462.0.4→2.0.516.7.1→16.9.07.2.0→7.2.22.25.3→2.25.42.25.3→2.25.42.25.3→2.26.05.6.4→5.6.51.16.4→1.16.51.16.4→1.16.54.0.5→4.0.64.0.5→4.0.6Warning
Some dependencies could not be looked up. Check the warning logs for more information.
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
CVE-2026-34480 / GHSA-3pxv-7cmr-fjr4
More information
Details
Apache Log4j Core's
XmlLayout, in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output whenever a log message or MDC value contains such characters.The impact depends on the StAX implementation in use:
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Apache Log4j Core:
verifyHostNameattribute silently ignored in TLS configurationCVE-2026-34477 / GHSA-6hg6-v5c8-fphq
More information
Details
The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the
log4j2.sslVerifyHostNamesystem property, but not when configured through theverifyHostNameattribute of the<Ssl>element.Although the
verifyHostNameconfiguration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:
This issue does not affect users of the HTTP appender, which uses a separate
verifyHostnameattribute that was not subject to this bug and verifies host names by default.Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Apache Log4j Core: log injection in
Rfc5424Layoutdue to silent configuration incompatibilityCVE-2026-34478 / GHSA-445c-vh5m-36rj
More information
Details
Apache Log4j Core's
Rfc5424Layout, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:
newLineEscapeattribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.useTlsMessageFormatattribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.Users of the
SyslogAppenderare not affected, as its configuration attributes were not modified.Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
projectlombok/lombok (org.projectlombok:lombok)
v1.18.46testcontainers/testcontainers-java (org.testcontainers:testcontainers-bom)
v2.0.5Compare Source
What's Changed
🚀 Features & Enhancements
apache/artemisin ArtemisContainer (#11590) @eddumelendez🐛 Bug Fixes
📖 Documentation
🧹 Housekeeping
📦 Dependency updates
16 changes
kagkarlsson/db-scheduler (com.github.kagkarlsson:db-scheduler)
v16.9.0Compare Source
Special mentions
timestamp with time zonetype for timestamps, for which.alwaysPersistTimestampInUTC()must not be enabled.Changelog
🚀 Features
49a51c0bind TIMESTAMP WITH TIME ZONE via setObject(OffsetDateTime) (#812)🐛 Fixes
41ec746Update schema and jdbc-customizaztion to fix MS SQL task_data corruption for odd-length byte arrays (#798), closes #7987d90ab2custom deadExecution applying is fixed in builder executeStateful (#802), closes #790 #802🧰 Tasks
c3285dadeps: bump Spring Boot BOMs to pull in patched Jackson (fixes #805)🛠 Build
761963ddeps: bump testcontainers-bom from 1.21.3 to 2.0.5 (#844)f5578f4deps: bump org.junit:junit-bom from 5.14.0 to 6.0.3 (#839)b2009f6deps: bump io.micrometer:micrometer-bom from 1.15.3 to 1.16.5 (#841)a2dcff3deps: bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre (#843)d1bac26deps: bump net.java.dev.jna:jna from 5.17.0 to 5.18.1 (#833)cf0d389deps: bump the maven-plugins group with 5 updates (#837)576d92bdeps: bump serialization.version from 1.9.0 to 1.11.0 (#830)0dbe60fdeps: bump jackson.version from 2.21.2 to 2.21.3 (#831), closes #831148741cdeps-dev: bump org.assertj:assertj-core from 3.27.6 to 3.27.7 in /db-scheduler (#834),2118be2deps: bump org.postgresql:postgresql from 42.5.5 to 42.7.11 in /test/benchmark (#835)9293090deps-dev: bump the test-dependencies group across 1 directory with 13 updates (#829)650cd47rename spring-boot.version to spring-boot-3.version, closes #832fcf8537deps: bump the github-actions group with 4 updates (#828)214638bconfigure dependabot grouping and pin embedded-postgres binaries (#827)📝 Documentation
921c05aAdding 'AI Contribution Policy' to contributor guidelinesContributors
We'd like to thank the following people for their contributions:
v16.8.1Compare Source
Changelog
🛠 Build
3f309a9do not use maven-gpg-plugin to sign on release📝 Documentation
7f52cb4remove snapshotRepositoryContributors
We'd like to thank the following people for their contributions:
v16.8.0Compare Source
Changelog
🐛 Fixes
23b94bdremove duplicated "while" in heartbeat-failure log (#814), closes #730 #814116b86ecronStyle getter is added to CronSchedule (#793), closes #792 #7938572342pass execution interceptors to ManualScheduler (#795), closes #79514df9c3Add ManualSchedulerBuilder overrides for tableName and alwaysPersistTimestampInUTC (#788), closes #788🔄️ Changes
9a24e9fhelper for updating rows (executions) (#808), closes #808d83c85dUse JsonMapper instead of ObjectMapper in Jackson3Serializer (#789), closes #7894a2da67add organization to pom.xmlContributors
We'd like to thank the following people for their contributions:
micrometer-metrics/micrometer (io.micrometer:micrometer-core)
v1.16.5: 1.16.5Compare Source
🐞 Bug Fixes
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@Joowon-Seo, and @ribafish
spring-projects/spring-boot (org.springframework.boot:spring-boot-dependencies)
v4.0.6Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.