exasol · pj-spoelders · Jul 31, 2025 · Jul 31, 2025 · Jul 31, 2025
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml
diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -18,5 +18,6 @@
     "sonarlint.connectedMode.project": {
         "connectionId": "exasol",
         "projectKey": "com.exasol:udf-debugging-java"
-    }
-}
+    },
+    "java.configuration.updateBuildConfiguration": "automatic"
+}
diff --git a/dependencies.md b/dependencies.md
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
diff --git a/doc/changes/changes_0.6.17.md b/doc/changes/changes_0.6.17.md
@@ -0,0 +1,44 @@
+# Udf Debugging Java 0.6.17, released 2025-07-31
+
+Code name: Fix CVE-2025-48924 in `org.apache.commons:commons-lang3:jar:3.16.0:compile`
+
+## Summary
+
+This release fixes the following vulnerabilities:
+
+### CVE-2025-48924 (CWE-674) in dependency `org.apache.commons:commons-lang3:jar:3.16.0:compile`
+
+Uncontrolled Recursion vulnerability in Apache Commons Lang.
+
+This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
+
+The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a 
+StackOverflowError could cause an application to stop.
+
+Users are recommended to upgrade to version 3.18.0, which fixes the issue.
+
+CVE: CVE-2025-48924
+CWE: CWE-674
+
+#### References
+
+- https://ossindex.sonatype.org/vulnerability/CVE-2025-48924?component-type=maven&component-name=org.apache.commons%2Fcommons-lang3&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-48924
+- https://github.com/advisories/GHSA-j288-q9x7-2f5v
+
+## Security
+
+* #77: Fixed vulnerability CVE-2025-48924 in dependency `org.apache.commons:commons-lang3:jar:3.16.0:compile`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `org.apache.commons:commons-compress:1.27.1` to `1.28.0`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:2.0.3` to `2.0.4`
+* Updated `com.exasol:project-keeper-maven-plugin:5.1.0` to `5.2.3`
+* Added `org.sonatype.central:central-publishing-maven-plugin:0.7.0`
+* Removed `org.sonatype.plugins:nexus-staging-maven-plugin:1.7.0`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
diff --git a/pom.xml b/pom.xml
@@ -1,8 +1,8 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>udf-debugging-java</artifactId>
-    <version>0.6.16</version>
+    <version>0.6.17</version>
     <name>udf-debugging-java</name>
     <description>Utilities for debugging, profiling and code coverage measure for UDFs.</description>
     <url>https://github.com/exasol/udf-debugging-java/</url>
@@ -57,7 +57,7 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-compress</artifactId>
-            <version>1.27.1</version>
+            <version>1.28.0</version>
         </dependency>
         <!-- test dependencies -->
         <dependency>
@@ -139,7 +139,7 @@
             <plugin>
                 <groupId>com.exasol</groupId>
                 <artifactId>project-keeper-maven-plugin</artifactId>
-                <version>5.1.0</version>
+                <version>5.2.3</version>
                 <executions>
                     <execution>
                         <goals>
@@ -168,7 +168,7 @@
                         <!-- Dependency fr.turri:aXMLRPC used for connecting to ExaOperation.
                              We accept this vulnerability (CWE-833: Deadlock) as we assume that we only connect to the known endpoint ExaOperations. -->
                         <exclude>CVE-2017-10355</exclude>
-                         <!-- False positive in OSS Index for Exasol's JDBC driver because the fix version is missing. -->
+                        <!-- False positive in OSS Index for Exasol's JDBC driver because the fix version is missing. -->
                         <exclude>CVE-2024-55551</exclude>
                     </excludeVulnerabilityIds>
                 </configuration>
@@ -178,7 +178,7 @@
     <parent>
         <artifactId>udf-debugging-java-generated-parent</artifactId>
         <groupId>com.exasol</groupId>
-        <version>0.6.16</version>
+        <version>0.6.17</version>
         <relativePath>pk_generated_parent.pom</relativePath>
     </parent>
 </project>