Bump com.unboundid:unboundid-ldapsdk from 3.1.1 to 4.0.5

[dependabot[bot]]

Bumps com.unboundid:unboundid-ldapsdk from 3.1.1 to 4.0.5.

Release notes

Sourced from com.unboundid:unboundid-ldapsdk's releases.

UnboundID LDAP SDK for Java 4.0.5

We have just released the UnboundID LDAP SDK for Java version 4.0.5, available for download from the LDAP.com website, from the releases page of our GitHub repository, from the Files page of our SourceForge project, and from the Maven Central Repository.

The most significant change in this release is the fix for a vulnerability described in CVE-2018-1000134. In an application that uses the LDAP SDK in synchronous mode, that uses the LDAP simple bind operation to authenticate users, that does not properly check to ensure that the user actually provided a password, and that sends its request to a directory server that does not follow the RFC 4513 section 5.1.2 recommendation to reject simple bind requests with a DN but no password, this bug could have allowed the application to mistakenly grant access to an attacker who identified themselves as a legitimate user but supplied an empty password. See CVE-2018-1000134 and the UnboundID LDAP SDK for Java for more information about this issue.

Other changes in the 4.0.5 release of the LDAP SDK include:

• Updated the command-line argument parser so that it will not assign a value from a properties file to an argument if that argument is part of an exclusive argument set and another argument in that set was provided on the command line.

• Fixed a manage-certificates bug in which the validity start time and validity duration values would be ignored when generating a self-signed certificate intended to replace an existing certificate. In that case, the tool would have always used the current time as the start time and a duration of one year.

• Updated the manage-certificates tool to change the primary name for the existing --replace-existing-certificate argument in the generate-certificate-signing-request subcommand to be --use-existing-key-pair, and updated the usage information to make it clearer that using this option will not cause the keystore to be updated. The former --replace-existing-certificate identifier can still be used and will behave in exactly the same way as before, so there is no change in functionality.

• Improved the usability of the ldap-debugger tool when using the --listenUsingSSL argument by ensuring that the --keyStorePath argument is also provided, along with one of the --keyStorePassword, --keyStorePasswordFile, and --promptForKeyStorePassword arguments.

• Fixed a number of cases in which there was a mismatch between the arguments provided to a message format string and the arguments expected by that format string. Unit tests have been added to help prevent this from recurring.

• Added a new PassphraseEncryptedOutputStream class that can be used to write encrypted data with a key generated from a provided passphrase. Also added a new PassphraseEncryptedInputStream class that can be used to read encrypted data written with the PassphraseEncryptedOutputStream when provided with the correct passphrase.

• Added new RateLimitedInputStream and RateLimitedOutputStream classes that can be used to impose a maximum rate (in bytes per second) at which data can be read from a wrapped input stream or written to a wrapped output stream.

• Added new CloseableLock and CloseableReadWriteLock classes that provide the same basic functionality as Java's ReentrantLock and ReentrantReadWriteLock classes, but that can also be used with Java's try-with-resources facility.

• Added a new FixedBarrier.await(int) method that can be used to request rate limiting for the specified number of occurrences, rather than just a single occurrence. This can be used to make it easier to impose rate limiting in instances where the event that you're limiting doesn't fit into the existing paradigm. For example, it could be used to implement a rate-limited output stream in which you want to be able to specify the number of bytes being written at a time, instead of requiring a separate await() call for each byte being written.

• Updated the ldapsearch, ldapmodify, split-ldif, transform-ldif, and validate-ldif tools to add support for encrypted LDIF files. The passphrase used to generate the encryption key can be provided interactively or read from a file.

• Added support for two new UnboundID/Ping-proprietary request controls that can help clients prevent inadvertently requesting unindexed searches. The reject unindexed search request control can be used to indicate that the server should reject a search request if it cannot be efficiently processed using server indexes, even if the requester has the unindexed-search privilege. The permit unindexed search request control can be used to indicate that the server should process the search request even if it is unindexed, as long as the requester has the unindexed-search-with-control privilege. The ldapsearch tool has also been updated allow these controls to be included in the search requests that it generates.

• Added support for a new UnboundID/Ping-proprietary request control that can be included in a search request to indicate that the client wishes to override an internal limit that might otherwise be in effect for that operation. The ldapsearch tool has been updated to allow this control to be included in the search requests that it generates.

• Updated the summarize-access-log tool to add support for encrypted log files. The passphrase used to generate the encryption key can be provided interactively or read from a file.

UnboundID LDAP SDK for Java 4.0.4

We have just released the UnboundID LDAP SDK for Java version 4.0.4, available for download from the LDAP.com website, from the releases page of our GitHub repository, from the Files page of our SourceForge project, and from the Maven Central Repository.

There are a few noteworthy changes included in this release. The release notes go into more detail, but the highlights of these changes include:

• We updated the way that the LDAP SDK generates exception messages to make them more user-friendly. They are now less likely to include stack traces, and they are less likely to include repeated information (like LDAP SDK build information, and information duplicated from an exception’s cause).
• We fixed an issue that could cause multiple application threads to block in the course of closing a connection pool.
• We updated the way that the LDAP SDK sends LDAP messages so that it is more resilient to stalls in the TLS negotiation process.
• We updated the LDAP SDK’s ServerSet implementations so that they can perform authentication and post-connect processing, which can make health checks against newly established connections more reliable.
• We updated the GetEntryLDAPConnectionPoolHealthCheck class to provide support for invoking the health check after a pooled connection has been authenticated.
• We fixed a bug in the GetEntryLDAPConnectionPoolHealthCheck class that could cause it to behave incorrectly when checking the validity of a connection after an LDAPException was caught.
• We updated the Attribute.hasValue method to be more efficient for attributes with multiple values, and especially for attributes with a lot of values or with more complicated matching rules. This will also improve the Filter.matchesEntry method for equality filters that target similar types of attributes.
• We updated the prompt trust manager to provide better output formatting, and to provide additional warnings about conditions that may make a server certificate chain less trustworthy.
• We updated the LDAPConnectionOptions class to adjust the initial default connect timeout and operation response timeout, and the default operation response timeout can now be set differently for each type of operation. Most of the default values for options in the LDAPConnectionOptions class can now be set via system properties.

UnboundID LDAP SDK for Java 4.0.3

The 4.0.3 release of the LDAP SDK contains a single bugfix over the 4.0.2 version. Just after releasing the 4.0.2 version, we found a bug in the way that the LDAP SDK generated and verified signatures for X.509 certificates and PKCS10 certificate signing requests. That has been corrected, and the 4.0.3 release is available for download from the LDAP.com website, from our GitHub repository, from the SourceForge project, or from the Maven Central Repository.

... (truncated)

Changelog

Sourced from com.unboundid:unboundid-ldapsdk's changelog.

          <div align="right">

${TARGET="offline"} LDAP SDK Home Page ${TARGET="offline"} Product Information

          <h2>Release Notes</h2>
      &lt;h3&gt;Version 7.0.0&lt;/h3&gt;

      &lt;p&gt;
        The following changes were made between the 6.0.11 and 7.0.0 releases:
      &lt;/p&gt;

      &lt;ul&gt;
        &lt;li&gt;
          Updated the LDAP SDK to require Java SE 8 or later.  As of the 7.0.0 release,
          Java 7 is no longer supported.
          &lt;br&gt;&lt;br&gt;
        &lt;/li&gt;
      &lt;/ul&gt;

      &lt;p&gt;&lt;/p&gt;

      &lt;h3&gt;Version 6.0.11&lt;/h3&gt;

      &lt;p&gt;
        The following changes were made between the 6.0.10 and 6.0.11 releases:
      &lt;/p&gt;

      &lt;ul&gt;
        &lt;li&gt;
          Note that this is the last release that will support Java 7.  The next release
          (expected to have a version number of 7.0.0) will only support Java 8 and later.
          &lt;br&gt;&lt;br&gt;
        &lt;/li&gt;

        &lt;li&gt;
          Updated the ldapsearch and ldapmodify command-line tools to provide better
          validation for the value of the --proxyAs argument.  The tools will now reject
          attempts to use the argument with a value that doesn't start with either &quot;dn:&quot; or
          &quot;u:&quot;, and they will also reject attempts to use a value that starts with &quot;dn:&quot;
          but is not followed by a valid LDAP DN.
          &lt;br&gt;&lt;br&gt;
        &lt;/li&gt;

        &lt;li&gt;
          Updated the Filter methods for creating substring filters to better support empty

... (truncated)

Commits

• b28fb50 Update the release notes for the 4.0.5 release
• 7d02fa0 Add an override search limits request control
• e30ae57 Add forName methods to enum classes
• 58a46d0 Fix an OS-specific issue in ToolInvocationLogger
• 8c77d1e Make a number of format string fixes
• 2e65024 Update ToolUtils.promptForEncryptionPassphrase
• 8471904 Fix a SimpleBindRequest bug
• 41df758 Better summarize-access-log encryption support
• 900ff84 Minor update in ToolUtils
• cdb139e Add tool compression and encryption support
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/2lambda123/JNDI-Exploit-Kit/network/alerts).

[coderabbitai[bot]]

[!IMPORTANT]

Auto Review Skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on X ?

---

Tips

### Chat with CodeRabbit Bot (`@coderabbitai`) - You can directly reply to a review comment made by CodeRabbit. Example: - _I pushed a fix in commit ``._ - You can tag CodeRabbit on specific lines of code or entire files in the PR by tagging `@coderabbitai` in a comment. Examples: - _@coderabbitai generate unit tests for this file_ - _@coderabbitai modularize this function_ - You can tag `@coderabbitai` in a PR comment and ask questions about the PR and the codebase. Use quoted replies to pass the context for follow-up questions. Examples: - _@coderabbitai render interesting statistics about this repository as a table_. - _@coderabbitai show all the `console.log` statements in this repository_. - _@coderabbitai generate unit tests for the `src/utils.ts` file_. ### CodeRabbit Commands (invoked as PR comments) - `@coderabbitai pause` to pause the reviews on a PR. - `@coderabbitai resume` to resume the paused reviews. - `@coderabbitai review` to trigger a review. This is useful when automatic reviews are disabled for the repository. - `@coderabbitai resolve` resolve all the CodeRabbit review comments. - `@coderabbitai help` to get help. Additionally, you can add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed. ### CodeRabbit Configration File (`.coderabbit.yaml`) - You can programmatically configure CodeRabbit by adding a `.coderabbit.yaml` file to the root of your repository. - The JSON schema for the configuration file is available [here](https://coderabbit.ai/integrations/coderabbit-overrides.v2.json). - If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: `# yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json` ### CodeRabbit Discord Community Join our [Discord Community](https://discord.com/invite/GsXnASn26c) to get help, request features, and share feedback.

[guardrails[bot]]

:warning: We detected 4 security issues in this pull request:

Vulnerable Libraries (4)

Severity | Details :-: | :-- Critical | [pkg:maven/dom4j/dom4j@1.6.1](https://github.com/2lambda123/JNDI-Exploit-Kit/blob/0bf23d11e84d0f22fe9eb9221e7758517e744b5d/pom.xml) (t) upgrade to: *2.0.3,2.1.3* Medium | [pkg:maven/com.google.guava/guava@15.0](https://github.com/2lambda123/JNDI-Exploit-Kit/blob/0bf23d11e84d0f22fe9eb9221e7758517e744b5d/pom.xml) (t) upgrade to: *32.0.0* Medium | [pkg:maven/commons-io/commons-io@2.2](https://github.com/2lambda123/JNDI-Exploit-Kit/blob/0bf23d11e84d0f22fe9eb9221e7758517e744b5d/pom.xml) (t) upgrade to: *2.7* Medium | [pkg:maven/org.jsoup/jsoup@1.8.3](https://github.com/2lambda123/JNDI-Exploit-Kit/blob/0bf23d11e84d0f22fe9eb9221e7758517e744b5d/pom.xml) (t) upgrade to: *1.15.3* More info on how to fix Vulnerable Libraries in [Java](https://docs.guardrails.io/docs/en/vulnerabilities/java/using_vulnerable_libraries.html?utm_source=ghpr).

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[sweep-ai[bot]]

Apply Sweep Rules to your PR?