what-the-diff[bot]
commented
4 months ago PR Summary
-
Update of Application Dependencies In this pull request, we've updated some critical parts of the software that background our applications. We did this in two parts, focused on two separate applications we maintain:
-
For the
consumer-hazelcast-quarkusapplication, we've updated the Hazelcast system to a newer, more secure and potentially more performance-optimized version (5.3.5from5.3.1). -
For the
jaxrs-hazelcast-quarkusapplication, we've made two notable changes. Like in the consumer application, we've also moved the Hazelcast system to version5.3.5. In addition to that, we've updated theslf4j-reload4jcomponent to a newer version. While this new version is not specified here, you can rest assured it's a step up that will provide improvements in how we log and monitor the behavior of this application.
These updates are essential to keep our applications running smoothly and securely. They help us catch and address issues faster, ensuring high service quality for the end users.
-
sonarcloud[bot]
No data about Coverage
codeclimate[bot]
codecov[bot]
datadog-github-app-for-yurake[bot]
This PR contains the following updates:
5.3.1->5.3.5GitHub Vulnerability Alerts
CVE-2023-45860
Impact
In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.
Patches
Fix versions: 5.3.5, 5.4.0-BETA-1
Workaround
Disabling Hazelcast Jet processing engine in Hazelcast member configuration workarounds the issue. As a result SQL and Jet jobs won't work.
CVE-2023-45859
Impact
In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.
Patches
Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1
Workarounds
There is no known workaround.
Release Notes
hazelcast/hazelcast (com.hazelcast:hazelcast)
### [`v5.3.5`](https://togithub.com/hazelcast/hazelcast/releases/tag/v5.3.5) This document lists the enhancements, fixed issues, and removed or deprecated features for Hazelcast Platform 5.3.5 release. The numbers in the square brackets refer to the issues and pull requests in Hazelcast's GitHub repository. NOTE: Due to an error in the tooling, the Platform releases 5.3.3 and 5.3.4 needed to be skipped numerically. ##### Enhancements - Improved the permission checks by fixing the [CVE-2023-45859](https://nvd.nist.gov/vuln/detail/CVE-2023-45859) and [CVE-2023-45860](https://nvd.nist.gov/vuln/detail/CVE-2023-45860) vulnerabilities. - Changed the exception type from `CancellationException` to `CancellationByUserException` in case the user cancels a job before it is initialized. \[[#25452](https://togithub.com/hazelcast/hazelcast/issues/25452)] - Updated the versions of the following dependencies - gRPC to 1.57.0, \[[#25430](https://togithub.com/hazelcast/hazelcast/issues/25430)] - Netty to 4.1.100, \[[#25670](https://togithub.com/hazelcast/hazelcast/issues/25670)] - Avro to 1.1.13, \[[#25659](https://togithub.com/hazelcast/hazelcast/issues/25659)] - Snappy Java to 1.1.10.5 - Elasticsearch to 7.17.13, \[[#25660](https://togithub.com/hazelcast/hazelcast/issues/25660)] - Renamed the service port for Hazelcast clusters deployed in Kubernetes environments as `hazelcast`. Previously, the name was `hazelcast-service-port` causing the member auto-discovery (for embedded deployments) to fail. \[[#24834](https://togithub.com/hazelcast/hazelcast/issues/24834)] ##### Fixes - Fixed an issue where the map entries' metadata, such as time-to-live and expiration, was not replicated correctly over WAN after updating existing entries. \[[#25505](https://togithub.com/hazelcast/hazelcast/issues/25505)] - Fixed an issue where the member list was not updated after a cluster failover scenario. \[[#25504](https://togithub.com/hazelcast/hazelcast/issues/25504)] - Fixed a memory leak issue happening in Hazelcast members and clients while destroying fenced locks. \[[#25421](https://togithub.com/hazelcast/hazelcast/issues/25421)] ##### Removed/Deprecated Features - Removed the evaluation tool (to try out Platform 5.x features for IMDG 3.x users) and the relevant IMDG 3.x JAR libraries from Hazelcast Platform distributions. \[[#25663](https://togithub.com/hazelcast/hazelcast/issues/25663)] ### [`v5.3.2`](https://togithub.com/hazelcast/hazelcast/releases/tag/v5.3.2) This document lists the enhancements and fixed issues for Hazelcast Platform 5.3.2 release. The numbers in the square brackets refer to the issues and pull requests in Hazelcast's GitHub repository. ##### Enhancements - Updated the Janino dependency version to 3.1.10. \[[#25094](https://togithub.com/hazelcast/hazelcast/issues/25094)] ##### Fixes - Renamed the service port for Hazelcast clusters deployed in Kubernetes environments as `hazelcast`. Previously, the name was `hazelcast-service-port` causing the member auto-discovery (for embedded deployments) to fail. \[[#25228](https://togithub.com/hazelcast/hazelcast/issues/25228)] - Fixed an issue where the `getDistributedObjects()` was returning inconsistent results when multiple members are simultaneously joining to the cluster. \[[#25153](https://togithub.com/hazelcast/hazelcast/issues/25153)] - Fixed an issue where the Hot Restart procedure was failing on Hazelcast Viridian, when the cluster is in the `FROZEN` state. \[[#25081](https://togithub.com/hazelcast/hazelcast/issues/25081)] - Fixed an issue where the retry mechanism for the communications between CP leader and followers was generating too many retries, due to incorrect backoff timeout reset behavior. \[[#25074](https://togithub.com/hazelcast/hazelcast/issues/25074)]Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.