This PR contains the following updates:

| Package | Change |
| --- | --- |
| com.hazelcast:hazelcast | `5.3.1` -> `5.3.5` |
### GitHub Vulnerability Alerts

#### [CVE-2023-45860](https://nvd.nist.gov/vuln/detail/CVE-2023-45860)

##### Impact
In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.
##### Patches

Fix versions: 5.3.5, 5.4.0-BETA-1
##### Workaround

Disabling the Hazelcast Jet processing engine in the Hazelcast member configuration works around the issue. As a result, SQL and Jet jobs will not work.
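The member configuration that applies this workaround, as an added example that is not part of the advisory text or of the Hazelcast project's own documentation. It assumes the `hazelcast.jet.enabled` key of the Hazelcast 5.x YAML member configuration (the key is not named on this page) and uses a constructed cluster name:

```yaml
# Added example: Hazelcast 5.x member configuration (hazelcast.yaml).
# Assumes the `hazelcast.jet.enabled` key, which this page does not name.
hazelcast:
  cluster-name: dev          # constructed sample value
  jet:
    # With the Jet engine disabled the member cannot run any SQL or Jet
    # job, so the CSV File Source connector affected by CVE-2023-45860 is
    # unreachable on that member. This is the trade-off the advisory
    # describes: no SQL and no Jet jobs until the member is upgraded.
    enabled: false
```

Treat this as a stopgap for members that cannot yet move to a fix version (5.3.5 or 5.4.0-BETA-1); it does not address CVE-2023-45859, for which the advisory lists no workaround, and every member in the cluster needs the setting for the workaround to hold cluster-wide.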
#### [CVE-2023-45859](https://nvd.nist.gov/vuln/detail/CVE-2023-45859)

##### Impact
In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.
##### Patches

Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1

##### Workarounds

There is no known workaround.
### Release Notes
hazelcast/hazelcast (com.hazelcast:hazelcast)
### [`v5.3.5`](https://togithub.com/hazelcast/hazelcast/releases/tag/v5.3.5)

This document lists the enhancements, fixed issues, and removed or deprecated features for the Hazelcast Platform 5.3.5 release. The numbers in the square brackets refer to the issues and pull requests in Hazelcast's GitHub repository.

NOTE: Due to an error in the tooling, the Platform releases 5.3.3 and 5.3.4 needed to be skipped numerically.

##### Enhancements

- Improved the permission checks by fixing the [CVE-2023-45859](https://nvd.nist.gov/vuln/detail/CVE-2023-45859) and [CVE-2023-45860](https://nvd.nist.gov/vuln/detail/CVE-2023-45860) vulnerabilities.
- Changed the exception type from `CancellationException` to `CancellationByUserException` in case the user cancels a job before it is initialized. \[[#25452](https://togithub.com/hazelcast/hazelcast/issues/25452)]
- Updated the versions of the following dependencies:
  - gRPC to 1.57.0 \[[#25430](https://togithub.com/hazelcast/hazelcast/issues/25430)]
  - Netty to 4.1.100 \[[#25670](https://togithub.com/hazelcast/hazelcast/issues/25670)]
  - Avro to 1.1.13 \[[#25659](https://togithub.com/hazelcast/hazelcast/issues/25659)]
  - Snappy Java to 1.1.10.5
  - Elasticsearch to 7.17.13 \[[#25660](https://togithub.com/hazelcast/hazelcast/issues/25660)]
- Renamed the service port for Hazelcast clusters deployed in Kubernetes environments to `hazelcast`. Previously, the name was `hazelcast-service-port`, causing the member auto-discovery (for embedded deployments) to fail. \[[#24834](https://togithub.com/hazelcast/hazelcast/issues/24834)]

##### Fixes

- Fixed an issue where the map entries' metadata, such as time-to-live and expiration, was not replicated correctly over WAN after updating existing entries. \[[#25505](https://togithub.com/hazelcast/hazelcast/issues/25505)]
- Fixed an issue where the member list was not updated after a cluster failover scenario. \[[#25504](https://togithub.com/hazelcast/hazelcast/issues/25504)]
- Fixed a memory leak in Hazelcast members and clients while destroying fenced locks. \[[#25421](https://togithub.com/hazelcast/hazelcast/issues/25421)]

##### Removed/Deprecated Features

- Removed the evaluation tool (to try out Platform 5.x features for IMDG 3.x users) and the relevant IMDG 3.x JAR libraries from Hazelcast Platform distributions. \[[#25663](https://togithub.com/hazelcast/hazelcast/issues/25663)]

### [`v5.3.2`](https://togithub.com/hazelcast/hazelcast/releases/tag/v5.3.2)

This document lists the enhancements and fixed issues for the Hazelcast Platform 5.3.2 release. The numbers in the square brackets refer to the issues and pull requests in Hazelcast's GitHub repository.

##### Enhancements

- Updated the Janino dependency version to 3.1.10. \[[#25094](https://togithub.com/hazelcast/hazelcast/issues/25094)]

##### Fixes

- Renamed the service port for Hazelcast clusters deployed in Kubernetes environments to `hazelcast`. Previously, the name was `hazelcast-service-port`, causing the member auto-discovery (for embedded deployments) to fail. \[[#25228](https://togithub.com/hazelcast/hazelcast/issues/25228)]
- Fixed an issue where `getDistributedObjects()` was returning inconsistent results when multiple members were simultaneously joining the cluster. \[[#25153](https://togithub.com/hazelcast/hazelcast/issues/25153)]
- Fixed an issue where the Hot Restart procedure was failing on Hazelcast Viridian when the cluster was in the `FROZEN` state. \[[#25081](https://togithub.com/hazelcast/hazelcast/issues/25081)]
- Fixed an issue where the retry mechanism for the communications between the CP leader and followers was generating too many retries, due to incorrect backoff timeout reset behavior. \[[#25074](https://togithub.com/hazelcast/hazelcast/issues/25074)]

### Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.