#76 fixed vulnerability CVE 2024 47561 in org.apache.avro avro (#78)

* Updated version to 2.0.11

* Updated dependencies

* Updated changes file

Author: ckunki

dependencies.md

@@ -0,0 +1,31 @@
+# Parquet for Java 2.0.11, released 2024-10-17
+
+Code name: Fix CVE-2024-47561 in dependency
+
+## Summary
+
+This release fixes vulnerability CVE-2024-47561 by updating transitive dependency `org.apache.avro:avro` via `org.apache.hadoop:hadoop-client`.
+
+## Security
+
+* #76: Fixed vulnerability CVE-2024-47561 in `org.apache.avro:avro`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `dnsjava:dnsjava:3.6.0` to `3.6.2`
+* Removed `io.airlift:aircompressor:0.27`
+* Updated `org.apache.avro:avro:1.11.3` to `1.12.0`
+* Removed `org.apache.commons:commons-compress:1.26.2`
+* Updated `org.apache.parquet:parquet-hadoop:1.14.1` to `1.14.3`
+* Updated `org.scala-lang:scala-library:2.13.14` to `2.13.15`
+* Removed `org.xerial.snappy:snappy-java:1.1.10.5`
+
+### Test Dependency Updates
+
+* Updated `nl.jqno.equalsverifier:equalsverifier:3.16.1` to `3.17.1`
+* Updated `org.hamcrest:hamcrest:2.2` to `3.0`
+* Updated `org.junit.jupiter:junit-jupiter:5.10.3` to `5.11.2`
+* Updated `org.mockito:mockito-core:5.12.0` to `5.14.2`
+* Updated `org.mockito:mockito-junit-jupiter:5.12.0` to `5.14.2`

doc/changes/changelog.md

@@ -3,38 +3,26 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.exasol</groupId>
     <artifactId>parquet-io-java</artifactId>
-    <version>2.0.10</version>
+    <version>2.0.11</version>
     <name>Parquet for Java</name>
     <description>This project provides a library that reads Parquet files into Java objects.</description>
     <url>https://github.com/exasol/parquet-io-java/</url>
     <parent>
         <artifactId>parquet-io-java-generated-parent</artifactId>
         <groupId>com.exasol</groupId>
-        <version>2.0.10</version>
+        <version>2.0.11</version>
         <relativePath>pk_generated_parent.pom</relativePath>
     </parent>
     <properties>
-        <scala.version>2.13.14</scala.version>
+        <scala.version>2.13.15</scala.version>
         <scala.compat.version>2.13</scala.compat.version>
-        <mockito.version>5.12.0</mockito.version>
+        <mockito.version>5.14.2</mockito.version>
     </properties>
     <dependencies>
         <dependency>
             <groupId>org.apache.parquet</groupId>
             <artifactId>parquet-hadoop</artifactId>
-            <version>1.14.1</version>
-        </dependency>
-        <!-- Update transitive dependency of org.apache.parquet:parquet-hadoop to fix CVE-2024-36114 -->
-        <dependency>
-            <groupId>io.airlift</groupId>
-            <artifactId>aircompressor</artifactId>
-            <version>0.27</version>
-        </dependency>
-        <dependency>
-            <!-- Update transitive dependency of org.apache.parquet:parquet-hadoop to fix CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-43642 -->
-            <groupId>org.xerial.snappy</groupId>
-            <artifactId>snappy-java</artifactId>
-            <version>1.1.10.5</version>
+            <version>1.14.3</version>
         </dependency>
         <dependency>
             <groupId>org.apache.hadoop</groupId>
@@ -133,13 +121,7 @@
             <!-- Upgrade transitive dependency of org.apache.hadoop:hadoop-client to fix CVE-2023-39410 -->
             <groupId>org.apache.avro</groupId>
             <artifactId>avro</artifactId>
-            <version>1.11.3</version>
-        </dependency>
-        <dependency>
-            <!-- Upgrade transitive dependency of org.apache.avro:avro to fix CVE-2023-42503 -->
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-compress</artifactId>
-            <version>1.26.2</version>
+            <version>1.12.0</version>
         </dependency>
         <!-- Upgrade transitive dependency of org.apache.hadoop:hadoop-client to fix CVE-2024-29131 & CVE-2024-29133 -->
         <dependency>
@@ -151,7 +133,7 @@
         <dependency>
             <groupId>dnsjava</groupId>
             <artifactId>dnsjava</artifactId>
-            <version>3.6.0</version>
+            <version>3.6.2</version>
         </dependency>
         <dependency>
             <groupId>org.scala-lang</groupId>
@@ -167,7 +149,7 @@
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter</artifactId>
-            <version>5.10.3</version>
+            <version>5.11.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -185,7 +167,7 @@
         <dependency>
             <groupId>org.hamcrest</groupId>
             <artifactId>hamcrest</artifactId>
-            <version>2.2</version>
+            <version>3.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -197,7 +179,7 @@
         <dependency>
             <groupId>nl.jqno.equalsverifier</groupId>
             <artifactId>equalsverifier</artifactId>
-            <version>3.16.1</version>
+            <version>3.17.1</version>
             <scope>test</scope>
         </dependency>
     </dependencies>