@dependabot-preview

Bumps quartz from 2.2.3 to 2.3.2. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

XML external entity injection in Terracotta Quartz Scheduler initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Affected versions: < 2.3.2

Release notes

Sourced from quartz's releases.

Quartz 2.3.2

This is a bug fix release containing fixes for:

  • #508 : Error with H2 1.4.200
  • #505 : CronTrigger.getTriggerBuilder() changes misfire instruction from "ignore misfire" to "smart"
  • #491 : StdJDBCDelegate.selectTriggerToAcquire may not respect maxCount
  • #490 : Return at most maxCount triggers
  • #482 : Update C3P0 version to 0.9.5.4 (CVE-2019-5427)
  • #474 : StdSchedulerFactory ConcurrentModificationException reading system properties
  • #467 : Security: XXE in initDocumentParser

quartz-2.3.1

THIS RELEASE REQUIRES JDK7

  • #294 depen: Update hikaricp-java6:2.3.13 to hikaricp-java7:2.4.13
  • #316 depen: Updated C3P0 version to 0.9.5.3
  • #147 bugfix: Fix BINARY to BLOG type for job data for hsqldb
  • #156 bugfix: Fix null string used in thread name with DirectSchedulerFactory
  • #159 bugfix: Fix extra bad char tick on drop table qurtz_fired_triggers for postgres
  • #146 bugfix: Release BLOCKED triggers in releaseAcquiredTrigger
  • #212 bugfix: QuartzInitializerListener: fix a typo
  • #193 bugfix: Job execution context impl returns incorrect recovering job key
  • #172 bugfix: Miss notify SchedulerListeners in QuartzScheduler.java
  • #220 bugfix: DailyTimeIntervalTrigger failed to set endingDailyAfterCount = 1
  • #160 improv: Add drop table if exists check in sql script for postgres
  • #214 improv: Reuse JobBuilder.storeDurably(boolean) in JobBuilder
  • #281 improv: Fix no setter for dataSource property validateOnCheckout
  • #264 improv: Fix no setter for dataSource property discardIdleConnectionsSeconds
  • #245 improv: Sybase: Changed varchar length TRIGGER_NAME from 80 to 200
  • #340 improv: Use all-caps table names in the liquibase script
  • #189 improv: NPE thrown when acquiring next trigger due to null next fire time value
  • #268 improv: Add configurable params for StdRowLockSemaphore for Failure obtaining db row lock
  • #293 build: Setup Azure CI server for Quartz project
  • #66 build: Remove unused 'svn' requirement during maven package build
  • #301 build: Improve project with readme, and license changes log
  • #302 build: Update mvnw wrapper to use Maven 3.6.0
  • #226 build: Replace maven-forge-plugin with maven-jar-plugin
  • #170 docs: Minor fix and improvement on Javadoc
  • #203 docs: Minor fix and improvement on Javadoc
  • #360 docs: Update docs and migrate it into main source repository

Changelog

Sourced from quartz's changelog.

== quartz-2.3.2

This release is still work in progress under quartz-2.3.x branch!

== quartz-2.3.1

Released on 25-Mar-2018

THIS RELEASE REQUIRES JDK7

  • #294 depen: Update hikaricp-java6:2.3.13 to hikaricp-java7:2.4.13
  • #316 depen: Updated C3P0 version to 0.9.5.3
  • #147 bugfix: Fix BINARY to BLOG type for job data for hsqldb
  • #156 bugfix: Fix null string used in thread name with DirectSchedulerFactory
  • #159 bugfix: Fix extra bad char tick on drop table qurtz_fired_triggers for postgres
  • #146 bugfix: Release BLOCKED triggers in releaseAcquiredTrigger
  • #212 bugfix: QuartzInitializerListener: fix a typo
  • #193 bugfix: Job execution context impl returns incorrect recovering job key
  • #172 bugfix: Miss notify SchedulerListeners in QuartzScheduler.java
  • #220 bugfix: DailyTimeIntervalTrigger failed to set endingDailyAfterCount = 1
  • #160 improv: Add drop table if exists check in sql script for postgres
  • #214 improv: Reuse JobBuilder.storeDurably(boolean) in JobBuilder
  • #281 improv: Fix no setter for dataSource property validateOnCheckout
  • #264 improv: Fix no setter for dataSource property discardIdleConnectionsSeconds
  • #245 improv: Sybase: Changed varchar length TRIGGER_NAME from 80 to 200
  • #340 improv: Use all-caps table names in the liquibase script
  • #189 improv: NPE thrown when acquiring next trigger due to null next fire time value
  • #268 improv: Add configurable params for StdRowLockSemaphore for Failure obtaining db row lock
  • #293 build: Setup Azure CI server for Quartz project
  • #66 build: Remove unused 'svn' requirement during maven package build
  • #301 build: Improve project with readme, and license changes log
  • #302 build: Update mvnw wrapper to use Maven 3.6.0
  • #226 build: Replace maven-forge-plugin with maven-jar-plugin
  • #170 docs: Minor fix and improvement on Javadoc
  • #203 docs: Minor fix and improvement on Javadoc
  • #360 docs: Update docs and migrate it into main source repository

== quartz-2.3.0

Released on 19-Apr-2017

THIS RELEASE REQUIRES JDK7

  • #9 build: Fix the Java 8 javadoc issue with 'doclint:none'
  • #6 bugfix: Fix cannot create tables in MySQL with InnoDB and UTF8mb4
  • #93 bugfix: Fix the jobs recovering (on scheduler startup)
  • #76 improv: Add missing foreign key for BLOB triggers table for ms sql server
  • #114 improv: Add 'if exists' clause to drop tables command for postgres
  • #25 feat: Add resetTriggerFromErrorState functionality
  • #126 feat: Add support for hikari cp, upgrade c3p0 library, break static dependencies

Commits
  • 3533e40 Release 2.3.2 from quartz-2.3.x
  • 789afce Merge pull request #517 from chrisdennis/issue-508-2.3.x
  • 941d184 Merge branch 'issue-508' into issue-508-2.3.x
  • c069965 Merge pull request #520 from chrisdennis/issue-491-2.3.x
  • de69c46 Issue #491 : Added unit test coverage
  • bc6be51 Merge branch 'issue-491' into issue-491-2.3.x
  • e990cd1 Merge pull request #521 from chrisdennis/c3p0-upgrade-2.3.x
  • 99077cd Merge branch 'c3p0-upgrade' into c3p0-upgrade-2.3.x
  • 8552008 Merge pull request #522 from chrisdennis/trigger-javadoc-fix
  • 8ab547f Merge pull request #519 from chrisdennis/issue-505
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

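The advisory at the top of this PR concerns an XML external entity (XXE) weakness in the XML job-data parser of Quartz versions before 2.3.2. Beyond taking the upgrade, a reviewer would want to confirm that any JAXP parser their own code points at job-description XML is configured the same way the fix implies. The following Java snippet is an added illustration, not code from the Quartz project or from this PR: it builds a DocumentBuilderFactory that refuses DOCTYPE declarations and external entities, fails closed if the underlying parser does not support one of the features, and shows that ordinary job data still parses. The class name, method names and both sample documents are constructed for the example; the feature URIs are the standard SAX/Xerces ones supported by the JDK's built-in parser.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example: XXE-hardened DOM parsing for untrusted job-data XML. */
public class HardenedJobDataParser {

    /** Constructed sample: ordinary job data with no DTD. Should parse. */
    static final String PLAIN_JOB_DATA =
        "<?xml version=\"1.0\"?>"
      + "<job-scheduling-data><description>nightly report</description></job-scheduling-data>";

    /**
     * Constructed sample: the same document with a DOCTYPE that declares an
     * external entity. The SYSTEM identifier is a placeholder; a hardened
     * parser must reject the document before resolving anything.
     */
    static final String JOB_DATA_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE job-scheduling-data [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
      + "<job-scheduling-data><description>&ext;</description></job-scheduling-data>";

    /**
     * Build a factory that cannot be driven into XXE. Every setFeature call
     * throws ParserConfigurationException if the parser lacks the feature;
     * we let that propagate so a misconfigured parser is never used silently.
     */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // JAXP secure-processing limits entity expansion and similar resource use.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: no DTD means no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE ever does get through.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns true if the document parsed, false if the parser rejected it. */
    static boolean parses(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            builder.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // A DOCTYPE in the input surfaces here as a SAXParseException.
            return false;
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        DocumentBuilderFactory factory = hardenedFactory();
        System.out.println("plain job data parses: " + parses(factory, PLAIN_JOB_DATA));
        System.out.println("job data with DOCTYPE parses: " + parses(factory, JOB_DATA_WITH_DOCTYPE));
    }
}
```

With the JDK's built-in Xerces parser the first document is accepted and the second is rejected at the DOCTYPE, so the placeholder SYSTEM identifier is never resolved. The factory is created once and reused because feature negotiation is the expensive part; the check that matters in review is that no code path obtains a DocumentBuilderFactory through plain newInstance() without passing it through this kind of hardening.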
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability labels Jul 29, 2020