dependabot[bot] opened a new pull request, #6792:
URL: https://github.com/apache/incubator-kie-drools/pull/6792

   Bumps [com.ongres.scram:scram-client](https://github.com/ongres/scram) from 
3.2 to 3.3.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a 
href="https://github.com/ongres/scram/releases";>com.ongres.scram:scram-client's 
releases</a>.</em></p>
   <blockquote>
   <h2>SCRAM Java 3.3</h2>
   <h3>:lock: Security</h3>
   <ul>
   <li>Prevent silent downgrade attacks during channel binding negotiation via 
unsupported certificate algorithms. <a 
href="https://github.com/ongres/scram/security/advisories/GHSA-p9jg-fcr6-3mhf";>GHSA-p9jg-fcr6-3mhf</a></li>
   <li>Harden memory security by explicitly zeroing out highly sensitive 
cryptographic keys (<code>saltedPassword</code>, <code>clientKey</code>, and 
<code>serverKey</code>) immediately following the client final message exchange 
to prevent lingering material in heap memory.</li>
   </ul>
   <h3>:rocket: New features</h3>
   <ul>
   <li>Implement an interrupt-aware implementation of the PBKDF2 'hi' function 
introducing <code>ScramInterruptedException</code>, utilizing a stride-based 
check to allow long-running cryptographic operations to safely abort without 
blocking thread shutdown.</li>
   <li>Introduce <code>.channelBindingPolicy()</code> to the client builder to 
explicitly configure <code>DISABLE</code>, <code>ALLOW</code> (default), and 
<code>REQUIRE</code> enforcement modes.</li>
   <li>Introduce <code>MechanismNegotiationException</code> and 
<code>ChannelBindingException</code> runtime exception hierarchy to provide 
granular, precise failure types for driver integration loops instead of relying 
on generic <code>IllegalArgumentException</code> throws.</li>
   <li>Add support for <code>RSASSA-PSS</code> server certificate signature 
extraction to ensure modern cryptographic algorithms are supported during 
<code>tls-server-end-point</code> channel binding computations.</li>
   <li>Add support for <code>SCRAM-SHA3-512</code> and 
<code>SCRAM-SHA3-512-PLUS</code> SASL mechanisms to provide modern NIST SHA-3 
hashing standards with higher cryptographic resilience against length-extension 
attacks (supported on modern JVMs only).</li>
   </ul>
   <h3>:building_construction: Improvements</h3>
   <ul>
   <li>Update the <code>saslprep</code> dependency to 2.4.</li>
   <li>Updated internal Maven plugins and project dependencies to their latest 
stable versions.</li>
   </ul>
   </blockquote>
   </details>
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a 
href="https://github.com/ongres/scram/blob/main/CHANGELOG.md";>com.ongres.scram:scram-client's
 changelog</a>.</em></p>
   <blockquote>
   <h2>[3.3] - 2026-06-04</h2>
   <h3>:lock: Security</h3>
   <ul>
   <li>Prevent silent downgrade attacks during channel binding negotiation via 
unsupported certificate algorithms. <a 
href="https://github.com/ongres/scram/security/advisories/GHSA-p9jg-fcr6-3mhf";>GHSA-p9jg-fcr6-3mhf</a></li>
   <li>Harden memory security by explicitly zeroing out highly sensitive 
cryptographic keys (<code>saltedPassword</code>, <code>clientKey</code>, and 
<code>serverKey</code>) immediately following the client final message exchange 
to prevent lingering material in heap memory.</li>
   </ul>
   <h3>:rocket: New features</h3>
   <ul>
   <li>Implement an interrupt-aware implementation of the PBKDF2 'hi' function 
introducing <code>ScramInterruptedException</code>, utilizing a stride-based 
check to allow long-running cryptographic operations to safely abort without 
blocking thread shutdown.</li>
   <li>Introduce <code>.channelBindingPolicy()</code> to the client builder to 
explicitly configure <code>DISABLE</code>, <code>ALLOW</code> (default), and 
<code>REQUIRE</code> enforcement modes.</li>
   <li>Introduce <code>MechanismNegotiationException</code> and 
<code>ChannelBindingException</code> runtime exception hierarchy to provide 
granular, precise failure types for driver integration loops instead of relying 
on generic <code>IllegalArgumentException</code> throws.</li>
   <li>Add support for <code>RSASSA-PSS</code> server certificate signature 
extraction to ensure modern cryptographic algorithms are supported during 
<code>tls-server-end-point</code> channel binding computations.</li>
   <li>Add support for <code>SCRAM-SHA3-512</code> and 
<code>SCRAM-SHA3-512-PLUS</code> SASL mechanisms to provide modern NIST SHA-3 
hashing standards with higher cryptographic resilience against length-extension 
attacks (supported on modern JVMs only).</li>
   </ul>
   <h3>:building_construction: Improvements</h3>
   <ul>
   <li>Update the <code>saslprep</code> dependency to 2.4.</li>
   <li>Updated internal Maven plugins and project dependencies to their latest 
stable versions.</li>
   </ul>
   </blockquote>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/ongres/scram/commit/f6bd6e20e34d4989ee34b06825791657a2cfd4fe";><code>f6bd6e2</code></a>
 chore(release): SCRAM Java 3.3</li>
   <li><a 
href="https://github.com/ongres/scram/commit/5d780f3cd6b8d9c7dbec8900e68b8440177d6c61";><code>5d780f3</code></a>
 feat(security): introduce ChannelBindingPolicy for configurable 
negotiation</li>
   <li><a 
href="https://github.com/ongres/scram/commit/caff8ca931020cae9101fc8c7583b12b06b15186";><code>caff8ca</code></a>
 feat(crypto): add RSASSA-PSS support for tls-server-end-point channel 
binding</li>
   <li><a 
href="https://github.com/ongres/scram/commit/da713cf4e9d15cb355dccd55af9505d1b67e760f";><code>da713cf</code></a>
 chore(deps): Bump the all-maven-dependencies group across 2 directories with 
...</li>
   <li><a 
href="https://github.com/ongres/scram/commit/5ac43849c022022de7aa5caf9b2384b48c215cbd";><code>5ac4384</code></a>
 feat(crypto): add support for SCRAM-SHA3-512 mechanisms</li>
   <li><a 
href="https://github.com/ongres/scram/commit/03d312269dfef241f46866ef40ef8474bfb3c6d3";><code>03d3122</code></a>
 fix(security): zero out cryptographic keys after SCRAM exchange</li>
   <li><a 
href="https://github.com/ongres/scram/commit/31f610423dd89a99eda40d9e9141f3fde76f3579";><code>31f6104</code></a>
 Merge pull request <a 
href="https://redirect.github.com/ongres/scram/issues/127";>#127</a> from 
ongres/dependabot/maven/all-maven-dependencies-9...</li>
   <li><a 
href="https://github.com/ongres/scram/commit/9027e7166096bb594c79f55bcda9fc797518f605";><code>9027e71</code></a>
 chore(deps): Bump the all-maven-dependencies group across 2 directories with 
...</li>
   <li><a 
href="https://github.com/ongres/scram/commit/76762513d7323468acfeafe7aec156d8686e6b77";><code>7676251</code></a>
 Merge pull request <a 
href="https://redirect.github.com/ongres/scram/issues/126";>#126</a> from 
ongres/fix/maven-3.9.16</li>
   <li><a 
href="https://github.com/ongres/scram/commit/38342853120922087cb71cb913fd984726071480";><code>3834285</code></a>
 fix(deps): update apache maven to 3.9.16</li>
   <li>Additional commits viewable in <a 
href="https://github.com/ongres/scram/compare/3.2...3.3";>compare view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.ongres.scram:scram-client&package-manager=maven&previous-version=3.2&new-version=3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   You can disable automated security fix PRs for this repo from the [Security 
Alerts page](https://github.com/apache/incubator-kie-drools/network/alerts).
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to