dependabot[bot] opened a new pull request, #6792: URL: https://github.com/apache/incubator-kie-drools/pull/6792
Bumps [com.ongres.scram:scram-client](https://github.com/ongres/scram) from 3.2 to 3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ongres/scram/releases">com.ongres.scram:scram-client's releases</a>.</em></p> <blockquote> <h2>SCRAM Java 3.3</h2> <h3>:lock: Security</h3> <ul> <li>Prevent silent downgrade attacks during channel binding negotiation via unsupported certificate algorithms. <a href="https://github.com/ongres/scram/security/advisories/GHSA-p9jg-fcr6-3mhf">GHSA-p9jg-fcr6-3mhf</a></li> <li>Harden memory security by explicitly zeroing out highly sensitive cryptographic keys (<code>saltedPassword</code>, <code>clientKey</code>, and <code>serverKey</code>) immediately following the client final message exchange to prevent lingering material in heap memory.</li> </ul> <h3>:rocket: New features</h3> <ul> <li>Implement an interrupt-aware implementation of the PBKDF2 'hi' function introducing <code>ScramInterruptedException</code>, utilizing a stride-based check to allow long-running cryptographic operations to safely abort without blocking thread shutdown.</li> <li>Introduce <code>.channelBindingPolicy()</code> to the client builder to explicitly configure <code>DISABLE</code>, <code>ALLOW</code> (default), and <code>REQUIRE</code> enforcement modes.</li> <li>Introduce <code>MechanismNegotiationException</code> and <code>ChannelBindingException</code> runtime exception hierarchy to provide granular, precise failure types for driver integration loops instead of relying on generic <code>IllegalArgumentException</code> throws.</li> <li>Add support for <code>RSASSA-PSS</code> server certificate signature extraction to ensure modern cryptographic algorithms are supported during <code>tls-server-end-point</code> channel binding computations.</li> <li>Add support for <code>SCRAM-SHA3-512</code> and <code>SCRAM-SHA3-512-PLUS</code> SASL mechanisms to provide modern NIST SHA-3 hashing standards with higher cryptographic resilience against length-extension attacks (supported on modern JVMs only).</li> </ul> <h3>:building_construction: Improvements</h3> <ul> <li>Update the <code>saslprep</code> dependency to 2.4.</li> <li>Updated internal Maven plugins and project dependencies to their latest stable versions.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ongres/scram/blob/main/CHANGELOG.md">com.ongres.scram:scram-client's changelog</a>.</em></p> <blockquote> <h2>[3.3] - 2026-06-04</h2> <h3>:lock: Security</h3> <ul> <li>Prevent silent downgrade attacks during channel binding negotiation via unsupported certificate algorithms. <a href="https://github.com/ongres/scram/security/advisories/GHSA-p9jg-fcr6-3mhf">GHSA-p9jg-fcr6-3mhf</a></li> <li>Harden memory security by explicitly zeroing out highly sensitive cryptographic keys (<code>saltedPassword</code>, <code>clientKey</code>, and <code>serverKey</code>) immediately following the client final message exchange to prevent lingering material in heap memory.</li> </ul> <h3>:rocket: New features</h3> <ul> <li>Implement an interrupt-aware implementation of the PBKDF2 'hi' function introducing <code>ScramInterruptedException</code>, utilizing a stride-based check to allow long-running cryptographic operations to safely abort without blocking thread shutdown.</li> <li>Introduce <code>.channelBindingPolicy()</code> to the client builder to explicitly configure <code>DISABLE</code>, <code>ALLOW</code> (default), and <code>REQUIRE</code> enforcement modes.</li> <li>Introduce <code>MechanismNegotiationException</code> and <code>ChannelBindingException</code> runtime exception hierarchy to provide granular, precise failure types for driver integration loops instead of relying on generic <code>IllegalArgumentException</code> throws.</li> <li>Add support for <code>RSASSA-PSS</code> server certificate signature extraction to ensure modern cryptographic algorithms are supported during <code>tls-server-end-point</code> channel binding computations.</li> <li>Add support for <code>SCRAM-SHA3-512</code> and <code>SCRAM-SHA3-512-PLUS</code> SASL mechanisms to provide modern NIST SHA-3 hashing standards with higher cryptographic resilience against length-extension attacks (supported on modern JVMs only).</li> </ul> <h3>:building_construction: Improvements</h3> <ul> <li>Update the <code>saslprep</code> dependency to 2.4.</li> <li>Updated internal Maven plugins and project dependencies to their latest stable versions.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ongres/scram/commit/f6bd6e20e34d4989ee34b06825791657a2cfd4fe"><code>f6bd6e2</code></a> chore(release): SCRAM Java 3.3</li> <li><a href="https://github.com/ongres/scram/commit/5d780f3cd6b8d9c7dbec8900e68b8440177d6c61"><code>5d780f3</code></a> feat(security): introduce ChannelBindingPolicy for configurable negotiation</li> <li><a href="https://github.com/ongres/scram/commit/caff8ca931020cae9101fc8c7583b12b06b15186"><code>caff8ca</code></a> feat(crypto): add RSASSA-PSS support for tls-server-end-point channel binding</li> <li><a href="https://github.com/ongres/scram/commit/da713cf4e9d15cb355dccd55af9505d1b67e760f"><code>da713cf</code></a> chore(deps): Bump the all-maven-dependencies group across 2 directories with ...</li> <li><a href="https://github.com/ongres/scram/commit/5ac43849c022022de7aa5caf9b2384b48c215cbd"><code>5ac4384</code></a> feat(crypto): add support for SCRAM-SHA3-512 mechanisms</li> <li><a href="https://github.com/ongres/scram/commit/03d312269dfef241f46866ef40ef8474bfb3c6d3"><code>03d3122</code></a> fix(security): zero out cryptographic keys after SCRAM exchange</li> <li><a href="https://github.com/ongres/scram/commit/31f610423dd89a99eda40d9e9141f3fde76f3579"><code>31f6104</code></a> Merge pull request <a href="https://redirect.github.com/ongres/scram/issues/127">#127</a> from ongres/dependabot/maven/all-maven-dependencies-9...</li> <li><a href="https://github.com/ongres/scram/commit/9027e7166096bb594c79f55bcda9fc797518f605"><code>9027e71</code></a> chore(deps): Bump the all-maven-dependencies group across 2 directories with ...</li> <li><a href="https://github.com/ongres/scram/commit/76762513d7323468acfeafe7aec156d8686e6b77"><code>7676251</code></a> Merge pull request <a href="https://redirect.github.com/ongres/scram/issues/126">#126</a> from ongres/fix/maven-3.9.16</li> <li><a href="https://github.com/ongres/scram/commit/38342853120922087cb71cb913fd984726071480"><code>3834285</code></a> fix(deps): update apache maven to 3.9.16</li> <li>Additional commits viewable in <a href="https://github.com/ongres/scram/compare/3.2...3.3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/apache/incubator-kie-drools/network/alerts). </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
