Liquibase Secure 5.0.1 release notes
Liquibase Secure 5.0.1 is a routine maintenance release that includes dependency updates and Windows platform improvements.
What's Included
What's new
The Liquibase Secure 5.0.1 update addresses reported CVEs in third-party libraries, improves propagation of exit codes on Windows, and resolves path-handling issues when JAVA_HOME contains spaces.
Security Updates
As part of our regular maintenance cycle, several third-party dependencies have been updated to remediate reported security vulnerabilities. These vulnerabilities are not exploitable within Liquibase’s implementation. Updating identified dependencies maintains compliance with security scanning tools and aligns with industry best practices for dependency management.
CVEs and impacted libraries
CVE ID | Security Score | Library and Impact Assessment
---|---|---
| CVSS 8.2 High | io.netty/netty-codec-http2 (4.1.x). Status: Not applicable - dependency not used in vulnerable context. Customer Impact: None - Liquibase doesn't run HTTP/2 servers. Remediation: Upgrade at your convenience.
| CVSS 7.5 High | io.netty/netty-codec-http2 (4.1.x). Status: Not applicable - dependency not used in vulnerable context. Customer Impact: None - Liquibase doesn't accept incoming SSL/TLS connections. Remediation: Upgrade at your convenience.
| CVSS 7.5 High | io.netty/netty-codec-http2 (4.1.x). Status: Minimal risk - limited exposure in specific use case. Customer Impact: Minimal - Liquibase only processes JSON from trusted Azure SQL Database. Remediation: Upgrade at your convenience.
Windows Platform Improvements
- Fixed exit code propagation for Windows installers and GitHub Actions: commands now correctly report success/failure status.
- Resolved path handling when JAVA_HOME contains spaces, fixing `liquibase -v` command execution in Windows/Git Bash environments.
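To illustrate the two launcher problems above, here is an added example (not Liquibase's own launcher code) of a POSIX sh Java version check that quotes JAVA_HOME correctly and returns the real exit status of the check; the function names are assumed.

```shell
# Added example, not Liquibase's own launcher code: a POSIX sh Java
# version check showing the two Windows/Git Bash problems fixed in 5.0.1.
# Function names are hypothetical.

# Broken form: the unquoted expansion splits "C:/Program Files/Java"
# into two words, so the java binary is never found.
check_java_version_broken() {
    $JAVA_HOME/bin/java -version >/dev/null 2>&1
}

# Fixed form: quote every path expansion and hand the real status back
# to the caller (0 = ok, 1 = misconfigured/unparseable, 2 = too old,
# anything else = java's own exit status).
check_java_version() {
    min_major=${1:-11}
    if [ -z "${JAVA_HOME:-}" ]; then
        echo "JAVA_HOME is not set" >&2
        return 1
    fi
    # java -version writes to stderr, so capture both streams
    out=$("$JAVA_HOME/bin/java" -version 2>&1) || return $?
    ver=$(printf '%s\n' "$out" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "could not parse java version" >&2; return 1; }
    major=${ver%%.*}
    # legacy numbering: "1.8.0_292" means Java 8
    if [ "$major" = "1" ]; then
        rest=${ver#1.}
        major=${rest%%.*}
    fi
    case $major in *[!0-9]*|'') return 1 ;; esac
    if [ "$major" -ge "$min_major" ]; then
        return 0
    fi
    echo "Java $ver is older than required $min_major" >&2
    return 2
}
```

Run it as `check_java_version 11; echo $?` from a CI step so that a missing or too-old JDK fails the job instead of being masked by a zero status.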
Changelog
Updates and Bugfixes
- Resolve CVEs by @abrackx
- [DAT-20975] Handle spaces in the Java version check by @wwillard7800
- [DAT-20879] Exit with error code after running Liquibase by @wwillard7800
OWASP Report and Summary
The OWASP Security Scan is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. The following false positives appear in the OWASP report for 5.0.1.
CVE ID | Security Score | Library and Impact Assessment
---|---|---
| CVSS 7.8 High | com.instaclustr/cassandra-driver-kerberos (3.0.0). Status: False positive - incorrect CVE mapping. Customer Impact: None - scanner incorrectly flagged it with a browser-extension CVE; this Java library has no relationship to the browser extension. Remediation: False positive in vulnerability tracking system.
| CVSS 8.8 High | liquibase-azure.jar / Azure Identity SDK. Status: False positive - patched version in use (v1.18.0). Customer Impact: None - using Azure Identity SDK 1.18.0, well above patched version 1.10.2. Remediation: False positive - vulnerability already patched.
| CVSS 5.5 Medium | liquibase-azure-deps.jar / Microsoft Authentication Library. Status: False positive - patched version in use (v1.23.1). Customer Impact: None - using MSAL 1.23.1, well above vulnerable range (≤1.15.1). Remediation: False positive - vulnerability already patched.