github phax/phoss-smp phoss-smp-parent-pom-8.1.6
v8.1.6
on GitHub

9 hours ago
  • Updated to peppol-commons 12.5.0
  • Updated to ph-schedule 6.1.1 - the internal scheduler thread no longer dies silently on Errors like OutOfMemoryError, and a previously possible 100% CPU busy spin on external interruption was fixed
  • Updated to ph-web 11.4.1 - the HTTP proxy is now activated by the presence of http.proxy.host and http.proxy.port; http.proxy.enabled only acts as an explicit kill-switch when set to false
  • Updated to ph-oton 10.2.3 - the default password hash algorithm for new users was changed to PBKDF2_SHA256_100000_48
  • (SQL) Updated the PostgreSQL JDBC driver to 42.7.11
  • (SQL) Updated to ph-db 8.4.0 - Flyway 12.6.2 is included
  • Fixed a potential NPE when invalid Participant Identifiers are present in the data store
  • Added specific UI error handlers on the public start page and the secure Service Group page to avoid showing the generic Internal Error UI
  • Tightened endpoint validation: the Endpoint Reference URL in Peppol mode may no longer be empty
  • Fixed a potential NPE if a Business Card uses an invalid country code
  • Removed the Peppol G2 certificates from the default PeppolTrustedCA objects (via peppol-commons 12.4.3)
  • Hardened the CRL download path: connect timeout 10s and read timeout 60s are now applied (was unbounded). Added an optional CRLAllowList to mitigate SSRF against attacker-controlled certificate URLs (via ph-commons 12.2.4)
  • Certificate revocation checks no longer return REVOKED when the CRL distribution point is unreachable - a new REVOCATION_STATUS_UNKNOWN result is reported instead, so valid certificates are no longer blocked during a CRL endpoint outage (via ph-commons 12.2.4)
  • HTTP timeout configuration properties (http.retry.interval, http.timeout.connectionrequest, http.timeout.connect, http.timeout.response) now accept duration grammar (e.g. 21s, 34m, 2h, 2d 5m 23ms). The per-unit-suffix variants (.millis, .seconds, .minutes, .hours) are still read but now log a deprecation warning when used (via ph-web 11.4.0)
  • (SQL) The JDBC connection pool configuration properties (jdbc.pooling.max-wait, jdbc.pooling.between-evictions-runs, jdbc.pooling.min-evictable-idle, jdbc.pooling.remove-abandoned-timeout, jdbc.execution-time-warning) now accept duration grammar (e.g. 5s, 2m, 1h 30m). The legacy *.millis/*.ms keys remain supported but are deprecated and log a WARN message at runtime when used (via ph-db 8.3.0)
  • (SMP client) The legacy configuration properties truststore.type, truststore.path, truststore.location and truststore.password have been removed - the smpclient.truststore.* variants must be used instead. A value for smpclient.truststore.type is now mandatory.
  • (SMP client) SMP-specific HTTP settings are now read from configuration keys with the smpclient.http.* prefix (e.g. smpclient.http.timeout.connect, smpclient.http.proxy.host, smpclient.http.tls.revocation.mode). The previous keys are deprecated for removal.
  • (SMP client) The previously hardcoded "trust all" TrustManager was removed; TLS validation now uses the configured trust store. TLS certificate revocation checking is enabled by default. TLS 1.3 is now supported in addition to TLS 1.2.

What's Changed

  • Bump org.postgresql:postgresql from 42.7.10 to 42.7.11 in /phoss-smp-webapp-sql in the maven group across 1 directory by @dependabot[bot] in #480

Full Changelog: phoss-smp-parent-pom-8.1.5...phoss-smp-parent-pom-8.1.6

Check out latest releases or
releases around phax/phoss-smp phoss-smp-parent-pom-8.1.6

Don't miss a new phoss-smp release

NewReleases is sending notifications on new releases.

Get notifications