Liquibase Secure 5.0.1 release notes
Liquibase Secure 5.0.1 is a routine maintenance release that includes dependency updates and Windows platform improvements.
What's Included
What's new
The Liquibase Secure 5.0.1 update addresses reported CVEs in third-party libraries, improves propagation of exit codes on Windows, and resolves path-handling issues when JAVA_HOME contains spaces.
Security Updates
As part of our regular maintenance cycle, several third-party dependencies have been updated to remediate reported security vulnerabilities. These vulnerabilities are not exploitable within Liquibase’s implementation. Updating identified dependencies maintains compliance with security scanning tools and aligns with industry best practices for dependency management.
CVEs and impacted libraries
| CVE ID | Security Score | Library and Impact Assessment |
|---|---|---|
| | CVSS 8.2 High | io.netty/netty-codec-http2 (4.1.x). Status: Not applicable - dependency not used in vulnerable context. Customer Impact: None - Liquibase doesn't run HTTP/2 servers. Remediation: Upgrade at your convenience. |
| | CVSS 7.5 High | io.netty/netty-codec-http2 (4.1.x). Status: Not applicable - dependency not used in vulnerable context. Customer Impact: None - Liquibase doesn't accept incoming SSL/TLS connections. Remediation: Upgrade at your convenience. |
| | CVSS 7.5 High | io.netty/netty-codec-http2 (4.1.x). Status: Minimal risk - limited exposure in a specific use case. Customer Impact: Minimal - Liquibase only processes JSON from a trusted Azure SQL Database. Remediation: Upgrade at your convenience. |
Breaking changes
The Liquibase Secure 5.0 major release contains breaking changes that users should be aware of. These include installation and download changes (Liquibase Community and Liquibase Secure are now separate distributions), a new minimum Java version (Liquibase Secure now requires Java 17 or later), and the removal of the MySQL driver from the Secure installation.
Breaking change: Installation & download updates
With Liquibase 5.0, we introduced separate distribution channels for Liquibase Community and Liquibase Secure.
The installer locations for Liquibase Secure have changed. To continue using your Secure license and features, you need to update to the new distribution source for your deployment method.
What You Need to Do
Review the table below to identify your deployment method and follow the migration guide link:
| Deployment Method | New 5.0 locations that require action | Migration Guide |
|---|---|---|
| CLI Binaries (.zip, .tar.gz, .exe) | Download from the new location: liquibase.com/download-secure | |
| Docker | Update image to liquibase/liquibase-secure:latest | |
| GitHub Actions | Migrate to liquibase/setup-liquibase@v1 with edition: 'secure' | |
| Maven | Update to com.liquibase:liquibase-maven-plugin | |
| Package Managers | Install liquibase-secure-* packages | |
Important: Previous distribution sources now point to Liquibase Community and will not apply Secure licenses or enable commercial features.
Verification
After updating, run liquibase --version to confirm you see:
Liquibase Secure Version: 5.0.1
Liquibase Secure license issued to [Your Organization]...
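Because the old distribution sources now silently deliver Liquibase Community, a successful install is not proof that Secure features are enabled. The following POSIX shell guard is an added example, not part of the release notes or the Liquibase project: it checks the two lines above in the `liquibase --version` output and fails a CI step when the edition, version or license line is missing. The exit codes and the helper names are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example (not Liquibase project code): fail CI unless the installed
# binary is Liquibase Secure at the expected version with a license applied.

# check_secure_version OUTPUT EXPECTED
#   OUTPUT   : captured text of `liquibase --version`
#   EXPECTED : version string to require, e.g. 5.0.1
# Returns 0 when OUTPUT reports Liquibase Secure at EXPECTED with a license
# line, 1 when no "Liquibase Secure Version" line exists (Community build or
# unknown source), 2 when the Secure version differs from EXPECTED, and 3
# when the edition and version match but no license line is present.
check_secure_version() {
    output=$1
    expected=$2
    # Extract the version token that follows "Liquibase Secure Version:".
    found=$(printf '%s\n' "$output" \
        | sed -n 's/^Liquibase Secure Version: *\([^[:space:]]*\).*/\1/p')
    [ -n "$found" ] || return 1
    [ "$found" = "$expected" ] || return 2
    # A Secure build without a license line means Secure features are inactive.
    printf '%s\n' "$output" | grep -q '^Liquibase Secure license issued to' || return 3
    return 0
}

# verify_installed EXPECTED: run the real binary, honour its own exit code
# (which 5.0.1 now propagates correctly on Windows), then inspect the output.
verify_installed() {
    expected=$1
    rc=0
    out=$(liquibase --version 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: liquibase --version exited with status $rc" >&2
        return "$rc"
    fi
    rc=0
    check_secure_version "$out" "$expected" || rc=$?
    case $rc in
        0) echo "OK: Liquibase Secure $expected with license applied" ;;
        1) echo "FAIL: not a Liquibase Secure build; check the distribution source" >&2 ;;
        2) echo "FAIL: Liquibase Secure found, but not version $expected" >&2 ;;
        3) echo "FAIL: Secure build without a license line; check license configuration" >&2 ;;
    esac
    return "$rc"
}
```

Call `verify_installed 5.0.1` as the first step after installation in a pipeline; any non-zero return stops the job before migrations run with a silently downgraded edition.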
Breaking change: Technology Updates
Support for Java 8 and Java 11 has been deprecated. Liquibase Secure now requires Java 17 or later, providing improved performance, stability, and long-term support.
Breaking change: Driver not included
The MySQL driver is not included in the Liquibase Secure download. If you are a MySQL user, obtain the driver here. We recommend using the platform-independent version.
Windows Platform Improvements
- Fixed exit code propagation for Windows installers and GitHub Actions: commands now correctly report success or failure status.
- Resolved path handling when JAVA_HOME contains spaces, fixing `liquibase -v` command execution in Windows/Git Bash environments.
Changelog
Updates and Bugfixes
- Resolve CVEs by @abrackx
- [DAT-20975] Handle spaces in the Java version check by @wwillard7800
- [DAT-20879] Exit with error code after running Liquibase by @wwillard7800
Additional Resources
The OWASP security scan is a standard awareness document for developers and web application security practitioners. It represents a broad consensus about the most critical security risks to web applications. The following findings appear in the OWASP report for 5.0.1 and are false positives.
| CVE ID | Security Score | Library and Impact Assessment |
|---|---|---|
| | CVSS 7.8 High | com.instaclustr/cassandra-driver-kerberos (3.0.0). Status: False positive - incorrect CVE mapping. Customer Impact: None - the scanner incorrectly flagged this Java library with a browser extension CVE; the library has no relationship to the browser extension. Remediation: False positive in the vulnerability tracking system. |
| | CVSS 8.8 High | liquibase-azure.jar / Azure Identity SDK. Status: False positive - patched version in use (v1.18.0). Customer Impact: None - Azure Identity SDK 1.18.0 is in use, well above the patched version 1.10.2. Remediation: False positive - vulnerability already patched. |
| | CVSS 5.5 Medium | liquibase-azure-deps.jar / Microsoft Authentication Library. Status: False positive - patched version in use (v1.23.1). Customer Impact: None - MSAL 1.23.1 is in use, well above the vulnerable range (≤1.15.1). Remediation: False positive - vulnerability already patched. |