S 39

1559

Security updates for Java libraries:

• c3p0 updated from 0.9.5.5 to 0.12.0 (CVE-2026-27830)

• mchange-commons-java updated from 0.2.19 to 0.4.0 (CVE-2026-27727)

• OpenTelemetry Java Agent updated to v2.26.1 incl. API 1.60.0 and new dependency opentelemetry-common (GHSA-72hv-8253-57qq, behebt jackson-core CVE)

1546

Fixed a bug where the server did not check for the ProxyToken message while waiting for the web client connection. As a result, login via OIDC (e.g. Microsoft Entra) was not possible. The server now correctly checks for the ProxyToken message and performs the login accordingly.

1107

The OIDC implementation was revised and the required parameters were reduced. See Server Parameters.

The IdP configuration is read from the well_known configuration endpoint, which makes it easier to use different IdPs. Flow:
The server validates the tokens, including the userId token sent by the web client, using the configured parameters.
If validation is successful, the attribute configured in planta__server__secure__oidc__token_user_attribute is returned as userId and the user is logged in.

For use with Cloudflare, see the following point.

1283

A new authentication mechanism, Cloudflare Access, has been implemented for the PLANTA server. This enables authentication with OIDC and Cloudflare as a provider directly via the web client from version 3.6 onwards without an additional proxy. For more information see Cloudflare mit PLANTA secure

The corresponding Environment Variables are now also available:

planta__server__secure__cloudflare__team_domain
planta__server__secure__cloudflare__audience
planta__server__secure__cloudflare__token_user_attribute

1253

The server respects the order of authentication methods as defined in the configuration settings.

• Premature fallback to the next authentication method is reliably prevented as long as the first method is still being executed.

• Fallback to the next authentication method is only triggered when the current method has clearly failed.

1267

Debug logging for OIDC configurations has been extended.

1342

JDBC driver updated to the latest version Oracle ojdbc11-23.26.0.0.0.
This driver handles CLOBs more strictly regarding the length limit (the 4000 character limit) for the VARCHAR2 data type. If exceeded, the error ORA-01461 is displayed.

1291

The timezone can now be configured in the manager and worker containers:
ENV TZ=Europe/Berlin

944

Migration helper tables are only created when the server starts in migration mode, no longer on every server start.

1149

The projection values below the schedule scale are now correctly updated after the values in the corresponding fields have been changed and the scheduling calculation has been performed.

711

Attributes can now also be read as binary data and stored Base64-encoded.
To do this, the relevant attribute in the ldap section of the manager configuration of the PLANTA server must be added to the list plantaUserData and the value "base64" must be set.
In addition, the attribute must be added to the entry java.naming.ldap.attributes.binary zu ergänzen. This entry can contain a space-separated list.

1128

Performance has been improved, as the default value of the parameter planta__server__database__max_parameters_in_statement has been increased to "500".
This prevents parameters from being outsourced to a temporary table for small queries.

1158

The JDBC driver has been updated to the latest version: mssql-jdbc-13.2.1.jre11
With this version, encryption is enabled by default.

1194

In the current Microsoft JDBC driver, encryption is enabled by default. New parameters are now available for targeted control of encryption:
planta__server__hibernate__connection__encrypt = true
planta__server__hibernate__connection__trustServerCertificate = true
planta__server__hibernate__connection__trustStore = ""
planta__server__hibernate__connection__trustStorePassword = ""

1064

Parameters that are new and "unknown" to the server can now be defined.
All parameters beginning with planta__server__ that are not yet defined are assigned to a new parameter group "unrelated", which can be retrieved in the worker and customizing.
The parameter can be queried via its full name.

704

Parameters in SQL statements are now passed in temporary tables. This also bypasses the maximum parameter count limitation in both MSSQL and Oracle.

875

Hibernate lib updated to version 5.6.15 and Hibernate Validator lib to 6.2.5

1130

The default value of the environment variable planta__server__webservices__apikey_auth_filter_generic has been corrected from "true" to "false".

1197

There is a new server parameter planta__server__database__typename,, with which a database type can be set.
Possible values: "mssql", "oracle", "postgres"
The dependent parameters are automatically set correctly via this:

• planta__server__database__type

• planta__server__hibernate__dialect

• planta__server__hibernate__connection__driver_class

The parameter planta__server__database__type should no longer be used in the future and is set to "Deprecated". Only planta__server__database__typename should be used.

1197

The endpoint of the Prometheus interface can be changed via the parameter planta__server__webservices__prometheus__entrypoint.

The metric prefix is now planta_server and no longer prometheus. This simplifies the assignment.

680

Prometheus lib updated to version V1.3.10

• Changed metric name:
  Old: planta_server_native_memory_pool_allocated_bytes_total
  New: planta_server_native_memory_pool_allocated_bytes

• Changed labels:
  Old format: Labels always with a trailing comma, e.g.
  planta_server_track_active_sessions_by_mode{threadType="scheduler",} 0.0
  New format: Labels without trailing comma, e.g.
  planta_server_track_active_sessions_by_mode{threadType="scheduler"} 0.0

684

The handling of custom deprecation messages has been improved.

1019

ExitCode 253 has been added. This indicates that after the data import, the constraints could not be re-enabled.

38

The web client can now also authenticate via OIDC JWToken. For this purpose, the web client sends the user and access token to the server. The server validates the tokens and uses the contained data for login.

New Environment Variables have been implemented:

• planta__server__secure__oidc__clientSecret

• planta__server__secure__oidc__tenantId

• planta__server__secure__oidc__jwksEndpoint_suffix

• planta__server__secure__oidc__authority_prefix

• planta__server__secure__oidc__idTokenEndpoint_suffix

• planta__server__secure__oidc__scope

• planta__server__secure__oidc__access_token_scope

• planta__server__secure__oidc__issuer_prefix_1

• planta__server__secure__oidc__issuer_prefix_2

• planta__server__secure__oidc__issuer_prefix_3

• planta__server__secure__oidc__jwksEndpoint_suffix_alternate

The URL of the idToken endpoint is composed as follows:
authority_prefix + tenantId + idTokenEndpoint_suffix

The URL of the jwks endpoint is composed as follows:
authority_prefix + tenantId + jwksEndpoint_suffix

1203

It is again possible to generate coredumps in the container in the event of an error.
These are stored in the worker under writeable_path at /coredumps.

1147

Due to a bug fix, DDL statements are never executed with bind variables.

1024

With the new Configuration Parameter planta__server__database__use_underscore_as_wildcard, the option has been implemented to optionally disable the default use of the underscore _ as a wildcard in search queries. In this case, the character _ is interpreted as a normal character. This allows search queries to be executed precisely, which can improve performance. The option is particularly suitable for customers who use underscores in object IDs.

A prerequisite for using this option is updating both server components, i.e. the manager and the worker.

910

The removal of virtual DIs from SQL statements has been improved.

930

Removes a security vulnerability by updating the libraries used for LDAP

880

The worker now starts correctly, even if the variable planta__server__gui__host does not contain the entry 0.0.0.0 but the service hostname.

890

For the MSSQL database, character encoding is enabled and set to utf-8 format.
New environment variables have been implemented for this, which are set automatically for the MSSQL database:

• planta__server__hibernate__connection__useUnicode = true

• planta__server__hibernate__connection__characterEncoding = utf-8

• planta__server__hibernate__connection__CharSet = utf-8

661

Hibernate updated to version 5.6.5

672

Security vulnerabilities have been fixed.

323

Internal server communication has been improved: Protobuf messages can optionally be output in the log, enabling better traceability.

171

The metrics of the Prometheus interface now consistently start with "planta__server__" for unified naming.

37

The server now uses an up-to-date CPython version 3.12.9 for improved stability and security.

332

Die Authentifizierung unterstützt nun den Login via JWT-Token.

110

Die Speicherung der Versionsinformation wurde vereinheitlicht. Versionsinformation wird im JSON-Format erzeugt mit den Attributen:

• Server-Version (Major/Minor/Patch) - Datum - Commit-Hash.

Für jede Komponente wird ein eigener Node erzeugt: (manager / worker / client)
Diese lassen sich aus dem Customizing über die Funktion ppms.version_information auslesen.

532

Exit codes from Linux/Signals have been added and provided with descriptive messages that are output when the process is aborted.

440

Das Logging beim Start einer Client-Session wurde aufgeräumt und unnötige Meldungen entfernt.

293

Mit der Python-Funktion set_user_clipboard(content, mime_type) können Objekte bequem in die Zwischenablage kopiert werden.

272

Der Effekttyp „Round“ wurde in die Liste der verfügbaren Effekte aufgenommen.

365

The execution of migrations has been accelerated by excluding irrelevant packages.

255

Parameters for clientless sessions can now contain nested dictionaries, providing more flexibility.

680

The monitoring interface has been set to deprecated. Instead, the Prometheus Interface or the Health Endpoint should be used.

29

Fixed a bug where the utilization charts displayed incorrect values over the course of the day after various scheduling calculations, which could previously only be corrected by rescheduling.

281

During the LDAP import, UUIDs are now consistently preserved, ensuring unique identification.

76

The user ID is reliably transmitted when using the server adapter without LDAP or OIDC, to ensure correct authentication.

601

The Deviations module now processes data stably and without Python exceptions.

300

Creating statements with virtual data items and relations to parent areas now works as intended.

90

Statement parsing has been optimized so that literals are only replaced at the correct positions.