Avoid vulnerable Oracle JDBC versions #3064

Closed
rukayaj wants to merge 1 commit into gbif:master from rukayaj:codex/oracle-ojdbc-cspu-may-2026

Conversation

@rukayaj (Contributor) commented Jun 4, 2026

GBIF Norway needs to deploy this because of an Oracle Critical Security Patch Update Advisory note; I'm just putting this in a PR in case it's of use to anyone else.

- Downgrade com.oracle.database.jdbc:ojdbc8 from 23.26.2.0.0 to 23.2.0.0.
- Add a Renovate allowedVersions guard to avoid reintroducing Oracle JDBC 23.4.x through 23.26.x.

Oracle Critical Security Patch Update Advisory - May 2026 lists Oracle Database Server/client-only installations versions 23.4.0-23.26.2 as affected by TLS Net Service vulnerabilities, including CVE-2026-46833, CVE-2026-46834, and CVE-2026-46835.

Maven Central currently lists 23.26.2.0.0 as the latest published ojdbc8 release, so there is no newer fixed Maven artifact to upgrade to yet. 23.2.0.0 is before the affected range.

Once Oracle publishes a fixed version above 23.26.2, such as 23.27.x or later, Renovate can propose that update.
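An added example, not part of this PR or of the GBIF project's code: the Renovate guard the description refers to, written out as a `packageRules` entry, together with a check that the regex really covers 23.4.x through 23.26.x and nothing else before it is committed. The PR's own diff is not shown on this page, so the exact form of the rule (datasource, package names, regex) is an assumption; the affected range is taken from the description above, and the version list is constructed for the check (23.26.3.0.0 and 23.27.0.0.0 are hypothetical).

```python
import json
import re

# Affected range as stated in the PR description: Oracle lists 23.4.0
# through 23.26.2 as affected. Maven ojdbc versions carry extra
# components (e.g. 23.26.2.0.0); only the first three are compared.
AFFECTED_LOW = (23, 4, 0)
AFFECTED_HIGH = (23, 26, 2)

# Renovate packageRule in the form the PR description implies (an assumed
# form, not the PR's actual diff). A leading "!" makes allowedVersions a
# negated regex: any candidate version matching it is rejected. The
# pattern bans 23.4.x through 23.26.x and nothing else, so a 23.27.x
# release would still be proposed.
GUARD_RULE = {
    "matchDatasources": ["maven"],
    "matchPackageNames": [
        "com.oracle.database.jdbc:ojdbc8",
        "com.oracle.database.jdbc:ojdbc11",
    ],
    "allowedVersions": "!/^23\\.([4-9]|1[0-9]|2[0-6])\\./",
}

# A tempting but wrong variant: a single-digit character class silently
# lets the two-digit minors 23.10 to 23.26 back in.
WEAK_RULE = dict(GUARD_RULE, allowedVersions="!/^23\\.[4-9]\\./")

# Constructed version list for the check; 23.26.3.0.0 and 23.27.0.0.0 are
# hypothetical, the others are shaped like published ojdbc versions.
SAMPLE_VERSIONS = [
    "21.9.0.0",
    "23.2.0.0",       # the version the PR pins to
    "23.3.0.23.09",
    "23.4.0.24.05",   # first affected minor
    "23.10.0.0",      # two-digit minor inside the range
    "23.26.2.0.0",    # latest published, affected
    "23.26.3.0.0",    # hypothetical: above the advisory range
    "23.27.0.0.0",    # hypothetical future fixed release
    "24.1.0.0",
]


def parse_version(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def in_advisory_range(version: str) -> bool:
    """Ground truth: first three components within [23.4.0, 23.26.2]."""
    return AFFECTED_LOW <= parse_version(version)[:3] <= AFFECTED_HIGH


def renovate_allows(rule: dict, version: str) -> bool:
    """Evaluate an allowedVersions entry of the /regex/ or !/regex/ form."""
    spec = rule["allowedVersions"]
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if not (len(body) > 1 and body.startswith("/") and body.endswith("/")):
        raise ValueError("only /regex/ style allowedVersions is handled here")
    matched = re.search(body[1:-1], version) is not None
    return (not matched) if negated else matched


def audit_guard(rule: dict, versions: list[str]) -> dict[str, list[str]]:
    """Compare the Renovate rule against the advisory range.

    gaps: affected versions the rule would still let Renovate propose (bad).
    overblocked: versions outside the advisory range the rule rejects
    (harmless, but worth knowing when a fixed release appears).
    """
    gaps, overblocked = [], []
    for v in versions:
        allowed = renovate_allows(rule, v)
        affected = in_advisory_range(v)
        if affected and allowed:
            gaps.append(v)
        elif not affected and not allowed:
            overblocked.append(v)
    return {"gaps": gaps, "overblocked": overblocked}


if __name__ == "__main__":
    # The renovate.json fragment, with the backslashes escaped for JSON.
    print(json.dumps({"packageRules": [GUARD_RULE]}, indent=2))
    print("guard:", audit_guard(GUARD_RULE, SAMPLE_VERSIONS))
    print("weak: ", audit_guard(WEAK_RULE, SAMPLE_VERSIONS))
```

The printed `packageRules` fragment is what would go into renovate.json; the pom.xml pin to 23.2.0.0 is the other half of the PR and is not reproduced here. The guard rule reports no gaps and one overblocked version (the hypothetical 23.26.3.0.0, because the regex bans all of 23.26.x as the description says), while the weak rule leaves 23.10.0.0 and 23.26.2.0.0 open, which is exactly the kind of mistake the audit is meant to catch.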

rukayaj changed the title from "[codex] Avoid vulnerable Oracle JDBC versions" to "Avoid vulnerable Oracle JDBC versions" on Jun 4, 2026
@mike-podolskiy90 (Member) commented:
Thanks for reporting this, @rukayaj. Is ojdbc11 also affected?

@rukayaj (Contributor, Author) commented Jun 9, 2026
Yeah, it is. Well, I mean, ojdbc11 can be used, but we need to make it ojdbc11:23.2.0.0; we can't use the latest ojdbc11 23.26.x release (https://mvnrepository.com/artifact/com.oracle.database.jdbc/ojdbc11/23.26.2.0.0).

I'm checking for security patch updates every day, but so far nothing :(

@mike-podolskiy90 (Member) commented:
I've added this to the upcoming 3.3.3 release.


2 participants