Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 #15522
Merged
Conversation
KeerthanaSrikanth changed the title from "Upgrade pac4j-oidc to 4.5.5 to address CVE-2021-44878" to "Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878" on Dec 12, 2023
Review annotations on ...ns-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java: five marked fixed, one resolved, one dismissed.
xvrl approved these changes on Dec 13, 2023
This was referenced Dec 13, 2023
Pankaj260100 pushed a commit to confluentinc/druid that referenced this pull request on Dec 18, 2023:
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
Pankaj260100 pushed a commit to confluentinc/druid that referenced this pull request on Dec 19, 2023:
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
Pankaj260100 pushed a commit to confluentinc/druid that referenced this pull request on Dec 19, 2023:
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
pagrawal10 pushed a commit to confluentinc/druid that referenced this pull request on Jan 19, 2024:
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request on Jan 24, 2024:
…apache#15522)"" This reverts commit 285b1d2.
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request on Jan 24, 2024
xvrl pushed a commit that referenced this pull request on Feb 1, 2024:
- After upgrading the pac4j version in #15522, we were not able to access the Druid UI.
- Upgraded the Nimbus libraries version to a version compatible with pac4j.
- In the older pac4j version, when we return RedirectAction we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL.
- To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER, and it updates the HTTP Response in context as per the HTTP Action.
Pankaj260100 pushed a commit to confluentinc/druid that referenced this pull request on Feb 2, 2024:
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request on Feb 2, 2024:
…he#15753)
- After upgrading the pac4j version in apache#15522, we were not able to access the Druid UI.
- Upgraded the Nimbus libraries version to a version compatible with pac4j.
- In the older pac4j version, when we return RedirectAction we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL.
- To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER, and it updates the HTTP Response in context as per the HTTP Action.
pagrawal10 pushed a commit to confluentinc/druid that referenced this pull request on Feb 6, 2024:
* Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522)
  * Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
  * add CVE suppression and notes, since vulnerability scan still shows this CVE
  * Add tests to improve coverage
* pac4j: fix incompatible dependencies + authorization regression (apache#15753)
  - After upgrading the pac4j version in apache#15522, we were not able to access the Druid UI.
  - Upgraded the Nimbus libraries version to a version compatible with pac4j.
  - In the older pac4j version, when we return RedirectAction we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL.
  - To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER, and it updates the HTTP Response in context as per the HTTP Action.
---------
Co-authored-by: Keerthana Srikanth <ksrikanth@confluent.io>
LakshSingla pushed a commit to LakshSingla/druid that referenced this pull request on Feb 7, 2024:
…he#15753)
- After upgrading the pac4j version in apache#15522, we were not able to access the Druid UI.
- Upgraded the Nimbus libraries version to a version compatible with pac4j.
- In the older pac4j version, when we return RedirectAction we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL.
- To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER, and it updates the HTTP Response in context as per the HTTP Action.
cryptoe pushed a commit that referenced this pull request on Feb 7, 2024:
…) (#15851)
- After upgrading the pac4j version in #15522, we were not able to access the Druid UI.
- Upgraded the Nimbus libraries version to a version compatible with pac4j.
- In the older pac4j version, when we return RedirectAction we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL.
- To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER, and it updates the HTTP Response in context as per the HTTP Action.
Co-authored-by: PANKAJ KUMAR <87029331+Pankaj260100@users.noreply.github.com>
pagrawal10 pushed a commit to confluentinc/druid that referenced this pull request on Feb 15, 2024:
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
pagrawal10 added a commit to confluentinc/druid that referenced this pull request on Mar 8, 2024:
* Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522)
  * Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
  * add CVE suppression and notes, since vulnerability scan still shows this CVE
  * Add tests to improve coverage
* CVE Fix: Update json-path version (apache#15772)
  Apache Druid brings the dependency json-path which is affected by CVE-2023-51074. Its latest version 2.9.0 fixes the above CVE. Append function has been added to json-path and so the unit test to check for the append function not present has been updated.
  ---------
  Co-authored-by: Xavier Léauté <xvrl@apache.org>
* Update protocol for MemcachedCache (apache#16035)
---------
Co-authored-by: Keerthana Srikanth <ksrikanth@confluent.io>
Co-authored-by: Xavier Léauté <xvrl@apache.org>
Description
Currently, Druid is using org.pac4j:pac4j-oidc version 3.8.3. Upgrade to 4.5.7 to address CVE-2021-44878.
This PR has: