Skip to content

Commit d9369b6

Browse files
opensearch-trigger-bot[bot]github-actions[bot]
opensearch-trigger-bot[bot]
and
github-actions[bot]
authored
[Backport 3.2] Remove commons-io and commons-lang3 maven metadata from being shaded in opensaml jar (#5559)
Signed-off-by: Darshit Chanpura <dchanp@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
1 parent 1d2ea3a commit d9369b6

File tree

2 files changed

+3
-0
lines changed

2 files changed

+3
-0
lines changed

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -75,6 +75,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
7575
- Bump `commons-codec:commons-codec` from 1.18.0 to 1.19.0 ([#5534](https://github.com/opensearch-project/security/pull/5534))
7676
- Bump `commons-cli:commons-cli` from 1.9.0 to 1.10.0 ([#5533](https://github.com/opensearch-project/security/pull/5533))
7777
- Bump `checkstyle` to 11.0.0 and `spotbugs` to 6.2.4 ([#5555](https://github.com/opensearch-project/security/pull/5555))
78+
- Removes `commons-io` and `commons-lang3` maven metadata from shaded opensaml jar to fix CVE-2024-47554 ([#5558](https://github.com/opensearch-project/security/pull/5558))
7879

7980
### Documentation
8081

libs/opensaml/build.gradle

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -69,6 +69,8 @@ tasks.shadowJar {
6969
exclude 'org/publicsuffix/**'
7070
exclude 'org/slf4j/**'
7171
exclude 'javax/**'
72+
exclude 'META-INF/maven/commons-io/commons-io/**'
73+
exclude 'META-INF/maven/org.apache.commons/commons-lang3/**'
7274
exclude 'META-INF/versions/**/org/bouncycastle/**'
7375
exclude 'META-INF/services/org.opensaml.security.crypto.ec.NamedCurve'
7476
}

0 commit comments

Comments
 (0)