-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 #15522
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
KeerthanaSrikanth
changed the title
Upgrade pac4j-oidc to 4.5.5 to address CVE-2021-44878
Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878
Dec 12, 2023
...ns-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java
Fixed
Show fixed
Hide fixed
...ns-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java
Fixed
Show fixed
Hide fixed
...ns-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java
Fixed
Show fixed
Hide fixed
...ns-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java
Show resolved
Hide resolved
...ns-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java
Fixed
Show fixed
Hide fixed
...ns-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java
Fixed
Show fixed
Hide fixed
...ns-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/Pac4jSessionStoreTest.java
Dismissed
Show dismissed
Hide dismissed
xvrl
approved these changes
Dec 13, 2023
This was referenced Dec 13, 2023
Pankaj260100
pushed a commit
to confluentinc/druid
that referenced
this pull request
Dec 18, 2023
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878 * add CVE suppression and notes, since vulnerability scan still shows this CVE * Add tests to improve coverage
Pankaj260100
pushed a commit
to confluentinc/druid
that referenced
this pull request
Dec 19, 2023
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878 * add CVE suppression and notes, since vulnerability scan still shows this CVE * Add tests to improve coverage
Pankaj260100
pushed a commit
to confluentinc/druid
that referenced
this pull request
Dec 19, 2023
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878 * add CVE suppression and notes, since vulnerability scan still shows this CVE * Add tests to improve coverage
pagrawal10
pushed a commit
to confluentinc/druid
that referenced
this pull request
Jan 19, 2024
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878 * add CVE suppression and notes, since vulnerability scan still shows this CVE * Add tests to improve coverage
Pankaj260100
added a commit
to confluentinc/druid
that referenced
this pull request
Jan 24, 2024
…apache#15522)"" This reverts commit 285b1d2.
Pankaj260100
added a commit
to confluentinc/druid
that referenced
this pull request
Jan 24, 2024
10 tasks
xvrl
pushed a commit
that referenced
this pull request
Feb 1, 2024
- After upgrading the pac4j version in: #15522. We were not able to access the druid ui. - Upgraded the Nimbus libraries version to a compatible version to pac4j. - In the older pac4j version, when we return RedirectAction there we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL. - To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER and it updates the HTTP Response in context as per the HTTP Action.
Pankaj260100
pushed a commit
to confluentinc/druid
that referenced
this pull request
Feb 2, 2024
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878 * add CVE suppression and notes, since vulnerability scan still shows this CVE * Add tests to improve coverage
Pankaj260100
added a commit
to confluentinc/druid
that referenced
this pull request
Feb 2, 2024
…he#15753) - After upgrading the pac4j version in: apache#15522. We were not able to access the druid ui. - Upgraded the Nimbus libraries version to a compatible version to pac4j. - In the older pac4j version, when we return RedirectAction there we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL. - To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER and it updates the HTTP Response in context as per the HTTP Action.
10 tasks
pagrawal10
pushed a commit
to confluentinc/druid
that referenced
this pull request
Feb 6, 2024
* Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522) * Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878 * add CVE suppression and notes, since vulnerability scan still shows this CVE * Add tests to improve coverage * pac4j: fix incompatible dependencies + authorization regression (apache#15753) - After upgrading the pac4j version in: apache#15522. We were not able to access the druid ui. - Upgraded the Nimbus libraries version to a compatible version to pac4j. - In the older pac4j version, when we return RedirectAction there we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL. - To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER and it updates the HTTP Response in context as per the HTTP Action. --------- Co-authored-by: Keerthana Srikanth <[email protected]>
LakshSingla
pushed a commit
to LakshSingla/druid
that referenced
this pull request
Feb 7, 2024
…he#15753) - After upgrading the pac4j version in: apache#15522. We were not able to access the druid ui. - Upgraded the Nimbus libraries version to a compatible version to pac4j. - In the older pac4j version, when we return RedirectAction there we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL. - To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER and it updates the HTTP Response in context as per the HTTP Action.
cryptoe
pushed a commit
that referenced
this pull request
Feb 7, 2024
…) (#15851) - After upgrading the pac4j version in: #15522. We were not able to access the druid ui. - Upgraded the Nimbus libraries version to a compatible version to pac4j. - In the older pac4j version, when we return RedirectAction there we also update the webcontext Response status code and add the authentication URL to the header. But in the newer pac4j version, we just simply return the RedirectAction. So that's why it was not getting redirected to the generated authentication URL. - To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER and it updates the HTTP Response in context as per the HTTP Action. Co-authored-by: PANKAJ KUMAR <[email protected]>
pagrawal10
pushed a commit
to confluentinc/druid
that referenced
this pull request
Feb 15, 2024
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878 * add CVE suppression and notes, since vulnerability scan still shows this CVE * Add tests to improve coverage
pagrawal10
added a commit
to confluentinc/druid
that referenced
this pull request
Mar 8, 2024
* Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522) * Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878 * add CVE suppression and notes, since vulnerability scan still shows this CVE * Add tests to improve coverage * CVE Fix: Update json-path version (apache#15772) Apache Druid brings the dependency json-path which is affected by CVE-2023-51074. Its latest version 2.9.0 fixes the above CVE. Append function has been added to json-path and so the unit test to check for the append function not present has been updated. --------- Co-authored-by: Xavier Léauté <[email protected]> * Update protocol for MemcachedCache (apache#16035) --------- Co-authored-by: Keerthana Srikanth <[email protected]> Co-authored-by: Xavier Léauté <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Currently, Druid is using
org.pac4j:pac4j-oidc
version 3.8.3. Upgrade to 4.5.7 to address CVE-2021-44878.This PR has: