Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 #15522

Merged: 11 commits, Dec 13, 2023

Conversation

KeerthanaSrikanth (Contributor) commented Dec 8, 2023

Description

Currently, Druid is using org.pac4j:pac4j-oidc version 3.8.3. Upgrade to 4.5.7 to address CVE-2021-44878.

This PR has:

  • been self-reviewed.
  • added or updated version, license, or notice information in licenses.yaml

@KeerthanaSrikanth KeerthanaSrikanth marked this pull request as draft December 8, 2023 11:15
@KeerthanaSrikanth KeerthanaSrikanth marked this pull request as ready for review December 11, 2023 14:40
@KeerthanaSrikanth KeerthanaSrikanth changed the title from "Upgrade pac4j-oidc to 4.5.5 to address CVE-2021-44878" to "Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878" Dec 12, 2023
@xvrl xvrl merged commit f32dbd4 into apache:master Dec 13, 2023
89 checks passed
Pankaj260100 pushed a commit to confluentinc/druid that referenced this pull request Dec 18, 2023
* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage
Pankaj260100 pushed a commit to confluentinc/druid that referenced this pull request Dec 19, 2023
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request Jan 10, 2024
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request Jan 11, 2024
pagrawal10 pushed a commit to confluentinc/druid that referenced this pull request Jan 19, 2024
pagrawal10 added a commit to confluentinc/druid that referenced this pull request Jan 19, 2024
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request Jan 24, 2024
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request Jan 24, 2024
@LakshSingla LakshSingla added this to the 29.0.0 milestone Jan 29, 2024
xvrl pushed a commit that referenced this pull request Feb 1, 2024
- After upgrading the pac4j version in #15522, we were not able to access the Druid UI.
- Upgraded the Nimbus libraries to a version compatible with pac4j.
- In the older pac4j version, when we return a RedirectAction, we also update the WebContext response status code and add the authentication URL to the header. In the newer pac4j version we simply return the RedirectAction, so it was not getting redirected to the generated authentication URL.
- To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER, which updates the HTTP response in the context as per the HTTP action.
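The behaviour change described in that commit message is easy to miss in review, because the pac4j 4.x call that builds the redirect compiles and "succeeds" while writing nothing to the servlet response. The following is an added example, not Druid's or pac4j's own code, showing the two halves of a pac4j 4.x login start and what a no-op action adapter drops. It assumes the pac4j 4.5.x API (`JEEContext`, `RedirectionAction`, `JEEHttpActionAdapter.INSTANCE`, `HttpActionAdapter`) and the Servlet 3.x `HttpServletResponse#getStatus`/`getHeader` methods; `OidcRedirectExample`, `startLogin`, `redirected` and the `NOOP` lambda are hypothetical names introduced here, and `NOOP` is only a stand-in for the no-op adapter the commit refers to, not Druid's constant.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.exception.http.RedirectionAction;
import org.pac4j.core.http.adapter.HttpActionAdapter;
import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
import org.pac4j.oidc.client.OidcClient;

/**
 * Added example (not Druid or pac4j code): why a pac4j 4.x caller must pass the
 * computed action through an HttpActionAdapter before the browser sees a redirect.
 */
public final class OidcRedirectExample {

  /**
   * Hypothetical stand-in for a no-op adapter. It receives the action and touches
   * nothing, so the servlet response keeps its default 200 status and no Location.
   */
  static final HttpActionAdapter<Object, JEEContext> NOOP = (action, ctx) -> null;

  /**
   * Start an OIDC login for the current request.
   *
   * In pac4j 3.x, building the redirect also mutated the response (status + Location).
   * In pac4j 4.x, getRedirectionAction() only returns a value object; nothing reaches
   * 'resp' until an adapter applies it. The action is returned so a test can inspect it.
   */
  static RedirectionAction startLogin(OidcClient<?> client,
                                      HttpServletRequest req,
                                      HttpServletResponse resp,
                                      HttpActionAdapter<Object, JEEContext> adapter) {
    JEEContext context = new JEEContext(req, resp);

    // pac4j 4.x: a RedirectionAction (302 + Location) is computed here. 'resp' is still
    // untouched at this point, which is the difference from the 3.x behaviour.
    RedirectionAction action = client.getRedirectionAction(context)
        .orElseThrow(() -> new IllegalStateException("OIDC client produced no redirect"));

    // JEEHttpActionAdapter.INSTANCE copies the action's status code and Location header
    // onto the servlet response. With NOOP this line is a no-op and the user gets an
    // empty 200 instead of being sent to the identity provider.
    adapter.adapt(action, context);
    return action;
  }

  /** Production wiring: always use the adapter that actually writes the response. */
  static RedirectionAction startLogin(OidcClient<?> client,
                                      HttpServletRequest req,
                                      HttpServletResponse resp) {
    return startLogin(client, req, resp, JEEHttpActionAdapter.INSTANCE);
  }

  /**
   * Post-condition a filter test should assert after startLogin(): the response is a
   * 302 carrying a Location header. This is false for the NOOP adapter and true for
   * JEEHttpActionAdapter.INSTANCE.
   */
  static boolean redirected(HttpServletResponse resp) {
    return resp.getStatus() == HttpServletResponse.SC_FOUND
        && resp.getHeader("Location") != null;
  }
}
```

The `redirected` check is the regression test the upgrade lacked: a filter test that drives `startLogin` with a mock request/response and asserts `redirected(resp)` would have failed with the no-op adapter and caught the broken login flow before release.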
Pankaj260100 pushed a commit to confluentinc/druid that referenced this pull request Feb 2, 2024
Pankaj260100 added a commit to confluentinc/druid that referenced this pull request Feb 2, 2024
pagrawal10 pushed a commit to confluentinc/druid that referenced this pull request Feb 6, 2024
* Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522)

* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage

* pac4j: fix incompatible dependencies + authorization regression (apache#15753)

- After upgrading the pac4j version in apache#15522, we were not able to access the Druid UI.
- Upgraded the Nimbus libraries to a version compatible with pac4j.
- In the older pac4j version, when we return a RedirectAction, we also update the WebContext response status code and add the authentication URL to the header. In the newer pac4j version we simply return the RedirectAction, so it was not getting redirected to the generated authentication URL.
- To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER, which updates the HTTP response in the context as per the HTTP action.

---------

Co-authored-by: Keerthana Srikanth <[email protected]>
LakshSingla pushed a commit to LakshSingla/druid that referenced this pull request Feb 7, 2024
cryptoe pushed a commit that referenced this pull request Feb 7, 2024
…) (#15851)

- After upgrading the pac4j version in #15522, we were not able to access the Druid UI.
- Upgraded the Nimbus libraries to a version compatible with pac4j.
- In the older pac4j version, when we return a RedirectAction, we also update the WebContext response status code and add the authentication URL to the header. In the newer pac4j version we simply return the RedirectAction, so it was not getting redirected to the generated authentication URL.
- To fix the above, I have updated the NOOP_HTTP_ACTION_ADAPTER to JEE_HTTP_ACTION_ADAPTER, which updates the HTTP response in the context as per the HTTP action.

Co-authored-by: PANKAJ KUMAR <[email protected]>
pagrawal10 pushed a commit to confluentinc/druid that referenced this pull request Feb 15, 2024
pagrawal10 added a commit to confluentinc/druid that referenced this pull request Mar 8, 2024
* Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522)

* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage

* CVE Fix: Update json-path version (apache#15772)

Apache Druid brings in the dependency json-path, which is affected by CVE-2023-51074.
Its latest version, 2.9.0, fixes the above CVE.

An append function has been added to json-path, so the unit test that checked for the append function being absent has been updated.

---------

Co-authored-by: Xavier Léauté <[email protected]>

* Update protocol for MemcachedCache (apache#16035)

---------

Co-authored-by: Keerthana Srikanth <[email protected]>
Co-authored-by: Xavier Léauté <[email protected]>