This is an automated email from the ASF dual-hosted git repository.

abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new af24cc88ce9 Fix CVE errors (#16147)
af24cc88ce9 is described below

commit af24cc88ce9256c5087655bad75fe1a3639ea59a
Author: Vishesh Garg <[email protected]>
AuthorDate: Fri Apr 5 17:53:09 2024 +0530

    Fix CVE errors (#16147)
    
    * Fix CVE errors
    
    * Update pac4j
    
    * Update nimbus.jose.jwt.version
    
    * Change pac4j version to 5.7.3
    
    * Change pac4j version to 5.3.1
    
    * Revert pac4j version change
    
    * Update pac4j comment
---
 owasp-dependency-check-suppressions.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/owasp-dependency-check-suppressions.xml 
b/owasp-dependency-check-suppressions.xml
index 2cfbc334edb..41d71fbb24a 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -664,4 +664,32 @@
     ]]></notes>
     <cve>CVE-2023-36415</cve>
   </suppress>
+  <suppress>
+    <!-- Used in Pac4j. Pac4j versions (such as v5.7.3) corresponding
+    to the safe nimbus-jose-jwt v9.37.2 are incompatible with druid as they 
don't support JDK 8
+    https://www.pac4j.org/docs/alldocs.html -->
+
+    <notes><![CDATA[
+   file name: nimbus-jose-jwt-8.22.1.jar
+   ]]></notes>
+    <cve>CVE-2023-52428</cve>
+  </suppress>
+  <suppress>
+    <!-- Used in Azure dependencies.
+    Current latest version of Azure BOM (1.2.21) still uses 9.30.2, whereas 
bug resolved in 9.37.2 -->
+    <notes><![CDATA[
+   file name: nimbus-jose-jwt-9.30.2.jar
+   ]]></notes>
+    <cve>CVE-2023-52428</cve>
+  </suppress>
+  <suppress>
+    <!-- Legit issues but currently use the latest ranger-plugins-audit jar 
v2.4.0 -->
+    <notes><![CDATA[
+     file name: solr-solrj-8.11.2.jar
+     ]]></notes>
+    <cve>CVE-2023-50291</cve>
+    <cve>CVE-2023-50298</cve>
+    <cve>CVE-2023-50386</cve>
+    <cve>CVE-2023-50292</cve>
+  </suppress>
 </suppressions>
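Review bot: all three new <suppress> entries are open-ended, so findings the comments themselves call "legit issues" (the four solr-solrj CVEs) or already "resolved in 9.37.2" (CVE-2023-52428 on both nimbus-jose-jwt jars) will stay hidden even after the blocking constraint goes away; add an `until="YYYY-MM-DD"` attribute to each <suppress> so dependency-check re-surfaces them, and state in the <notes> which upgrade lifts the suppression (a pac4j release that still supports JDK 8 with nimbus-jose-jwt >= 9.37.2, an Azure BOM newer than 1.2.21, a ranger-plugins-audit newer than 2.4.0). Minor: the CDATA bodies are indented three spaces in the first two entries and five in the third, and there is a stray blank line after the pac4j comment.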

