Sandor Molnar created KNOX-2741:
-----------------------------------
Summary: Upgrade to velocity 2.3 due to CVE-2020-13936
Key: KNOX-2741
URL: https://issues.apache.org/jira/browse/KNOX-2741
Project: Apache Knox
Issue Type: Task
Reporter: Sandor Molnar
Assignee: Sandor Molnar
Fix For: 2.0.0
Knox is pulling in Velocity 1.7, which is vulnerable to CVE-2020-13936. Upgrade
to Velocity 2.3 to address it. The last 1.x release was in 2010, so there is no new 1.x release
to go to. See [https://velocity.apache.org/engine/2.3/upgrading.html] about
upgrading to 2.x.
There is one very important side effect:
Upgrading Velocity to 2.3 makes Knox incompatible with the current Pac4J
version if it is configured to use SAML:
{noformat}
HTTP ERROR 500 javax.servlet.ServletException: javax.servlet.ServletException:
java.lang.NoClassDefFoundError: org/apache/velocity/runtime/log/LogChute
{noformat}
In Knox, we are using Pac4j 4.3.0 (including {{pac4j-saml-opensamlv3}}). In
this version, Velocity is still on 1.7. In 4.5.2 they changed their
Velocity dependency to 2.3:
[https://repo1.maven.org/maven2/org/pac4j/pac4j-saml-opensamlv3/4.5.2/pac4j-saml-opensamlv3-4.5.2.pom]
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
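The incompatibility described in the ticket is a mixed classpath: pac4j-saml-opensamlv3 4.3.0 brings in the old org.apache.velocity:velocity:1.7 jar (which still has LogChute) while the gateway moves to velocity-engine-core 2.3 (which does not). The script below is an added example, not Knox project code: it reads `mvn dependency:tree` output and flags either a lingering 1.x Velocity (the CVE) or a 1.x/2.x mix (the NoClassDefFoundError). The two tree samples are constructed for illustration; the "after" sample assumes pac4j-saml-opensamlv3 4.5.2 resolves only velocity-engine-core 2.3, as its pom linked above indicates.

```shell
#!/usr/bin/env bash
# Added example for KNOX-2741: check `mvn dependency:tree` output for the Velocity 1.x / 2.x clash.
# Not Knox project code. Both tree samples below are constructed, not real build output.

# Constructed tree before the upgrade: pac4j-saml-opensamlv3 4.3.0 still pulls
# org.apache.velocity:velocity:1.7 while the gateway already uses velocity-engine-core 2.3.
TREE_BEFORE='[INFO] org.apache.knox:gateway-provider-security-pac4j:jar:2.0.0
[INFO] +- org.pac4j:pac4j-saml-opensamlv3:jar:4.3.0:compile
[INFO] |  \- org.apache.velocity:velocity:jar:1.7:compile
[INFO] \- org.apache.velocity:velocity-engine-core:jar:2.3:compile'

# Constructed tree after moving pac4j to 4.5.2 (assumed to depend only on velocity-engine-core 2.3).
TREE_AFTER='[INFO] org.apache.knox:gateway-provider-security-pac4j:jar:2.0.0
[INFO] \- org.pac4j:pac4j-saml-opensamlv3:jar:4.5.2:compile
[INFO]    \- org.apache.velocity:velocity-engine-core:jar:2.3:compile'

# Print the versions of the Velocity 1.x artifact (org.apache.velocity:velocity) found in a tree.
velocity1_versions() {
  printf '%s\n' "$1" | sed -n 's/.*org\.apache\.velocity:velocity:jar:\([^:]*\):.*/\1/p' | sort -u
}

# Print the versions of the Velocity 2.x artifact (velocity-engine-core) found in a tree.
velocity2_versions() {
  printf '%s\n' "$1" | sed -n 's/.*org\.apache\.velocity:velocity-engine-core:jar:\([^:]*\):.*/\1/p' | sort -u
}

# Print the pac4j-saml-opensamlv3 version found in a tree (empty if it is absent).
pac4j_saml_version() {
  printf '%s\n' "$1" | sed -n 's/.*org\.pac4j:pac4j-saml-opensamlv3:jar:\([^:]*\):.*/\1/p' | head -n 1
}

# Return 0 when the tree is safe: no Velocity 1.x jar is left, so nothing is exposed to
# CVE-2020-13936 and nothing expects org/apache/velocity/runtime/log/LogChute.
# Return 1 (with a reason on stderr) when 1.x is still present, alone or next to 2.x.
classpath_ok() {
  local tree="$1" v1 v2
  v1=$(velocity1_versions "$tree")
  v2=$(velocity2_versions "$tree")
  if [ -n "$v1" ] && [ -n "$v2" ]; then
    echo "mixed Velocity classpath: 1.x ($v1) and 2.x ($v2); expect NoClassDefFoundError for org/apache/velocity/runtime/log/LogChute" >&2
    return 1
  fi
  if [ -n "$v1" ]; then
    echo "Velocity 1.x ($v1) still on the classpath; vulnerable to CVE-2020-13936" >&2
    return 1
  fi
  return 0
}

# Run over the constructed samples. Against a live build, feed it "$(mvn dependency:tree)" instead.
if classpath_ok "$TREE_BEFORE"; then echo "before: ok"; else echo "before: pac4j $(pac4j_saml_version "$TREE_BEFORE") needs bumping"; fi
if classpath_ok "$TREE_AFTER"; then echo "after: ok (pac4j $(pac4j_saml_version "$TREE_AFTER"))"; else echo "after: still broken"; fi
```

The check deliberately treats "1.x present at all" as a failure rather than only the mixed case: once pac4j is bumped, any remaining org.apache.velocity:velocity:1.7 on the classpath means some other dependency still drags in the vulnerable jar and needs an exclusion.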