[https://issues.apache.org/jira/browse/KNOX-2741?focusedWorklogId=768625&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-768625]
ASF GitHub Bot logged work on KNOX-2741:
----------------------------------------
Author: ASF GitHub Bot
Created on: 10/May/22 18:06
Start Date: 10/May/22 18:06
Worklog Time Spent: 10m
Work Description: smolnar82 merged PR #570:
URL: https://github.com/apache/knox/pull/570
Issue Time Tracking
-------------------
Worklog Id: (was: 768625)
Time Spent: 20m (was: 10m)
> Upgrade to velocity 2.3 due to CVE-2020-13936
> ----------------------------------------------
>
> Key: KNOX-2741
> URL: https://issues.apache.org/jira/browse/KNOX-2741
> Project: Apache Knox
> Issue Type: Task
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Knox is pulling in Velocity 1.7, which is vulnerable to CVE-2020-13926.
> Upgrade to Velocity 2.3 to address. The last 1.x release was in 2010, so there
> is no new 1.x release to go to. See
> [https://velocity.apache.org/engine/2.3/upgrading.html] about upgrading to
> 2.x.
> There is one very important side effect:
> Upgrading Velocity to 2.3 makes Knox incompatible with the current Pac4J
> version if it is configured to use SAML:
> {noformat}
> HTTP ERROR 500 javax.servlet.ServletException:
> javax.servlet.ServletException: java.lang.NoClassDefFoundError:
> org/apache/velocity/runtime/log/LogChute
> {noformat}
> In Knox, we are using Pac4j 4.3.0 (including {{pac4j-saml-opensamlv3}}). In
> this version, Velocity is still on 1.7. In 4.5.2 they changed their
> Velocity dependency to 2.3:
> [https://repo1.maven.org/maven2/org/pac4j/pac4j-saml-opensamlv3/4.5.2/pac4j-saml-opensamlv3-4.5.2.pom]
--
This message was sent by Atlassian Jira
(v8.20.7#820007)