dependabot[bot] opened a new pull request, #1887:
URL: https://github.com/apache/stormcrawler/pull/1887

   Bumps `storm-client.version` from 2.8.6 to 2.8.7.
   Updates `org.apache.storm:storm-client` from 2.8.6 to 2.8.7
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a 
href="https://github.com/apache/storm/releases">org.apache.storm:storm-client's 
releases</a>.</em></p>
   <blockquote>
   <p>Apache Storm 2.8.7 has been released. This release includes critical 
security fixes, library updates, and documentation improvements. <strong>The 
community strongly encourages all users of previous versions to upgrade to this 
release.</strong></p>
   <hr />
   <h3>⚠️ Security Fixes</h3>
   <ul>
   <li><strong>CVE-2026-40557: JVM-wide TLS Security Downgrade in Prometheus 
Reporter</strong>
   <ul>
   <li><strong>Versions Affected:</strong> 2.6.3 to 2.8.6.</li>
   <li><strong>Technical Description:</strong> Enabling the 
<code>skip_tls_validation</code> configuration in the Prometheus Reporter 
caused an improper certificate validation that replaced the default SSL 
context. This resulted in a JVM-wide TLS security downgrade, affecting all 
components within the same process.</li>
   <li><strong>Fix:</strong> The reporter now uses a scoped SSL context for 
validation bypass, ensuring the default JVM SSL context remains secure.</li>
   </ul>
   </li>
   <li><strong>CVE-2026-41081: Improper Handling of TLS Client Authentication 
Failures</strong>
   <ul>
   <li><strong>Versions Affected:</strong> All versions before 2.8.7.</li>
   <li><strong>Technical Description:</strong> When TLS client authentication 
was enabled, failed authentication attempts were incorrectly assigned a 
fallback &quot;ANONYMOUS&quot; principal. This allowed unauthorized users to 
potentially bypass authorization checks that relied on the presence of a 
principal.</li>
   <li><strong>Fix:</strong> Connections are now strictly rejected if TLS 
client authentication fails or is missing when required.</li>
   </ul>
   </li>
   </ul>
   <hr />
   <h3>🐛 Bug Fixes</h3>
   <ul>
   <li><a href="https://redirect.github.com/apache/storm/issues/8518">#8518</a> 
- Cache busting is broken - <code>${packageTimestamp}</code> is never 
substituted in HTML resources.</li>
   <li><a href="https://redirect.github.com/apache/storm/issues/8516">#8516</a> 
- Hardening: clean up TlsTransportPlugin and surface unverified peers.</li>
   <li><a href="https://redirect.github.com/apache/storm/issues/8515">#8515</a> 
- Profiling/debugging REST endpoints should use POST instead of GET.</li>
   <li><a href="https://redirect.github.com/apache/storm/issues/8533">#8533</a> 
- <strong>flux:</strong> fix 'recieveed' -&gt; 'received' in LogInfoBolt 
Javadoc.</li>
   <li><a href="https://redirect.github.com/apache/storm/issues/8532">#8532</a> 
- <strong>storm-client:</strong> fix 'accross' -&gt; 'across' in Stream.java 
Javadoc.</li>
   <li><a href="https://redirect.github.com/apache/storm/issues/8531">#8531</a> 
- <strong>storm-core:</strong> fix 'seperate' -&gt; 'separate' in 
configuration.h comment.</li>
   <li><a href="https://redirect.github.com/apache/storm/issues/8530">#8530</a> 
- <strong>docs:</strong> fix 'occured' -&gt; 'occurred' in LocallyCachedBlob 
Javadoc.</li>
   <li><a href="https://redirect.github.com/apache/storm/issues/8529">#8529</a> 
- <strong>docs:</strong> fix 'recieved' -&gt; 'received' in IAutoCredentials 
Javadoc.</li>
   </ul>
   <hr />
   <h3>📦 Dependency Upgrades</h3>
   <table>
   <thead>
   <tr>
   <th align="left">Dependency</th>
   <th align="left">From</th>
   <th align="left">To</th>
   <th align="left">PR</th>
   </tr>
   </thead>
   <tbody>
   <tr>
   <td align="left"><strong>com.google.guava:guava</strong></td>
   <td align="left">33.5.0-jre</td>
   <td align="left">33.6.0-jre</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8526">#8526</a></td>
   </tr>
   <tr>
   <td 
align="left"><strong>org.apache.commons:commons-configuration2</strong></td>
   <td align="left">2.13.0</td>
   <td align="left">2.14.0</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8525">#8525</a></td>
   </tr>
   <tr>
   <td align="left"><strong>org.bouncycastle 
(bouncycastle.version)</strong></td>
   <td align="left">1.83</td>
   <td align="left">1.84</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8524">#8524</a></td>
   </tr>
   <tr>
   <td align="left"><strong>org.rocksdb:rocksdbjni</strong></td>
   <td align="left">10.10.1</td>
   <td align="left">10.10.1.1</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8523">#8523</a></td>
   </tr>
   <tr>
   <td align="left"><strong>org.jgrapht:jgrapht-core</strong></td>
   <td align="left">0.9.0</td>
   <td align="left">1.5.3</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8522">#8522</a></td>
   </tr>
   <tr>
   <td align="left"><strong>org.apache.hbase:hbase-client</strong></td>
   <td align="left">2.6.4-hadoop3</td>
   <td align="left">2.6.5-hadoop3</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8520">#8520</a></td>
   </tr>
   <tr>
   <td align="left"><strong>follow-redirects</strong> (storm-webapp)</td>
   <td align="left">1.15.11</td>
   <td align="left">1.16.0</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8519">#8519</a></td>
   </tr>
   <tr>
   <td align="left"><strong>axios</strong> (storm-webapp)</td>
   <td align="left">1.13.6</td>
   <td align="left">1.15.0</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8511">#8511</a></td>
   </tr>
   <tr>
   <td align="left"><strong>org.apache.activemq:activemq-client</strong></td>
   <td align="left">6.2.3</td>
   <td align="left">6.2.4</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8508">#8508</a></td>
   </tr>
   <tr>
   <td align="left"><strong>org.apache.activemq:activemq-broker</strong></td>
   <td align="left">6.2.3</td>
   <td align="left">6.2.4</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8507">#8507</a></td>
   </tr>
   <tr>
   <td align="left"><strong>org.apache.activemq:activemq-all</strong></td>
   <td align="left">6.2.3</td>
   <td align="left">6.2.4</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8506">#8506</a></td>
   </tr>
   <tr>
   <td align="left"><strong>org.apache.activemq:activemq-mqtt</strong></td>
   <td align="left">6.2.3</td>
   <td align="left">6.2.4</td>
   <td align="left"><a 
href="https://redirect.github.com/apache/storm/issues/8505">#8505</a></td>
   </tr>
   </tbody>
   </table>
   <hr />
   <h3>📝 Contributors</h3>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/apache/storm/commit/db9cce52989123da301e401f4b7561848dd625af"><code>db9cce5</code></a>
 [maven-release-plugin] prepare release v2.8.7</li>
   <li><a 
href="https://github.com/apache/storm/commit/c9087ca6ce2a36335fb2742b79454efac0fd43ce"><code>c9087ca</code></a>
 storm-core: fix 'seperate' -&gt; 'separate' in configuration.h comment</li>
   <li><a 
href="https://github.com/apache/storm/commit/74236510b0f480b66fedbbeb3bbd2b7e2f4225d6"><code>7423651</code></a>
 docs: fix 'occured' -&gt; 'occurred' in LocallyCachedBlob Javadoc</li>
   <li><a 
href="https://github.com/apache/storm/commit/a2caed9bd2642755c039376fa282ac2c417d2b11"><code>a2caed9</code></a>
 storm-client: fix 'accross' -&gt; 'across' in Stream.java Javadoc</li>
   <li><a 
href="https://github.com/apache/storm/commit/820eaaf81a35e5e0957658c8e0dff297225a88b3"><code>820eaaf</code></a>
 flux: fix 'recieveed' -&gt; 'received' in LogInfoBolt Javadoc</li>
   <li><a 
href="https://github.com/apache/storm/commit/c09f03ab5c6b7f0ead193b311d6683b80c1aebcd"><code>c09f03a</code></a>
 security: fix 'recieved' -&gt; 'received' in IAutoCredentials Javadoc</li>
   <li><a 
href="https://github.com/apache/storm/commit/a023ef52cfc99f8fe732a1a951a9d3ae9904a549"><code>a023ef5</code></a>
 Regenerate license files after dependency changes</li>
   <li><a 
href="https://github.com/apache/storm/commit/046cab5a8019b8de92523159886363e29c7d2cd9"><code>046cab5</code></a>
 Upgrade to JGraphT 1.5.3</li>
   <li><a 
href="https://github.com/apache/storm/commit/6b32b2f2de6c3fd8fcb46ab78ade98d8bae85f4a"><code>6b32b2f</code></a>
 Bump org.jgrapht:jgrapht-core from 0.9.0 to 1.5.3</li>
   <li><a 
href="https://github.com/apache/storm/commit/4d748f39a5b199afe4e68545b8fdfe2da616e110"><code>4d748f3</code></a>
 Regenerate license files after dependency changes</li>
   <li>Additional commits viewable in <a 
href="https://github.com/apache/storm/compare/v2.8.6...v2.8.7">compare 
view</a></li>
   </ul>
   </details>
   <br />
   
   Updates `org.apache.storm:storm-hdfs` from 2.8.6 to 2.8.7
   
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

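The CVE-2026-40557 entry in the quoted release notes turns on one distinction: a "skip TLS validation" switch that installs a trust-everything context as the JVM default versus one that hands that context to a single client. The following is an added example written for this page, not code from Apache Storm's Prometheus reporter or from the PR above; the class and method names are hypothetical, and it uses only the standard `javax.net.ssl` and `java.net.http` APIs (Java 11 or later). It builds the same no-validation `SSLContext` both ways and checks whether `SSLContext.getDefault()` survived.

```java
import java.net.http.HttpClient;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not Storm code): contrasts a JVM-wide TLS validation bypass
 * with a bypass scoped to one HttpClient. All names here are hypothetical.
 */
public final class ScopedTlsBypassExample {

    /** Trust manager that accepts any chain. Intentionally insecure. */
    private static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    /** Builds an SSLContext that performs no certificate validation at all. */
    static SSLContext insecureContext() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        return ctx;
    }

    /**
     * VULNERABLE PATTERN: the no-validation context becomes the process default.
     * Any component that later calls SSLContext.getDefault(), or builds a client
     * without an explicit context, inherits the bypass. This is the class of
     * defect the release notes describe as a JVM-wide downgrade.
     */
    static HttpClient jvmWideBypassClient() throws Exception {
        SSLContext.setDefault(insecureContext());
        // newHttpClient() uses SSLContext.getDefault(), which is now the insecure one.
        return HttpClient.newHttpClient();
    }

    /**
     * HARDENED PATTERN: the no-validation context is passed only to the one
     * client that asked for it. SSLContext.getDefault() is never touched, so
     * every other TLS user in the process keeps full validation.
     */
    static HttpClient scopedBypassClient() throws Exception {
        return HttpClient.newBuilder()
                .sslContext(insecureContext())
                .build();
    }

    /** Check a practitioner can run: is the JVM default still the context we started with? */
    static boolean defaultContextUnchanged(SSLContext before) throws NoSuchAlgorithmException {
        return SSLContext.getDefault() == before;
    }

    public static void main(String[] args) throws Exception {
        SSLContext original = SSLContext.getDefault();

        scopedBypassClient();
        System.out.println("after scoped bypass, default unchanged: "
                + defaultContextUnchanged(original));

        jvmWideBypassClient();
        System.out.println("after JVM-wide bypass, default unchanged: "
                + defaultContextUnchanged(original));
    }
}
```

Run it with `java ScopedTlsBypassExample.java` (single-file source launch). The first check passes and the second fails, which is the whole point: `SSLContext.setDefault` is a process-global side effect, so a reporter-level opt-out wired through it silently disables certificate validation for every other `HttpClient`, `HttpsURLConnection` or Netty/Jetty client that resolves the default context afterwards. Even the scoped form is still an explicit bypass and should be limited to the single endpoint that needs it; the check above only tells you the damage did not leak, not that it was wise.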