[
https://issues.apache.org/jira/browse/IMPALA-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511933#comment-17511933
]
ASF subversion and git services commented on IMPALA-11149:
----------------------------------------------------------
Commit aa404b856f182e381f1d40b55dc568d87828d2ec in impala's branch
refs/heads/master from Joe McDonnell
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=aa404b8 ]
IMPALA-11197/IMPALA-11149: Address CVEs in pac4j/xmlsec
This upgrades pac4j and several of its dependencies
(including xmlsec) to address CVEs in those components.
Specifically:
- pac4j 4.5.5 addresses CVE-2021-44878
- xmlsec 2.2.3 addresses CVE-2021-40690
- bcprov 1.68 addresses CVE-2020-15522
This also upgrade springframework to 5.2.9.RELEASE to
match the version for pac4j 4.5.5.
Testing:
- Ran core job
Change-Id: I8421d867dd0fce8eeaa6bc13a511ca3e8dd05723
Reviewed-on: http://gerrit.cloudera.org:8080/18348
Reviewed-by: Csaba Ringhofer <[email protected]>
Tested-by: Joe McDonnell <[email protected]>
> Upgrade xmlsec to address CVE
> -----------------------------
>
> Key: IMPALA-11149
> URL: https://issues.apache.org/jira/browse/IMPALA-11149
> Project: IMPALA
> Issue Type: Task
> Components: Infrastructure
> Affects Versions: Impala 4.1.0
> Reporter: Joe McDonnell
> Priority: Major
>
> Scanning Impala docker images found a CVE listed for xmlsec-2.2.1.jar
> (CVE-2021-40690). We need to upgrade this to 2.2.3 or higher to address the
> CVE. The latest xmlsec is 2.3.0.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
