Michael Smith created IMPALA-13740:
--------------------------------------

             Summary: Update velocity-engine-core dependency of pac4j to 2.4.1
                 Key: IMPALA-13740
                 URL: https://issues.apache.org/jira/browse/IMPALA-13740
             Project: IMPALA
          Issue Type: Bug
          Components: Frontend
    Affects Versions: Impala 4.5.0
            Reporter: Michael Smith


pac4j-saml-opensamlv3 (even the latest version) depends on velocity-engine-core 
2.3. That version of velocity-engine-core includes a shaded copy of commons-io, 
which is flagged for CVE-2024-47554. We should update it.

velocity-engine-core 2.4 removes use of commons-io. Update to the latest 
release, 2.4.1. We have [done similar 
things|https://github.com/apache/impala/blob/4.4.1/java/pom.xml#L76-L80] for 
other pac4j dependencies.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
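
One way to apply the update described in the issue, as an added example that is not Impala's actual change or code from the reporter: a Maven `pom.xml` fragment that pins the transitive velocity-engine-core version pulled in by pac4j-saml-opensamlv3. The property name is hypothetical, and the use of `dependencyManagement` is an assumption about how the pin is made.

```xml
<!-- Added example: pom.xml fragment, not the project's own change. -->
<properties>
  <!-- Hypothetical property name, chosen for this example. -->
  <velocity-engine-core.version>2.4.1</velocity-engine-core.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!--
      The commons-io copy flagged for CVE-2024-47554 is shaded inside the
      velocity-engine-core 2.3 jar, so an <exclusion> on commons-io under
      pac4j-saml-opensamlv3 would not remove it. The velocity artifact
      itself has to be replaced; managing its version here overrides the
      2.3 version that pac4j requests transitively.
    -->
    <dependency>
      <groupId>org.apache.velocity</groupId>
      <artifactId>velocity-engine-core</artifactId>
      <version>${velocity-engine-core.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Running `mvn dependency:tree -Dincludes=org.apache.velocity:velocity-engine-core` afterwards shows which version is resolved for each module.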
