Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2022/10/18 03:32:14 UTC

[GitHub] [druid] zhoumengyks opened a new pull request, #13234: fix(sec): upgrade com.nimbusds:oauth2-oidc-sdk to 8.36.2

zhoumengyks opened a new pull request, #13234:
URL: https://github.com/apache/druid/pull/13234

   ### What happened?
   There is 1 security vulnerability found in com.nimbusds:oauth2-oidc-sdk 6.5
   - [MPS-2022-12182](https://www.oscs1024.com/hd/MPS-2022-12182)
   
   
   ### What did I do?
   Upgrade com.nimbusds:oauth2-oidc-sdk from 6.5 to 8.36.2 for the vulnerability fix
   
   ### What did you expect to happen?
   Ideally, no insecure libs should be used.
   
   ### The specification of the pull request
   [PR Specification](https://www.oscs1024.com/docs/pr-specification/) from OSCS


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


Re: [PR] fix(sec): upgrade com.nimbusds:oauth2-oidc-sdk to 8.36.2 (druid)

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on PR #13234:
URL: https://github.com/apache/druid/pull/13234#issuecomment-1935130555

   This pull request/issue has been closed due to lack of activity. If you think that
   is incorrect, or the pull request requires review, you can revive the PR at any time.




[GitHub] [druid] zhoumengyks commented on pull request #13234: fix(sec): upgrade com.nimbusds:oauth2-oidc-sdk to 8.36.2

Posted by GitBox <gi...@apache.org>.
zhoumengyks commented on PR #13234:
URL: https://github.com/apache/druid/pull/13234#issuecomment-1283537928

   > Hello @zhoumengyks Thanks for the PR.
   > 
   > In Druid, to bump the version of a component, besides the pom.xml, we also need to update the `licenses.yaml` file located at the root directory.
   
   Thanks for your reminder; the `licenses.yaml` file has been updated. @FrankChen021 




[GitHub] [druid] FrankChen021 commented on pull request #13234: fix(sec): upgrade com.nimbusds:oauth2-oidc-sdk to 8.36.2

Posted by GitBox <gi...@apache.org>.
FrankChen021 commented on PR #13234:
URL: https://github.com/apache/druid/pull/13234#issuecomment-1281825921

   Hello @zhoumengyks Thanks for the PR. 
   
   In Druid, to bump the version of a component, besides the pom.xml, we also need to update the `licenses.yaml` file located at the root directory.




[GitHub] [druid] a2l007 commented on pull request #13234: fix(sec): upgrade com.nimbusds:oauth2-oidc-sdk to 8.36.2

Posted by GitBox <gi...@apache.org>.
a2l007 commented on PR #13234:
URL: https://github.com/apache/druid/pull/13234#issuecomment-1287342007

   @FrankChen021 The [later versions of pac4j](https://www.pac4j.org/blog/what_s_new_in_pac4j_v5.html) are only compatible with Java 11+. I had tried to upgrade these deps as part of another pac4j auth PR and ran into a bunch of compatibility issues since our source Java version is 1.8.




Re: [PR] fix(sec): upgrade com.nimbusds:oauth2-oidc-sdk to 8.36.2 (druid)

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed pull request #13234: fix(sec): upgrade com.nimbusds:oauth2-oidc-sdk to 8.36.2
URL: https://github.com/apache/druid/pull/13234




[GitHub] [druid] FrankChen021 commented on pull request #13234: fix(sec): upgrade com.nimbusds:oauth2-oidc-sdk to 8.36.2

Posted by GitBox <gi...@apache.org>.
FrankChen021 commented on PR #13234:
URL: https://github.com/apache/druid/pull/13234#issuecomment-1286368746

   I'm worried about this upgrade. 
   One is that the newer version is a major version, not sure if there's any compatibility problem.
   
   The other is that `pac4j-oidc` internally referenced the `oauth2-oidc-sdk` 6.5
   ![image](https://user-images.githubusercontent.com/6525742/197095171-a85616a8-fce6-46cd-92ac-7ea701f99a5a.png)
   
   If we need to upgrade this dependency, we may also need to update `pac4j-oidc` to use a matched version.
   



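As an added example (not code from this PR or from Druid), a small Python script that parses `mvn dependency:tree -Dverbose` output and lists every version of `com.nimbusds:oauth2-oidc-sdk` on the graph together with the path that pulls it in, so a transitive 6.5 behind `pac4j-oidc` is reported next to the directly bumped 8.36.2. The tree text below is constructed; only 6.5 and 8.36.2 come from the thread, the pac4j and root versions are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree -Dverbose` output, "[INFO] " prefix stripped.
# Not real Druid output: only 6.5 and 8.36.2 come from the PR thread, every other
# version here is a placeholder.
SAMPLE_TREE = r"""
org.apache.druid.extensions:druid-pac4j:jar:0.0.0-SAMPLE
+- org.pac4j:pac4j-oidc:jar:4.0.0:compile
|  +- org.pac4j:pac4j-core:jar:4.0.0:compile
|  \- (com.nimbusds:oauth2-oidc-sdk:jar:6.5:compile - omitted for conflict with 8.36.2)
\- com.nimbusds:oauth2-oidc-sdk:jar:8.36.2:compile
   \- com.nimbusds:nimbus-jose-jwt:jar:9.0.0:compile
"""

PREFIX_RE = re.compile(r"^([|+\\\- ]*)(.*)$")  # tree-drawing characters, then the coordinate


@dataclass(frozen=True)
class Node:
    group: str
    artifact: str
    version: str
    omitted: bool   # True when Maven dropped it in favour of a nearer version
    path: tuple     # group:artifact:version chain from the root down to the parent


def parse_tree(text: str) -> list:
    """Flatten the indented tree into nodes, each carrying its ancestor path."""
    nodes, stack = [], []  # stack holds (depth, "group:artifact:version")
    for raw in text.splitlines():
        line = raw.removeprefix("[INFO] ")
        if not line.strip():
            continue
        prefix, body = PREFIX_RE.match(line).groups()
        depth = len(prefix) // 3                  # each tree level is three characters wide
        omitted = body.startswith("(")
        coord = body.strip("()").split(" - ")[0]  # drop the "omitted for conflict ..." note
        parts = coord.split(":")                  # group:artifact:type:version[:scope]
        while stack and stack[-1][0] >= depth:
            stack.pop()
        node = Node(parts[0], parts[1], parts[3], omitted, tuple(c for _, c in stack))
        nodes.append(node)
        stack.append((depth, f"{node.group}:{node.artifact}:{node.version}"))
    return nodes


def check_alignment(nodes: list, group: str, artifact: str, expected: str) -> list:
    """Versions of the artifact that differ from the one bumped to, with their pull-in path.
    An omitted 6.5 still matters: that dependency was built against 6.5 but runs on 8.36.2."""
    return [(n.version, n.path) for n in nodes
            if n.group == group and n.artifact == artifact and n.version != expected]
```

Run it with `mvn dependency:tree -Dverbose` output piped in and an empty result means every consumer of the SDK on the graph agrees on the bumped version.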

[GitHub] [druid] FrankChen021 commented on pull request #13234: fix(sec): upgrade com.nimbusds:oauth2-oidc-sdk to 8.36.2

Posted by GitBox <gi...@apache.org>.
FrankChen021 commented on PR #13234:
URL: https://github.com/apache/druid/pull/13234#issuecomment-1287589527

   @a2l007 Thanks for the information. 
   
   I took a look at the [fix of the reported security problem](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/commits/bfd95d5e); it's related to XML parsing functionality, which I think is not used in our repo.
   In other words, Druid is not affected by this problem.
   
   I think we can ignore this security problem.
   




Re: [PR] fix(sec): upgrade com.nimbusds:oauth2-oidc-sdk to 8.36.2 (druid)

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on PR #13234:
URL: https://github.com/apache/druid/pull/13234#issuecomment-1885969318

   This pull request has been marked as stale due to 60 days of inactivity.
   It will be closed in 4 weeks if no further activity occurs. If you think
   that's incorrect or this pull request should instead be reviewed, please simply
   write any comment. Even if closed, you can still revive the PR at any time or
   discuss it on the dev@druid.apache.org list.
   Thank you for your contributions.

