Posted to dev@knox.apache.org by Jérôme LELEU <le...@gmail.com> on 2022/08/01 07:31:14 UTC

Re: Pac4J CVE Remediation for Knox

Hi,

I'm back from vacation.

Indeed, we now target JDK 11 and encourage people to upgrade. This is pac4j
v5.
This is where we focus our efforts. All new features and security fixes are
done on this branch.

If you still need JDK 8, pac4j v4 still exists but almost no longer evolves.
Critical security fixes are still applied on this branch when requested.

Related to CVE-2021-44878, it has been fixed in pac4j v4.5.6:
https://www.pac4j.org/docs/release-notes.html
So you just need to upgrade to this version which is JDK 8 based.

Thanks.
Best regards,
Jérôme


On Thu., Jul. 28, 2022 at 20:27, larry mccay <lm...@apache.org> wrote:

> Hi Jérôme -
>
> Hope you are well!
>
> We have a need to upgrade to a new version of pac4j that
> addresses CVE-2021-44878.
> However, it appears that the version of pac4j with the fix requires Java
> 11 or above.
>
> Can we request a new release with Java 8 support as we are not able to
> drop support for it at this time without broad discussion and community
> agreement. Even then we would need to provide a Knox release with the fix
> backported for those that can't upgrade to 11+.
>
> If we could help with this effort, please let us know.
>
> thanks,
>
> --larry
>
>
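As an added example, not part of this thread or of the Knox or pac4j projects, the following Python check scans `mvn dependency:tree` output for pac4j artifacts older than the v4.5.6 fix version named above. The sample tree and its artifact names are constructed, and treating 5.x as "check the release notes" is an assumption, since the thread only speaks to the 4.x line.

```python
"""Flag pac4j artifacts in a Maven dependency tree that predate the
CVE-2021-44878 fix (pac4j v4.5.6 on the JDK 8 line, per the thread)."""
import re

FIXED_V4 = (4, 5, 6)  # first 4.x release carrying the fix, as stated in the thread

# Constructed sample of `mvn dependency:tree` output (not real Knox output).
SAMPLE_TREE = """\
[INFO] org.example:gateway-provider-security-pac4j:jar:1.0.0-SNAPSHOT
[INFO] +- org.pac4j:pac4j-core:jar:4.2.0:compile
[INFO] +- org.pac4j:pac4j-oidc:jar:4.2.0:compile
[INFO] |  \\- com.nimbusds:oauth2-oidc-sdk:jar:9.9:compile
[INFO] +- org.pac4j:pac4j-saml:jar:4.5.6:compile
[INFO] \\- org.pac4j:pac4j-jwt:jar:5.4.3:compile
"""

# groupId:artifactId:jar:version:scope, restricted to the pac4j group
DEP_RE = re.compile(r"(org\.pac4j):([\w.-]+):jar:([\w.-]+):(\w+)")


def parse_version(version):
    """Turn '4.5.6' into (4, 5, 6); missing parts become 0, qualifiers are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    return tuple(int(x or 0) for x in m.groups())


def classify(version):
    """'vulnerable' = older than 4.5.6, 'fixed' = 4.5.6+ on the 4.x line,
    'unknown' = 5.x, which this thread does not cover (assumption: consult the
    pac4j release notes; note that 5.x also requires JDK 11)."""
    v = parse_version(version)
    if v[0] < 4 or (v[0] == 4 and v < FIXED_V4):
        return "vulnerable"
    if v[0] == 4:
        return "fixed"
    return "unknown"


def scan_tree(tree_text):
    """Map each pac4j artifactId found in the tree to (version, status)."""
    findings = {}
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m:
            _group, artifact, version, _scope = m.groups()
            findings[artifact] = (version, classify(version))
    return findings


if __name__ == "__main__":
    for artifact, (version, status) in scan_tree(SAMPLE_TREE).items():
        print(f"{artifact:12s} {version:8s} {status}")
```

In practice, pipe the real `mvn dependency:tree` output into `scan_tree` and fail the build when any artifact reports `vulnerable`.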

Re: Pac4J CVE Remediation for Knox

Posted by larry mccay <lm...@apache.org>.
Thanks for the response, @Jérôme LELEU <le...@gmail.com>!
I missed this email, likely due to my vacation. :)

On Tue, Aug 2, 2022 at 6:46 AM Sandeep Moré <mo...@gmail.com> wrote:

> Thank you Jerome!
> For now we will upgrade to v4.5.6 to mitigate the CVE risks while we
> chart out the plan to move to JDK 11.
> This will force us to think about moving to JDK 11, which I think is time
> for us to move.
>
>
>
> On Mon, Aug 1, 2022 at 3:31 AM Jérôme LELEU <le...@gmail.com> wrote:
>
>> Hi,
>>
>> I'm back from vacation.
>>
>> Indeed, we now target JDK 11 and encourage people to upgrade. This is
>> pac4j
>> v5.
>> This is where we focus our efforts. All new features and security fixes
>> are
>> done on this branch.
>>
>> If you still need JDK 8, pac4j v4 still exists but almost no longer
>> evolves.
>> Critical security fixes are still applied on this branch when requested.
>>
>> Related to CVE-2021-44878, it has been fixed in pac4j v4.5.6:
>> https://www.pac4j.org/docs/release-notes.html
>> So you just need to upgrade to this version which is JDK 8 based.
>>
>> Thanks.
>> Best regards,
>> Jérôme
>>
>>
>> On Thu., Jul. 28, 2022 at 20:27, larry mccay <lm...@apache.org> wrote:
>>
>> > Hi Jérôme -
>> >
>> > Hope you are well!
>> >
>> > We have a need to upgrade to a new version of pac4j that
>> > addresses CVE-2021-44878.
>> > However, it appears that the version of pac4j with the fix requires Java
>> > 11 or above.
>> >
>> > Can we request a new release with Java 8 support as we are not able to
>> > drop support for it at this time without broad discussion and community
>> > agreement. Even then we would need to provide a Knox release with the
>> fix
>> > backported for those that can't upgrade to 11+.
>> >
>> > If we could help with this effort, please let us know.
>> >
>> > thanks,
>> >
>> > --larry
>> >
>> >
>>
>

Re: Pac4J CVE Remediation for Knox

Posted by Sandeep Moré <mo...@gmail.com>.
Thank you Jerome!
For now we will upgrade to v4.5.6 to mitigate the CVE risks while we chart
out the plan to move to JDK 11.
This will force us to think about moving to JDK 11, which I think is time
for us to move.



On Mon, Aug 1, 2022 at 3:31 AM Jérôme LELEU <le...@gmail.com> wrote:

> Hi,
>
> I'm back from vacation.
>
> Indeed, we now target JDK 11 and encourage people to upgrade. This is pac4j
> v5.
> This is where we focus our efforts. All new features and security fixes are
> done on this branch.
>
> If you still need JDK 8, pac4j v4 still exists but almost no longer
> evolves.
> Critical security fixes are still applied on this branch when requested.
>
> Related to CVE-2021-44878, it has been fixed in pac4j v4.5.6:
> https://www.pac4j.org/docs/release-notes.html
> So you just need to upgrade to this version which is JDK 8 based.
>
> Thanks.
> Best regards,
> Jérôme
>
>
> On Thu., Jul. 28, 2022 at 20:27, larry mccay <lm...@apache.org> wrote:
>
> > Hi Jérôme -
> >
> > Hope you are well!
> >
> > We have a need to upgrade to a new version of pac4j that
> > addresses CVE-2021-44878.
> > However, it appears that the version of pac4j with the fix requires Java
> > 11 or above.
> >
> > Can we request a new release with Java 8 support as we are not able to
> > drop support for it at this time without broad discussion and community
> > agreement. Even then we would need to provide a Knox release with the fix
> > backported for those that can't upgrade to 11+.
> >
> > If we could help with this effort, please let us know.
> >
> > thanks,
> >
> > --larry
> >
> >
>