[jira] [Commented] (IMPALA-11149) Upgrade xmlsec to address CVE

["ASF subversion and git services (Jira)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/IMPALA-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511933#comment-17511933 ] 

ASF subversion and git services commented on IMPALA-11149:
----------------------------------------------------------

Commit aa404b856f182e381f1d40b55dc568d87828d2ec in impala's branch refs/heads/master from Joe McDonnell
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=aa404b8 ]

IMPALA-11197/IMPALA-11149: Address CVEs in pac4j/xmlsec

This upgrades pac4j and several of its dependencies
(including xmlsec) to address CVEs in those components.
Specifically:
 - pac4j 4.5.5 addresses CVE-2021-44878
 - xmlsec 2.2.3 addresses CVE-2021-40690
 - bcprov 1.68 addresses CVE-2020-15522

This also upgrade springframework to 5.2.9.RELEASE to
match the version for pac4j 4.5.5.

Testing:
 - Ran core job

Change-Id: I8421d867dd0fce8eeaa6bc13a511ca3e8dd05723
Reviewed-on: http://gerrit.cloudera.org:8080/18348
Reviewed-by: Csaba Ringhofer <cs...@cloudera.com>
Tested-by: Joe McDonnell <jo...@cloudera.com>


> Upgrade xmlsec to address CVE
> -----------------------------
>
>                 Key: IMPALA-11149
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11149
>             Project: IMPALA
>          Issue Type: Task
>          Components: Infrastructure
>    Affects Versions: Impala 4.1.0
>            Reporter: Joe McDonnell
>            Priority: Major
>
> Scanning Impala docker images found a CVE listed for xmlsec-2.2.1.jar (CVE-2021-40690). We need to upgrade this to 2.2.3 or higher to address the CVE. The latest xmlsec is 2.3.0.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org