Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/05/09 20:14:00 UTC

[jira] [Work logged] (KNOX-2741) Upgrade to velocity 2.3 due to CVE-2020-13936

     [ https://issues.apache.org/jira/browse/KNOX-2741?focusedWorklogId=768163&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-768163 ]

ASF GitHub Bot logged work on KNOX-2741:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/May/22 20:13
            Start Date: 09/May/22 20:13
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #570:
URL: https://github.com/apache/knox/pull/570

   ## What changes were proposed in this pull request?
   
   Upgraded Velocity and Pac4j versions to address CVE issues in Velocity (Pac4j upgrade was a required upgrade to be compatible with the new Velocity version).
   
   ## How was this patch tested?
   
   TODO

Issue Time Tracking
-------------------

            Worklog Id:     (was: 768163)
    Remaining Estimate: 0h
            Time Spent: 10m

>  Upgrade to velocity 2.3 due to CVE-2020-13936
> ----------------------------------------------
>
>                 Key: KNOX-2741
>                 URL: https://issues.apache.org/jira/browse/KNOX-2741
>             Project: Apache Knox
>          Issue Type: Task
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Knox is pulling in Velocity 1.7 which is vulnerable to CVE-2020-13926. Upgrade to Velocity 2.3 to address. The last 1.x release was 2010 so no new 1.x release to go to. See [https://velocity.apache.org/engine/2.3/upgrading.html] about upgrading to 2.x.
> There is one very important side effect:
> Upgrading Velocity to 2.3 makes Knox incompatible with the current Pac4J version if it is configured to use SAML:
> {noformat}
> HTTP ERROR 500 javax.servlet.ServletException: javax.servlet.ServletException: java.lang.NoClassDefFoundError: org/apache/velocity/runtime/log/LogChute
> {noformat}
> In Knox, we are using Pac4j 4.3.0 (including {{pac4j-saml-opensamlv3}}). In this version, the velocity is still on 1.7. In 4.5.2 they changed their velocity dependency to 2.3: [https://repo1.maven.org/maven2/org/pac4j/pac4j-saml-opensamlv3/4.5.2/pac4j-saml-opensamlv3-4.5.2.pom]

--
This message was sent by Atlassian Jira
(v8.20.7#820007)