From aa404b856f182e381f1d40b55dc568d87828d2ec Mon Sep 17 00:00:00 2001 From: Joe McDonnell Date: Wed, 23 Mar 2022 17:14:46 -0700 Subject: [PATCH] IMPALA-11197/IMPALA-11149: Address CVEs in pac4j/xmlsec This upgrades pac4j and several of its dependencies (including xmlsec) to address CVEs in those components. Specifically: - pac4j 4.5.5 addresses CVE-2021-44878 - xmlsec 2.2.3 addresses CVE-2021-40690 - bcprov 1.68 addresses CVE-2020-15522 This also upgrades springframework to 5.2.9.RELEASE to match the version for pac4j 4.5.5. Testing: - Ran core job Change-Id: I8421d867dd0fce8eeaa6bc13a511ca3e8dd05723 Reviewed-on: http://gerrit.cloudera.org:8080/18348 Reviewed-by: Csaba Ringhofer Tested-by: Joe McDonnell --- java/pom.xml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/java/pom.xml b/java/pom.xml index 0e26d9572..81bd03449 100644 --- a/java/pom.xml +++ b/java/pom.xml @@ -67,12 +67,14 @@ under the License. 2.10.5.1 UTF-8 ${env.IMPALA_ICEBERG_VERSION} - 4.0.3 + 4.5.5 - 2.2.1 - 1.64 - 4.3.29.RELEASE + but they are needed by pac4j. This uses a newer xmlsec to address a CVE, + but bcprov-jdk15on and springframework versions match the versions from + pac4j 4.5.5. --> + 2.2.3 + 1.68 + 5.2.9.RELEASE 2.4.7
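Review bot: The new pom comment says the newer xmlsec is there "to address a CVE" without naming it, while the commit message identifies it as CVE-2021-40690; put the CVE id in the comment itself (e.g. "xmlsec 2.2.3 addresses CVE-2021-40690") so the next person bumping pac4j can tell which of these three pinned properties must not regress and why. The same applies to bcprov 1.68 (CVE-2020-15522 per the commit message). Two further points on this hunk: the pins for xmlsec, bcprov-jdk15on and springframework are maintained by hand to "match the versions from pac4j 4.5.5", so they can silently drift on the next pac4j bump, and a `mvn dependency:tree` check that no older bcprov or xmlsec is still pulled in transitively would be worth recording under Testing alongside "Ran core job"; and springframework moves from 4.3.29.RELEASE to 5.2.9.RELEASE, a major-version jump, so it is worth stating in the commit message that nothing else in the pom consumes that property besides pac4j.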