IMPALA-11197/IMPALA-11149: Address CVEs in pac4j/xmlsec

This upgrades pac4j and several of its dependencies (including xmlsec) to address CVEs in those components. Specifically: - pac4j 4.5.5 addresses CVE-2021-44878 - xmlsec 2.2.3 addresses CVE-2021-40690 - bcprov 1.68 addresses CVE-2020-15522 This also upgrade springframework to 5.2.9.RELEASE to match the version for pac4j 4.5.5. Testing: - Ran core job Change-Id: I8421d867dd0fce8eeaa6bc13a511ca3e8dd05723 Reviewed-on: http://gerrit.cloudera.org:8080/18348 Reviewed-by: Csaba Ringhofer <csringhofer@cloudera.com> Tested-by: Joe McDonnell <joemcdonnell@cloudera.com>
2025-12-29 18:01:07 -05:00 · 2022-03-23 17:14:46 -07:00
parent f9dfd1f954
commit aa404b856f
1 changed files with 7 additions and 5 deletions
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -67,12 +67,14 @@ under the License.
    <jackson-databind.version>2.10.5.1</jackson-databind.version>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <iceberg.version>${env.IMPALA_ICEBERG_VERSION}</iceberg.version>
-    <pac4j.version>4.0.3</pac4j.version>
+    <pac4j.version>4.5.5</pac4j.version>
    <!-- xmlsec, bcprov-jdk15on and springframework are not used by Impala directly,
-         but needed to replace pac4j 4.0.3's unsafe versions -->
-    <xmlsec.version>2.2.1</xmlsec.version>
-    <bcprov-jdk15on.version>1.64</bcprov-jdk15on.version>
-    <springframework.version>4.3.29.RELEASE</springframework.version>
+         but they are needed by pac4j. This uses a newer xmlsec to address a CVE,
+         but bcprov-jdk15on and springframework versions match the versions from
+         pac4j 4.5.5. -->
+    <xmlsec.version>2.2.3</xmlsec.version>
+    <bcprov-jdk15on.version>1.68</bcprov-jdk15on.version>
+    <springframework.version>5.2.9.RELEASE</springframework.version>
    <json-smart.version>2.4.7</json-smart.version>
  </properties>