Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(sec): upgrade org.apache.tomcat:tomcat-catalina to 8.5.76 #14950

Merged
merged 3 commits into from Oct 25, 2022
Merged

fix(sec): upgrade org.apache.tomcat:tomcat-catalina to 8.5.76 #14950

merged 3 commits into from Oct 25, 2022

Conversation

Super-Sky
Copy link
Contributor

What happened?

There are 8 security vulnerabilities found in org.apache.tomcat:tomcat-catalina 8.5.38

What did I do?

Upgrade org.apache.tomcat:tomcat-catalina from 8.5.38 to 8.5.76 for vulnerability fix

What did you expect to happen?

Ideally, no insecure libs should be used.

The specification of the pull request

PR Specification from OSCS

@abstractj abstractj added area/dependencies kind/cve Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected labels Oct 19, 2022
@abstractj abstractj force-pushed the oscs_fix_cd718g8au51q1alfu0ug branch from 52d343f to 876d10b Compare October 20, 2022 15:48
@abstractj
Copy link
Contributor

@stianst @mposolda even with the Tomcat adapter deprecated, do you see any harm about merging those changes if all the tests pass?

@abstractj abstractj added this to the 20.0.0 milestone Oct 21, 2022
@abstractj
Copy link
Contributor

@stianst would be possible to include this change into 20.0.0?

abstractj
abstractj previously approved these changes Oct 21, 2022
View reviewed changes
martin-kanis
martin-kanis suggested changes Oct 24, 2022
View reviewed changes
Copy link
Contributor

@martin-kanis martin-kanis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see a problem with upgrade of the version. However, there is one override of Tomcat version in the testsuite that can be removed with the PR. https://github.com/keycloak/keycloak/blob/main/testsuite/integration-arquillian/servers/pom.xml#L52

@abstractj
Copy link
Contributor

@Super-Sky could you please incorporate the changes requested by @martin-kanis ?

@abstractj abstractj self-requested a review October 24, 2022 11:56
@stianst
Copy link
Contributor

stianst commented Oct 25, 2022

Removed the override in the testsuite pom

martin-kanis
martin-kanis approved these changes Oct 25, 2022
View reviewed changes
Copy link
Contributor

@martin-kanis martin-kanis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @stianst for the update.

@abstractj abstractj merged commit 1644658 into keycloak:main Oct 25, 2022
andre-nascimento6791 pushed a commit to andre-nascimento6791/keycloak-cnd-work that referenced this pull request Dec 1, 2022
@Super-Sky @stianst @andre-nascimento6791
fix(sec): upgrade org.apache.tomcat:tomcat-catalina to 8.5.76 (keyclo…
4a666a3 
…ak#14950)

Co-authored-by: stianst <stianst@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stianst stianst stianst approved these changes

@martin-kanis martin-kanis martin-kanis approved these changes

@mposolda mposolda Awaiting requested review from mposolda

@abstractj abstractj Awaiting requested review from abstractj

Assignees
No one assigned
Labels
area/dependencies kind/cve Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected
Projects
None yet
Milestone
20.0.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Super-Sky @abstractj @stianst @martin-kanis