
KAFKA-16210: Update jose4j to 0.9.4 #15284

Merged
merged 1 commit into from Jan 30, 2024

Conversation

mike-lloyd03
Contributor

@mike-lloyd03 mike-lloyd03 commented Jan 29, 2024

Committer Checklist (excluded from commit message)

  • Verify design and implementation
  • Verify test coverage and CI build status
  • Verify documentation (including upgrade notes)

org.bitbucket.b_c:jose4j 0.9.3 is susceptible to Denial of Service per CVE-2023-51775.

This PR updates kafka to use 0.9.4.

Thank you

@divijvaidya divijvaidya added the labels dependencies (Pull requests that update a dependency file) and backport-candidate (This pull request is a candidate to be backported to previous versions) Jan 30, 2024
Contributor

@divijvaidya divijvaidya left a comment


Suggestion: when upgrading dependencies, please add the diff of the changes and an explanation of why the upgrade is backward compatible, etc.

In this case https://bitbucket.org/b_c/jose4j/wiki/Release%20Notes is the release notes for this dependency.

Seems like we are adding a constraint to limit (to a reasonable default) the computational resource that this algorithm can use. Sounds fair to me.
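A dependency bump like this one is usually paired with a version floor in CI so the vulnerable release cannot come back. The script below is an added example, not code from the Kafka project or from this PR: it parses a constructed Gradle-style version map, flags `jose4j` pinned below 0.9.4 (the version this PR moves to, cited against CVE-2023-51775 on this page), and rewrites the pin in place. The sample file content, the `MINIMUM_VERSIONS` table and the version-map layout are assumptions made for the example; Kafka's real build files may be laid out differently.

```python
"""Added example (not from the Kafka PR): a supply-chain gate that parses a
Gradle-style dependency version map and checks that jose4j is at or above the
version the PR moves to (0.9.4)."""
import re

# Constructed sample modelled on a Gradle `versions` map; not the project's actual file.
SAMPLE_DEPENDENCIES_GRADLE = """
versions += [
  jackson: "2.16.0",
  jose4j: "0.9.3",
  slf4j: "1.7.36",
]
"""

# Minimum versions carrying a fix. CVE-2023-51775 is the advisory cited on this PR page;
# the table itself is an assumption of this example, not a project artifact.
MINIMUM_VERSIONS = {
    "jose4j": ("0.9.4", "CVE-2023-51775"),
}

# One `name: "version",` entry per line, as in the sample above.
VERSION_RE = re.compile(r'^\s*(?P<name>[A-Za-z0-9_]+)\s*:\s*"(?P<version>[^"]+)"', re.M)


def parse_versions(text):
    """Map every declared dependency name to its pinned version string."""
    return {m.group("name"): m.group("version") for m in VERSION_RE.finditer(text)}


def version_key(version):
    """Turn '0.9.4' into (0, 9, 4, 0) so that '0.9.10' sorts above '0.9.4'.
    A '-qualifier' suffix (e.g. '1.0.0-rc1') sorts below the bare release."""
    base, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    return nums + ((-1, qualifier) if qualifier else (0,))


def check_versions(text, minimums=MINIMUM_VERSIONS):
    """Return (name, found, required, advisory) for every pin below its floor.
    Dependencies absent from the file are not judged."""
    found = parse_versions(text)
    findings = []
    for name, (required, advisory) in minimums.items():
        current = found.get(name)
        if current is not None and version_key(current) < version_key(required):
            findings.append((name, current, required, advisory))
    return findings


def bump_version(text, name, new_version):
    """Rewrite the pinned version of `name`; the rest of the file is untouched."""
    pattern = re.compile(r'^(\s*' + re.escape(name) + r'\s*:\s*")[^"]+(")', re.M)
    return pattern.sub(lambda m: m.group(1) + new_version + m.group(2), text)


if __name__ == "__main__":
    for name, current, required, advisory in check_versions(SAMPLE_DEPENDENCIES_GRADLE):
        print(f"{name} {current} is below {required} ({advisory})")
    fixed = bump_version(SAMPLE_DEPENDENCIES_GRADLE, "jose4j", "0.9.4")
    print("findings after bump:", check_versions(fixed))
```

Run as a CI step, a non-empty result from `check_versions` is the signal to fail the build; the pre-release handling in `version_key` exists so that a `0.9.4-rc1` pin is still reported as below the floor.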

@divijvaidya divijvaidya changed the title Update jose4j to 0.9.4 to address CVE-2023-51775 KAFKA-16210: Update jose4j to 0.9.4 to address CVE-2023-51775 Jan 30, 2024
@divijvaidya divijvaidya changed the title KAFKA-16210: Update jose4j to 0.9.4 to address CVE-2023-51775 KAFKA-16210: Update jose4j to 0.9.4 Jan 30, 2024
@divijvaidya
Contributor

The CI tests that are failing are unrelated since they don't use SASL (which is impacted by this dependency).

@divijvaidya divijvaidya merged commit d6199ad into apache:trunk Jan 30, 2024
1 check was pending
divijvaidya pushed a commit that referenced this pull request Jan 30, 2024
Co-authored-by: Mike Lloyd <mike.lloyd@teradata.com>

Reviewers: Divij Vaidya <diviv@amazon.com>
@divijvaidya
Contributor

backported to 3.7

yyu1993 pushed a commit to yyu1993/kafka that referenced this pull request Feb 15, 2024
omkreddy pushed a commit that referenced this pull request Mar 18, 2024
msn-tldr pushed a commit to confluentinc/kafka that referenced this pull request Mar 22, 2024
msn-tldr added a commit to confluentinc/kafka that referenced this pull request Mar 25, 2024
Co-authored-by: Mike Lloyd <mike.lloyd@teradata.com>

Reviewers: Divij Vaidya <diviv@amazon.com>

Co-authored-by: Mike Lloyd <49411532+mike-lloyd03@users.noreply.github.com>
clolov pushed a commit to clolov/kafka that referenced this pull request Apr 5, 2024
Labels: backport-candidate, dependencies
2 participants