Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE Fixes] Update version of Nimbus.jose.jwt #16320

Merged
merged 2 commits into from
Apr 23, 2024
Merged

[CVE Fixes] Update version of Nimbus.jose.jwt #16320

merged 2 commits into from
Apr 23, 2024

Conversation

pagrawal10
Copy link
Contributor

@pagrawal10 pagrawal10 commented Apr 23, 2024
edited
Loading

This PR updates the version of Nimbus.jose.jwt dependency. It is needed to remove the CVE https://avd.aquasec.com/nvd/2023/cve-2023-52428/

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

@cryptoe cryptoe merged commit f1d24c8 into apache:master Apr 23, 2024
86 checks passed
@adarshsanjeev adarshsanjeev added this to the 30.0.0 milestone May 6, 2024
@adarshsanjeev adarshsanjeev mentioned this pull request May 28, 2024
Closed
pagrawal10 added a commit to confluentinc/druid that referenced this pull request Jun 1, 2024
@pagrawal10
[CVE Fixes] Update version of Nimbus.jose.jwt (apache#16320)
32de3ff 
* Update version of nimbus.jose.jwt.version

* update licenses.yaml
pagrawal10 added a commit to confluentinc/druid that referenced this pull request Jun 1, 2024
@pagrawal10
[CVE Fixes] Update version of Nimbus.jose.jwt (apache#16320)
91aaac4 
* Update version of nimbus.jose.jwt.version

* update licenses.yaml
@pagrawal10 pagrawal10 mentioned this pull request Jun 1, 2024
Merged
10 tasks
pagrawal10 added a commit to confluentinc/druid that referenced this pull request Jun 3, 2024
@pagrawal10
[CVE Fixes] Update version of Nimbus.jose.jwt (apache#16320)
de9342a 
* Update version of nimbus.jose.jwt.version

* update licenses.yaml
pagrawal10 added a commit to pagrawal10/druid that referenced this pull request Sep 2, 2024
@pagrawal10
Revert "[CVE Fixes] Update version of Nimbus.jose.jwt (apache#16320)"
fe40427 
This reverts commit f1d24c8.
@pagrawal10 pagrawal10 mentioned this pull request Sep 2, 2024
Merged
abhishekagarwal87 pushed a commit that referenced this pull request Sep 9, 2024
@pagrawal10
Revert "[CVE Fixes] Update version of Nimbus.jose.jwt (#16320)" (#16986)
b7a21a9 
This reverts commit f1d24c8.

Updating nimbus to version 9+ is causing HTTP ERROR 500 java.lang.NoSuchMethodError: 'net.minidev.json.JSONObject com.nimbusds.jwt.JWTClaimsSet.toJSONObject()'
Refer to SAP/cloud-security-services-integration-library#429 (comment) for more details.

We would need to upgrade other libraries as well for updating nimbus.jose.jwt
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cryptoe cryptoe cryptoe approved these changes

Assignees
No one assigned
Labels
Area - Dependencies
Projects
None yet
Milestone
30.0.0
Development

Successfully merging this pull request may close these issues.
3 participants
@pagrawal10 @cryptoe @adarshsanjeev