new 6dd9d6b51bf minor: upgrade pac4j and log4j and rhino (#19388)
commit 6dd9d6b51bf0a5375580927e9a75f0bda74c5073
Author: Cece Mei <[email protected]>
AuthorDate: Wed Apr 29 11:33:05 2026 -0700
minor: upgrade pac4j and log4j and rhino (#19388)
* upgrade
* upgrade-rhino
* hadoop
* nimbus.jose.jwt.version
---
extensions-core/druid-pac4j/pom.xml | 4 ++--
licenses.yaml | 12 ++++++------
owasp-dependency-check-suppressions.xml | 16 ++++++++++++++++
pom.xml | 6 +++---
4 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/extensions-core/druid-pac4j/pom.xml
b/extensions-core/druid-pac4j/pom.xml
index e1958dfb021..05ec20c5d54 100644
--- a/extensions-core/druid-pac4j/pom.xml
+++ b/extensions-core/druid-pac4j/pom.xml
@@ -34,11 +34,11 @@
</parent>
<properties>
- <pac4j.version>5.7.3</pac4j.version>
+ <pac4j.version>5.7.10</pac4j.version>
<!-- Following must be updated along with any updates to pac4j version.
One can find the compatible version of nimbus libraries in org.pac4j:pac4j-oidc
dependencies-->
<nimbus.lang.tag.version>1.7</nimbus.lang.tag.version>
- <nimbus.jose.jwt.version>9.37.2</nimbus.jose.jwt.version>
+ <nimbus.jose.jwt.version>9.37.3</nimbus.jose.jwt.version>
<oauth2.oidc.sdk.version>10.8</oauth2.oidc.sdk.version>
</properties>
diff --git a/licenses.yaml b/licenses.yaml
index f6cd050a905..3ec887ec5c4 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -877,7 +877,7 @@ name: pac4j-oidc java security library
license_category: binary
module: extensions/druid-pac4j
license_name: Apache License version 2.0
-version: 5.7.3
+version: 5.7.10
libraries:
- org.pac4j: pac4j-oidc
@@ -887,7 +887,7 @@ name: pac4j-core java security library
license_category: binary
module: extensions/druid-pac4j
license_name: Apache License version 2.0
-version: 5.7.3
+version: 5.7.10
libraries:
- org.pac4j: pac4j-core
@@ -897,7 +897,7 @@ name: pac4j-javaee java security library
license_category: binary
module: extensions/druid-pac4j
license_name: Apache License version 2.0
-version: 5.7.3
+version: 5.7.10
libraries:
- org.pac4j: pac4j-javaee
@@ -918,7 +918,7 @@ name: com.nimbusds nimbus-jose-jwt
license_category: binary
module: extensions/druid-pac4j
license_name: Apache License version 2.0
-version: 9.37.2
+version: 9.37.3
libraries:
- com.nimbusds: nimbus-jose-jwt
@@ -2000,7 +2000,7 @@ name: Apache Log4j
license_category: binary
module: java-core
license_name: Apache License version 2.0
-version: 2.25.3
+version: 2.25.4
libraries:
- org.apache.logging.log4j: log4j-1.2-api
- org.apache.logging.log4j: log4j-api
@@ -4042,7 +4042,7 @@ name: Rhino
license_category: binary
module: java-core
license_name: Mozilla Public License Version 2.0
-version: 1.8.0
+version: 1.8.1
copyright: Mozilla and individual contributors.
license_file_path: licenses/bin/rhino.MPL2
libraries:
diff --git a/owasp-dependency-check-suppressions.xml
b/owasp-dependency-check-suppressions.xml
index c1e7448ecd0..5677c037353 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -148,6 +148,14 @@
<cve>CVE-2025-5115</cve> <!-- netty issue in shaded hadoop -->
</suppress>
+ <suppress>
+ <!-- from extensions using hadoop-client-runtime 3.5.0, these dependencies
are shaded in the jar -->
+ <notes><![CDATA[
+ file name: hadoop-client-runtime-3.5.0.jar
+ ]]></notes>
+ <cve>CVE-2026-5795</cve> <!-- Jetty 9.4.58 JASPI ThreadLocal privilege
escalation in shaded hadoop. Not exploitable in Druid's Hadoop client usage
(file operations only, no JASPI auth). Requires Hadoop to update to Jetty
9.4.59+ -->
+ </suppress>
+
<!-- those are false positives, no other tools report any of those CVEs in
the hadoop package -->
<suppress>
<notes><![CDATA[
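Review bot: The new `<suppress>` for CVE-2026-5795 carries only a `<notes>` file name and no `<packageUrl>`, `<gav>` or `<filePath>` selector, so dependency-check will apply it to every artifact flagged with that CVE, not just the shaded hadoop-client-runtime-3.5.0.jar the note describes; a direct Jetty 9.4.x dependency picked up later would be silently suppressed too. Scope it the way the grpc suppression in the second hunk of this file does, e.g. `<packageUrl regex="true">^pkg:maven/org\.apache\.hadoop/hadoop-client-runtime@.*$</packageUrl>` placed before the `<cve>` line. Since the justification is "requires Hadoop to update to Jetty 9.4.59+", consider bounding the rule with the `until` attribute on `<suppress>` (e.g. `<suppress until="YYYY-MM-DD">`, date to be chosen) so it is re-evaluated rather than outliving the Hadoop upgrade. The enclosing `<suppressions>` root starts and ends outside this hunk.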
@@ -752,4 +760,12 @@
]]></notes>
<vulnerabilityName>CVE-2024-11407</vulnerabilityName> <!-- This CVE is a
false positive for java. The CVE is related to their cpp library, not java -->
</suppress>
+
+ <suppress>
+ <notes><![CDATA[
+ file name: grpc-*.jar (all grpc-java artifacts, any version)
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/io\.grpc/grpc-.*@.*$</packageUrl>
+ <cve>CVE-2026-33186</cve> <!-- Only applicable to gRPC Go
(google.golang.org/grpc < 1.79.3), not gRPC Java -
https://nvd.nist.gov/vuln/detail/CVE-2026-33186 -->
+ </suppress>
</suppressions>
diff --git a/pom.xml b/pom.xml
index daf8a67506b..7c3752b3181 100644
--- a/pom.xml
+++ b/pom.xml
@@ -106,7 +106,7 @@
<jersey.version>1.19.4</jersey.version>
<jackson.version>2.20.2</jackson.version>
<codehaus.jackson.version>1.9.13</codehaus.jackson.version>
- <log4j.version>2.25.3</log4j.version>
+ <log4j.version>2.25.4</log4j.version>
<mysql.version>8.2.0</mysql.version>
<mariadb.version>2.7.3</mariadb.version>
<netty3.version>3.10.6.Final</netty3.version>
@@ -683,12 +683,12 @@
<dependency>
<groupId>org.mozilla</groupId>
<artifactId>rhino</artifactId>
- <version>1.8.0</version>
+ <version>1.8.1</version>
</dependency>
<dependency>
<groupId>org.mozilla</groupId>
<artifactId>rhino-engine</artifactId>
- <version>1.8.0</version>
+ <version>1.8.1</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>