minor: upgrade pac4j and log4j and rhino#19388

Merged: cecemei merged 4 commits into apache:master from cecemei:cve4 on Apr 29, 2026
Conversation

@cecemei cecemei commented Apr 28, 2026

Upgrade pac4j and log4j and rhino.


This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

@cecemei cecemei changed the title minor: upgrade pac4j and log4j minor: upgrade pac4j and log4j and rhino Apr 28, 2026
@cecemei cecemei marked this pull request as ready for review April 28, 2026 23:29
@FrankChen021 FrankChen021 left a comment

Severity  Findings
P0        0
P1        0
P2        1
P3        0
Total     1

This is an automated review by Codex GPT-5

<notes><![CDATA[
file name: hadoop-client-runtime-3.5.0.jar
]]></notes>
<cve>CVE-2026-5795</cve> <!-- Jetty 9.4.58 JASPI ThreadLocal privilege escalation in shaded hadoop. Not exploitable in Druid's Hadoop client usage (file operations only, no JASPI auth). Requires Hadoop to update to Jetty 9.4.59+ -->
[P2] Scope the Hadoop CVE suppression

This suppression has only a CVE selector, so dependency-check will suppress CVE-2026-5795 for every dependency in the scan, not just the shaded Jetty copy in hadoop-client-runtime-3.5.0. That can hide a real vulnerable Jetty artifact if one is introduced elsewhere. Add a dependency selector such as a packageUrl/filePath regex for org.apache.hadoop:hadoop-client-runtime:3.5.0 before suppressing this CVE.
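The scoping problem the [P2] finding describes, as an added example that is not part of this PR or of dependency-check's own code: a small linter that flags `<suppress>` entries with no dependency selector, plus an approximation of how an unscoped versus a packageUrl-scoped entry matches. The suppressions file below is constructed, with entry 0 mirroring the CVE-only suppression and entry 1 the scoped form the reviewer asks for.

```python
"""Lint an OWASP dependency-check suppressions file for unscoped CVE suppressions."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, not Druid's own suppressions file: entry 0 mirrors the CVE-only
# suppression the review flags, entry 1 is the packageUrl-scoped form it asks for.
SUPPRESSIONS_XML = """<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[file name: hadoop-client-runtime-3.5.0.jar]]></notes>
    <cve>CVE-2026-5795</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[file name: hadoop-client-runtime-3.5.0.jar]]></notes>
    <packageUrl regex="true">^pkg:maven/org\\.apache\\.hadoop/hadoop\\-client\\-runtime@3\\.5\\.0$</packageUrl>
    <cve>CVE-2026-5795</cve>
  </suppress>
</suppressions>
"""

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}
# Selectors that restrict a <suppress> to particular dependencies (the "where").
DEPENDENCY_SELECTORS = ("filePath", "sha1", "gav", "packageUrl")


def find_unscoped_suppressions(xml_text):
    """Return (index, [cves]) for every <suppress> that carries no dependency selector."""
    root = ET.fromstring(xml_text)
    findings = []
    for i, sup in enumerate(root.findall("s:suppress", NS)):
        scoped = any(sup.find(f"s:{tag}", NS) is not None for tag in DEPENDENCY_SELECTORS)
        cves = [c.text.strip() for c in sup.findall("s:cve", NS)]
        if not scoped:
            findings.append((i, cves))
    return findings


def applies_to(xml_text, index, package_url, cve):
    """Approximate dependency-check matching for a packageUrl/cve suppression: the entry
    applies when its CVE matches and it is either unscoped or its packageUrl matches."""
    sup = ET.fromstring(xml_text).findall("s:suppress", NS)[index]
    if cve not in [c.text.strip() for c in sup.findall("s:cve", NS)]:
        return False
    purl = sup.find("s:packageUrl", NS)
    if purl is None:
        return True  # unscoped: every dependency carrying this CVE is silenced
    pattern = purl.text.strip()
    if purl.get("regex") == "true":
        return re.fullmatch(pattern, package_url) is not None
    return pattern == package_url
```

Running `find_unscoped_suppressions` in CI over the real suppressions file turns the reviewer's manual check into a gate that fails when a CVE-only entry is added.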

@cecemei cecemei merged commit 6dd9d6b into apache:master Apr 29, 2026
38 of 41 checks passed
@github-actions github-actions Bot added this to the 38.0.0 milestone Apr 29, 2026
3 participants