lhotari opened a new pull request, #25785: URL: https://github.com/apache/pulsar/pull/25785
### Motivation

`org.apache.kerby:kerb-simplekdc` was last bumped to `1.1.1`, which was released on **May 25th, 2018**. That release transitively pulls in some vulnerable dependencies, including `com.nimbusds:nimbus-jose-jwt` `4.41.2`. Kerby `2.1.1` is the latest release and brings in modern, supported versions of its transitive dependencies (e.g. `nimbus-jose-jwt` `10.6`), in addition to several years of upstream bug fixes.

### Modifications

- Bump `kerby` version in `gradle/libs.versions.toml` from `1.1.1` to `2.1.1`.

The `kerb-simplekdc` artifact is only used in test scope by the `pulsar-broker-auth-sasl` module (`MiniKdc.java`). The API surface used by `MiniKdc` (`SimpleKdcServer`, `KdcConfigKey`, `KrbException`, `org.apache.kerby.util.IOUtil`, `org.apache.kerby.util.NetworkUtil`) is source-compatible between 1.1.1 and 2.1.1, so no production or test code changes are required.

### Verifying this change

- [x] Make sure that the change passes the CI checks.

This change is already covered by existing tests:

- `./gradlew :pulsar-broker-auth-sasl:test` — all 11 tests pass (`ProxySaslAuthenticationTest`, `SaslAuthenticateTest`, `SaslServerTokenSignerTest`), which exercise the SASL/Kerberos flow backed by the embedded Kerby `SimpleKdcServer` via `MiniKdc`.
- `./gradlew spotlessCheck checkstyleMain checkstyleTest` — clean.

### Does this pull request potentially affect one of the following parts:

- [x] Dependencies (add or upgrade a dependency)
- [ ] The public API
- [ ] The schema
- [ ] The default values of configurations
- [ ] The threading model
- [ ] The binary protocol
- [ ] The REST endpoints
- [ ] The admin CLI options
- [ ] The metrics
- [ ] Anything that affects deployment

This is a test-scope dependency upgrade (`kerb-simplekdc` is only used by `pulsar-broker-auth-sasl` tests), so there is no impact on runtime artifacts or deployment.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
