camunda / camunda-bpm-platform

Flexible framework for workflow and decision automation with BPMN and DMN. Integration with Quarkus, Spring, Spring Boot, CDI.
https://camunda.com/
Apache License 2.0

Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML #4379

Status: Closed (Nanmozhi22 closed this issue 3 months ago)

Nanmozhi22 commented 4 months ago

Upgrade org.opensaml:opensaml to fix 3 Dependabot alerts in internal-dependencies/pom.xml

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

Weakness: CWE-295

CVE-2015-1796

Nanmozhi22 commented 4 months ago

I will work on this version upgrade

venetrius commented 4 months ago

Hi @Nanmozhi22, I can see OpenSAML in the internal-dependencies/pom.xml dependencyManagement section, but other than that the library is not used in Camunda 7 Platform.
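As an added example (not code from the Camunda project or from anyone in this thread), the following Python check detects the situation venetrius describes: an artifact pinned in a parent pom's `dependencyManagement` section that neither the parent nor any module ever declares under a top-level `<dependencies>` element, so it never reaches a classpath. The pom fragments, the `org.example` groupId and the `0.0.0-EXAMPLE` versions are constructed for the example; the `opensaml` coordinates and the `internal-dependencies` artifact name come from this issue.

```python
"""
Report artifacts that a parent pom pins in <dependencyManagement> but that
no pom in the build declares as a real <dependency>. Such entries are the
technical debt discussed in this issue: they pin a version (and attract
Dependabot alerts) without putting any code on a classpath.
This is an added example, not Camunda or Maven project code.
"""
import xml.etree.ElementTree as ET

# Maven poms live in this namespace; ElementTree needs it spelled out.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def _coords(dep):
    """Return 'groupId:artifactId' for one <dependency> element."""
    group = dep.findtext("m:groupId", namespaces=NS)
    artifact = dep.findtext("m:artifactId", namespaces=NS)
    return f"{group}:{artifact}"


def managed_coordinates(pom_xml):
    """Artifacts pinned under <dependencyManagement>/<dependencies>."""
    root = ET.fromstring(pom_xml)
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    return {_coords(d) for d in root.findall(path, NS)}


def declared_coordinates(pom_xml):
    """Artifacts declared under the pom's top-level <dependencies>, i.e. the
    ones that end up on a classpath. The path is anchored at <project>, so
    the nested <dependencyManagement>/<dependencies> block is not matched.
    Limitation: dependencies inside <profiles> or plugin blocks are ignored."""
    root = ET.fromstring(pom_xml)
    return {_coords(d) for d in root.findall("m:dependencies/m:dependency", NS)}


def unused_managed(parent_pom_xml, module_pom_xmls):
    """Managed coordinates that no pom (parent or module) declares directly."""
    managed = managed_coordinates(parent_pom_xml)
    used = declared_coordinates(parent_pom_xml)
    for pom in module_pom_xmls:
        used |= declared_coordinates(pom)
    return sorted(managed - used)


# Constructed sample poms: a parent that pins two artifacts, and one module
# that only uses the second. Versions are placeholders, not real releases.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>internal-dependencies</artifactId>
  <version>0.0.0-EXAMPLE</version>
  <packaging>pom</packaging>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml</artifactId>
        <version>0.0.0-EXAMPLE</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>0.0.0-EXAMPLE</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""

MODULE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.example</groupId>
    <artifactId>internal-dependencies</artifactId>
    <version>0.0.0-EXAMPLE</version>
  </parent>
  <artifactId>engine</artifactId>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>"""


if __name__ == "__main__":
    # In a real build, read the parent pom and every module pom from disk.
    for coords in unused_managed(PARENT_POM, [MODULE_POM]):
        print(f"managed but never declared: {coords}")
```

A hit from this check only says the artifact is not declared directly. Because `dependencyManagement` also pins the version of anything that arrives transitively, confirm with `mvn dependency:tree` that the artifact is not pulled in by another dependency before treating the entry as dead and removing it.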

tasso94 commented 4 months ago

Hi @venetrius,

Can you remove the obsolete dependencies as part of your community work?

Best, Tassilo

Nanmozhi22 commented 3 months ago

Hi @venetrius

Thanks for your response! Will that mean this issue contribution is not required?

venetrius commented 3 months ago

Hi @Nanmozhi22, it is not a security concern, and there is no reason to update opensaml; on the other hand, having opensaml in dependencyManagement when it is not being used is technical debt.

If you would like to create a pull request to remove opensaml, that would be welcomed.

Nanmozhi22 commented 3 months ago

Hi @venetrius

Will it be fine if I close this PR by adding the comments?

venetrius commented 3 months ago

Hi @Nanmozhi22, I have created an issue to remove OpenSAML. Please let us know there if you would like to contribute with a PR.

Closing this issue.