Closed: Nanmozhi22 closed this issue 3 months ago
I will work on this version upgrade
Hi @Nanmozhi22, I can see OpenSAML in the internal-dependencies/pom.xml dependencyManagement section, but other than that the library is not used in Camunda 7 Platform.
Hi @venetrius,
Can you remove the obsolete dependencies as part of your community work?
Best, Tassilo
Hi @venetrius
Thanks for your response! Will that mean this issue contribution is not required?
Hi @Nanmozhi22,
It is not a security concern, and there is no reason to update opensaml; on the other hand, having opensaml in dependencyManagement when it is not being used is technical debt.
If you would like to create a pull request to remove opensaml, that would be welcomed.
Hi @venetrius
Will it be fine if I close this PR by adding the comments?
Upgrade org.opensaml:opensaml to fix 3 Dependabot alerts in internal-dependencies/pom.xml
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
Weakness: CWE-295
CVE-2015-1796
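The maintainer's point above is that a dependencyManagement entry pins a version for modules that declare the artifact, so a managed-but-undeclared artifact still shows up in Dependabot alerts while never reaching the build's classpath. The script below is an added example, not code from the Camunda project: it parses a parent POM and its module POMs and reports managed coordinates that no module declares, counting dependencies declared inside profiles as used. All POM contents, the org.example artifacts and the version strings are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Maven POM namespace; elements in a real pom.xml carry it, so XPath lookups must too.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed parent POM: manages three artifacts, one of which no module declares.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>internal-dependencies</artifactId>
  <version>0.0.0-sample</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml</artifactId>
        <version>0.0.0-sample</version>
      </dependency>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>used-lib</artifactId>
        <version>0.0.0-sample</version>
      </dependency>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>profile-lib</artifactId>
        <version>0.0.0-sample</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# Constructed module POM: declares used-lib directly and profile-lib only inside a profile.
MODULE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>some-module</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>used-lib</artifactId>
    </dependency>
  </dependencies>
  <profiles>
    <profile>
      <id>extra</id>
      <dependencies>
        <dependency>
          <groupId>org.example</groupId>
          <artifactId>profile-lib</artifactId>
        </dependency>
      </dependencies>
    </profile>
  </profiles>
</project>
"""


def coord(dep: ET.Element) -> str:
    """Return the groupId:artifactId pair of a <dependency> element."""
    group = dep.findtext("m:groupId", namespaces=NS)
    artifact = dep.findtext("m:artifactId", namespaces=NS)
    return f"{group}:{artifact}"


def managed_coordinates(pom_xml: str) -> set:
    """Coordinates pinned under <dependencyManagement> in the given POM."""
    root = ET.fromstring(pom_xml)
    path = "m:dependencyManagement/m:dependencies/m:dependency"
    return {coord(dep) for dep in root.findall(path, NS)}


def declared_coordinates(pom_xml: str) -> set:
    """Coordinates actually declared by a POM: top-level and profile dependencies."""
    root = ET.fromstring(pom_xml)
    paths = (
        "m:dependencies/m:dependency",
        "m:profiles/m:profile/m:dependencies/m:dependency",
    )
    return {coord(dep) for path in paths for dep in root.findall(path, NS)}


def unused_managed(parent_pom: str, module_poms: list) -> list:
    """Managed coordinates that neither the parent nor any module declares."""
    used = declared_coordinates(parent_pom)
    for pom in module_poms:
        used |= declared_coordinates(pom)
    return sorted(managed_coordinates(parent_pom) - used)


if __name__ == "__main__":
    for ga in unused_managed(PARENT_POM, [MODULE_POM]):
        print(f"managed but never declared: {ga}")
```

The output is a candidate list, not a verdict: a managed entry may be consumed by another project that imports the POM as a BOM, or by plugin dependencies the script does not walk, so confirm each candidate with `mvn dependency:tree` before removing it.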