
fix(deps): update dependency org.keycloak:keycloak-core to v26.0.6 [security] - autoclosed #267

@renovate renovate bot commented Nov 25, 2024

This PR contains the following updates:

| Package                             | Change           |
| ----------------------------------- | ---------------- |
| org.keycloak:keycloak-core (source) | 26.0.5 -> 26.0.6 |

GitHub Vulnerability Alerts

CVE-2024-10039

A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.


Release Notes

keycloak/keycloak (org.keycloak:keycloak-core)

v26.0.6

Compare Source

Highlights

Admin events might now include additional details about the context in which the event is fired

In this release, admin events might hold additional details about the context in which the event is fired. When upgrading, you should expect the database schema to be updated to add a new column DETAILS_JSON to the ADMIN_EVENT_ENTITY table.

Updates to documentation of X.509 client certificate lookup via proxy

Potentially vulnerable configurations have been identified in the X.509 client certificate lookup when using a reverse proxy. Additional configuration steps might be required depending on your current configuration. Make sure to review the updated reverse proxy guide if you have configured the client certificate lookup via a proxy header.
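As an added illustration of the weakness that CVE-2024-10039 and the note above describe (constructed example, not Keycloak's code and not part of these release notes): a backend that takes the client certificate from a proxy-supplied header must honour that header only when the request actually arrived from the trusted proxy, and the proxy must strip any such header a client sends. The header name `X-Client-Cert`, the proxy subnet and the addresses are assumptions.

```python
"""Client-certificate lookup via a proxy header: weak vs. hardened backend.

Constructed example, not Keycloak's code. The header name X-Client-Cert
and the proxy subnet 10.0.0.0/24 are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional
from urllib.parse import quote, unquote

CERT_HEADER = "x-client-cert"                   # hypothetical header name
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]   # constructed proxy subnet


@dataclass
class Request:
    peer_ip: str                                # TCP peer that delivered it
    headers: Dict[str, str] = field(default_factory=dict)
    tls_client_cert: Optional[str] = None       # cert from pass-through TLS


def proxy_forward(client_headers: Dict[str, str],
                  verified_cert: Optional[str]) -> Dict[str, str]:
    """Proxy side: drop any client-supplied cert header, then set it only
    from the certificate the proxy itself verified in the TLS handshake."""
    out = {k: v for k, v in client_headers.items() if k.lower() != CERT_HEADER}
    if verified_cert is not None:
        out[CERT_HEADER] = quote(verified_cert, safe="")   # URL-encode the PEM
    return out


def lookup_cert_weak(req: Request) -> Optional[str]:
    """Vulnerable backend: trusts the header no matter who sent it, so any
    host that can reach the backend directly can present any certificate."""
    raw = req.headers.get(CERT_HEADER)
    return unquote(raw) if raw is not None else req.tls_client_cert


def lookup_cert_hardened(req: Request) -> Optional[str]:
    """Hardened backend: honour the header only when the connection comes
    from a trusted proxy; a cert header on any other connection is rejected."""
    raw = req.headers.get(CERT_HEADER)
    if raw is None:
        return req.tls_client_cert
    if not any(ip_address(req.peer_ip) in net for net in TRUSTED_PROXIES):
        return None          # direct connection carrying a cert header
    return unquote(raw)
```

With pass-through TLS termination the header path is not used at all and `tls_client_cert` comes from the backend's own handshake, which is why that deployment mode is not affected.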

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #34315 Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 worker nodes
  • #34386 Some dynamically imported functions are also statically imported, making bundling them inefficient
  • #34570 Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC docs
  • #34855 Add conditional text to Installation Locations
  • #34873 Update Leveraging JaKarta EE in Server Development guide
  • #34887 Apply QE edits to High Availability guide

Bugs

  • #609 Workflow failure - Jakarta - SAMLServiceProviderTest.testAccessAccountManagement
  • #11008 Incorrectly getting the members of a group imported from LDAP [ldap]
  • #17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used [ldap]
  • #19652 Members are inherited from LDAP group with the same name [ldap]
  • #23732 JavascriptAdapterTest errors when running with strict cookies on Firefox [ci]
  • #27856 Social login - Stack Overflow test fails [ci]
  • #31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI [ldap]
  • #32786 Organization Domain not marked as a required field in the Admin UI [admin/ui]
  • #33531 Previously entered translations should persist in the translation dialog for the attribute groups [admin/ui]
  • #34013 Add More Info to Organization Events [organizations]
  • #34065 Users without `view-realm` can't see user lockout state in Admin UI [admin/ui]
  • #34201 OIDC IdP Unable to validate signatures using validatingPublicKey certificate [admin/ui]
  • #34335 NPE in Organization(s)Resource when using Quarkus Rest Client [admin/api]
  • #34401 Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API [admin/api]
  • #34465 Missing help icons in Webauthn Policy and Webauthn Passwordless Policy in admin UI [admin/ui]
  • #34519 Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation [admin/ui]
  • #34549 Quarkus dev mode does not work [dist/quarkus]
  • #34572 Text in "Choose a policy type" is not wrapping [admin/ui]
  • #34603 NPE in InfinispanOrganizationProvider if userCache is disabled [infinispan]
  • #34624 Securing apps guide breaks downstream docs
  • #34634 Missing downstream explicit name for anchors [docs]
  • #34644 KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored [infinispan]
  • #34671 `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy [core]
  • #34687 New credential templates broken in KC26 [login/ui]
  • #34905 [Keycloak CI] Outdated surefire artifact names - Quarkus IT and UT [ci]
  • #35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
  • #35214 CVE-2024-10270 Potential Denial of Service
  • #35215 CVE-2024-10492 Keycloak path traversal
  • #35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
  • #35217 CVE-2024-10039 Bypassing mTLS validation

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

…ecurity]

| datasource | package                    | from   | to     |
| ---------- | -------------------------- | ------ | ------ |
| maven      | org.keycloak:keycloak-core | 26.0.5 | 26.0.6 |
@renovate renovate bot requested a review from a team as a code owner November 25, 2024 19:42
@renovate renovate bot changed the title fix(deps): update dependency org.keycloak:keycloak-core to v26.0.6 [security] fix(deps): update dependency org.keycloak:keycloak-core to v26.0.6 [security] - autoclosed Dec 2, 2024
@renovate renovate bot closed this Dec 2, 2024
@renovate renovate bot deleted the renovate/maven-org.keycloak-keycloak-core-vulnerability branch December 2, 2024 14:09