[kie-issues 1788] Updating to Keycloak 26.1.0 #3837
Conversation
Should fix CVE-2024-9666 and CVE-2024-7318 This also aligns with Quarkus 3.15.3 Signed-off-by: Jason Porter <lightguard.jp@gmail.com>
Not sure about that |
|
I see this as green. Are there any other checks to be made, please? Or can we merge? |
|
I believe we're good to merge. |
|
I've found some other places where we pull in Keycloak transitively in the data-index-persistence addon. It includes quarkus-oidc artifacts, which in turn pull in Keycloak. The biggest problem is that there is no version using a more recent version of keycloak :( I have my doubts of getting it fixed upstream in the 3.15 branch, I could try though. Just looked, the more recent versions have changed the pom, so that probably won't work. Do we exclude keycloak in that dependency and get our own version? |
|
@LightGuard thanks for checking. I think we could just align with what is in Quarkus now and I guess there will be another Quarkus bump soon as as far as I know there is a very recent new LTS release (or soon will be a new LTS release released). |
|
Okay, then we're good with this change for now. |
|
I believe we're good to merge |
Fixes apache/incubator-kie-issues#1788.
Dashbuilder Appformer also uses keycloak, but I think this takes care of it as well. We'll need to do a full build to make sure everything is good.