Created attachment 239452: net/keycloak Upgrade Keycloak to 20.0.3.

Tested on 12.3-RELEASE and 13.1-RELEASE. Poudriere builds ok at https://poudriere.rheinwolf.de/builds/20230113-15:30:07.31971/.

Fixes CVE-2022-40151 & CVE-2022-41966

Note to self: add VuXML entry
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=db9a594cc0ee81cff2e5cd46bc0678b26680df0a

commit db9a594cc0ee81cff2e5cd46bc0678b26680df0a
Author:     Matthias Wolf <freebsd@rheinwolf.de>
AuthorDate: 2023-01-15 19:31:39 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-16 13:27:54 +0000

    net/keycloak: Update to 20.0.3

    ChangeLog: https://www.keycloak.org/2023/01/keycloak-2003-released.html

    * User role mapping tab: Show effective client roles for a user  keycloak-ui section/users
    * ProviderConfigProperty.MAP_TYPE error in new UI  keycloak-ui section/identity providers
    * Unable to turn on "Bypass identity confirmation"  keycloak-ui section/authentication
    * Adding Form sub-flow broken on admin v2  keycloak-ui section/authentication
    * Custom User Provider SPI: There are no settings to configure the periodically synchronization of users  keycloak-ui section/user federation
    * Assign roles to account - paging doesn't work  keycloak-ui section/users
    * Realm selector requires two clicks to select something  keycloak-ui section/realms
    * User management -> User in 2 subgroups with the same group name assignment does not work  keycloak-ui section/users
    * Invalid language tag error when changing realm localization settings  keycloak-ui section/realm settings
    * `Missing ":type" param` in the Events page when there are Client Scope events  keycloak-ui section/events
    * Import client broken  keycloak-ui section/clients
    * New Admin Console only, unable to add client profile in the first client policy  keycloak-ui section/realm settings
    * Disabling hostname strict in prod doesn't disable https  keycloak dist/quarkus
    * snakeyaml vulnerability GHSA-3mc7-4q67-w48m impacting CLI  keycloak admin/cli
    * The redirect URI cannot be verified during logout in the case when client was removed  keycloak oidc
    * Wrong auth session id being used when validating auth session id cookies  keycloak core
    * Update XStream to 1.4.20 to fix CVE-2022-40151 & CVE-2022-41966  keycloak
    * Timeout when executing command PutMapCommand  keycloak storage
    * Set OkHttp to 4.10.0 in parent pom  keycloak
    * Lack of validation of access token on client registrations endpoint  keycloak oidc

    PR:           268939
    Reported by:  freebsd@rheinwolf.de (maintainer)
    MFH:          2023Q1 (bugfix, security fixes)
    Security:     CVE-2022-40151, CVE-2022-41966

 net/keycloak/Makefile  |   2 +-
 net/keycloak/distinfo  |   6 +-
 net/keycloak/pkg-plist | 394 +++++++++++++++++++++++++------------------------
 3 files changed, 203 insertions(+), 199 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5e8cd88070910be14686cbce2f1afc4d2921d927

commit 5e8cd88070910be14686cbce2f1afc4d2921d927
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-01-16 13:26:18 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-16 13:28:27 +0000

    security/vuxml: register security/keycloak vulnerability

    Two Xstream related CVEs that might cause a DoS attack:

    * CVE-2022-40151
    * CVE-2022-41966

    PR:  268939

 security/vuxml/vuln/2023.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dfa7df62bc3820c6544a867b33f7aeaa962ac323

commit dfa7df62bc3820c6544a867b33f7aeaa962ac323
Author:     Matthias Wolf <freebsd@rheinwolf.de>
AuthorDate: 2023-01-15 19:31:39 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-16 13:30:24 +0000

    net/keycloak: Update to 20.0.3

    ChangeLog: https://www.keycloak.org/2023/01/keycloak-2003-released.html

    * User role mapping tab: Show effective client roles for a user  keycloak-ui section/users
    * ProviderConfigProperty.MAP_TYPE error in new UI  keycloak-ui section/identity providers
    * Unable to turn on "Bypass identity confirmation"  keycloak-ui section/authentication
    * Adding Form sub-flow broken on admin v2  keycloak-ui section/authentication
    * Custom User Provider SPI: There are no settings to configure the periodically synchronization of users  keycloak-ui section/user federation
    * Assign roles to account - paging doesn't work  keycloak-ui section/users
    * Realm selector requires two clicks to select something  keycloak-ui section/realms
    * User management -> User in 2 subgroups with the same group name assignment does not work  keycloak-ui section/users
    * Invalid language tag error when changing realm localization settings  keycloak-ui section/realm settings
    * `Missing ":type" param` in the Events page when there are Client Scope events  keycloak-ui section/events
    * Import client broken  keycloak-ui section/clients
    * New Admin Console only, unable to add client profile in the first client policy  keycloak-ui section/realm settings
    * Disabling hostname strict in prod doesn't disable https  keycloak dist/quarkus
    * snakeyaml vulnerability GHSA-3mc7-4q67-w48m impacting CLI  keycloak admin/cli
    * The redirect URI cannot be verified during logout in the case when client was removed  keycloak oidc
    * Wrong auth session id being used when validating auth session id cookies  keycloak core
    * Update XStream to 1.4.20 to fix CVE-2022-40151 & CVE-2022-41966  keycloak
    * Timeout when executing command PutMapCommand  keycloak storage
    * Set OkHttp to 4.10.0 in parent pom  keycloak
    * Lack of validation of access token on client registrations endpoint  keycloak oidc

    PR:           268939
    Reported by:  freebsd@rheinwolf.de (maintainer)
    MFH:          2023Q1 (bugfix, security fixes)
    Security:     CVE-2022-40151, CVE-2022-41966

    (cherry picked from commit db9a594cc0ee81cff2e5cd46bc0678b26680df0a)

 net/keycloak/Makefile  |   2 +-
 net/keycloak/distinfo  |   6 +-
 net/keycloak/pkg-plist | 394 +++++++++++++++++++++++++------------------------
 3 files changed, 203 insertions(+), 199 deletions(-)
Committed and merged to 2023Q1, Thanks!