Created attachment 269345 [details]
net/keycloak Upgrade Keycloak to 26.5.7.

Tested on 14.3-RELEASE and 15.0-RELEASE.

Fixes:
CVE-2025-14083 keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure admin/api
CVE-2026-1002 - io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
CVE-2026-3429 Improper Access Control for LoA During Credential Deletion account/api
CVE-2026-4634 Keycloak Application-Level DoS via Scope Processing
CVE-2026-4636 UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
CVE-2026-3872 Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
CVE-2026-4282 Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=37ce78ee03fb6b560d80561e84ee474a76d190a0

commit 37ce78ee03fb6b560d80561e84ee474a76d190a0
Author:     Matthias Wolf <freebsd@rheinwolf.de>
AuthorDate: 2026-04-04 16:55:27 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2026-04-04 16:55:27 +0000

    net/keycloak: Update 26.5.6 => 26.5.7

    Release Notes: https://www.keycloak.org/2026/04/keycloak-2657-released

    PR:             294235
    Security:       CVE-2025-14083
    Security:       CVE-2026-1002
    Security:       CVE-2026-3429
    Security:       CVE-2026-4634
    Security:       CVE-2026-4636
    Security:       CVE-2026-3872
    Security:       CVE-2026-4282
    Sponsored by:   UNIS Labs
    MFH:            2026Q2

 net/keycloak/Makefile  |   3 +-
 net/keycloak/distinfo  |   6 +-
 net/keycloak/pkg-plist | 329 +++++++++++++++++++++++++------------------------
 3 files changed, 169 insertions(+), 169 deletions(-)
A commit in branch 2026Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8336ae749c41603aa99c43e9616d0db4fbe6b872

commit 8336ae749c41603aa99c43e9616d0db4fbe6b872
Author:     Matthias Wolf <freebsd@rheinwolf.de>
AuthorDate: 2026-04-04 16:55:27 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2026-04-04 16:59:24 +0000

    net/keycloak: Update 26.5.6 => 26.5.7

    Release Notes: https://www.keycloak.org/2026/04/keycloak-2657-released

    PR:             294235
    Security:       CVE-2025-14083
    Security:       CVE-2026-1002
    Security:       CVE-2026-3429
    Security:       CVE-2026-4634
    Security:       CVE-2026-4636
    Security:       CVE-2026-3872
    Security:       CVE-2026-4282
    Sponsored by:   UNIS Labs
    MFH:            2026Q2

    (cherry picked from commit 37ce78ee03fb6b560d80561e84ee474a76d190a0)

 net/keycloak/Makefile  |   2 +-
 net/keycloak/distinfo  |   6 +-
 net/keycloak/pkg-plist | 329 +++++++++++++++++++++++++------------------------
 3 files changed, 169 insertions(+), 168 deletions(-)
Thanks. I've recently been using this port in production with java/openjdk25, which literally became the default in the ports yesterday.

To get it to run correctly, I needed to add the following line to /etc/rc.conf:

keycloak_env='JAVA_ADD_OPENS="--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED"'

Error message in log was:

Exception in thread "vert.x-internal-blocking-1" java.lang.IllegalAccessError: module java.base does not open java.lang to unnamed module @e25b2fe; to use the thread-local-reset capability on Java 24 or later, use this JVM option: --add-opens java.base/java.lang=ALL-UNNAMED
        at org.jboss.threads.JDKSpecific$ThreadAccess.<clinit>(JDKSpecific.java:32)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:13)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1474)
Exception in thread "executor-thread-1" java.lang.NoClassDefFoundError: Could not initialize class org.jboss.threads.JDKSpecific$ThreadAccess
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:13)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1474)
Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.IllegalAccessError: module java.base does not open java.lang to unnamed module @e25b2fe; to use the thread-local-reset capability on Java 24 or later, use this JVM option: --add-opens java.base/java.lang=ALL-UNNAMED [in thread "vert.x-internal-blocking-1"]
        at org.jboss.threads.JDKSpecific$ThreadAccess.<clinit>(JDKSpecific.java:32)
        ... 3 more

The default value of the JAVA_ADD_OPENS in Keycloak is:
"--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED".

I added "--add-opens=java.base/java.lang=ALL-UNNAMED". Without this, Keycloak won't start.

We need to consider what changes need to be made to the port so that Keycloak runs without errors after the default installation. Maybe add the following to the startup script:

: ${keycloak_env='JAVA_ADD_OPENS="--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED"'}

It might also be worth reporting this bug to upstream.
If you don't mind, I'll commit the proposed change - add the following to the startup script:

: ${keycloak_env='JAVA_ADD_OPENS="--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED"'}

?
I think we can add that for now. Official support for Java 25 is scheduled for Keycloak 26, per https://github.com/keycloak/keycloak/issues/43265.
Created attachment 269459 [details] v1 - Fix run with Java 25. - Improve port.
If there are no objections, shall I commit this patch?
Patch looks fine to me, thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d848ed23c8dedc71a10834bd17465153e79d22ec

commit d848ed23c8dedc71a10834bd17465153e79d22ec
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2026-04-11 17:49:22 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2026-04-11 17:49:22 +0000

    net/keycloak: Fix runtime for Java 25+, improve port

    Add to JAVA_ADD_OPENS in kc.sh for run with Java 25+:
    --add-opens=java.base/java.lang=ALL-UNNAMED
    --enable-native-access=ALL-UNNAMED
    The patch was obtained from here:
    https://github.com/keycloak/keycloak/pull/45872/files#diff-28d941fe33e0f8217892e8096ba7152ba9ade67e3b2c3f0ce31a333d90cc339d
    For more information read:
    https://github.com/keycloak/keycloak/issues/43265
    https://github.com/keycloak/keycloak/pull/45872

    Improve port:
    - Parametrize "keycloak" with "${PORTNAME}" in USE_RC_SUBR.
    - Replace "RM *.bat" with "EXTRACT_AFTER_ARGS=--exclude *.bat".
    - Remove unnecessary "+" in "SUB_FILES+=" and "SUB_LIST+=".
    - Use declared "KEYCLOAK_GROUP" instead of "USERS" in "GROUPS" assignment.
    - Use "RLN" instead of "LN -sf".
    - Move the creation of "*.sample" configuration files from "post-patch" to "do-install".
    - Improve alignment in comments rc script.
    - Respect "%%USER%%" and "%%GROUP%%" in rc script.
    - Replace "export JAVA_HOME=…" with "${name}_env=JAVA_HOME=…" in rc script.

    PR:             294235
    Approved by:    Matthias Wolf <freebsd@rheinwolf.de> (maintainer)
    Sponsored by:   UNIS Labs
    MFH:            2026Q2

 net/keycloak/Makefile                    | 27 +++++++++++++--------------
 net/keycloak/files/keycloak.in           | 31 +++++++++++++++++--------------
 net/keycloak/files/patch-bin_kc.sh (new) | 11 +++++++++++
 3 files changed, 41 insertions(+), 28 deletions(-)
A commit in branch 2026Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2cef2419e11ec988586e0f888850563e825c57ae

commit 2cef2419e11ec988586e0f888850563e825c57ae
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2026-04-11 17:49:22 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2026-04-11 18:19:29 +0000

    net/keycloak: Fix runtime for Java 25+, improve port

    Add to JAVA_ADD_OPENS in kc.sh for run with Java 25+:
    --add-opens=java.base/java.lang=ALL-UNNAMED
    --enable-native-access=ALL-UNNAMED
    The patch was obtained from here:
    https://github.com/keycloak/keycloak/pull/45872/files#diff-28d941fe33e0f8217892e8096ba7152ba9ade67e3b2c3f0ce31a333d90cc339d
    For more information read:
    https://github.com/keycloak/keycloak/issues/43265
    https://github.com/keycloak/keycloak/pull/45872

    Improve port:
    - Parametrize "keycloak" with "${PORTNAME}" in USE_RC_SUBR.
    - Replace "RM *.bat" with "EXTRACT_AFTER_ARGS=--exclude *.bat".
    - Remove unnecessary "+" in "SUB_FILES+=" and "SUB_LIST+=".
    - Use declared "KEYCLOAK_GROUP" instead of "USERS" in "GROUPS" assignment.
    - Use "RLN" instead of "LN -sf".
    - Move the creation of "*.sample" configuration files from "post-patch" to "do-install".
    - Improve alignment in comments rc script.
    - Respect "%%USER%%" and "%%GROUP%%" in rc script.
    - Replace "export JAVA_HOME=…" with "${name}_env=JAVA_HOME=…" in rc script.

    PR:             294235
    Approved by:    Matthias Wolf <freebsd@rheinwolf.de> (maintainer)
    Sponsored by:   UNIS Labs
    MFH:            2026Q2

    (cherry picked from commit d848ed23c8dedc71a10834bd17465153e79d22ec)

 net/keycloak/Makefile                    | 27 +++++++++++++--------------
 net/keycloak/files/keycloak.in           | 31 +++++++++++++++++--------------
 net/keycloak/files/patch-bin_kc.sh (new) | 11 +++++++++++
 3 files changed, 41 insertions(+), 28 deletions(-)