Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GHSA-93ww-43rr-79v3] Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination #5236

Merged
merged 2 commits into from
Jan 30, 2025
Merged

[GHSA-93ww-43rr-79v3] Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination #5236

merged 2 commits into from
Jan 30, 2025
+1 −20

Conversation

westonsteimel
Copy link

Updates

  • Affected products

Comments
just adding 24.0.9 to the patch list, the affected range was already < 24.0.9
keycloak/keycloak@3da16ee

@github
Copy link
Collaborator

github commented Jan 29, 2025

Hi there @jonkoops! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@westonsteimel westonsteimel mentioned this pull request Jan 29, 2025
Open
@github-actions github-actions bot changed the base branch from main to westonsteimel/advisory-improvement-5236 January 29, 2025 17:16
@jonkoops
Copy link

The last release in Keycloak 24.x was 24.0.5, after that there have (and will not) be any further official releases. The fix linked here is in a branch that is used for LTS variants for various downstreams (e.g.Red Hat build of Keycloak).

@darakian
Copy link
Contributor

Thanks for the context @jonkoops and good to know. @westonsteimel, given that the patched version isn't (and won't) be published to maven central I'm not sure we want to add it to our advisory. I think the fix commit would be good to have, but thoughts?

@westonsteimel
Copy link
Author

Thanks for the context @jonkoops and good to know. @westonsteimel, given that the patched version isn't (and won't) be published to maven central I'm not sure we want to add it to our advisory. I think the fix commit would be good to have, but thoughts?

Should we add 26.0.6 as the recommended patch for the 24.x range then as well?

@darakian
Copy link
Contributor

Oh that's a thought. I suppose we would be suggesting a potentially breaking change, but it wouldn't be the first time. Any opposition @jonkoops or are you ok with suggesting 24.x users migrate to 26?

@jonkoops
Copy link

I am not sure why it ended up in the advisory, but I believe 24.0.9 should not be mentioned at all, as that is meant for downstream versions, the fixed version is 26.0.6 and the recommendation here is to upgrade to that version (or later). @rmartinc @abstractj @sschu WDYT?

@westonsteimel
Copy link
Author

westonsteimel commented Jan 30, 2025
edited
Loading

So just drop the < 24.0.9 range and make a single range of < 26.0.6? That seems reasonable to me

@rmartinc
Copy link

@jonkoops Yes, I think that 24.0.9 can be deleted in that advisory. But just upgrade to 26.0.6 or later.

@jonkoops
Copy link

Great, if you would like to make the changes @westonsteimel that would be appreciated.

@github
Copy link
Collaborator

github commented Jan 30, 2025

Hi there @jonkoops! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

abstractj
abstractj suggested changes Jan 30, 2025
View reviewed changes
Copy link

@abstractj abstractj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the changes requested by @jonkoops

jonkoops
jonkoops approved these changes Jan 30, 2025
View reviewed changes
Copy link

@jonkoops jonkoops left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@advisory-database advisory-database bot merged commit 6eafa56 into westonsteimel/advisory-improvement-5236 Jan 30, 2025
1 check passed
@advisory-database
Copy link
Contributor

Hi @westonsteimel! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the westonsteimel-GHSA-93ww-43rr-79v3 branch January 30, 2025 17:47
@darakian
Copy link
Contributor

Merged in. Thanks all 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abstractj abstractj abstractj requested changes

@jonkoops jonkoops jonkoops approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@westonsteimel @github @jonkoops @darakian @rmartinc @abstractj