From a58e2b3a3d57cc9ceea69aaf795e6221d28cb69b Mon Sep 17 00:00:00 2001 From: Remco van 't Veer Date: Thu, 8 Jan 2026 12:05:55 +0100 Subject: [PATCH 1/3] Security update CVE-2025-67735 Override netty dependency from aleph and passage. --- connector/deps.edn | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/connector/deps.edn b/connector/deps.edn index de9fc4b..1602517 100644 --- a/connector/deps.edn +++ b/connector/deps.edn 
@@ -10,10 +10,33 @@ org.clojure/tools.logging {:mvn/version "1.3.0"} ch.qos.logback/logback-classic {:mvn/version "1.5.21"} - aleph/aleph {:mvn/version "0.9.3"} + aleph/aleph {:mvn/version "0.9.3" +;;; >>> fix for CVE-2025-67735 + :exclusions [io.netty/netty-codec + io.netty/netty-codec-http + io.netty/netty-codec-http2 + io.netty/netty-handler + io.netty/netty-handler-proxy + io.netty/netty-resolver + io.netty/netty-resolver-dns + io.netty/netty-transport + io.netty/netty-transport-native-epoll + io.netty/netty-transport-native-kqueue]} + io.netty/netty-codec {:mvn/version "4.1.129.Final"} + io.netty/netty-codec-http {:mvn/version "4.1.129.Final"} + io.netty/netty-codec-http2 {:mvn/version "4.1.129.Final"} + io.netty/netty-handler {:mvn/version "4.1.129.Final"} + io.netty/netty-handler-proxy {:mvn/version "4.1.129.Final"} + io.netty/netty-resolver {:mvn/version "4.1.129.Final"} + io.netty/netty-resolver-dns {:mvn/version "4.1.129.Final"} + io.netty/netty-transport {:mvn/version "4.1.129.Final"} + io.netty/netty-transport-native-epoll {:mvn/version "4.1.129.Final"} + io.netty/netty-transport-native-kqueue {:mvn/version "4.1.129.Final"} +;;; fix for CVE-2025-67735 <<< + nl.jomco/clj-http-status-codes {:mvn/version "0.2"} nl.jomco/passage {:git/url "https://codeberg.org/jomco/passage.git" - :git/sha "0c2f080d46be86c94a9a005725663bfba13661e1"} + :git/sha "0d291ae5386d03e1b6a9a900b98e0183dfadeea9"} org.clojure/data.json {:mvn/version "2.5.1"} ring/ring-core {:mvn/version "1.15.3"} ring/ring-json {:mvn/version "0.5.1"} From 527498b8bbfaff913a4d7f1734b5c0f93774405d Mon Sep 17 00:00:00 2001 
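Review bot: The `;;; >>> fix for CVE-2025-67735` / `;;; fix for CVE-2025-67735 <<<` markers name the advisory but not the condition under which the ten pinned coordinates can be dropped, so nothing tells a later maintainer when this block becomes obsolete; I would write the opening marker as `;;; CVE-2025-67735: aleph 0.9.3 brings in a vulnerable netty; pinned to 4.1.129.Final until aleph ships on a fixed netty, then remove this block and the :exclusions above`. The commit message says the override is for aleph and passage, yet only aleph gets `:exclusions`; if the `nl.jomco/passage` sha bump in the same hunk is what covers passage, saying so in that comment settles the question. The `:exclusions` vector also looks redundant, since tools.deps gives top-level coordinates precedence over transitive ones and the ten direct `io.netty/*` entries already win, so keeping only the direct pins would leave less to hold in sync — worth confirming with `clojure -Stree` before simplifying. The `{:deps ...}` map this hunk edits starts and ends outside the hunk.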
From: Remco van 't Veer Date: Thu, 8 Jan 2026 12:21:20 +0100 Subject: [PATCH 2/3] Update dependencies --- .github/workflows/build.yml | 6 ++--- .../workflows/dependency-vulnerabilities.yml | 2 +- .github/workflows/test.yml | 2 +- association-register/deps.edn | 6 ++--- authentication-service/deps.edn | 6 ++--- authorization-register/deps.edn | 8 +++--- clj-authentication/deps.edn | 2 +- clj-ishare-client/deps.edn | 4 +-- clj-ring-middleware/deps.edn | 2 +- connector/deps.edn | 26 +++++++++---------- deps.edn | 4 +-- 11 files changed, 34 insertions(+), 34 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 900714d..07be0ce 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,7 +23,7 @@ jobs: steps: - uses: actions/checkout@v6 - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: "~/.m2" key: "prep-deps-${{ hashFiles('deps.edn') }}" @@ -71,7 +71,7 @@ jobs: service: [association-register, authorization-register, authentication-service, connector] steps: - uses: actions/checkout@v6 - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: "~/.m2" key: "prep-deps${{ hashFiles('deps.edn') }}" @@ -131,7 +131,7 @@ jobs: lib: [clj-ishare-jwt, clj-ishare-client, clj-authentication, clj-ring-middleware] steps: - uses: actions/checkout@v6 - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: "~/.m2" key: "prep-deps${{ hashFiles('deps.edn') }}" diff --git a/.github/workflows/dependency-vulnerabilities.yml b/.github/workflows/dependency-vulnerabilities.yml index 94e4d94..47093e7 100644 --- a/.github/workflows/dependency-vulnerabilities.yml +++ b/.github/workflows/dependency-vulnerabilities.yml @@ -24,7 +24,7 @@ jobs: run: echo "date=$(date '+%Y-%m-%d')" >> $GITHUB_OUTPUT - uses: actions/checkout@v6 - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: "~/.m2" # store as today's cache 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c62bad3..e8aa1e9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -32,7 +32,7 @@ jobs: steps: - uses: actions/checkout@v6 - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: "~/.m2" key: "deps-${{ hashFiles('deps.edn') }}" diff --git a/association-register/deps.edn b/association-register/deps.edn index 1f67f08..f1d8e49 100644 --- a/association-register/deps.edn +++ b/association-register/deps.edn @@ -15,10 +15,10 @@ ring/ring-json {:mvn/version "0.5.1"} ring/ring-jetty-adapter {:mvn/version "1.15.3"} compojure/compojure {:mvn/version "1.7.2"} - ch.qos.logback/logback-classic {:mvn/version "1.5.21"} + ch.qos.logback/logback-classic {:mvn/version "1.5.24"} nl.jomco/clj-http-status-codes {:mvn/version "0.2"} - org.clojure/core.cache {:mvn/version "1.1.234"} - org.clojure/tools.logging {:mvn/version "1.3.0"} + org.clojure/core.cache {:mvn/version "1.2.249"} + org.clojure/tools.logging {:mvn/version "1.3.1"} nl.jomco/envopts {:mvn/version "0.0.7"}} :paths ["src" "resources"] :aliases diff --git a/authentication-service/deps.edn b/authentication-service/deps.edn index 78a3f80..2aa4a75 100644 --- a/authentication-service/deps.edn +++ b/authentication-service/deps.edn @@ -8,7 +8,7 @@ {:deps {org.bdinetwork/clj-authentication {:local/root "../clj-authentication"} org.bdinetwork/clj-ring-middleware {:local/root "../clj-ring-middleware"} org.bdinetwork/service-commons {:local/root "../service-commons"} - ch.qos.logback/logback-classic {:mvn/version "1.5.21"} + ch.qos.logback/logback-classic {:mvn/version "1.5.24"} nl.jomco/with-resources {:mvn/version "0.1.2"} nl.jomco/openapi-v3-validator {:mvn/version "0.2.6"} clj-commons/clj-yaml {:mvn/version "1.0.29"} 
@@ -17,8 +17,8 @@ ring/ring-jetty-adapter {:mvn/version "1.15.3"} compojure/compojure {:mvn/version "1.7.2"} nl.jomco/clj-http-status-codes {:mvn/version "0.2"} - org.clojure/core.cache {:mvn/version "1.1.234"} - org.clojure/tools.logging {:mvn/version "1.3.0"} + org.clojure/core.cache {:mvn/version "1.2.249"} + org.clojure/tools.logging {:mvn/version "1.3.1"} nl.jomco/envopts {:mvn/version "0.0.7"}} :paths ["src" "resources"] diff --git a/authorization-register/deps.edn b/authorization-register/deps.edn index 8f33de6..b3809cb 100644 --- a/authorization-register/deps.edn +++ b/authorization-register/deps.edn @@ -5,9 +5,9 @@ ;;; ;;; SPDX-License-Identifier: AGPL-3.0-or-later -{:deps {ch.qos.logback/logback-classic {:mvn/version "1.5.21"} +{:deps {ch.qos.logback/logback-classic {:mvn/version "1.5.24"} clj-commons/clj-yaml {:mvn/version "1.0.29"} - com.github.seancorfield/next.jdbc {:mvn/version "1.3.1070"} + com.github.seancorfield/next.jdbc {:mvn/version "1.3.1086"} compojure/compojure {:mvn/version "1.7.2"} datascript/datascript {:mvn/version "1.7.8"} migratus/migratus {:mvn/version "1.6.4"} @@ -17,8 +17,8 @@ nl.jomco/with-resources {:mvn/version "0.1.2"} org.bdinetwork/clj-ring-middleware {:local/root "../clj-ring-middleware"} org.bdinetwork/service-commons {:local/root "../service-commons"} - org.clojure/core.cache {:mvn/version "1.1.234"} - org.clojure/tools.logging {:mvn/version "1.3.0"} + org.clojure/core.cache {:mvn/version "1.2.249"} + org.clojure/tools.logging {:mvn/version "1.3.1"} org.postgresql/postgresql {:mvn/version "42.7.8"} ring/ring-core {:mvn/version "1.15.3"} ring/ring-jetty-adapter {:mvn/version "1.15.3"} diff --git a/clj-authentication/deps.edn b/clj-authentication/deps.edn index 045a0eb..51a7fb5 100644 --- a/clj-authentication/deps.edn +++ b/clj-authentication/deps.edn 
@@ -4,7 +4,7 @@ ;;; SPDX-License-Identifier: AGPL-3.0-or-later {:deps {org.bdinetwork/clj-ishare-client {:local/root "../clj-ishare-client"} - org.clojure/core.cache {:mvn/version "1.1.234"} + org.clojure/core.cache {:mvn/version "1.2.249"} clj-commons/clj-yaml {:mvn/version "1.0.29"} nl.jomco/openapi-v3-validator {:mvn/version "0.2.6"}} :paths ["src" "resources"]} diff --git a/clj-ishare-client/deps.edn b/clj-ishare-client/deps.edn index a1af0bb..07bec78 100644 --- a/clj-ishare-client/deps.edn +++ b/clj-ishare-client/deps.edn @@ -8,8 +8,8 @@ {:deps {org.bdinetwork/clj-ishare-jwt {:local/root "../clj-ishare-jwt"} org.babashka/http-client {:mvn/version "0.4.23"} org.babashka/json {:mvn/version "0.1.6"} - org.clojure/tools.logging {:mvn/version "1.3.0"} - org.clojure/core.memoize {:mvn/version "1.1.266"}} + org.clojure/tools.logging {:mvn/version "1.3.1"} + org.clojure/core.memoize {:mvn/version "1.2.273"}} :paths ["src"] :aliases diff --git a/clj-ring-middleware/deps.edn b/clj-ring-middleware/deps.edn index 9513d57..a2e3a45 100644 --- a/clj-ring-middleware/deps.edn +++ b/clj-ring-middleware/deps.edn @@ -7,6 +7,6 @@ {:deps {org.bdinetwork/clj-authentication {:local/root "../clj-authentication"} nl.jomco/clj-http-status-codes {:mvn/version "0.2"} - org.clojure/tools.logging {:mvn/version "1.3.0"} + org.clojure/tools.logging {:mvn/version "1.3.1"} org.slf4j/slf4j-api {:mvn/version "2.0.17"}} :paths ["src"]} diff --git a/connector/deps.edn b/connector/deps.edn index 1602517..79dea39 100644 --- a/connector/deps.edn +++ b/connector/deps.edn @@ -7,8 +7,8 @@ ;; drip responses org.clojure/core.async {:mvn/version "1.8.741"} - org.clojure/tools.logging {:mvn/version "1.3.0"} - ch.qos.logback/logback-classic {:mvn/version "1.5.21"} + org.clojure/tools.logging {:mvn/version "1.3.1"} + ch.qos.logback/logback-classic {:mvn/version "1.5.24"} aleph/aleph {:mvn/version "0.9.3" ;;; >>> fix for CVE-2025-67735 
@@ -22,22 +22,22 @@ io.netty/netty-transport io.netty/netty-transport-native-epoll io.netty/netty-transport-native-kqueue]} - io.netty/netty-codec {:mvn/version "4.1.129.Final"} - io.netty/netty-codec-http {:mvn/version "4.1.129.Final"} - io.netty/netty-codec-http2 {:mvn/version "4.1.129.Final"} - io.netty/netty-handler {:mvn/version "4.1.129.Final"} - io.netty/netty-handler-proxy {:mvn/version "4.1.129.Final"} - io.netty/netty-resolver {:mvn/version "4.1.129.Final"} - io.netty/netty-resolver-dns {:mvn/version "4.1.129.Final"} - io.netty/netty-transport {:mvn/version "4.1.129.Final"} - io.netty/netty-transport-native-epoll {:mvn/version "4.1.129.Final"} - io.netty/netty-transport-native-kqueue {:mvn/version "4.1.129.Final"} + io.netty/netty-codec ^:antq/exclude {:mvn/version "4.1.129.Final"} + io.netty/netty-codec-http ^:antq/exclude {:mvn/version "4.1.129.Final"} + io.netty/netty-codec-http2 ^:antq/exclude {:mvn/version "4.1.129.Final"} + io.netty/netty-handler ^:antq/exclude {:mvn/version "4.1.129.Final"} + io.netty/netty-handler-proxy ^:antq/exclude {:mvn/version "4.1.129.Final"} + io.netty/netty-resolver ^:antq/exclude {:mvn/version "4.1.129.Final"} + io.netty/netty-resolver-dns ^:antq/exclude {:mvn/version "4.1.129.Final"} + io.netty/netty-transport ^:antq/exclude {:mvn/version "4.1.129.Final"} + io.netty/netty-transport-native-epoll ^:antq/exclude {:mvn/version "4.1.129.Final"} + io.netty/netty-transport-native-kqueue ^:antq/exclude {:mvn/version "4.1.129.Final"} ;;; fix for CVE-2025-67735 <<< nl.jomco/clj-http-status-codes {:mvn/version "0.2"} nl.jomco/passage {:git/url "https://codeberg.org/jomco/passage.git" :git/sha "0d291ae5386d03e1b6a9a900b98e0183dfadeea9"} - org.clojure/data.json {:mvn/version "2.5.1"} + org.clojure/data.json {:mvn/version "2.5.2"} ring/ring-core {:mvn/version "1.15.3"} ring/ring-json {:mvn/version "0.5.1"} hiccup/hiccup {:mvn/version "2.0.0"} diff --git a/deps.edn b/deps.edn index b0a94cb..167391a 100644 --- a/deps.edn +++ b/deps.edn 
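Review bot: Tagging each pinned `io.netty/*` coordinate `^:antq/exclude` means antq will never propose a newer netty for this block, so the next netty security release has to be noticed by hand; the dependency-vulnerabilities workflow touched earlier in this commit presumably still reports it, but the comment should state that this is the intended safety net. I would extend the existing marker to `;;; >>> fix for CVE-2025-67735 — excluded from antq on purpose; bump by hand when a newer io.netty 4.1.x.Final is out, drop when aleph ships on a fixed netty`. Ten copies of the same version string are also easy to get out of step, and bumping one coordinate without the others puts mixed netty artifacts on the classpath, so a quick check that all ten pins agree is cheaper than relying on review each time. The enclosing `{:deps ...}` map starts outside the hunk.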
@@ -34,7 +34,7 @@ ;; connector tests ring/ring {:mvn/version "1.15.3"}} - :main-opts ["-m" "kaocha.runner"] + :main-opts ["-m" "kaocha.runner"] :extra-paths ["test-helpers" "test-resources" "clj-ishare-jwt/test" @@ -48,7 +48,7 @@ :lint {:extra-deps {clj-kondo/clj-kondo {:mvn/version "RELEASE"}} :main-opts ["-m" "clj-kondo.main"]} - :build {:deps {io.github.clojure/tools.build {:mvn/version "0.10.11"} + :build {:deps {io.github.clojure/tools.build {:mvn/version "0.10.12"} slipset/deps-deploy {:mvn/version "RELEASE"}} :ns-default build-lib} From 152eed6bc84d6d89e42bd6b5a194c04e36ead7c8 Mon Sep 17 00:00:00 2001 From: Remco van 't Veer Date: Fri, 9 Jan 2026 10:23:51 +0100 Subject: [PATCH 3/3] connector: drop aleph dependency We only need manifold. --- connector/deps.edn | 31 +++---------------- .../connector/interceptors_test.clj | 11 +++---- 2 files changed, 9 insertions(+), 33 deletions(-) diff --git a/connector/deps.edn b/connector/deps.edn index 79dea39..bb176b2 100644 --- a/connector/deps.edn +++ b/connector/deps.edn 
@@ -10,33 +10,10 @@ org.clojure/tools.logging {:mvn/version "1.3.1"} ch.qos.logback/logback-classic {:mvn/version "1.5.24"} - aleph/aleph {:mvn/version "0.9.3" -;;; >>> fix for CVE-2025-67735 - :exclusions [io.netty/netty-codec - io.netty/netty-codec-http - io.netty/netty-codec-http2 - io.netty/netty-handler - io.netty/netty-handler-proxy - io.netty/netty-resolver - io.netty/netty-resolver-dns - io.netty/netty-transport - io.netty/netty-transport-native-epoll - io.netty/netty-transport-native-kqueue]} - io.netty/netty-codec ^:antq/exclude {:mvn/version "4.1.129.Final"} - io.netty/netty-codec-http ^:antq/exclude {:mvn/version "4.1.129.Final"} - io.netty/netty-codec-http2 ^:antq/exclude {:mvn/version "4.1.129.Final"} - io.netty/netty-handler ^:antq/exclude {:mvn/version "4.1.129.Final"} - io.netty/netty-handler-proxy ^:antq/exclude {:mvn/version "4.1.129.Final"} - io.netty/netty-resolver ^:antq/exclude {:mvn/version "4.1.129.Final"} - io.netty/netty-resolver-dns ^:antq/exclude {:mvn/version "4.1.129.Final"} - io.netty/netty-transport ^:antq/exclude {:mvn/version "4.1.129.Final"} - io.netty/netty-transport-native-epoll ^:antq/exclude {:mvn/version "4.1.129.Final"} - io.netty/netty-transport-native-kqueue ^:antq/exclude {:mvn/version "4.1.129.Final"} -;;; fix for CVE-2025-67735 <<< - nl.jomco/clj-http-status-codes {:mvn/version "0.2"} nl.jomco/passage {:git/url "https://codeberg.org/jomco/passage.git" :git/sha "0d291ae5386d03e1b6a9a900b98e0183dfadeea9"} + manifold/manifold {:mvn/version "0.5.0"} org.clojure/data.json {:mvn/version "2.5.2"} ring/ring-core {:mvn/version "1.15.3"} ring/ring-json {:mvn/version "0.5.1"} 
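Review bot: Dropping the `io.netty/*` pins and the aleph `:exclusions` here undoes the CVE-2025-67735 mitigation from the first patch of this series, and the hunk only shows what is removed; whether a netty artifact still reaches the connector classpath through `nl.jomco/passage` (named next to aleph in that earlier commit message) or through the new `manifold/manifold {:mvn/version "0.5.0"}` is not visible. Before merging I would confirm with `clojure -Stree` in `connector/` that no `io.netty` coordinate remains, or else keep the pins, and a sentence in the commit message recording that result would spare the next reader the same check. The `{:deps ...}` map begins outside the hunk.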
@@ -55,6 +32,6 @@ :run {:main-opts ["-m" "org.bdinetwork.connector.main"]} :print-interceptors {:replace-paths ["src"] ;; prevent log messages - :exec-fn passage.interceptors/print-docs - :exec-args {:extra-namespaces [org.bdinetwork.connector.interceptors] - :ns-alias {bdi org.bdinetwork.connector.interceptors}}}}} + :exec-fn passage.interceptors/print-docs + :exec-args {:extra-namespaces [org.bdinetwork.connector.interceptors] + :ns-alias {bdi org.bdinetwork.connector.interceptors}}}}} diff --git a/connector/test/org/bdinetwork/connector/interceptors_test.clj b/connector/test/org/bdinetwork/connector/interceptors_test.clj index 8e19111..1a4decf 100644 --- a/connector/test/org/bdinetwork/connector/interceptors_test.clj +++ b/connector/test/org/bdinetwork/connector/interceptors_test.clj @@ -3,7 +3,7 @@ ;;; SPDX-License-Identifier: AGPL-3.0-or-later (ns org.bdinetwork.connector.interceptors-test - (:require [aleph.http :as http] + (:require [babashka.http-client :as http] [buddy.core.keys :as keys] [clojure.data.json :as json] [clojure.java.io :as io] @@ -202,9 +202,8 @@ :aud "audience" :sub "test-subject"}) {:keys [status body]} - @(http/get proxy-url - {:throw-exceptions? false - :headers {"authorization" (str "Bearer " token)}})] + (http/get proxy-url + {:throw-exceptions? false + :headers {"authorization" (str "Bearer " token)}})] (is (= http-status/ok status)) - (is (= "pass" - (slurp body))))))) + (is (= "pass" body))))))
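Review bot: In the `@@ -202,9 +202,8 @@` hunk the new `(http/get proxy-url {:throw-exceptions? false ...})` keeps an option key from the aleph client; `babashka.http-client` spells this option `:throw`, so as written the request throws on any non-2xx status instead of returning it, and a regression would surface as an exception rather than a failed `(is (= http-status/ok status))`. I would change the option to `:throw false`. Whether `org.babashka/http-client` is on the connector test classpath once aleph is gone is not visible here (this series declares it in `clj-ishare-client/deps.edn`, not in `connector/deps.edn`), so that is worth a check too. The `deftest` containing this hunk starts outside it.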