Update Memcache SSLContext Protocol to TLSv1.2 #16035

Merged
xvrl merged 4 commits into apache:master from pagrawal10:pagrawal/updateMemcacheProtocol
Mar 7, 2024

@pagrawal10
Contributor

Fixes insecure SSLContext Protocol

Description

TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated.
This PR updates the TLS version used for SSL connections to v1.2

Release note

SSLContext Protocol updated to TLSv1.2 for Memcache


Key changed/added classes in this PR
  • MemcachedCache.java

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

Member

@xvrl xvrl left a comment

Makes sense to update. Druid already defaults to TLS1.2 for inter-node TLS. Ideally we would make this configurable like we do for the HTTP TLS protocols. We should also mention this in the release notes just in case.

@xvrl xvrl merged commit bf39c71 into apache:master Mar 7, 2024
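
An added example (not code from this PR or from Druid) of the configurable protocol the review comment suggests: it builds an `SSLContext` from an allow-listed name and pins the enabled protocols on the engine, since the context's default parameters can list more than the requested version depending on the JVM's security properties. The class name and the `example.memcache.tls.protocol` system property are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;

public class MemcacheTlsProtocolExample {
    // Only explicit modern versions are accepted; generic names such as
    // "TLS" or "SSL" are refused because they do not pin a version.
    private static final List<String> ALLOWED = Arrays.asList("TLSv1.2", "TLSv1.3");

    static SSLContext newContext(String protocol) throws GeneralSecurityException {
        if (!ALLOWED.contains(protocol)) {
            throw new IllegalArgumentException("Refusing weak or ambiguous protocol: " + protocol);
        }
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // JVM default key managers, trust managers and SecureRandom
        return ctx;
    }

    // Restrict the handshake to exactly the configured version, independent
    // of whatever the context enables by default on this JVM.
    static SSLEngine pinnedEngine(SSLContext ctx, String protocol) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] {protocol});
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical property name (assumption); defaults to the version this PR sets.
        String protocol = System.getProperty("example.memcache.tls.protocol", "TLSv1.2");
        SSLContext ctx = newContext(protocol);
        System.out.println("context protocol : " + ctx.getProtocol());
        System.out.println("context defaults : "
            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("pinned engine    : "
            + Arrays.toString(pinnedEngine(ctx, protocol).getEnabledProtocols()));
    }
}
```

Comparing the "context defaults" line with the "pinned engine" line on the target JVM shows whether older versions would still be offered without the explicit `setProtocols` call.
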
pagrawal10 added a commit to confluentinc/druid that referenced this pull request Mar 8, 2024
* Upgrade pac4j-oidc to 4.5.7 to address CVE-2021-44878 (apache#15522)

* Upgrade org.pac4j:pac4j-oidc to 4.5.5 to address CVE-2021-44878
* add CVE suppression and notes, since vulnerability scan still shows this CVE
* Add tests to improve coverage

* CVE Fix: Update json-path version (apache#15772)

Apache Druid brings the dependency json-path which is affected by CVE-2023-51074.
Its latest version 2.9.0 fixes the above CVE.

Append function has been added to json-path and so the unit test to check for the append function not present has been updated.

---------

Co-authored-by: Xavier Léauté <xvrl@apache.org>

* Update protocol for MemcachedCache (apache#16035)

---------

Co-authored-by: Keerthana Srikanth <ksrikanth@confluent.io>
Co-authored-by: Xavier Léauté <xvrl@apache.org>
@adarshsanjeev adarshsanjeev added this to the 30.0.0 milestone May 6, 2024
airlock-confluentinc Bot pushed a commit to confluentinc/druid that referenced this pull request Mar 27, 2025
pagrawal10 added a commit to confluentinc/druid that referenced this pull request Mar 27, 2025