Back port security vulnerabilities fixes to Keycloak 23


Wilson de Carvalho

Apr 26, 2024, 1:31:58 AM
to Keycloak Dev
Hello,

I would like to know if there are any plans to backport to Keycloak 23 the fixes for the following vulnerabilities just fixed in 24.0.3. I would gladly try to backport them myself if someone points me in the right direction.

CVE-2024-1132 - Keycloak path traversal vulnerability in redirection validation
CVE-2024-1249 - Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS
CVE-2024-2419 - Keycloak path traversal vulnerability in the redirect validation

Thanks!

Jon Koops

Apr 27, 2024, 2:57:21 PM
to Wilson de Carvalho, Keycloak Dev
There are no plans to do so. The only supported version of Keycloak is the latest major version, so if you want to receive security updates you'll have to upgrade to Keycloak 24. For long-term support there is the Red Hat build of Keycloak.


Wilson de Carvalho

May 2, 2024, 8:03:36 PM
to Jon Koops, Keycloak Dev
Thanks Jon. We are moving to the RH build instead.

Best,
--
Wilson de Carvalho.
