Skip to content

Bump org.apache.storm:storm-client from 2.6.2 to 2.8.7#2

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/org.apache.storm-storm-client-2.8.7
Open

Bump org.apache.storm:storm-client from 2.6.2 to 2.8.7#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/org.apache.storm-storm-client-2.8.7

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 6, 2026

Bumps org.apache.storm:storm-client from 2.6.2 to 2.8.7.

Release notes

Sourced from org.apache.storm:storm-client's releases.

Apache Storm 2.8.7 has been released. This release includes critical security fixes, library updates, and documentation improvements. The community strongly encourages all users of previous versions to upgrade to this release.

⚠️ Security Fixes

  • CVE-2026-40557: JVM-wide TLS Security Downgrade in Prometheus Reporter
    • Versions Affected: 2.6.3 to 2.8.6.
    • Technical Description: Enabling the skip_tls_validation configuration in the Prometheus Reporter caused an improper certificate validation that replaced the default SSL context. This resulted in a JVM-wide TLS security downgrade, affecting all components within the same process.
    • Fix: The reporter now uses a scoped SSL context for validation bypass, ensuring the default JVM SSL context remains secure.
  • CVE-2026-41081: Improper Handling of TLS Client Authentication Failures
    • Versions Affected: All versions before 2.8.7.
    • Technical Description: When TLS client authentication was enabled, failed authentication attempts were incorrectly assigned a fallback "ANONYMOUS" principal. This allowed unauthorized users to potentially bypass authorization checks that relied on the presence of a principal.
    • Fix: Connections are now strictly rejected if TLS client authentication fails or is missing when required.

🐛 Bug Fixes

  • #8518 - Cache busting is broken - ${packageTimestamp} is never substituted in HTML resources.
  • #8516 - Hardening: clean up TlsTransportPlugin and surface unverified peers.
  • #8515 - Profiling/debugging REST endpoints should use POST instead of GET.
  • #8533 - flux: fix 'recieveed' -> 'received' in LogInfoBolt Javadoc.
  • #8532 - storm-client: fix 'accross' -> 'across' in Stream.java Javadoc.
  • #8531 - storm-core: fix 'seperate' -> 'separate' in configuration.h comment.
  • #8530 - docs: fix 'occured' -> 'occurred' in LocallyCachedBlob Javadoc.
  • #8529 - docs: fix 'recieved' -> 'received' in IAutoCredentials Javadoc.

📦 Dependency Upgrades

Dependency From To PR
com.google.guava:guava 33.5.0-jre 33.6.0-jre #8526
org.apache.commons:commons-configuration2 2.13.0 2.14.0 #8525
org.bouncycastle (bouncycastle.version) 1.83 1.84 #8524
org.rocksdb:rocksdbjni 10.10.1 10.10.1.1 #8523
org.jgrapht:jgrapht-core 0.9.0 1.5.3 #8522
org.apache.hbase:hbase-client 2.6.4-hadoop3 2.6.5-hadoop3 #8520
follow-redirects (storm-webapp) 1.15.11 1.16.0 #8519
axios (storm-webapp) 1.13.6 1.15.0 #8511
org.apache.activemq:activemq-client 6.2.3 6.2.4 #8508
org.apache.activemq:activemq-broker 6.2.3 6.2.4 #8507
org.apache.activemq:activemq-all 6.2.3 6.2.4 #8506
org.apache.activemq:activemq-mqtt 6.2.3 6.2.4 #8505

📝 Contributors

... (truncated)

Commits
  • db9cce5 [maven-release-plugin] prepare release v2.8.7
  • c9087ca storm-core: fix 'seperate' -> 'separate' in configuration.h comment
  • 7423651 docs: fix 'occured' -> 'occurred' in LocallyCachedBlob Javadoc
  • a2caed9 storm-client: fix 'accross' -> 'across' in Stream.java Javadoc
  • 820eaaf flux: fix 'recieveed' -> 'received' in LogInfoBolt Javadoc
  • c09f03a security: fix 'recieved' -> 'received' in IAutoCredentials Javadoc
  • a023ef5 Regenerate license files after dependency changes
  • 046cab5 Upgrade to JGraphT 1.5.3
  • 6b32b2f Bump org.jgrapht:jgrapht-core from 0.9.0 to 1.5.3
  • 4d748f3 Regenerate license files after dependency changes
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump org.apache.storm:storm-client from 2.6.2 to 2.8.7
3016e1a 
Bumps [org.apache.storm:storm-client](https://github.com/apache/storm) from 2.6.2 to 2.8.7.
- [Release notes](https://github.com/apache/storm/releases)
- [Commits](apache/storm@v2.6.2...v2.8.7)

---
updated-dependencies:
- dependency-name: org.apache.storm:storm-client
  dependency-version: 2.8.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels May 6, 2026
@dependabot dependabot Bot mentioned this pull request May 6, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants