Hi Team

I am interested in upgrading Apache Directory to remediate a few CVEs and would appreciate feedback on my approach before I start

Context
The embedded Apache Directory Server (2.0.0.AM26) currently pulls in multiple CVEs. Moving to 2.0.0.AM27 would require introducing Apache Kerby.

Relevant CVEs
CVE-2015-6420
CVE-2015-7501
CVE-2020-15522
CVE-2021-41973
CVE-2023-33201
CVE-2023-33202
CVE-2024-29857
CVE-2024-52046
CVE-2024-30171

Vulnerable dependencies from Apache Directory Server
commons-collections:commons-collections
org.apache.mina:mina-core
org.bouncycastle:bcprov-jdk15on

Keycloak Modules impacted

• Util – util/embedded-ldap-server
• Test Suite Utils – testsuite/utils
• Integration Servers - testsuite/integration-arquillian/servers/auth-server/undertow
• Integration Test Base – testsuite/integration-arquillian/tests/base
• Model Test – testsuite/model

Proposed approach

• Upgrade Apache Directory Server and introduce Apache Kerby
• Fix Keytab generation by adapting KerberosKeytabCreator to Apache Kerby APIs
• Set up / adjust the Kerberos embedded server
• Fix test any test case failures

Does this approach look correct to you?
Also, are there any guidelines or expectations for testing util/embedded-ldap-server that I should follow while making these changes?

Thanks in advance!