Upgrade to Elytron 1.15.5 to address CVE CVE-2021-3642

Dear community,

I am trying to update the dependency that Keycloak ships, by updating versions in pom.xml, from 15.0.2 tag.

Change is simple:

<elytron.version>1.15.3.Final</elytron.version> to <elytron.version>1.15.5.Final</elytron.version>

After the change, I check with mvn dependency:tree and can see that indeed all the versions in the tree are 1.15.5. So far so good.

Next step is building distribution mvn clean install, and distribution is being created.

The problem is when i open the resulted zip/tar.gz file of the distribution i can still see 1.15.3 jar versions inside, and not 1.15.5 as intended.

I tried to search for another definition of 1.15.3 version, but there are none I could find.

Does anyone has any idea what I am missing and WHAT is pulling 1.15.3 version of elytron?

Thanks in advance for a response