
Re: [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 - Oct 30

Just to inject: A few Oracle employees, myself and Bill included, have been granted GitHub Organization Administrator role, temporarily. Once the initial release of Eclipse GlassFish is done, I would expect this "level up" will be rescinded. Therefore, if these reports only go to GH Org Admins, these reports would then only go to Eclipse administrators.

What Eclipse administrators will do with them is unknown to me. I do not recall any additional notification regarding these alerts and I do currently receive them, directly.

So ... going forward, it sounds like the PMC should decide if it wants these forwarded from the Eclipse Admins. If they aren't useful, I suppose they can be ignored. As Bill hints below, some organizations might tend toward over, rather than under, reaction for security vulnerability related issues.

-- Ed


On 10/31/2018 10:48 AM, Bill Shannon wrote:
False positive in what sense?

The projects don't actually have the dependency?

The dependency doesn't actually have the security vulnerability?

The security vulnerability doesn't actually impact the dependent project?

I know at Oracle our approval process assumes the vulnerability is relevant
unless we can show otherwise.  It's often easier to update the dependency
than to prove that it's not necessary.


Mark Thomas wrote on 10/31/2018 10:40 AM:
You have to be an org admin.

Experience at the ASF is that they are mostly noise due to a high false positive
rate.

Mark


On 31/10/2018 17:24, Bill Shannon wrote:
I'm not sure who gets these.  You may have to be a Committer on the project or
an admin for the organization.

Steve Millidge (Payara) wrote on 10/31/2018 02:24 AM:
Security alerts on GitHub

I don’t get these at a PMC level.

From: ee4j-pmc-bounces@xxxxxxxxxxx <ee4j-pmc-bounces@xxxxxxxxxxx> On Behalf Of Bill Shannon
Sent: 30 October 2018 23:55
To: EE4J PMC Discussions <ee4j-pmc@xxxxxxxxxxx>
Subject: [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 - Oct 30

Is anyone on the PMC tracking these security alerts?

Shouldn't someone ensure that the EE4J projects are responding to these in a
timely manner?


(Obviously ignore the "javaee" entries below.)


-------- Forwarded Message --------
Subject: Your GitHub security alerts for the week of Oct 23 - Oct 30
Date: Tue, 30 Oct 2018 17:36:28 +0000 (UTC)
From: GitHub <noreply@xxxxxxxxxx>
To: Bill Shannon <bill.shannon@xxxxxxxxxx>

GitHub security alert digest

bshannon's repository security updates from the week of Oct 23 - Oct 30

Java EE organization

javaee / metro-jaxws-commons <https://github.com/javaee/metro-jaxws-commons>

Known security vulnerabilities detected

Dependency: org.springframework:spring-core
Version: > 3.2.0 < 3.2.15
Upgrade to: ~> 3.2.15
Vulnerabilities:
  CVE-2015-5211 High severity
  CVE-2018-1270 High severity
  CVE-2018-1275 High severity
  CVE-2015-3192 Moderate severity
  CVE-2016-5007 Moderate severity
  View 3 more <https://github.com/javaee/metro-jaxws-commons/network/alert/spring/spring-core/pom.xml/org.springframework:spring-core/open>
Defined in: pom.xml

Review all vulnerable dependencies <https://github.com/javaee/metro-jaxws-commons/network/alerts>

javaee / javadb <https://github.com/javaee/javadb>

Known security vulnerabilities detected

Dependency: org.apache.axis:axis
Version: <= 1.4
Vulnerabilities:
  CVE-2014-3596 Moderate severity
  CVE-2018-8032 Moderate severity
Defined in: pom.xml

Review all vulnerable dependencies <https://github.com/javaee/javadb/network/alerts>

javaee / external <https://github.com/javaee/external>

Known security vulnerabilities detected

Dependency: org.apache.axis:axis
Version: <= 1.4
Vulnerabilities:
  CVE-2014-3596 Moderate severity
  CVE-2018-8032 Moderate severity
Defined in: pom.xml

Review all vulnerable dependencies <https://github.com/javaee/external/network/alerts>

Eclipse EE4J organization

eclipse-ee4j / tyrus <https://github.com/eclipse-ee4j/tyrus>

Known security vulnerabilities detected

Dependency: org.eclipse.jetty:jetty-server
Version: < 9.2.25.v20180606
Upgrade to: ~> 9.2.25.v20180606
Vulnerabilities:
  CVE-2017-7657 Critical severity
  CVE-2017-7656 Moderate severity
Defined in: pom.xml

Review all vulnerable dependencies <https://github.com/eclipse-ee4j/tyrus/network/alerts>

eclipse-ee4j / grizzly-ahc <https://github.com/eclipse-ee4j/grizzly-ahc>

Known security vulnerabilities detected

Dependency: org.eclipse.jetty:jetty-server
Version: >= 9.4.0 < 9.4.11.v20180605
Upgrade to: ~> 9.4.11.v20180605
Vulnerabilities:
  CVE-2018-12538 Moderate severity
  CVE-2018-12536 Moderate severity
  CVE-2017-7656 Moderate severity
Defined in: pom.xml

Review all vulnerable dependencies <https://github.com/eclipse-ee4j/grizzly-ahc/network/alerts>

Always verify the validity and compatibility of suggestions with your codebase.




_______________________________________________
ee4j-pmc mailing list
ee4j-pmc@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from
this list, visit
https://www.eclipse.org/mailman/listinfo/ee4j-pmc


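Bill's three questions in the thread above are the triage a maintainer has to do for every one of these alerts, and the first of them ("does the project actually have the dependency?") can be checked mechanically instead of argued. The script below is an added example for this page, not code from GitHub, the Eclipse Foundation or any EE4J project: it takes the dependency and affected version range from each digest entry as printed in the forwarded mail and compares them with what `mvn dependency:list` reports for the build. The dependency-list output, the resolved versions and the scopes are constructed for the example, as is the simplified version ordering; none of it describes what those projects actually resolved in October 2018.

```python
"""Triage GitHub dependency alerts against what a Maven build actually resolves.

Added example for this thread (not GitHub, Eclipse or EE4J code). Alert data
is copied from the forwarded digest; the dependency lists are constructed.
"""
import re
from typing import Dict, List, Tuple

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def version_key(version: str) -> tuple:
    """Ordering key for versions such as 3.2.15 or 9.2.25.v20180606.

    Segments split on '.' and '-'; numeric segments compare as integers,
    qualifiers as strings, and numeric segments sort before qualifiers.
    Assumption: this simplified rule is enough for the versions in the
    digest; it is not a port of Maven's ComparableVersion.
    """
    return tuple((0, int(s)) if s.isdigit() else (1, s)
                 for s in re.split(r"[.\-]", version))


def parse_range(expr: str) -> List[Tuple[str, tuple]]:
    """'> 3.2.0 < 3.2.15' -> [('>', key(3.2.0)), ('<', key(3.2.15))]."""
    pairs = re.findall(r"(<=|>=|<|>|=)\s*([0-9][\w.\-]*)", expr)
    if not pairs:
        raise ValueError(f"unparseable affected range: {expr!r}")
    return [(op, version_key(v)) for op, v in pairs]


def in_range(version: str, expr: str) -> bool:
    """True when `version` satisfies every constraint of the affected range."""
    key = version_key(version)
    return all(OPS[op](key, bound) for op, bound in parse_range(expr))


def parse_dependency_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse `mvn dependency:list` lines shaped
    groupId:artifactId:type[:classifier]:version:scope into
    {'groupId:artifactId': (version, scope)}; every other line is ignored."""
    resolved = {}
    for line in text.splitlines():
        parts = line.strip().split(" ")[0].split(":")
        if len(parts) not in (5, 6):
            continue
        resolved[f"{parts[0]}:{parts[1]}"] = (parts[-2], parts[-1])
    return resolved


def triage(alert_dep: str, affected: str, dependency_list: str) -> str:
    """Classify one alert for one build:
    not-resolved             the build never pulls the artifact (Bill's first
                             kind of false positive)
    resolved-outside-range   present, but not in the affected range
    affected:<ver>:<scope>   the alert applies; scope says whether it ships
    """
    resolved = parse_dependency_list(dependency_list)
    if alert_dep not in resolved:
        return "not-resolved"
    version, scope = resolved[alert_dep]
    if not in_range(version, affected):
        return f"resolved-outside-range:{version}"
    return f"affected:{version}:{scope}"


# Entries as printed in the forwarded digest: repo -> (dependency, affected range).
ALERTS = {
    "eclipse-ee4j/tyrus": ("org.eclipse.jetty:jetty-server", "< 9.2.25.v20180606"),
    "eclipse-ee4j/grizzly-ahc": ("org.eclipse.jetty:jetty-server", ">= 9.4.0 < 9.4.11.v20180605"),
    "javaee/metro-jaxws-commons": ("org.springframework:spring-core", "> 3.2.0 < 3.2.15"),
}

# Constructed `mvn dependency:list` output. Versions and scopes are assumptions
# for the example, not what these projects resolved.
DEPENDENCY_LISTS = {
    "eclipse-ee4j/tyrus": """
The following files have been resolved:
   org.eclipse.jetty:jetty-server:jar:9.2.24.v20180105:test
   org.eclipse.jetty:jetty-util:jar:9.2.24.v20180105:test
""",
    "eclipse-ee4j/grizzly-ahc": """
The following files have been resolved:
   org.eclipse.jetty:jetty-server:jar:9.4.12.v20180830:test
""",
    # spring-core assumed declared only in an inactive profile: never resolved.
    "javaee/metro-jaxws-commons": """
The following files have been resolved:
   javax.xml.ws:jaxws-api:jar:2.3.1:compile
""",
}


def triage_digest() -> Dict[str, str]:
    """Run every digest entry against its build's dependency list."""
    return {repo: triage(dep, affected, DEPENDENCY_LISTS[repo])
            for repo, (dep, affected) in ALERTS.items()}


if __name__ == "__main__":
    for repo, verdict in triage_digest().items():
        print(f"{repo}: {verdict}")
```

Two caveats when reading the verdicts. A `not-resolved` result only covers the profiles and modules the dependency list was generated for; the digest flags what pom.xml declares ("Defined in pom.xml"), so a dependency in an inactive profile or a dependencyManagement section will keep triggering the alert until the declaration itself is changed. And an `affected` result in test scope is still a decision, not a dismissal: the approach Bill describes, treating the alert as relevant unless shown otherwise and usually just bumping the version, is the cheaper path in exactly that case.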


