Or is that this 
https://issues.apache.org/jira/projects/JXPATH/issues/JXPATH-200?filter=allopenissues

Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: Eric Bresie <ebre...@gmail.com>
Sent: Monday, October 10, 2022 4:22:42 PM
To: Commons Developers List <dev@commons.apache.org>
Subject: Re: [jxpath] reported CVE and path forward

So then discussed here (1) (which I assume is what's being done here) and bugs
raised here (2)?  Has (2) been done yet?

  1.  https://commons.apache.org/proper/commons-jxpath/mail-lists.html
  2.  https://commons.apache.org/proper/commons-jxpath/issue-tracking.html


________________________________
From: Bruno Kinoshita <ki...@apache.org>
Sent: Monday, October 10, 2022 4:15:03 PM
To: Commons Developers List <dev@commons.apache.org>
Subject: Re: [jxpath] reported CVE and path forward

Hi Eric,

> For my understanding, is oss-fuzz an open source project that is maintained
> and managed by Google (and is not an Apache project) but is for “fuzz
> testing” with portion focused on Apache common products?
>

That's my understanding too, although I am not sure if it is maintained and
managed solely by Google. But you are correct in that oss-fuzz is not an
Apache project. It is an external service similar to GitHub Actions,
Dependabot, Codecov, etc.

> So am I correct in saying run oss-fuzz against Apache-common, which may
> find problems in commons.  So any findings would be identified as a bug and
> fix as applicable?
>

That sounds correct to me.

There is an apache-commons oss-fuzz project created in the oss-fuzz GitHub
repository. That becomes a project in the oss-fuzz web system which I and
other ASF members have access to - anyone from ASF can request access:
https://oss-fuzz.com

It was created some time ago, and Commons Imaging was one of the first
included. We (ASF Commons) were involved in setting up that project, so
that someone from ASF would receive notifications (by being CC'ed in
oss-fuzz notifications). We decided against using the dev-list, so only
those that volunteered at the time receive emails.

I checked the GitHub repository today, and found other Commons Components
that are not part of the apache-commons project, and that have the
notifications configured to emails of a security company. So in this case
the findings in Commons repositories would be identified as a bug and
reported to that company, without - as far as I can tell - involvement of ASF
Commons devs.

Hope that clarifies,

Bruno


On Tue, 11 Oct 2022 at 10:06, Eric Bresie <ebre...@gmail.com> wrote:

> For my understanding, is oss-fuzz an open source project that is
> maintained and managed by Google (and is not an Apache project) but is for
> “fuzz testing” with portion focused on Apache common products?
>
> So am I correct in saying run oss-fuzz against Apache-common, which may
> find problems in commons.  So any findings would be identified as a bug and
> fix as applicable?
>
>
> ________________________________
> From: Bruno Kinoshita <ki...@apache.org>
> Sent: Monday, October 10, 2022 3:51:30 PM
> To: Commons Developers List <dev@commons.apache.org>
> Subject: Re: Re: [jxpath] reported CVE and path forward
>
> Hi Matt,
>
> I am also subscribed to oss-fuzz for Imaging.
>
> Looks like someone added jxpath to oss-fuzz here:
> https://github.com/google/oss-fuzz/pull/7582
>
> The initial oss-fuzz for ASF was, if I recall correctly, all put under a
> single project:
> https://github.com/google/oss-fuzz/tree/master/projects/apache-commons
>
> If you go one level higher in that repository link, you will see there are
> now other projects in oss-fuzz for other Commons components.
>
> The apache-commons project (that contains Imaging, Compress, and Geometry)
> had a custom policy, agreed in the mailing list and later with someone that
> maintained oss-fuzz, where ASF issues were not disclosed in 90 days, but
> instead gave us more time to align the issues with our ASF process.
>
> I am not sure if these other projects follow similar policy, nor if the ASF
> developers are aware of the integration (I only keep an eye on
> compress/imaging/geometry notifications from the apache-commons project).
> Also not sure whether it's better to have everything in a single project in
> oss-fuzz or in separate projects. I'm happy with Imaging being a single
> oss-fuzz project if needed, but I prefer to keep the policy of giving a
> longer time to review the issues. I try to review important issues quickly,
> but the ones that I know are very low priority or won't be fixed (e.g. OOM)
> I leave for later.
>
> Cheers
> Bruno
>
> On Tue, 11 Oct 2022 at 09:01, Matt Sicker <boa...@gmail.com> wrote:
>
> > I get emails about some of the Commons fuzzing things, but I was only
> > aware of it being enabled for compress and imaging.
> >
> > On Mon, Oct 10, 2022 at 1:37 PM Roman Wagner
> > <wag...@code-intelligence.com> wrote:
> > >
> > > Hi all,
> > >
> > > I am working for Code Intelligence; we did our best to find a maintainer
> > > for the oss-fuzz project. Unfortunately we've got no feedback until now,
> > > but it seems to be an unmaintained project except for some typo fixes
> > > since some years. I am not sure yet to which mailing list the bug report
> > > was sent to, but I will check that information with the team.
> > >
> > > However, I am really happy that there is some interest in fixing the
> > > RCE. I have verified the vulnerability and for me it seems to be a valid
> > > RCE. @Mark Thomas should we continue to discuss further details via
> > > secur...@apache.org?
> > >
> > > Best regards
> > > Roman
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
> >
> >
>