Awesome. Thank you for the reminder Daniel. I'll loop in that list.

Regards,
Alexis

> On Dec 7, 2018, at 3:56 PM, Daniel Farrell <dfarr...@redhat.com> wrote:
>
> No, this list is exactly meant for this type of secret information. It's the
> group of people the TSC has appointed as trusted to handle security issues.
> They will follow all the normal security embargo best practices.
>
> Thanks,
> Daniel
>
> On Fri, Dec 7, 2018 at 9:52 PM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
> Daniel,
>
> Is the content of information provided through that mailing list publicly
> available? If yes, then I can't provide the information to that list, as we
> don't want to share the vulnerabilities publicly.
>
> Alexis
>
>> On Dec 7, 2018, at 3:50 PM, Daniel Farrell <dfarr...@redhat.com> wrote:
>>
>> Hey Alexis,
>>
>> Reminder that we have a security response team that's meant to handle these
>> types of things. Stephen is on the security response team, but you might
>> still be better off sharing with that group vs Stephen and Michael directly.
>> We asked for these details to be sent to that list months ago when ONAP
>> folks first mentioned these scanning issues, but last time I talked to
>> Stephen about it they still hadn't been sent.
>>
>> secur...@lists.opendaylight.org
>>
>> We appreciate ONAP working with us to make sure we're the best upstream we
>> can be. Looking forward to benefiting both projects by working together more
>> closely.
>>
>> Daniel
>>
>> On Fri, Dec 7, 2018 at 8:16 PM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
>> Michael, Stephen,
>>
>> I sent you the information privately, as we should not share vulnerabilities
>> publicly.
>> Please only distribute internally to PTL and/or TSC.
>>
>> Regards,
>> Alexis
>>
>>> On Dec 6, 2018, at 2:20 PM, Abhijit Kumbhare <abhijitk...@gmail.com> wrote:
>>>
>>> Thanks Alexis, Stephen and Michael.
>>>
>>> On Thu, Dec 6, 2018 at 10:16 AM Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
>>> Michael, Stephen,
>>>
>>> Thank you for the prompt response. I'll get clarification on the
>>> vulnerabilities we have identified and will come back to you on the points
>>> you mentioned.
>>>
>>> Alexis
>>>
>>> > On Dec 6, 2018, at 1:06 PM, Stephen Kitt <sk...@redhat.com> wrote:
>>> >
>>> > Hi Alexis,
>>> >
>>> > On Thu, 6 Dec 2018 17:57:29 +0100
>>> > Michael Vorburger <vorbur...@redhat.com> wrote:
>>> >>> On Dec 6, 2018, at 11:05 AM, Alexis de Talhouët <adetalhoue...@gmail.com> wrote:
>>> >>>
>>> >>> Greetings ODL community, TSC,
>>> >>>
>>> >>> Within the ONAP community, we're seeking CII badging. For that, we
>>> >>> need to eradicate critical vulnerabilities.
>>> >>>
>>> >>> A few ONAP projects depend on OpenDaylight artifacts, such as
>>> >>> CCSDK, and we're seeing a fair amount of vulnerabilities coming
>>> >>> from OpenDaylight; precisely, 130 vulnerabilities in our CCSDK CLM
>>> >>> reports that were found in the ODL Oxygen SR3 distribution,
>>> >>> documented here
>>> >>> https://wiki.onap.org/pages/viewpage.action?pageId=45300857. The
>>> >>> document is high-level information providing only the groupId of
>>> >>> the maven artifact. I don't have permission to see ODL projects in
>>> >>> LF Nexus-IQ: https://nexus-iq.wl.linuxfoundation.org, so I can't
>>> >>> link the reports directly here.
>>> >>>
>>> >>> Point is, we would like to know where ODL stands with regards to CII
>>> >>> Badging; is that something you're seeking?
>>> >
>>> > Not actively, but we do care about fixing vulnerabilities.
>>> >
>>> >>> Regardless, we would like to know if ODL is willing to address
>>> >>> critical vulnerabilities impacting ONAP?
>>> >
>>> > Yes, we are.
>>> >
>>> >> I just had a (quick) look at wiki.onap.org, and
>>> >> was wondering if you guys would be willing to help us help you more, by:
>>> >>
>>> >> - clarifying details about the vulnerability, like a link to a CVE
>>> >
>>> > +1
>>> >
>>> >> - first check out Fluorine or even better already Neon; at least some
>>> >> of the Karaf related ones likely are already solved
>>> >
>>> > At least, check Oxygen SR4 when it's available. I'm also not entirely
>>> > sure how the analysis matches up with Oxygen SR3; for example, the
>>> > version of Guava in SR3 is 23.6.1, which fixes the known
>>> > vulnerabilities. CLM also flags a number of false positives, e.g.
>>> > commons-fileupload (1.3.3 in SR3) which is fixed AFAIK.
>>> >
>>> >> - clarify where you found the artifact... there are (to me) some
>>> >> surprises in your list; e.g. sendgrid or angular I wouldn't know
>>> >> where that is used by what project in ODL
>>> >
>>> > +1
>>> >
>>> >> - dedupe your list - it looks a lot longer than it really is, many
>>> >> dupes ;)
>>> >
>>> > I think this is because the artifacts aren't fully described: we need
>>> > the artifactId as well as the groupId, and ideally the version.
>>> >
>>> > Regards,
>>> >
>>> > Stephen
>>>
>>> _______________________________________________
>>> TSC mailing list
>>> t...@lists.opendaylight.org
>>> https://lists.opendaylight.org/mailman/listinfo/tsc

View/Reply Online (#4280): https://lists.onap.org/g/onap-tsc/message/4280
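Stephen's closing point, that the wiki list looks longer than it is because rows are keyed on groupId alone, and that some flagged versions (commons-fileupload 1.3.3, Guava 23.6.1 in SR3) are already at fixed versions, is the kind of triage worth doing with a script before a report goes to a security list. The following is an added example, not ODL or ONAP code and not the CLM report itself: it collapses findings to one entry per full groupId:artifactId:version and marks as resolved any row whose version is at or above an assumed fixed-in threshold. The sample rows, the advisory identifiers (ADV-A and so on), the org.example:widget artifact and the ASSUMED_FIXED_IN table are constructed placeholders; the version comparison is a deliberate simplification of Maven's ComparableVersion rules.

```python
"""Triage CLM-style dependency findings by full Maven coordinate.

Added example (not ODL/ONAP code). Findings and fixed-in thresholds below are
constructed for illustration; replace them with the scanner's real rows and
the advisory's real fixed-in versions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    group_id: str
    artifact_id: str
    version: str
    advisory: str  # whatever identifier the scanner attaches (CVE, vendor id, ...)


def version_key(v):
    """Sort key for Maven-style versions: numeric dotted part, then qualifier.

    Simplification of Maven's ComparableVersion: numeric segments compare as
    integers (trailing zeros are ignored, so 1.3 == 1.3.0) and a release with
    no qualifier ranks above the same number with any qualifier (1.3.3 > 1.3.3-rc1).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][\w.-]*))?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    while len(nums) > 1 and nums[-1] == 0:
        nums = nums[:-1]
    qualifier = m.group(2)
    return (nums, 1 if qualifier is None else 0, qualifier or "")


def dedupe(findings):
    """Collapse rows to one entry per groupId:artifactId:version.

    A report keyed on groupId alone lists the same artifact once per consumer
    and once per advisory; the same advisory against the same GAV is one finding.
    Returns {"group:artifact:version": [sorted advisory ids]}.
    """
    by_gav = defaultdict(set)
    for f in findings:
        by_gav[(f.group_id, f.artifact_id, f.version)].add(f.advisory)
    return {":".join(k): sorted(v) for k, v in by_gav.items()}


def triage(findings, fixed_in):
    """Split deduped findings into still-open vs. resolved-by-version.

    fixed_in maps "groupId:artifactId" to the lowest version the advisory says
    is fixed. A finding at or above that version is a false positive for the
    distribution under review; anything else, or anything with no known
    threshold, stays open for a human to check.
    """
    open_, resolved = {}, {}
    for gav, advisories in dedupe(findings).items():
        group, artifact, version = gav.split(":")
        threshold = fixed_in.get(f"{group}:{artifact}")
        if threshold is not None and version_key(version) >= version_key(threshold):
            resolved[gav] = advisories
        else:
            open_[gav] = advisories
    return open_, resolved


# Constructed sample rows, shaped like a report that lists a dependency once
# per consuming module and once per advisory. Advisory ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("commons-fileupload", "commons-fileupload", "1.3.3", "ADV-A"),
    Finding("commons-fileupload", "commons-fileupload", "1.3.3", "ADV-A"),  # same row, second consumer
    Finding("com.google.guava", "guava", "23.6.1", "ADV-B"),
    Finding("com.google.guava", "guava", "23.6.1", "ADV-C"),
    Finding("com.google.guava", "guava", "22.0", "ADV-B"),                 # an older copy still on the path
    Finding("org.example", "widget", "2.0", "ADV-D"),                       # constructed; no fix threshold known
]

# Assumed fixed-in thresholds, echoing what the thread asserts about SR3.
# Take the real values from each advisory rather than from this table.
ASSUMED_FIXED_IN = {
    "commons-fileupload:commons-fileupload": "1.3.3",
    "com.google.guava:guava": "23.6.1",
}


if __name__ == "__main__":
    open_, resolved = triage(SAMPLE_FINDINGS, ASSUMED_FIXED_IN)
    print(f"raw rows: {len(SAMPLE_FINDINGS)}, unique GAVs: {len(dedupe(SAMPLE_FINDINGS))}")
    for label, bucket in (("open", open_), ("resolved", resolved)):
        for gav, advs in sorted(bucket.items()):
            print(f"{label:9} {gav}  {', '.join(advs)}")
```

On the constructed rows, six scanner lines reduce to four distinct coordinates; the two rows already at their assumed fixed-in version are set aside as false positives for that distribution, while the stale Guava 22.0 copy and the artifact with no known threshold stay open. That open list, with artifactId and version attached, is what a maintainer can actually act on.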