[GitHub] [geronimo-batchee] JLLeitschuh commented on pull request #12: [SECURITY] Fix Zip Slip Vulnerability

2022-11-18 Thread GitBox 


JLLeitschuh commented on PR #12:
URL: https://github.com/apache/geronimo-batchee/pull/12#issuecomment-1320330093

   Sounds good, thank you all for the thorough assessment of the situation. I 
really appreciate it!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@geronimo.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [batchee] future?

2022-11-18 Thread Francois Papon 

Hi,

I don't have insights about how BatchEE is used today and how the jbatch 
specification is support by others.


+1 for freeze.

regards,

François

On 18/11/2022 08:21, Romain Manni-Bucau wrote:

Hi all,

We discussed some time ago to drop batchee as an active subproject, 
wonder where we are now on this?

Do we freeze it and document we don't maintain it anymore?

Romain Manni-Bucau
@rmannibucau  | Blog 
 | Old Blog 
 | Github 
 | LinkedIn 
 | Book

[GitHub] [geronimo-batchee] raboof commented on pull request #12: [SECURITY] Fix Zip Slip Vulnerability

2022-11-18 Thread GitBox 


raboof commented on PR #12:
URL: https://github.com/apache/geronimo-batchee/pull/12#issuecomment-1319681866

   > "anywhere" does not mean "downloaded from a random source" but literally 
"put by an user there". So BatchEE does not take into account the zip creation 
of the zip it extracts but it must be put intentionally by end user there so if 
it is insecure the user intentionally put an insecure zip, similarly to put an 
attacker code voluntary in tomcat webapps folder.
   
   That's indeed how I understood your previous comment. Based on this it 
doesn't look like the zip slip provides any additional privileges to an 
attacker (as an attacker that can control the zip already has full control, 
right?). If that's indeed the case I don't see a reason to issue a CVE. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@geronimo.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org