Re: JIRA about CVEs
Thanks, Richard!! On Mon, Nov 18, 2019 at 3:44 AM Zowalla, Richard < richard.zowa...@hs-heilbronn.de> wrote: > Did not find anything with the owasp plugin profile. Should be fine (for > now). > > > Am Mittwoch, den 13.11.2019, 08:25 -0600 schrieb Richard Monson-Haefel: > > Excellent! Thanks, Richard! > > On Wed, Nov 13, 2019 at 8:18 AM Zowalla, Richard < > richard.zowa...@hs-heilbronn.de> wrote: > > Ok, John did comment in the JIRA, that the upgrades are already conducted > in previous commits. > I will run an OWASP scan on the code. If this reveals some more vulnerable > dependencies, I will report in the JIRA and provide a PR, if possible. > > Best, > Richard Z. > > Am Mittwoch, den 13.11.2019, 14:08 + schrieb Zowalla, Richard: > > Alright, I will proceed :) > > Best, > Richard > > Am Mittwoch, den 13.11.2019, 07:52 -0600 schrieb Richard Monson-Haefel: > > If you don't mind, Richard, can you do the upgrades and create a PR? We > can let it run overnight and see how it goes. > > I'm not sure as to what the best policy is for announcing the CVE so that > people know to upgrade. I think we should figure that out after the ci has > run. As an alternative you can run the full test suite on your own machine > (takes about an hour or something like that) and see if you pick up any > errors. I did this yesterday with a different PR but I don't have the > extra cycles to do it again today. > > On Wed, Nov 13, 2019 at 7:07 AM Zowalla, Richard < > richard.zowa...@hs-heilbronn.de> wrote: > > Sounds reasonable to me. If I can assist in upgrading, let me know. > > However, we should publish the link to the ASF CI somewhere, so we can > better monitor the current build status. > > Best, > Richard Z > > Am Mittwoch, den 13.11.2019, 07:00 -0600 schrieb Richard Monson-Haefel: > > Is this a matter of upgrading and testing or is there more to it than > > that? If that's it we can create a PR with the updates and let the asf ci > > run the tests and look for problems. > > > > On Wed, Nov 13, 2019 at 5:58 AM COURTAULT Francois < > > francois.courta...@thalesgroup.com> wrote: > > > Hello, > > > Could you take this JIRA entry ( > > https://issues.apache.org/jira/browse/TOMEE-2737) into account please ? > > > Best Regard. > > > > > > > This message and any attachments are intended solely for the addressees > > and may contain confidential information. Any unauthorized use or > > disclosure, either whole or partial, is prohibited. > > E-mails are susceptible to alteration. Our company shall not be liable for > > the message if altered, changed or falsified. If you are not the intended > > recipient of this message, please delete it and notify the sender. > > Although all reasonable efforts have been made to keep this transmission > > free from viruses, the sender will not be liable for damages caused by a > > transmitted virus. > > > > > > -- > > > > > -- > > > > > -- > > > -- Richard Monson-Haefel https://twitter.com/rmonson https://www.linkedin.com/in/monsonhaefel/
Re: JIRA about CVEs
Did not find anything with the owasp plugin profile. Should be fine (for now). Am Mittwoch, den 13.11.2019, 08:25 -0600 schrieb Richard Monson-Haefel: > Excellent! Thanks, Richard! > > On Wed, Nov 13, 2019 at 8:18 AM Zowalla, Richard < > richard.zowa...@hs-heilbronn.de> wrote: > > Ok, John did comment in the JIRA, that the upgrades are already > > conducted in previous commits. > > I will run an OWASP scan on the code. If this reveals some more > > vulnerable dependencies, I will report in the JIRA and provide a > > PR, if possible. > > > > Best, > > Richard Z. > > > > Am Mittwoch, den 13.11.2019, 14:08 + schrieb Zowalla, Richard: > > > Alright, I will proceed :) > > > Best,Richard > > > Am Mittwoch, den 13.11.2019, 07:52 -0600 schrieb Richard Monson- > > > Haefel: > > > > If you don't mind, Richard, can you do the upgrades and create > > > > a PR? We can let it run overnight and see how it goes. > > > > I'm not sure as to what the best policy is for announcing the > > > > CVE so that people know to upgrade. I think we should figure > > > > that out after the ci has run. As an alternative you can run > > > > the full test suite on your own machine (takes about an hour or > > > > something like that) and see if you pick up any errors. I did > > > > this yesterday with a different PR but I don't have the extra > > > > cycles to do it again today. > > > > > > > > On Wed, Nov 13, 2019 at 7:07 AM Zowalla, Richard < > > > > richard.zowa...@hs-heilbronn.de> wrote: > > > > > Sounds reasonable to me. If I can assist in upgrading, let me > > > > > know. > > > > > > > > > > However, we should publish the link to the ASF CI somewhere, > > > > > so we can better monitor the current build status. > > > > > > > > > > Best, > > > > > Richard Z > > > > > > > > > > Am Mittwoch, den 13.11.2019, 07:00 -0600 schrieb Richard > > > > > Monson-Haefel: > > > > > > Is this a matter of upgrading and testing or is there more > > > > > > to it thanthat? If that's it we can create a PR with the > > > > > > updates and let the asf cirun the tests and look for > > > > > > problems. > > > > > > > > > > > > On Wed, Nov 13, 2019 at 5:58 AM COURTAULT Francois < > > > > > > francois.courta...@thalesgroup.com> wrote: > > > > > > Hello, > > > > > > Could you take this JIRA entry ( > > > > > > https://issues.apache.org/jira/browse/TOMEE-2737) into > > > > > > account please ? > > > > > > Best Regard. > > > > > > > > > > > > > > > > > > This message and any > > > > > > attachments are intended solely for the addresseesand may > > > > > > contain confidential information. Any unauthorized use > > > > > > ordisclosure, either whole or partial, is prohibited.E- > > > > > > mails are susceptible to alteration. Our company shall not > > > > > > be liable forthe message if altered, changed or falsified. > > > > > > If you are not the intendedrecipient of this message, > > > > > > please delete it and notify the sender.Although all > > > > > > reasonable efforts have been made to keep this > > > > > > transmissionfree from viruses, the sender will not be > > > > > > liable for damages caused by atransmitted virus. > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > > > > > > > > > -- > > > > > > -- smime.p7s Description: S/MIME cryptographic signature
Re: JIRA about CVEs
Excellent! Thanks, Richard! On Wed, Nov 13, 2019 at 8:18 AM Zowalla, Richard < richard.zowa...@hs-heilbronn.de> wrote: > Ok, John did comment in the JIRA, that the upgrades are already conducted > in previous commits. > I will run an OWASP scan on the code. If this reveals some more vulnerable > dependencies, I will report in the JIRA and provide a PR, if possible. > > Best, > Richard Z. > > Am Mittwoch, den 13.11.2019, 14:08 + schrieb Zowalla, Richard: > > Alright, I will proceed :) > > Best, > Richard > > Am Mittwoch, den 13.11.2019, 07:52 -0600 schrieb Richard Monson-Haefel: > > If you don't mind, Richard, can you do the upgrades and create a PR? We > can let it run overnight and see how it goes. > > I'm not sure as to what the best policy is for announcing the CVE so that > people know to upgrade. I think we should figure that out after the ci has > run. As an alternative you can run the full test suite on your own machine > (takes about an hour or something like that) and see if you pick up any > errors. I did this yesterday with a different PR but I don't have the > extra cycles to do it again today. > > On Wed, Nov 13, 2019 at 7:07 AM Zowalla, Richard < > richard.zowa...@hs-heilbronn.de> wrote: > > Sounds reasonable to me. If I can assist in upgrading, let me know. > > However, we should publish the link to the ASF CI somewhere, so we can > better monitor the current build status. > > Best, > Richard Z > > Am Mittwoch, den 13.11.2019, 07:00 -0600 schrieb Richard Monson-Haefel: > > Is this a matter of upgrading and testing or is there more to it than > > that? If that's it we can create a PR with the updates and let the asf ci > > run the tests and look for problems. > > > > On Wed, Nov 13, 2019 at 5:58 AM COURTAULT Francois < > > francois.courta...@thalesgroup.com> wrote: > > > Hello, > > > Could you take this JIRA entry ( > > https://issues.apache.org/jira/browse/TOMEE-2737) into account please ? > > > Best Regard. > > > > > > > This message and any attachments are intended solely for the addressees > > and may contain confidential information. Any unauthorized use or > > disclosure, either whole or partial, is prohibited. > > E-mails are susceptible to alteration. Our company shall not be liable for > > the message if altered, changed or falsified. If you are not the intended > > recipient of this message, please delete it and notify the sender. > > Although all reasonable efforts have been made to keep this transmission > > free from viruses, the sender will not be liable for damages caused by a > > transmitted virus. > > > > > > -- > > Richard Zowalla, M.Sc. > Research Associate, PhD Student | Medical Informatics > > > > Hochschule Heilbronn – University of Applied Sciences > Max-Planck-Str. 39 > D-74081 Heilbronn > phone: +49 7131 504 6791 > mail: richard.zowa...@hs-heilbronn.de > web: http://www.mi.hs-heilbronn.de/ > > > > -- > > Richard Zowalla, M.Sc. > Research Associate, PhD Student | Medical Informatics > > > > Hochschule Heilbronn – University of Applied Sciences > Max-Planck-Str. 39 > D-74081 Heilbronn > phone: +49 7131 504 6791 > mail: richard.zowa...@hs-heilbronn.de > web: http://www.mi.hs-heilbronn.de/ > -- Richard Monson-Haefel https://twitter.com/rmonson https://www.linkedin.com/in/monsonhaefel/
Re: JIRA about CVEs
Please note my comment on the JIRA: These have already been done: Update to Jackson Databind 2.10.0: https://github.com/apache/tomee/commit/5e38138463f65146c4087da8085c8dcd93079ef1 TOMEE-2725 update beanutils to 1.9.4: https://github.com/apache/tomee/commit/0e433e9e565dac45c2c04368f8da6f1e827db295 TOMEE-2726 update Xmlsec to 2.1.4: https://github.com/apache/tomee/commit/e3b05ddf8e4e06286f45a936474fee4eee6dcc99 Shout if you think there are other dependency updates needed. Jon On Wed, Nov 13, 2019 at 2:09 PM Zowalla, Richard < richard.zowa...@hs-heilbronn.de> wrote: > Alright, I will proceed :) > > Best, > Richard > > Am Mittwoch, den 13.11.2019, 07:52 -0600 schrieb Richard Monson-Haefel: > > If you don't mind, Richard, can you do the upgrades and create a PR? We > can let it run overnight and see how it goes. > > I'm not sure as to what the best policy is for announcing the CVE so that > people know to upgrade. I think we should figure that out after the ci has > run. As an alternative you can run the full test suite on your own machine > (takes about an hour or something like that) and see if you pick up any > errors. I did this yesterday with a different PR but I don't have the > extra cycles to do it again today. > > On Wed, Nov 13, 2019 at 7:07 AM Zowalla, Richard < > richard.zowa...@hs-heilbronn.de> wrote: > > Sounds reasonable to me. If I can assist in upgrading, let me know. > > However, we should publish the link to the ASF CI somewhere, so we can > better monitor the current build status. > > Best, > Richard Z > > Am Mittwoch, den 13.11.2019, 07:00 -0600 schrieb Richard Monson-Haefel: > > Is this a matter of upgrading and testing or is there more to it than > > that? If that's it we can create a PR with the updates and let the asf ci > > run the tests and look for problems. > > > > On Wed, Nov 13, 2019 at 5:58 AM COURTAULT Francois < > > francois.courta...@thalesgroup.com> wrote: > > > Hello, > > > Could you take this JIRA entry ( > > https://issues.apache.org/jira/browse/TOMEE-2737) into account please ? > > > Best Regard. > > > > > > > This message and any attachments are intended solely for the addressees > > and may contain confidential information. Any unauthorized use or > > disclosure, either whole or partial, is prohibited. > > E-mails are susceptible to alteration. Our company shall not be liable for > > the message if altered, changed or falsified. If you are not the intended > > recipient of this message, please delete it and notify the sender. > > Although all reasonable efforts have been made to keep this transmission > > free from viruses, the sender will not be liable for damages caused by a > > transmitted virus. > > > > > > -- > > Richard Zowalla, M.Sc. > Research Associate, PhD Student | Medical Informatics > > > > Hochschule Heilbronn – University of Applied Sciences > Max-Planck-Str. 39 > D-74081 Heilbronn > phone: +49 7131 504 6791 > mail: richard.zowa...@hs-heilbronn.de > web: http://www.mi.hs-heilbronn.de/ > > > > -- > Richard Monson-Haefel > https://twitter.com/rmonson > https://www.linkedin.com/in/monsonhaefel/ > > -- > > Richard Zowalla, M.Sc. > Research Associate, PhD Student | Medical Informatics > > > > Hochschule Heilbronn – University of Applied Sciences > Max-Planck-Str. 39 > D-74081 Heilbronn > phone: +49 7131 504 6791 > mail: richard.zowa...@hs-heilbronn.de > web: http://www.mi.hs-heilbronn.de/ >
Re: JIRA about CVEs
Ok, John did comment in the JIRA, that the upgrades are already conducted in previous commits.I will run an OWASP scan on the code. If this reveals some more vulnerable dependencies, I will report in the JIRA and provide a PR, if possible. Best,Richard Z. Am Mittwoch, den 13.11.2019, 14:08 + schrieb Zowalla, Richard: > Alright, I will proceed :) > Best,Richard > Am Mittwoch, den 13.11.2019, 07:52 -0600 schrieb Richard Monson- > Haefel: > > If you don't mind, Richard, can you do the upgrades and create a > > PR? We can let it run overnight and see how it goes. > > I'm not sure as to what the best policy is for announcing the CVE > > so that people know to upgrade. I think we should figure that out > > after the ci has run. As an alternative you can run the full test > > suite on your own machine (takes about an hour or something like > > that) and see if you pick up any errors. I did this yesterday with > > a different PR but I don't have the extra cycles to do it again > > today. > > > > On Wed, Nov 13, 2019 at 7:07 AM Zowalla, Richard < > > richard.zowa...@hs-heilbronn.de> wrote: > > > Sounds reasonable to me. If I can assist in upgrading, let me > > > know. > > > > > > However, we should publish the link to the ASF CI somewhere, so > > > we can better monitor the current build status. > > > > > > Best, > > > Richard Z > > > > > > Am Mittwoch, den 13.11.2019, 07:00 -0600 schrieb Richard Monson- > > > Haefel: > > > > Is this a matter of upgrading and testing or is there more to > > > > it thanthat? If that's it we can create a PR with the updates > > > > and let the asf cirun the tests and look for problems. > > > > > > > > On Wed, Nov 13, 2019 at 5:58 AM COURTAULT Francois < > > > > francois.courta...@thalesgroup.com> wrote: > > > > Hello, > > > > Could you take this JIRA entry ( > > > > https://issues.apache.org/jira/browse/TOMEE-2737) into account > > > > please ? > > > > Best Regard. > > > > > > > > > > > > This message and any > > > > attachments are intended solely for the addresseesand may > > > > contain confidential information. Any unauthorized use > > > > ordisclosure, either whole or partial, is prohibited.E-mails > > > > are susceptible to alteration. Our company shall not be liable > > > > forthe message if altered, changed or falsified. If you are not > > > > the intendedrecipient of this message, please delete it and > > > > notify the sender.Although all reasonable efforts have been > > > > made to keep this transmissionfree from viruses, the sender > > > > will not be liable for damages caused by atransmitted virus. > > > > > > > > > > > > > > > -- > > > Richard Zowalla, M.Sc.Research Associate, PhD Student | Medical > > > Informatics > > > > > > > > > Hochschule Heilbronn – University of Applied SciencesMax-Planck- > > > Str. 39 D-74081 Heilbronn phone: +49 7131 504 6791mail: > > > richard.zowalla@hs-heilbronn.deweb: > > > http://www.mi.hs-heilbronn.de/ > > > > -- Richard Zowalla, M.Sc.Research Associate, PhD Student | Medical Informatics Hochschule Heilbronn – University of Applied SciencesMax-Planck-Str. 39 D-74081 Heilbronn phone: +49 7131 504 6791mail: richard.zowalla@hs-heilbronn.deweb: http://www.mi.hs-heilbronn.de/ smime.p7s Description: S/MIME cryptographic signature
Re: JIRA about CVEs
Alright, I will proceed :) Best, Richard Am Mittwoch, den 13.11.2019, 07:52 -0600 schrieb Richard Monson-Haefel: > If you don't mind, Richard, can you do the upgrades and create a PR? > We can let it run overnight and see how it goes. > I'm not sure as to what the best policy is for announcing the CVE so > that people know to upgrade. I think we should figure that out after > the ci has run. As an alternative you can run the full test suite on > your own machine (takes about an hour or something like that) and see > if you pick up any errors. I did this yesterday with a different PR > but I don't have the extra cycles to do it again today. > On Wed, Nov 13, 2019 at 7:07 AM Zowalla, Richard < > richard.zowa...@hs-heilbronn.de> wrote: > > Sounds reasonable to me. If I can assist in upgrading, let me know. > > > > However, we should publish the link to the ASF CI somewhere, so we > > can better monitor the current build status. > > > > Best, > > Richard Z > > > > Am Mittwoch, den 13.11.2019, 07:00 -0600 schrieb Richard Monson- > > Haefel: > > > Is this a matter of upgrading and testing or is there more to it > > > thanthat? If that's it we can create a PR with the updates and > > > let the asf cirun the tests and look for problems. > > > > > > On Wed, Nov 13, 2019 at 5:58 AM COURTAULT Francois < > > > francois.courta...@thalesgroup.com> wrote: > > > Hello, > > > Could you take this JIRA entry ( > > > https://issues.apache.org/jira/browse/TOMEE-2737) into account > > > please ? > > > Best Regard. > > > > > > > > > This message and any attachments > > > are intended solely for the addresseesand may contain > > > confidential information. Any unauthorized use ordisclosure, > > > either whole or partial, is prohibited.E-mails are susceptible to > > > alteration. Our company shall not be liable forthe message if > > > altered, changed or falsified. If you are not the > > > intendedrecipient of this message, please delete it and notify > > > the sender.Although all reasonable efforts have been made to keep > > > this transmissionfree from viruses, the sender will not be liable > > > for damages caused by atransmitted virus. > > > > > > > > > > > -- > > Richard Zowalla, M.Sc.Research Associate, PhD Student | Medical > > Informatics > > > > > > Hochschule Heilbronn – University of Applied SciencesMax-Planck- > > Str. 39 D-74081 Heilbronn phone: +49 7131 504 6791mail: > > richard.zowalla@hs-heilbronn.deweb: http://www.mi.hs-heilbronn.de/ > > -- > Richard Monson-Haefelhttps://twitter.com/rmonson > https://www.linkedin.com/in/monsonhaefel/ > > -- Richard Zowalla, M.Sc.Research Associate, PhD Student | Medical Informatics Hochschule Heilbronn – University of Applied SciencesMax-Planck-Str. 39 D-74081 Heilbronn phone: +49 7131 504 6791mail: richard.zowalla@hs-heilbronn.deweb: http://www.mi.hs-heilbronn.de/ smime.p7s Description: S/MIME cryptographic signature
Re: JIRA about CVEs
If you don't mind, Richard, can you do the upgrades and create a PR? We can let it run overnight and see how it goes. I'm not sure as to what the best policy is for announcing the CVE so that people know to upgrade. I think we should figure that out after the ci has run. As an alternative you can run the full test suite on your own machine (takes about an hour or something like that) and see if you pick up any errors. I did this yesterday with a different PR but I don't have the extra cycles to do it again today. On Wed, Nov 13, 2019 at 7:07 AM Zowalla, Richard < richard.zowa...@hs-heilbronn.de> wrote: > Sounds reasonable to me. If I can assist in upgrading, let me know. > > However, we should publish the link to the ASF CI somewhere, so we can > better monitor the current build status. > > Best, > Richard Z > > Am Mittwoch, den 13.11.2019, 07:00 -0600 schrieb Richard Monson-Haefel: > > Is this a matter of upgrading and testing or is there more to it than > > that? If that's it we can create a PR with the updates and let the asf ci > > run the tests and look for problems. > > > > On Wed, Nov 13, 2019 at 5:58 AM COURTAULT Francois < > > francois.courta...@thalesgroup.com> wrote: > > > Hello, > > > Could you take this JIRA entry ( > > https://issues.apache.org/jira/browse/TOMEE-2737) into account please ? > > > Best Regard. > > > > > > > This message and any attachments are intended solely for the addressees > > and may contain confidential information. Any unauthorized use or > > disclosure, either whole or partial, is prohibited. > > E-mails are susceptible to alteration. Our company shall not be liable for > > the message if altered, changed or falsified. If you are not the intended > > recipient of this message, please delete it and notify the sender. > > Although all reasonable efforts have been made to keep this transmission > > free from viruses, the sender will not be liable for damages caused by a > > transmitted virus. > > > > > > -- > > Richard Zowalla, M.Sc. > Research Associate, PhD Student | Medical Informatics > > > > Hochschule Heilbronn – University of Applied Sciences > Max-Planck-Str. 39 > D-74081 Heilbronn > phone: +49 7131 504 6791 > mail: richard.zowa...@hs-heilbronn.de > web: http://www.mi.hs-heilbronn.de/ > -- Richard Monson-Haefel https://twitter.com/rmonson https://www.linkedin.com/in/monsonhaefel/
Re: JIRA about CVEs
Sounds reasonable to me. If I can assist in upgrading, let me know. However, we should publish the link to the ASF CI somewhere, so we can better monitor the current build status. Best,Richard Z Am Mittwoch, den 13.11.2019, 07:00 -0600 schrieb Richard Monson-Haefel: > Is this a matter of upgrading and testing or is there more to it > thanthat? If that's it we can create a PR with the updates and let > the asf cirun the tests and look for problems. > > On Wed, Nov 13, 2019 at 5:58 AM COURTAULT Francois < > francois.courta...@thalesgroup.com> wrote: > Hello, > Could you take this JIRA entry ( > https://issues.apache.org/jira/browse/TOMEE-2737) into account please > ? > Best Regard. > > > This message and any attachments are > intended solely for the addresseesand may contain confidential > information. Any unauthorized use ordisclosure, either whole or > partial, is prohibited.E-mails are susceptible to alteration. Our > company shall not be liable forthe message if altered, changed or > falsified. If you are not the intendedrecipient of this message, > please delete it and notify the sender.Although all reasonable > efforts have been made to keep this transmissionfree from viruses, > the sender will not be liable for damages caused by atransmitted > virus. > > > -- Richard Zowalla, M.Sc.Research Associate, PhD Student | Medical Informatics Hochschule Heilbronn – University of Applied SciencesMax-Planck-Str. 39 D-74081 Heilbronn phone: +49 7131 504 6791mail: richard.zowalla@hs-heilbronn.deweb: http://www.mi.hs-heilbronn.de/ smime.p7s Description: S/MIME cryptographic signature
Re: JIRA about CVEs
Is this a matter of upgrading and testing or is there more to it than that? If that's it we can create a PR with the updates and let the asf ci run the tests and look for problems. On Wed, Nov 13, 2019 at 5:58 AM COURTAULT Francois < francois.courta...@thalesgroup.com> wrote: > Hello, > > Could you take this JIRA entry ( > https://issues.apache.org/jira/browse/TOMEE-2737) into account please ? > > Best Regard. > > > > > This message and any attachments are intended solely for the addressees > and may contain confidential information. Any unauthorized use or > disclosure, either whole or partial, is prohibited. > E-mails are susceptible to alteration. Our company shall not be liable for > the message if altered, changed or falsified. If you are not the intended > recipient of this message, please delete it and notify the sender. > Although all reasonable efforts have been made to keep this transmission > free from viruses, the sender will not be liable for damages caused by a > transmitted virus. > -- Richard Monson-Haefel https://twitter.com/rmonson https://www.linkedin.com/in/monsonhaefel/
