Reply: Re: Items for our (delayed) quarterly report to the board?
Maybe adding "security warnings in module dependencies", to distinguish it from having security issues in the project code itself; then we would have had to follow ASF standard security procedures. (Another solution might be to publish the result page of the check, but this should then be updated for every push/commit.) But we could point to it, although it seems to me not to be enforced by any ASF policy in this case.

Best regards, Georg

From: Bryan Pendleton
To: Apache Torque Developers List
Date: 27.01.2021 23:59
Subject: Re: Items for our (delayed) quarterly report to the board?

> Should we say something like: Torque team have addressed two recently reported security warnings (CVE-2020-8908 and CVE-2020-9488) by upgrading to the fixed version of the relevant packages. Would that be accurate?
>
> bryan
>
> On Wed, Jan 27, 2021 at 8:06 AM Georg Kallidis wrote:
>
> > Hi Bryan,
> >
> > there are some minor updates (site) AFAIK, but we had two dependency security warnings with an OWASP check:
> >
> > - CVE-2020-8908 for guava in module torque-maven (base score/severity: low) and
> > - CVE-2020-9488: for log4j2 (all torque-dev), severity: Low (https://logging.apache.org/log4j/2.x/security.html)
> >
> > Log4j2 is updated to 2.14.0 (from 2.13.0, 2.13.2 is the fixed version) and guava to fixed version 30.0. Fix date was January 18th. This is fixed in the trunk.
> >
> > As this is updated and it's just a dependency we use (log4j2 might be used by a lot of Apache projects, what do they?), we might just wait and include it later in a patch release.
> >
> > Should we include this in the report now? I don't think so.
> >
> > Best regards, Georg
> >
> > From: Bryan Pendleton
> > To: torque-dev@db.apache.org
> > Date: 27.01.2021 16:30
> > Subject: Items for our (delayed) quarterly report to the board?
> >
> > Hi all, I'm preparing our quarterly report to the Apache board.
> >
> > I missed our regular January report due to some personal issues (better now).
> >
> > Please let me know of any Torque-related items that we should include in this quarter's report!
> >
> > thanks,
> >
> > bryan

To unsubscribe, e-mail: torque-dev-unsubscr...@db.apache.org
For additional commands, e-mail: torque-dev-h...@db.apache.org
Re: Items for our (delayed) quarterly report to the board?
Should we say something like: Torque team have addressed two recently reported security warnings (CVE-2020-8908 and CVE-2020-9488) by upgrading to the fixed version of the relevant packages. Would that be accurate?

bryan

On Wed, Jan 27, 2021 at 8:06 AM Georg Kallidis wrote:

> Hi Bryan,
>
> there are some minor updates (site) AFAIK, but we had two dependency security warnings with an OWASP check:
>
> - CVE-2020-8908 for guava in module torque-maven (base score/severity: low) and
> - CVE-2020-9488: for log4j2 (all torque-dev), severity: Low (https://logging.apache.org/log4j/2.x/security.html)
>
> Log4j2 is updated to 2.14.0 (from 2.13.0, 2.13.2 is the fixed version) and guava to fixed version 30.0. Fix date was January 18th. This is fixed in the trunk.
>
> As this is updated and it's just a dependency we use (log4j2 might be used by a lot of Apache projects, what do they?), we might just wait and include it later in a patch release.
>
> Should we include this in the report now? I don't think so.
>
> Best regards, Georg
>
> From: Bryan Pendleton
> To: torque-dev@db.apache.org
> Date: 27.01.2021 16:30
> Subject: Items for our (delayed) quarterly report to the board?
>
> Hi all, I'm preparing our quarterly report to the Apache board.
>
> I missed our regular January report due to some personal issues (better now).
>
> Please let me know of any Torque-related items that we should include in this quarter's report!
>
> thanks,
>
> bryan
Re: Items for our (delayed) quarterly report to the board?
Hi Bryan,

there are some minor updates (site) AFAIK, but we had two dependency security warnings with an OWASP check:

- CVE-2020-8908 for guava in module torque-maven (base score/severity: low) and
- CVE-2020-9488: for log4j2 (all torque-dev), severity: Low (https://logging.apache.org/log4j/2.x/security.html)

Log4j2 is updated to 2.14.0 (from 2.13.0, 2.13.2 is the fixed version) and guava to fixed version 30.0. Fix date was January 18th. This is fixed in the trunk.

As this is updated and it's just a dependency we use (log4j2 might be used by a lot of Apache projects, what do they?), we might just wait and include it later in a patch release.

Should we include this in the report now? I don't think so.

Best regards, Georg

From: Bryan Pendleton
To: torque-dev@db.apache.org
Date: 27.01.2021 16:30
Subject: Items for our (delayed) quarterly report to the board?

> Hi all, I'm preparing our quarterly report to the Apache board.
>
> I missed our regular January report due to some personal issues (better now).
>
> Please let me know of any Torque-related items that we should include in this quarter's report!
>
> thanks,
>
> bryan
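An added example, not from the Torque project or this thread: a pom.xml fragment that pins the two dependencies to the fixed versions named above and runs the OWASP dependency-check plugin as part of every build, which also answers the concern about a published result page going stale after each push. The plugin version placeholder, the `-jre` suffix on the Guava artifact, the log4j-core artifact name and the CVSS threshold are assumptions.

```xml
<project>
  <properties>
    <!-- Fixed versions as stated in the thread: log4j2 2.14.0, Guava 30.0 -->
    <log4j2.version>2.14.0</log4j2.version>
    <!-- Guava is published as 30.0-jre on Maven Central; suffix assumed here -->
    <guava.version>30.0-jre</guava.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <!-- artifact name assumed; use the log4j2 artifacts the module actually declares -->
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j2.version}</version>
      </dependency>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${guava.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- replace with the plugin release in use -->
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <configuration>
          <!-- Fail the build once a finding's CVSS score reaches this value.
               The two findings in the thread were rated Low, so with a
               threshold of 7 they are reported but do not break the build. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- HTML report is written under target/ on each run -->
          <format>HTML</format>
        </configuration>
        <executions>
          <execution>
            <goals>
              <!-- the check goal binds to the verify phase by default -->
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Because the report is regenerated on every build, the team can point at the build's report instead of maintaining a separately published page.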
Items for our (delayed) quarterly report to the board?
Hi all, I'm preparing our quarterly report to the Apache board.

I missed our regular January report due to some personal issues (better now).

Please let me know of any Torque-related items that we should include in this quarter's report!

thanks,

bryan