Maybe adding "security warnings in module dependencies" .. to 
distinguish it from having security issues in the project code itself - 
then we had to follow ASF standard security procedures.

(Another solution might be to publish the result page of the check, but 
this should then be updated for every push/commit)

But we could point to it, although it seems to me not to be enforced by 
any ASF policy in this case ..

Best regards, Georg 



From:    Bryan Pendleton <bpendleton.de...@gmail.com>
To:      Apache Torque Developers List <torque-dev@db.apache.org>
Date:    27.01.2021 23:59
Subject: Re: Items for our (delayed) quarterly report to the board?



Should we say something like:

Torque team have addressed two recently reported security warnings
(CVE-2020-8908 and CVE-2020-9488) by upgrading to the fixed version of
the relevant packages.

Would that be accurate?

bryan

On Wed, Jan 27, 2021 at 8:06 AM Georg Kallidis
<georg.kalli...@cedis.fu-berlin.de> wrote:
>
> Hi Bryan,
>
> there are some minor updates (site) AFAIK, but we had two dependency
> security warnings with an OWASP check:
>
> - CVE-2020-8908 for guava in module torque-maven (base score/severity:
> low) and
>
> - CVE-2020-9488: for log4j2 (all torque-dev), severity: Low (
> https://logging.apache.org/log4j/2.x/security.html)
>
> Log4j2 is updated to 2.14.0 (from 2.13.0, 2.13.2 is the fixed version) and
> guava to fixed version 30.0. Fix date was January 18th. This is fixed in
> the trunk.
>
> As this is updated and it's just a dependency we use (log4j2 might be used
> by a lot of Apache projects, what do they do?), we might just wait and
> include it later in a patch release.
>
> Should we include this in the report now? I don't think so.
>
> Best regards, Georg
>
>
>
>
> From:    Bryan Pendleton <bpendleton.de...@gmail.com>
> To:      torque-dev@db.apache.org
> Date:    27.01.2021 16:30
> Subject: Items for our (delayed) quarterly report to the board?
>
>
>
> Hi all, I'm preparing our quarterly report to the Apache board.
>
> I missed our regular January report due to some personal issues (better
> now).
>
> Please let me know of any Torque-related items that we should include
> in this quarter's report!
>
> thanks,
>
> bryan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: torque-dev-unsubscr...@db.apache.org
> For additional commands, e-mail: torque-dev-h...@db.apache.org
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: torque-dev-unsubscr...@db.apache.org
For additional commands, e-mail: torque-dev-h...@db.apache.org
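The thread above describes two findings from an OWASP dependency-check run (CVE-2020-8908 in guava, CVE-2020-9488 in log4j2, both rated Low) and floats the idea of publishing the check result on every push. The script below is an added example, not code from the Torque project or from the thread's authors: it parses a dependency-check JSON report, lists findings per module and artifact, and returns whether a CVSS gate is exceeded, the same idea as the `failBuildOnCVSS` setting of the dependency-check Maven plugin. The embedded report is constructed for the example and only modelled on the scanner's `dependencies[].vulnerabilities[]` layout; the module paths, artifact file names and CVSS scores in it are placeholders, not values from the page or from the NVD.

```python
"""Summarise an OWASP dependency-check JSON report and apply a CVSS gate.

Added example. SAMPLE_REPORT is constructed: it mimics the scanner's JSON
layout but its paths, jar names and scores are placeholders.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            # constructed: module/path/jar are placeholders
            "fileName": "guava-29.0-jre.jar",
            "filePath": "torque-maven/target/lib/guava-29.0-jre.jar",
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-2020-8908", "severity": "LOW",
                 "cvssv3": {"baseScore": 3.3}},   # placeholder score
            ],
        },
        {
            "fileName": "log4j-core-2.13.0.jar",
            "filePath": "example-module/target/lib/log4j-core-2.13.0.jar",
            "vulnerabilities": [
                {"source": "NVD", "name": "CVE-2020-9488", "severity": "LOW",
                 "cvssv2": {"score": 3.7}},        # placeholder, v2-only entry
            ],
        },
        {   # a clean dependency: no vulnerabilities key at all
            "fileName": "clean-lib-1.0.jar",
            "filePath": "example-module/target/lib/clean-lib-1.0.jar",
        },
    ],
})


@dataclass(frozen=True)
class Finding:
    module: str     # first path component of the dependency's filePath
    artifact: str   # jar file name
    cve: str
    severity: str   # as reported by the scanner, upper-cased
    score: float    # CVSS v3 base score, falling back to v2


def parse_report(report_json: str) -> list[Finding]:
    """Flatten dependencies[].vulnerabilities[] into Finding records."""
    data = json.loads(report_json)
    findings: list[Finding] = []
    for dep in data.get("dependencies", []):
        path = dep.get("filePath", "")
        module = path.split("/", 1)[0] if "/" in path else "?"
        for vuln in dep.get("vulnerabilities") or []:
            score = (vuln.get("cvssv3") or {}).get("baseScore")
            if score is None:  # older entries only carry a v2 score
                score = (vuln.get("cvssv2") or {}).get("score", 0.0)
            findings.append(Finding(
                module=module,
                artifact=dep.get("fileName", "?"),
                cve=vuln["name"],
                severity=str(vuln.get("severity", "UNKNOWN")).upper(),
                score=float(score),
            ))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity label, e.g. {'LOW': 2}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def should_fail(findings: list[Finding], fail_on_cvss: float) -> bool:
    """True if any finding reaches the threshold (like failBuildOnCVSS)."""
    return any(f.score >= fail_on_cvss for f in findings)


def report_lines(findings: list[Finding]) -> list[str]:
    """Human-readable lines, highest score first, for a CI log or status page."""
    ordered = sorted(findings, key=lambda f: (-f.score, f.cve))
    return [f"{f.cve} {f.severity} ({f.score}) in {f.artifact} [{f.module}]"
            for f in ordered]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("\n".join(report_lines(found)))
    print("severity counts:", summarize(found))
    print("gate (CVSS >= 7.0) tripped:", should_fail(found, 7.0))
```

With a real report, replace `SAMPLE_REPORT` with the contents of `target/dependency-check-report.json`; a Low-only result like the one in the thread passes a 7.0 gate, which is why such findings are easy to miss unless the summary is published or the threshold is deliberately set lower.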


