Hi Bryan,

there are some minor updates (site) AFAIK, but we had two dependency security warnings with an OWASP check:

- CVE-2020-8908 for guava in module torque-maven (base score/severity: low) and
- CVE-2020-9488 for log4j2 (all torque-dev), severity: Low (https://logging.apache.org/log4j/2.x/security.html)

Log4j2 is updated to 2.14.0 (from 2.13.0, 2.13.2 is the fixed version) and guava to fixed version 30.0. Fix date was January 18th.

This is fixed in the trunk. As this is updated and it's just a dependency we use (log4j2 might be used by a lot of Apache projects, what do they do?), we might just wait and include it later in a patch release.

Should we include this in the report now? I don't think so.

Best regards, Georg

From: Bryan Pendleton <bpendleton.de...@gmail.com>
To: torque-dev@db.apache.org
Date: 27.01.2021 16:30
Subject: Items for our (delayed) quarterly report to the board?

Hi all,

I'm preparing our quarterly report to the Apache board. I missed our regular January report due to some personal issues (better now).

Please let me know of any Torque-related items that we should include in this quarter's report!

thanks,

bryan

---------------------------------------------------------------------
To unsubscribe, e-mail: torque-dev-unsubscr...@db.apache.org
For additional commands, e-mail: torque-dev-h...@db.apache.org