Should we say something like: "The Torque team has addressed two recently reported security warnings (CVE-2020-8908 and CVE-2020-9488) by upgrading to the fixed versions of the relevant packages."

Would that be accurate?

bryan

On Wed, Jan 27, 2021 at 8:06 AM Georg Kallidis <georg.kalli...@cedis.fu-berlin.de> wrote:
>
> Hi Bryan,
>
> there are some minor updates (site) AFAIK, but we had two dependency
> security warnings with an OWASP check:
>
> - CVE-2020-8908 for guava in module torque-maven (base score/severity: low) and
>
> - CVE-2020-9488: for log4j2 (all torque-dev), severity: Low
>   (https://logging.apache.org/log4j/2.x/security.html)
>
> Log4j2 is updated to 2.14.0 (from 2.13.0; 2.13.2 is the fixed version) and
> guava to fixed version 30.0. Fix date was January 18th. This is fixed in
> the trunk.
>
> As this is updated and it's just a dependency we use (log4j2 might be used
> by a lot of Apache projects, what do they do?), we might just wait and
> include it later in a patch release.
>
> Should we include this in the report now? I don't think so.
>
> Best regards, Georg
>
>
>
> From: Bryan Pendleton <bpendleton.de...@gmail.com>
> To: torque-dev@db.apache.org
> Date: 27.01.2021 16:30
> Subject: Items for our (delayed) quarterly report to the board?
>
>
>
> Hi all, I'm preparing our quarterly report to the Apache board.
>
> I missed our regular January report due to some personal issues (better
> now).
>
> Please let me know of any Torque-related items that we should include
> in this quarter's report!
>
> thanks,
>
> bryan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: torque-dev-unsubscr...@db.apache.org
> For additional commands, e-mail: torque-dev-h...@db.apache.org
>
>