I plan on releasing Commons Pool and then looking at the PR and releasing DBCP...

Gary

On Wed, May 26, 2021 at 12:14 PM Matt Sicker <[email protected]> wrote:
> See https://issues.apache.org/jira/browse/DBCP-562 which is still open.
>
> On Wed, 26 May 2021 at 10:29, Adesina Adebiyi <[email protected]> wrote:
> >
> > Good day,
> >
> > I am researching an issue raised by sonatype (sonatype-2020-1349) -- that org.apache.commons:commons-dbcp2 has an "information exposure" vulnerability, that all versions, including version 2.8.0, are vulnerable.
> >
> > It appears that Gary's commit of Sep 21, 2020 (mask out name and password) fixed the issue:
> > https://github.com/apache/commons-dbcp/blob/rel/commons-dbcp-2.8.0/RELEASE-NOTES.txt
> >
> > Yet Sonatype is claiming that version 2.8.0 is vulnerable to information disclosure. Indeed, WhiteSource and Snyk.io are also reporting that versions of Apache Commons including 2.8.0 are vulnerable:
> >
> > WhiteSource
> > Upgrade Version: No fix version available
> > CVSS 3.1
> > https://www.whitesourcesoftware.com/vulnerability-database/WS-2020-0287
> >
> > Sonatype-2020-1349
> > CVSS Vector: CVSS:3.1
> > The Apache Commons DBCP packages are vulnerable to Insufficiently Protected Credential
> > The application is vulnerable by using this component
> >
> > Snyk.io
> > https://snyk.io/vuln/maven:org.apache.commons%3Acommons-dbcp2
> > All versions vulnerable to Information exposure including the latest published 21 Sep, 2020: org.apache.commons:commons-dbcp2 2.8.0
> >
> > Was Gary's commit never released? Or did Gary's released commit fix the issue and somehow Sonatype, Snyk.io, and WhiteSource are incorrectly reporting commons-dbcp2 version 2.8.0 as vulnerable to Information Exposure?
> >
> > Thanks for your prompt response.
> >
> > Regards,
> >
> > Adesina
