[io] Black Duck apparently sees vulnerability in 2.5

[io] Black Duck apparently sees vulnerability in 2.5

Stefan Bodewig
Hi all

https://issues.apache.org/jira/browse/IO-559 says BlackDuck would call
IO 2.5 vulnerable because of this issue - so far I've not been able to
verify this claim. I guess it is because of IO-556 that has been closed
as a duplicate of IO-559.

There is a PR (by me) to fix the bug
https://github.com/apache/commons-io/pull/52 - as this is my first
contribution to IO I'd appreciate if anybody else could spare some time
and verify it. I'll rebase it onto master soon.

Also, would there be any reason to not cut a new release from master? I
mean is there any work in progress that needs to be finished?

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: [io] Black Duck apparently sees vulnerability in 2.5

Otto Fowler
Is there a PMC for IO?


On May 16, 2018 at 02:24:44, Stefan Bodewig ([hidden email]) wrote:

Hi all

https://issues.apache.org/jira/browse/IO-559 says BlackDuck would call
IO 2.5 vulnerable because of this issue - so far I've not been able to
verify this claim. I guess it is because of IO-556 that has been closed
as a duplicate of IO-559.

There is a PR (by me) to fix the bug
https://github.com/apache/commons-io/pull/52 - as this is my first
contribution to IO I'd appreciate if anybody else could spare some time
and verify it. I'll rebase it onto master soon.

Also, would there be any reason to not cut a new release from master? I
mean is there any work in progress that needs to be finished?

Stefan


Re: [io] Black Duck apparently sees vulnerability in 2.5

Stefan Bodewig
On 2018-05-16, Otto Fowler wrote:

> Is there a PMC for IO?

Sure, IO is a component overseen by the Apache Commons PMC.

Maybe I should also point at http://commons.apache.org/security.html ?

Stefan


Re: [io] Black Duck apparently sees vulnerability in 2.5

Gilles Sadowski
On Wed, 16 May 2018 07:33:54 -0700, Otto Fowler wrote:
> Is there a PMC for IO?

There is a PMC for all of "Commons".
Components are unequal wrt the number of contributors (and
attention they get from the PMC).

Gilles

> On May 16, 2018 at 02:24:44, Stefan Bodewig ([hidden email])
> wrote:
>
> Hi all
>
> https://issues.apache.org/jira/browse/IO-559 says BlackDuck would
> call
> IO 2.5 vulnerable because of this issue - so far I've not been able
> to
> verify this claim. I guess it is because of IO-556 that has been
> closed
> as a duplicate of IO-559.
>
> There is a PR (by me) to fix the bug
> https://github.com/apache/commons-io/pull/52 - as this is my first
> contribution to IO I'd appreciate if anybody else could spare some
> time
> and verify it. I'll rebase it onto master soon.
>
> Also, would there be any reason to not cut a new release from master?
> I
> mean is there any work in progress that needs to be finished?
>
> Stefan
>




Re: [io] Black Duck apparently sees vulnerability in 2.5

Otto Fowler
I believe all security-related issues and vulnerabilities need to be
handled privately by the PMC for the project.
Has this issue gone through the PMC?


On May 16, 2018 at 10:50:21, Gilles ([hidden email]) wrote:

On Wed, 16 May 2018 07:33:54 -0700, Otto Fowler wrote:
> Is there a PMC for IO?

There is a PMC for all of "Commons".
Components are unequal wrt the number of contributors (and
attention they get from the PMC).

Gilles

> On May 16, 2018 at 02:24:44, Stefan Bodewig ([hidden email])
> wrote:
>
> Hi all
>
> https://issues.apache.org/jira/browse/IO-559 says BlackDuck would
> call
> IO 2.5 vulnerable because of this issue - so far I've not been able
> to
> verify this claim. I guess it is because of IO-556 that has been
> closed
> as a duplicate of IO-559.
>
> There is a PR (by me) to fix the bug
> https://github.com/apache/commons-io/pull/52 - as this is my first
> contribution to IO I'd appreciate if anybody else could spare some
> time
> and verify it. I'll rebase it onto master soon.
>
> Also, would there be any reason to not cut a new release from master?
> I
> mean is there any work in progress that needs to be finished?
>
> Stefan
>




Re: [io] Black Duck apparently sees vulnerability in 2.5

Stefan Bodewig
On 2018-05-16, Otto Fowler wrote:

> I believe all security-related issues and vulnerabilities need to be
> handled privately by the PMC for the project.
> Has this issue gone through the PMC?

The "issue" is public discussion in a JIRA issue, it is public knowledge
anyway.

Stefan


Re: [io] Black Duck apparently sees vulnerability in 2.5

Pascal Schumacher
On 16.05.2018 at 08:24, Stefan Bodewig wrote:
> Also, would there be any reason to not cut a new release from master? I
> mean is there any work in progress that needs to be finished?

I think a new release from master can be done any time.

-Pascal


Re: [io] Black Duck apparently sees vulnerability in 2.5

Stefan Bodewig
On 2018-05-17, Pascal Schumacher wrote:

> On 16.05.2018 at 08:24, Stefan Bodewig wrote:

>> Also, would there be any reason to not cut a new release from master? I
>> mean is there any work in progress that needs to be finished?

> I think a new release from master can be done any time.

Thanks, I also looked through the commits. To me it looks as if master
contained commits that address
https://issues.apache.org/jira/browse/IO-567 but the ticket says "in
progress".

Stefan


Re: [io] Black Duck apparently sees vulnerability in 2.5

garydgregory
WRT releasing, the new file system class needs to be finished/cleanup or
removed.

Gary

On Thu, May 17, 2018 at 1:27 PM, Stefan Bodewig <[hidden email]> wrote:

> On 2018-05-17, Pascal Schumacher wrote:
>
> > On 16.05.2018 at 08:24, Stefan Bodewig wrote:
>
> >> Also, would there be any reason to not cut a new release from master? I
> >> mean is there any work in progress that needs to be finished?
>
> > I think a new release from master can be done any time.
>
> Thanks, I also looked through the commits. To me it looks as if master
> contained commits that address
> https://issues.apache.org/jira/browse/IO-567 but the ticket says "in
> progress".
>
> Stefan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>