> "*Yes*, we are distributing software with known security issues", is the
> answer to the subject question.

So much for Betteridge's law :)

> To walk through one example, the article named org.apache.commons.fileupload
> version 1.2.1 as being often redistributed, even though known security issue
> (CVE-2014-0050). Versions 1.0 to 3.0 had the flaw, and 1.3.1 is required to
> avoid it. Version 1.3.2 is the most recent Apache version.
>
> That 'fileupload' package sounded familiar so I began to look around and I
> found that in the Platform's repository they are re-distributing version
> 1.2.2 of that package but (luckily?) in the Sim Release repo we have version
> 1.3.1. In the platform, it is Equinox's Http servlet bundle that has an
> optional prereq on "fileupload" and in Sim Release, it is RAP, apparently,
> that is "pulling in" version 1.3.1.
>
> = = = = = =
> I call out this flaw in our release practices, here on cross-project list,
> for several reasons:
>
> 1) I wanted to open a bug on the Platform and Equinox to update that prereq
> (bug 509388), but I see that "fileupload" Version 1.3.1 is not available
> from Orbit. *Why not?* That alone appears to be a Simultaneous Releases "no
> no".

I saw your post a while back and thought of
https://www.owasp.org/index.php/OWASP_Dependency_Check . It's available as a
maven-plugin so it should be pretty easy to run such a thing in a separate
HIPP. Seems like Orbit could benefit from such a report and maybe even as one
of the sanity checks done on platform? In fact, after running it on the Orbit
bundles we ship, fileupload was one of the high severity ones discovered.

I see all of this (OWASP) has already been suggested on 509389 so this seems
like the right thing to do.

Cheers,

--
Roland Grunberg

_______________________________________________
cross-project-issues-dev mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
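An added example, not part of this thread or of any Eclipse project's build: a minimal pom.xml fragment that wires the OWASP Dependency-Check Maven plugin into the verify phase so a build carrying a known-vulnerable artifact fails instead of shipping. The dependency on commons-fileupload 1.2.2 is the version named above (Maven Central coordinates commons-fileupload:commons-fileupload); the plugin version and the project coordinates are placeholders to be filled in from the plugin's release page.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder project coordinates -->
  <groupId>example.placeholder</groupId>
  <artifactId>dependency-check-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencies>
    <!-- The version called out in the thread as redistributed by the Platform;
         Dependency-Check matches it against the NVD (CVE-2014-0050) and reports it. -->
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.2.2</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- placeholder: use a current release of the plugin -->
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <configuration>
          <!-- Fail the build when any dependency has a CVE with CVSS >= 7
               (high severity), which is the bucket fileupload fell into above. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn verify` then produces the HTML report under target/ and returns a non-zero exit status because of the fileupload finding; bumping the dependency to 1.3.1 (the fixed version named above) clears it. The same goal can be run ad hoc, without touching the pom, with `mvn org.owasp:dependency-check-maven:check`, which is the lighter-weight way to get a one-off report for a repository such as Orbit before committing to a build-breaking threshold.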
