Adam - Hard to prove a negative, but I would assume that it would be better to hold off on public discussion until it can be ascertained if an issue with a dependency creates an actual security issue in the upstream project like Fineract. That's my 2 cents and it's probably useful to have this discussion here. My approach would be to first examine before bringing to dev OR to fix it in a release and then report it as fixed.
In any case, as a reminder, if someone looks at these and then determines that there is an impact on security of Fineract, please report that ONLY to secur...@fineract.apache.org or secur...@apache.org (or both). Do not bring that to a public jira ticket or this public listserv.

Thanks,

On Wed, Mar 5, 2025 at 8:31 AM Adam Monsen <amon...@mifos.org> wrote:

> I appreciated this reminder from Arnout that *known vulnerabilities in dependencies of a product* are not the same as *known vulnerabilities in a product*, and this fact informs the security incident response process.
>
> See also: https://github.com/apache/fineract/pull/4401#issuecomment-2700259145
>
> Work continues on PR 4401 (thank you Ádám and Victor!).
>
> ---------- Forwarded message ---------
> From: Arnout Engelen <enge...@apache.org>
> Date: Wed, Mar 5, 2025 at 1:35 AM
> Subject: Re: dependency issues in v1.11.0 release candidate
>
> Thanks for the heads-up! I added a comment on the PR: since in this case there's no specific analysis that these advisories for dependencies actually affect Fineract it's fine to handle them in public.
>
> Welcome back to Fineract!
>
> Kind regards,
>
> Arnout
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant
>
> Adam Monsen wrote:
>
>> FYI. It appears some Fineract dependencies may have security issues of varying severities. Victor first found these via Docker Scout / Snyk and mentioned them in private. I believe Victor was checking against commit 843b27926e516420297f40655fa734277195d773 in the maintenance/1.11 release maintenance branch (repo home is https://github.com/apache/fineract ), packaged as v1.11.0 and available at https://dist.apache.org/repos/dist/dev/fineract/1.11.0/ . Adam S. was able to get the screenshots by temporarily enabling Docker Scout.
>>
>> There is an extant PR to upgrade dependencies: https://github.com/apache/fineract/pull/4401 . Presumably this will mitigate some/all of the vulns.
>>
>> My recommendation is to keep this private, continue to work PR 4401 and get it merged ASAP to the develop branch (mainline for tested, integrated PRs) and continue/complete shipping v1.11.0 as-is.
>>
>> Please advise. I'm not a security researcher so I'm new to this process. Feedback welcome on my actions so far. Heads up that I'm also fairly new to Fineract, having re-joined after ~15 years.
>>
>> Best and thanks,
>> -Adam