On Tue, Feb 23, 2021 at 11:14 AM Tatu Saloranta <[email protected]> wrote:
> On Tue, Feb 23, 2021 at 3:22 AM Mario Arzileiro <[email protected]> wrote:
>
>> Hello,
>>
>> Sorry if I wasn't clear, let me just enumerate some assumptions; if any
>> of this is not true, please let me know and we can clarify if needed:
>> * You know that NVD from NIST identifies the CVEs of public components;
>> * You know that jackson-databind vulnerabilities are identified on NVD;
>> * You know that vulnerability scan tools (such as Synopsys Blackduck or
>> Snyk) rely on NVD as Source of Truth.
>>
>> When I first contacted you, the vulnerabilities identified by NVD were
>> not completely correct. There were a lot of CVEs that you have already fixed
>> in jackson-databind:2.6.7.4.
>> I also contacted NIST about this issue and they have already updated their
>> database. Now, they only identify 4 CVEs; check this link
>> <https://nvd.nist.gov/vuln/search/results?adv_search=true&query=cpe%3A2.3%3Aa%3Afasterxml%3Ajackson-databind%3A2.6.7.4%3A*%3A*%3A*%3A*%3A*%3A*%3A*>.
>>
>> I think that right now, you just need to validate that the remaining
>> CVEs are accurate, and if not, contact them too with further information.
>
> I think that at this point if you want this information, you will go and
> do that.
> I do not recall you paying my salary, or being a customer of any sort.
>
>> Why is this important?
>> Companies rely on vulnerability scan tools, and those tools rely on this
>> NVD database. It's essential for your project that this information is up
>> to date, in order to give the exact information for risk assessment
>> analysis and, since the CVEs are wrongly reported, you want that info to be
>> shared and show that your product is safe.
>> Right now, there is a tool (Blackduck) that reports
>> jackson-databind:2.6.7.4 to have 50+ CVEs, which is not true.
>>
>> I think that I don't have more information to give. Please use this as
>> you will; if you have more doubts please let me know.
>
> You are free to do whatever work you want, but it seems extremely arrogant
> to come here to demand I (or anyone else) do things you need. This is not
> far removed from "I got this homework for my CS class can you please write
> a solution for me", as I see it.
>
> I work with community members on things reported but this only works when
> everyone collaborates and contributes something. You are just posting a big
> laundry list of stuff that you are worried about, asking for someone else to
> do something; others to spend their time.
>
> In fact I hate having spent time even responding, at this point.
>

Mario,

After re-reading your message, I realized I misunderstood and overreacted,
based on commenting just on the first message with a long list of ids.
There have been cases on the issue tracker where I feel there has been a
sense of entitlement -- but your message is not one. Since you did already
work through the list, I was mistaken to think you have not collaborated
here or done part of the process. I am sorry for claiming you have not
helped.

Now. Since there are only 4 remaining CVEs, I will check out the link and
see what can be done; keeping in mind that the 2.6.x branch is long closed.

-+ Tatu +-

>
> -+ Tatu +-
>
>> Thanks
>>
>> On Friday, February 19, 2021 at 5:30:48 PM UTC [email protected] wrote:
>>
>>> On Fri, Feb 19, 2021 at 7:48 AM Mario Arzileiro <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I was checking the information that we have available for
>>>> jackson-databind:2.6.7.4 on NIST NVD and it is showing Vulnerabilities
>>>> (CVEs) that are already fixed.
>>>>
>>>> Link for jackson-databind:2.6.7.4:
>>>> https://nvd.nist.gov/products/cpe/detail/844569
>>>> Link for the vulnerabilities list "here
>>>> <https://nvd.nist.gov/vuln/search/results?adv_search=true&query=cpe%3A2.3%3Aa%3Afasterxml%3Ajackson-databind%3A2.6.7.4%3A*%3A*%3A*%3A*%3A*%3A*%3A*>".
>>>>
>>>> List of vulnerabilities fixed and the corresponding fixed version:
>>>>
>>>> CVE            | Fixed version
>>>> CVE-2018-11307 | 2.6.7.3
>>>> CVE-2019-16942 | 2.6.7.3
>>>> CVE-2020-9547  | 2.6.7.4
>>>> CVE-2019-20330 | 2.6.7.4
>>>> CVE-2020-8840  | 2.6.7.4
>>>> CVE-2020-9546  | 2.6.7.4
>>>> CVE-2020-9548  | 2.6.7.4
>>>> CVE-2019-16335 | 2.6.7.3
>>>> CVE-2017-15095 | 2.6.7.2
>>>> CVE-2019-14893 | 2.6.7.3
>>>> CVE-2019-17267 | 2.6.7.3
>>>> CVE-2019-14540 | 2.6.7.3
>>>> CVE-2020-11111 | 2.6.7.4
>>>> CVE-2020-11113 | 2.6.7.4
>>>> CVE-2020-10672 | 2.6.7.4
>>>> CVE-2020-10969 | 2.6.7.4
>>>> CVE-2020-10968 | 2.6.7.4
>>>> CVE-2020-10673 | 2.6.7.4
>>>> CVE-2020-11112 | 2.6.7.4
>>>> CVE-2020-14060 | 2.6.7.4
>>>> CVE-2020-11620 | 2.6.7.4
>>>> CVE-2020-24616 | 2.6.7.4
>>>> CVE-2020-14195 | 2.6.7.4
>>>> CVE-2020-11619 | 2.6.7.4
>>>> CVE-2020-24750 | 2.6.7.4
>>>> CVE-2020-14061 | 2.6.7.4
>>>> CVE-2020-14062 | 2.6.7.4
>>>>
>>>> Please let me know if you are aware of it, and when you are expecting
>>>> to have this fixed.
>>>>
>>>
>>> I am not quite sure what the question here is.
>>>
>>> What is not fixed, where? According to whom? Since most CVEs are against
>>> jackson-databind, you can see the issue tracker here:
>>>
>>> https://github.com/FasterXML/jackson-databind/issues/
>>>
>>> and either search for "cve" (usually mentioned in the title), or the label
>>> "cve".
>>> Release notes under
>>>
>>> https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
>>>
>>> contain updates too, although if you are interested in branch 2.6,
>>> you'll have to check that branch (under 'release-notes/2.6').
>>> Note, however, that branch 2.6 is not maintained and it is unlikely
>>> anything would be fixed or released for that branch, beyond what has been
>>> backported by community members (Amazon OSS folks have been helpful with
>>> that).
>>>
>>> -+ Tatu +-
>>>
>>>> Best regards,
>>>>
>>>> *The content of this email is confidential and intended for the
>>>> recipient specified in message only. It is strictly prohibited to share any
>>>> part of this message with any third party, without a written consent of the
>>>> sender. If you received this message by mistake, please reply to this
>>>> message and follow with its deletion, so that we can ensure such a mistake
>>>> does not occur in the future.*
>>>>
>>>
>>
--
You received this message because you are subscribed to the Google Groups "jackson-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/CAGrxA26XC3rqQFBTQ4_A6%3D%3DC%3DTLcz7P6vC9784%3DkVoB9AT5%3Dpw%40mail.gmail.com.
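The practical problem in the thread above is reconciling what a scanner reports (driven by NVD's CPE entry for jackson-databind 2.6.7.4) with the fix versions actually known for the 2.6.7.x line. The script below is an added example, not code from the thread or from the Jackson project: it takes the CVE / fixed-version table Mario posted, compares four-component versions numerically rather than as strings, sorts a constructed scanner report into "fixed at or before this version", "still affected" and "not covered by the table" (the last bucket is what has to be checked by hand against the issue tracker Tatu points to), and builds the CPE 2.3 name and NVD search URL in the same form as the link quoted in the thread. The function names, the sample report and the placeholder id CVE-1970-0001 are assumptions made for the example.

```python
"""Triage vulnerability-scanner findings against the 2.6.7.x fix table.

Added example for this thread, not code from the Jackson project. The fix
table is the one posted in the thread; the scanner report is constructed.
"""
from __future__ import annotations

from urllib.parse import quote

# CVE -> first 2.6.7.x patch release that contains the fix, as listed in the thread.
FIXED_IN_2_6_7 = {
    "CVE-2017-15095": "2.6.7.2",
    "CVE-2018-11307": "2.6.7.3",
    "CVE-2019-14540": "2.6.7.3",
    "CVE-2019-14893": "2.6.7.3",
    "CVE-2019-16335": "2.6.7.3",
    "CVE-2019-16942": "2.6.7.3",
    "CVE-2019-17267": "2.6.7.3",
    "CVE-2019-20330": "2.6.7.4",
    "CVE-2020-8840": "2.6.7.4",
    "CVE-2020-9546": "2.6.7.4",
    "CVE-2020-9547": "2.6.7.4",
    "CVE-2020-9548": "2.6.7.4",
    "CVE-2020-10672": "2.6.7.4",
    "CVE-2020-10673": "2.6.7.4",
    "CVE-2020-10968": "2.6.7.4",
    "CVE-2020-10969": "2.6.7.4",
    "CVE-2020-11111": "2.6.7.4",
    "CVE-2020-11112": "2.6.7.4",
    "CVE-2020-11113": "2.6.7.4",
    "CVE-2020-11619": "2.6.7.4",
    "CVE-2020-11620": "2.6.7.4",
    "CVE-2020-14060": "2.6.7.4",
    "CVE-2020-14061": "2.6.7.4",
    "CVE-2020-14062": "2.6.7.4",
    "CVE-2020-14195": "2.6.7.4",
    "CVE-2020-24616": "2.6.7.4",
    "CVE-2020-24750": "2.6.7.4",
}

# Constructed scanner output for an artifact pinned at 2.6.7.4 (not real tool output).
SAMPLE_REPORT = [
    "CVE-2020-9547",   # fixed in 2.6.7.4
    "CVE-2018-11307",  # fixed in 2.6.7.3
    "CVE-2020-9547",   # duplicate finding; scanners often repeat one CVE per module
    "CVE-1970-0001",   # placeholder id, not a real CVE: stands in for a finding the table lacks
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.6.7.4' into (2, 6, 7, 4) so that 2.6.7.10 sorts after 2.6.7.4."""
    return tuple(int(part) for part in version.split("."))


def cpe23(version: str) -> str:
    """CPE 2.3 name for jackson-databind at the given version, as NVD lists it."""
    return f"cpe:2.3:a:fasterxml:jackson-databind:{version}:*:*:*:*:*:*:*"


def nvd_search_url(version: str) -> str:
    """NVD advanced-search URL for that CPE; ':' is percent-encoded, '*' is kept."""
    return ("https://nvd.nist.gov/vuln/search/results?adv_search=true&query="
            + quote(cpe23(version), safe="*"))


def triage(installed: str, findings: list[str]) -> dict[str, list[str]]:
    """Split findings for `installed` into fixed / affected / unknown.

    Valid only for the 2.6.7.x line, which is all the table covers; fix
    versions on other branches differ, so refuse anything else.
    """
    iv = parse_version(installed)
    if iv[:3] != (2, 6, 7):
        raise ValueError(f"fix table covers the 2.6.7.x line only, got {installed}")
    result: dict[str, list[str]] = {"fixed": [], "affected": [], "unknown": []}
    for cve in sorted(set(findings)):          # de-duplicate, stable order
        fix = FIXED_IN_2_6_7.get(cve)
        if fix is None:
            result["unknown"].append(cve)      # not in table: check the issue tracker
        elif iv >= parse_version(fix):
            result["fixed"].append(cve)        # scanner finding is a false positive here
        else:
            result["affected"].append(cve)     # genuinely unpatched at this version
    return result


if __name__ == "__main__":
    import json
    print(nvd_search_url("2.6.7.4"))
    print(json.dumps(triage("2.6.7.4", SAMPLE_REPORT), indent=2))
```

The "unknown" bucket is deliberately not treated as "safe": a CVE missing from the table may be a newer issue the 2.6 branch never received, which is exactly the case Tatu describes when he says the branch is closed beyond community backports.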
