Hello Nick,
Our current plan is to finish creating our overview of the currently
detected CVEs. We will share this overview with private@, including a
proposal on how to proceed; what to suppress, what to accept, creating
issues, etc.
It's probably more convenient to start working on CVE
Hi Wes,
Comments inline.
On Wed, Mar 8, 2023 at 1:44 PM Wes Schuitema wrote:
> We could proceed as follows:
> - We keep on working on finding out which CVEs are relevant, which we want to
> do anyway. We do need to know if it's okay to discuss the results on the
> mailing list or Jira or if we
Thanks for the quick reply!
We're definitely interested in actively pursuing results of scans. Our main
goal is to maintain a list of detectable CVEs and document their status.
We want to know which CVEs are false positives, which CVEs are accepted,
and how to mitigate possible risks CVEs pose.
Thanks for looking at security problems.
All ASF projects follow the same way to process security problems; please
see here:
https://www.apache.org/security/
And on the CVEs from dependencies, usually the HBase community will fix it
ASAP. And we have also enabled Dependabot on GitHub to help us
Hi Wes,
Thanks a lot for your interest. I think that you'll find this community is
interested in squashing CVEs. As you can see in the description
on HBASE-27436, doing so in a way that meets our strict
compatibility guidelines can be technically challenging. Flagging the
attention of specific
Hello devs,
When doing a security audit on the software we're using, we've found a few
CVEs in HBase. We've been looking into the mailing list and Jira in order
to see if these are known and/or accepted CVEs and have found some related
issues.
One of the detected CVEs is mentioned in an issue as