Thanks, Richard!!
On Mon, Nov 18, 2019 at 3:44 AM Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> wrote:
> Did not find anything with the owasp plugin profile. Should be fine (for
> now).
>
>
> On Wednesday, 13.11.2019, at 08:25 -0600, Richard Monson-Haefel wrote:
>
> Excellent! Thanks,
Did not find anything with the owasp plugin profile. Should be fine
(for now).
On Wednesday, 13.11.2019, at 08:25 -0600, Richard Monson-Haefel wrote:
> Excellent! Thanks, Richard!
>
> On Wed, Nov 13, 2019 at 8:18 AM Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de> wrote:
> > Ok, John did
Excellent! Thanks, Richard!
On Wed, Nov 13, 2019 at 8:18 AM Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> wrote:
> Ok, John did comment in the JIRA, that the upgrades are already conducted
> in previous commits.
> I will run an OWASP scan on the code. If this reveals some more vulnerable
Please note my comment on the JIRA:
These have already been done:
Update to Jackson Databind 2.10.0:
https://github.com/apache/tomee/commit/5e38138463f65146c4087da8085c8dcd93079ef1
TOMEE-2725 update beanutils to 1.9.4:
Ok, John did comment in the JIRA, that the upgrades are already
conducted in previous commits. I will run an OWASP scan on the code. If
this reveals some more vulnerable dependencies, I will report in the
JIRA and provide a PR, if possible.
Best,
Richard Z.
On Wednesday, 13.11.2019, at 14:08 +
Alright, I will proceed :)
Best,
Richard
On Wednesday, 13.11.2019, at 07:52 -0600, Richard Monson-Haefel wrote:
> If you don't mind, Richard, can you do the upgrades and create a PR?
> We can let it run overnight and see how it goes.
> I'm not sure as to what the best policy is for announcing
If you don't mind, Richard, can you do the upgrades and create a PR? We can
let it run overnight and see how it goes.
I'm not sure as to what the best policy is for announcing the CVE so that
people know to upgrade. I think we should figure that out after the CI has
run. As an alternative you can
Sounds reasonable to me. If I can assist in upgrading, let me know.
However, we should publish the link to the ASF CI somewhere, so we can
better monitor the current build status.
Best,
Richard Z
On Wednesday, 13.11.2019, at 07:00 -0600, Richard Monson-Haefel wrote:
> Is this a matter of upgrading
Is this a matter of upgrading and testing or is there more to it than
that? If that's it we can create a PR with the updates and let the ASF CI
run the tests and look for problems.
On Wed, Nov 13, 2019 at 5:58 AM COURTAULT Francois <
francois.courta...@thalesgroup.com> wrote:
> Hello,
>
>