Fwd: [apache/incubator-livy] One of your dependencies may have a security vulnerability

2018-03-06 Thread Saisai Shao
Hi Alex,

Would you please check again? Thanks!

Best regards

-- Forwarded message --
From: Apache Security Team 
Date: 2018-03-06 16:39 GMT+08:00
Subject: Re: [apache/incubator-livy] One of your dependencies may have a
security vulnerability
To: Saisai Shao 
Cc: priv...@livy.incubator.apache.org, Apache Security Team <secur...@apache.org>


Hi, no the gitlab notification states it needs to be nokogiri > 1.8.1 and
your current Gemfile.lock specifies = 1.8.0

Cheers, Mark J Cox

On Tue, Mar 6, 2018 at 12:13 AM, Saisai Shao  wrote:

> I think it was fixed by Alex (https://github.com/apache/incubator-livy/commit/26428c56f20ba5ea608038ed8c2e11d8f04665d4).
>
>
> 2018-03-06 2:29 GMT+08:00 Marcelo Vanzin :
>
>> Hey Alex / Saisai,
>>
>> This was fixed, right?
>>
>> If so you need to update the guys at security@ saying this was fixed (or
>> what needs to be done to fix it).
>>
>>
>> On Mon, Mar 5, 2018 at 1:50 AM, Apache Security Team wrote:
>>
>>> On Mon, Feb 19, 2018 at 8:55 AM, Apache Security Team <
>>> secur...@apache.org> wrote:
>>>
>>>> Hi Livy team, making sure you saw this and will action it.
>>>>
>>>> Regards, Mark J Cox
>>>>
>>>> On Tue, Jan 23, 2018 at 10:14 PM, Greg Stein  wrote:
>>>>
>>>>> Livy PPMC: FYI
>>>>>
>>>>> -- Forwarded message --
>>>>> From: GitHub
>>>>> Date: Tue, Jan 23, 2018 at 2:22 PM
>>>>> Subject: [apache/incubator-livy] One of your dependencies may have a
>>>>> security vulnerability
>>>>> To: apache/incubator-livy
>>>>> Cc: Security alert
>>>>>
>>>>>
>>>>> We found a potential security vulnerability in one of your dependencies
>>>>>
>>>>> *gstein,*
>>>>>
>>>>> We found a potential security vulnerability in a repository for which
>>>>> you have been granted security alert access.
>>>>> apache/incubator-livy
>>>>> Known *critical severity* security vulnerability detected in nokogiri
>>>>> < 1.8.1 defined in Gemfile.lock.
>>>>>
>>>>> Gemfile.lock
>>>>> update suggested: nokogiri ~> 1.8.1.
>>>>> Always verify the validity and compatibility of suggestions with your
>>>>> codebase.
>>>>> Review vulnerable dependency
>>>>> --
>>>>>
>>>>> Only users who have been assigned access to security alerts will
>>>>> receive these notifications.
>>>>> Unsubscribe
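
The check the security team did by hand in the thread above (the alert asks for nokogiri ~> 1.8.1, the committed Gemfile.lock still pins 1.8.0), written as a script. This is an added example and not code from the thread or from the Livy project. It parses the `specs:` blocks of a Gemfile.lock in the layout Bundler writes and asks whether each pinned version satisfies the requirement quoted from the alert. The lockfile text embedded below is constructed for the example; the real Livy Gemfile.lock is not reproduced here.

```ruby
# Added example, not code from the thread or the Livy project: check whether
# the version a Gemfile.lock actually pins satisfies a dependency alert's
# requirement. The Livy thread hit exactly this gap: the fix was believed
# committed while the lockfile still said nokogiri (1.8.0) and the alert
# asked for ~> 1.8.1.
require "rubygems"

# Parse every `specs:` block of a Gemfile.lock into {gem_name => version}.
# Bundler writes a resolved gem as "    name (version)" (4-space indent);
# the gem's own dependencies follow with a 6-space indent and a constraint
# instead of a version, so they do not match the pattern and are skipped.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # a blank line or a new column-0 section (PLATFORMS, DEPENDENCIES, ...) ends the block
    if in_specs && (line.strip.empty? || line !~ /\A\s/)
      in_specs = false
      next
    end
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
  versions
end

# Return {gem_name => locked_version} for every alerted gem whose locked
# version does NOT satisfy the alert's requirement. `alerts` maps gem name
# to the requirement string as the alert states it, e.g. "~> 1.8.1".
def vulnerable_pins(lockfile_text, alerts)
  locked = locked_versions(lockfile_text)
  alerts.each_with_object({}) do |(name, req_str), out|
    version = locked[name]
    next if version.nil?                     # gem not in this lock: nothing pinned
    bare = version.split("-", 2).first       # drop a platform suffix such as 1.8.0-x64-mingw32
    req = Gem::Requirement.new(req_str)
    out[name] = version unless req.satisfied_by?(Gem::Version.new(bare))
  end
end

# Requirement quoted from the GitHub alert in the thread.
ALERTS = { "nokogiri" => "~> 1.8.1" }.freeze

# Constructed lockfiles in the shape Bundler writes (the real Livy
# Gemfile.lock is not reproduced here): one pinned at the flagged version,
# one after bumping the pin.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.3.0)
      nokogiri (1.8.0)
        mini_portile2 (~> 2.3.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri (= 1.8.0)

  BUNDLED WITH
     1.16.1
LOCK

LOCK_AFTER = LOCK_BEFORE.gsub("1.8.0", "1.8.2")

if $PROGRAM_NAME == __FILE__
  { "before fix" => LOCK_BEFORE, "after fix" => LOCK_AFTER }.each do |label, lock|
    bad = vulnerable_pins(lock, ALERTS)
    if bad.empty?
      puts "#{label}: every alerted gem satisfies its requirement"
    else
      bad.each { |name, v| puts "#{label}: #{name} #{v} does not satisfy #{ALERTS[name]}" }
    end
  end
end
```

Run it against the lockfile that was actually committed, not the Gemfile; the lock is what Bundler installs, and a `~>` requirement is evaluated by `Gem::Requirement`, so 1.8.2 passes `~> 1.8.1` while 1.8.0 and 1.9.0 both fail.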

Re: Fwd: [apache/incubator-livy] One of your dependencies may have a security vulnerability

2018-01-23 Thread Alex Bozarth

Wow those urls make that email really difficult to understand. I believe
what it says is that the nokogiri version we're setting in the Gemlock file
should be updated to 1.8.1 to fix a known vulnerability? If so it needs to
be addressed in many Apache incubator websites since that Gemlock was
imported from the website repo which was forked from the apache website
template repo. I can patch it in the morning (unless you'd like to do it)
and we can push it to 0.4.1, 0.5.0 and master. I'll have to cut an rc2
tomorrow also in that case.


   
Alex Bozarth
Software Engineer
Spark Technology Center

E-mail: ajboz...@us.ibm.com
GitHub: github.com/ajbozarth

505 Howard Street
San Francisco, CA 94105
United States


From:   Saisai Shao <sai.sai.s...@gmail.com>
To: dev@livy.incubator.apache.org
Date:   01/23/2018 06:16 PM
Subject:        Fwd: [apache/incubator-livy] One of your dependencies may have
a security vulnerability



Hi Alex,

Is it due to your recent changes to add ruby file?

Thanks
Jerry

-- Forwarded message --
From: Greg Stein <gst...@gmail.com>
Date: 2018-01-24 6:14 GMT+08:00
Subject: Fwd: [apache/incubator-livy] One of your dependencies may have a
security vulnerability
To: priv...@livy.incubator.apache.org
Cc: priv...@incubator.apache.org, priv...@infra.apache.org,
secur...@apache.org


Livy PPMC: FYI

-- Forwarded message --
From: GitHub <notificati...@github.com>
Date: Tue, Jan 23, 2018 at 2:22 PM
Subject: [apache/incubator-livy] One of your dependencies may have a
security vulnerability
To: apache/incubator-livy <incubator-l...@noreply.github.com>
Cc: Security alert <security_al...@noreply.github.com>



Fwd: [apache/incubator-livy] One of your dependencies may have a security vulnerability

2018-01-23 Thread Saisai Shao
Hi Alex,

Is it due to your recent changes to add ruby file?

Thanks
Jerry

-- Forwarded message --
From: Greg Stein <gst...@gmail.com>
Date: 2018-01-24 6:14 GMT+08:00
Subject: Fwd: [apache/incubator-livy] One of your dependencies may have a
security vulnerability
To: priv...@livy.incubator.apache.org
Cc: priv...@incubator.apache.org, priv...@infra.apache.org,
secur...@apache.org


Livy PPMC: FYI

-- Forwarded message --
From: GitHub <notificati...@github.com>
Date: Tue, Jan 23, 2018 at 2:22 PM
Subject: [apache/incubator-livy] One of your dependencies may have a
security vulnerability
To: apache/incubator-livy <incubator-l...@noreply.github.com>
Cc: Security alert <security_al...@noreply.github.com>


We found a potential security vulnerability in one of your dependencies

*gstein,*

We found a potential security vulnerability in a repository for which you
have been granted security alert access.
apache/incubator-livy
Known *critical severity* security vulnerability detected in nokogiri <
1.8.1 defined in Gemfile.lock.

Gemfile.lock
update suggested: nokogiri ~> 1.8.1.
Always verify the validity and compatibility of suggestions with your
codebase.
Review vulnerable dependency