VOTE is almost complete; I should be able to complete the VOTE and push out jars tonight or tomorrow.
Gary

On Mon, May 31, 2021, 12:52 Gary Gregory <[email protected]> wrote:

> I hope to have a release candidate for 2.9.0 this week that no longer
> publishes the password via JMX.
>
> Gary
>
> On Wed, May 26, 2021, 11:09 Adesina Adebiyi <[email protected]> wrote:
>
>> Good day,
>>
>> I trust this enquiry finds you well.
>>
>> I am researching an issue raised by Sonatype (sonatype-2020-1349).
>>
>> It looks like Gary Gregory's commit of Sep 21, 2020 fixed the issue:
>>
>> https://github.com/apache/commons-dbcp/commit/a4c5af0da1de3a7f50c72fc7edaa1f653ca276dd
>>
>> Yet, Sonatype is still claiming that version 2.8.0 is vulnerable. Indeed,
>> WhiteSource and Snyk.io are also claiming that all versions of the Apache
>> Commons DBCP, including version 2.8.0, are vulnerable:
>>
>> WhiteSource
>> Upgrade Version: No fix version available
>> CVSS v3.1
>> https://www.whitesourcesoftware.com/vulnerability-database/WS-2020-0287
>>
>> sonatype-2020-1349
>> CVSS Vector: CVSS:3.1
>> The Apache Commons DBCP packages are vulnerable to Insufficiently Protected
>> Credentials.
>> The application is vulnerable by using this componen
>>
>> https://snyk.io/vuln/maven:org.apache.commons%3Acommons-dbcp2
>> Vulnerability: Information Exposure
>> Vulnerable versions: [0,]
>> org.apache.commons:commons-dbcp2 2.8.0
>> Published 21 Sep, 2020
>>
>> I would really appreciate your help and insight on this: Was Gary's commit
>> never released? Or could it be that WhiteSource, Sonatype, and Snyk.io are
>> all reporting this incorrectly, since Gary's "released" commit already fixed
>> the issue?
>>
>> Thank you in advance for your prompt response. And stay safe as we
>> continue to emerge from the Covid-19 public health concerns.
>>
>> Regards,
>>
>> Adesina
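The fix under discussion is that the data source stops publishing its password as a JMX attribute. The following is an added example, not code from this thread or from Apache Commons DBCP: an in-process audit that walks the platform MBeanServer and reports any readable attribute whose name looks like a credential, so an operator can confirm after upgrading that no MBean (a DBCP BasicDataSource registered via its jmxName, or anything else) still exposes one. It assumes the application has already registered its MBeans on the platform server, and the attribute-name keywords are a heuristic chosen here, not names taken from DBCP.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.management.JMException;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

/** Added example (not part of commons-dbcp): audit JMX for credential-like attributes. */
public class JmxCredentialAudit {

    /** Heuristic attribute-name keywords (assumption: chosen for this example). */
    private static final String[] KEYWORDS = {"password", "passwd", "secret"};

    /**
     * Returns "objectName#attribute" for every readable attribute on any registered
     * MBean whose name contains one of the keywords. Only metadata is inspected;
     * attribute values are never read.
     */
    public static List<String> findExposedCredentialAttributes(MBeanServer server)
            throws JMException {
        List<String> hits = new ArrayList<>();
        for (ObjectName name : server.queryNames(null, null)) {
            MBeanInfo info = server.getMBeanInfo(name);
            for (MBeanAttributeInfo attr : info.getAttributes()) {
                if (!attr.isReadable()) {
                    continue;
                }
                String lower = attr.getName().toLowerCase(Locale.ROOT);
                for (String kw : KEYWORDS) {
                    if (lower.contains(kw)) {
                        hits.add(name + "#" + attr.getName());
                        break;
                    }
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: run inside the JVM after the data source has registered its MBean.
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        List<String> hits = findExposedCredentialAttributes(server);
        if (hits.isEmpty()) {
            System.out.println("No credential-like JMX attributes are readable.");
            return;
        }
        for (String hit : hits) {
            System.out.println("Exposed: " + hit);
        }
        System.exit(1); // non-zero so a deployment check can fail on exposure
    }
}
```

A non-empty result on a fixed DBCP release points at some other MBean in the process, since the audit covers every registered bean, not just the data source.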
