Posted to user@commons.apache.org by "Singh, Randeep" <ra...@sap.com.INVALID> on 2021/05/27 14:15:16 UTC

Security issue in commons-fileupload version 1.4.

Hi All,

This is regarding a security issue reported in our component, which comes from the commons-io (2.2) library, a transitive dependency via commons-fileupload.
It seems this is fixed in commons-io 2.7 or above; hence, would it be possible to bump the version of commons-io to 2.8 or 2.9 and release a patch?
I can see that this has already been done in this commit https://github.com/apache/commons-fileupload/commit/8370f1e0a15a0469d04579e2abd5500ebf90b8c8/ . May I know by when we can expect a release of 2.0, in case a patch is not possible?


Best Regards
Randeep

Re: Security issue in commons-fileupload version 1.4.

Posted by Gilles Sadowski <gi...@gmail.com>.
On Fri 28 May 2021 at 18:42, Jurrie Overgoor <ju...@jurr.org> wrote:
>> [...]
> [...]
>
> In the end this would all be 'fixed' when a release would be less work.
> At the risk of igniting a fierce discussion: why are Apache releases so
> much work?

Perhaps not so much work but, effectively in the "Commons" project,
the scarce number of people doing the work.

> Is there anything that can be improved in this?

Come and help (or ask people to do so). ;-)

Best,
Gilles

>>> [...]

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org


Re: Security issue in commons-fileupload version 1.4.

Posted by Jurrie Overgoor <ju...@jurr.org>.
On 27-05-2021 18:05, Mark Thomas wrote:
> On 27/05/2021 16:29, Matt Sicker wrote:
>> As the user, you have ultimate control over transitive dependency
>> versions that end up in your application. Using Maven, for example,
>> you can override the commons-fileupload dependency on commons-io to
>> the latest release. I don't think anyone here wants to go through an
>> entire release for a component just to update a dependency.
>
> I'll add that a vulnerability in a dependency does not always 
> translate into a vulnerability in the code using the dependency. The 
> last time the ASF looked at this across a large number of our Java 
> projects, only about 10% of vulnerabilities translated into potential 
> vulnerabilities in the code using the dependency.


Hi Mark, Matt,

Very true, but there is a risk as well. The user should make the 
assessment on whether he/she is vulnerable due to the transitive 
dependency. As security issues are sometimes quite obscure, and can 
deceive many programmers, it is not always easy to make the correct 
judgement.

It is true that the user has ultimate control over transitive 
dependencies, but my gut feeling is that most of the users do not even 
bother to look at them. They just fly with the defaults, and don't think 
twice. Even more so: most users do not actually scan their dependencies, 
so they don't know about the published CVE in the first place.

I totally understand that the effort to do a release is large - too 
large for just a dependency update. And I see the argument that the user 
is responsible for managing his/her dependencies. But I also think that 
community projects have a responsibility as well in this.

In the end this would all be 'fixed' when a release would be less work. 
At the risk of igniting a fierce discussion: why are Apache releases so 
much work? Is there anything that can be improved in this?

With kind regards,

Jurrie






Re: Security issue in commons-fileupload version 1.4.

Posted by Mark Thomas <ma...@apache.org>.
On 27/05/2021 16:29, Matt Sicker wrote:
> As the user, you have ultimate control over transitive dependency
> versions that end up in your application. Using Maven, for example,
> you can override the commons-fileupload dependency on commons-io to
> the latest release. I don't think anyone here wants to go through an
> entire release for a component just to update a dependency.

I'll add that a vulnerability in a dependency does not always translate 
into a vulnerability in the code using the dependency. The last time the 
ASF looked at this across a large number of our Java projects, only 
about 10% of vulnerabilities translated into potential vulnerabilities 
in the code using the dependency.

Mark






Re: Security issue in commons-fileupload version 1.4.

Posted by Matt Sicker <bo...@gmail.com>.
As the user, you have ultimate control over transitive dependency
versions that end up in your application. Using Maven, for example,
you can override the commons-fileupload dependency on commons-io to
the latest release. I don't think anyone here wants to go through an
entire release for a component just to update a dependency.




RE: Security issue in commons-fileupload version 1.4.

Posted by "Singh, Randeep" <ra...@sap.com.INVALID>.
Hi Colleagues,

Any updates you may have would be greatly appreciated.

Best Regards
Randeep