Posted to user@commons.apache.org by Adesina Adebiyi <ad...@equifax.com.INVALID> on 2021/05/26 14:39:54 UTC

Re: Apache Commons DBCP 2.8.0

Good day,

I trust this enquiry of mine finds you well.

I am researching an issue raised by sonatype (sonatype-2020-1349).

It looks like Gary Gregory's commit of Sep 21, 2020 fixed the issue:
https://github.com/apache/commons-dbcp/commit/a4c5af0da1de3a7f50c72fc7edaa1f653ca276dd

Yet, Sonatype is still claiming that version 2.8.0 is vulnerable.  Indeed,
WhiteSource and Snyk.io are also claiming that all versions of the Apache
commons dbcp including version 2.8.0 are vulnerable:

WhiteSource
Upgrade Version
No fix version available
CVSS v3.1
https://www.whitesourcesoftware.com/vulnerability-database/WS-2020-0287


sonatype-2020-1349
CVSS Vector:CVSS:3.1
The Apache Commons DBCP packages are vulnerable to Insufficiently Protected
Credentials.
The application is vulnerable by using this component.


https://snyk.io/vuln/maven:org.apache.commons%3Acommons-dbcp2
Vulnerability: Information Exposure   Vulnerable versions [0,]
org.apache.commons:commons-dbcp2 2.8.0  Published 21 Sep, 2020

I would really appreciate your help and insight on this:  Was Gary's commit
never released?  Or could it be that WhiteSource, Sonatype, and Snyk.io are
all reporting this incorrectly since Gary's "released" commit already fixed
the issue.

Thank you in advance for your prompt response.  And stay safe as we
continue to emerge from the Covid-19 public health concerns.

Regards,

Adesina

-- 
This message contains proprietary information from Equifax which may be 
confidential. If you are not an intended recipient, please refrain from any 
disclosure, copying, distribution or use of this information and note that 
such actions are prohibited. If you have received this transmission in 
error, please notify by e-mail postmaster@equifax.com 
<ma...@equifax.com>.


Equifax® is a registered trademark of 
Equifax Inc.  All rights reserved.

Re: Apache Commons DBCP 2.8.0

Posted by Gary Gregory <ga...@gmail.com>.
VOTE is almost complete, I should be able to complete the VOTE and push out
jars tonight or tomorrow.

Gary

On Mon, May 31, 2021, 12:52 Gary Gregory <ga...@gmail.com> wrote:

> I hope to have a release candidate for 2.9.0 this week that no longer
> publishes the password via JMX.
>
> Gary
>

Re: Apache Commons DBCP 2.8.0

Posted by Gary Gregory <ga...@gmail.com>.
I hope to have a release candidate for 2.9.0 this week that no longer
publishes the password via JMX.

Gary


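A check a defender can run against a JVM to confirm whether any registered MBean still hands out a populated credential attribute, written for this thread as an added example; it is not DBCP's code and does not come from either message. The `LeakyDataSource` MBean it registers is a constructed stand-in for a data source that publishes its password via JMX, which is what Gary's message says the 2.9.0 release stops doing; the object name `com.example.audit:type=LeakyDataSource`, the sample credential values and the attribute-name heuristics are assumptions. Pointed at a real application's platform MBeanServer (or a remote JMX connector), the same scan reports a DBCP data source registered under its configured `jmxName` if a readable password attribute is still present.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

public class JmxCredentialAudit {

    // Constructed stand-in for a data source MBean that exposes its password.
    // This is NOT the DBCP API; it only reproduces the shape of the exposure.
    public interface LeakyDataSourceMBean {
        String getUrl();
        String getUsername();
        String getPassword();
    }

    public static class LeakyDataSource implements LeakyDataSourceMBean {
        public String getUrl() { return "jdbc:example://db.internal/app"; } // constructed
        public String getUsername() { return "app_user"; }                 // constructed
        public String getPassword() { return "constructed-secret"; }       // constructed
    }

    // Returns "objectName / attributeName" for every readable attribute whose
    // name suggests a credential and whose value is non-empty. The value itself
    // is deliberately never returned or printed, only the fact that it is exposed.
    public static List<String> findExposedCredentials(MBeanServer server) {
        List<String> findings = new ArrayList<>();
        Set<ObjectName> names = server.queryNames(null, null);
        for (ObjectName name : names) {
            MBeanInfo info;
            try {
                info = server.getMBeanInfo(name);
            } catch (Exception e) {
                continue; // some platform MBeans refuse introspection; skip them
            }
            for (MBeanAttributeInfo attr : info.getAttributes()) {
                if (!attr.isReadable()) {
                    continue;
                }
                String attrName = attr.getName();
                String lower = attrName.toLowerCase(Locale.ROOT);
                boolean looksLikeCredential = lower.contains("password")
                        || lower.contains("secret")
                        || lower.contains("credential");
                if (!looksLikeCredential) {
                    continue;
                }
                Object value;
                try {
                    value = server.getAttribute(name, attrName);
                } catch (Exception e) {
                    continue; // unreadable at runtime: nothing is exposed
                }
                if (value != null && !value.toString().isEmpty()) {
                    findings.add(name + " / " + attrName);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        // Register the constructed MBean so the scan has something to find.
        ObjectName name = new ObjectName("com.example.audit:type=LeakyDataSource");
        server.registerMBean(new LeakyDataSource(), name);
        try {
            List<String> findings = findExposedCredentials(server);
            if (findings.isEmpty()) {
                System.out.println("No populated credential attributes exposed over JMX.");
            }
            for (String finding : findings) {
                System.out.println("EXPOSED: " + finding);
            }
        } finally {
            server.unregisterMBean(name);
        }
    }
}
```

It needs only the JDK: `javac JmxCredentialAudit.java && java JmxCredentialAudit`. The scan reports attribute names rather than values so that running the audit does not itself copy a secret into logs; in a real deployment the same reasoning is why the password attribute should not be registered at all, which is the change the 2.9.0 release candidate in this thread makes.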