Posted to dev@turbine.apache.org by Georg Kallidis <ge...@cedis.fu-berlin.de> on 2021/10/15 14:32:04 UTC
Fulcrum Security Hibernate Module
Hi Turbine Dev community,
Before we are ready to come up with the "big" Turbine Core release 5.1
(any volunteers noticing it now ;-)!)
we need to do a Fulcrum Security Component release, as it is a core
dependency.
But I still get vulnerability warnings for the hibernate module when I run
mvn org.owasp:dependency-check-maven:aggregate -DskipTests=true
https://nvd.nist.gov/vuln/detail/CVE-2020-25638
https://nvd.nist.gov/vuln/detail/CVE-2019-14900
We have the following options:
a) just wait until someone is prepared to fix it by upgrading (at least to
hibernate 5.3.23 from 3.6.10).
b) ignore it (suppress it) or
c) disable/remove it ?
Does anyone need this component to be up-to-date soon? If not, IMO we
should disable it for now?
Nevertheless, a JIRA task issue could be opened to do it later.
Best regards, Georg
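For option b), here is what a time-boxed OWASP dependency-check suppression tied to the follow-up JIRA task would look like; this is an added example, not code from the thread or from the Fulcrum project. It assumes the module's vulnerable dependency is the artifact org.hibernate:hibernate-core at 3.6.10 (the thread only says "hibernate 3.6.10"), a hypothetical file name dependency-check-suppressions.xml, and a placeholder JIRA key.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml: hypothetical file name, added example -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Scope the suppression to the single vulnerable artifact, not the whole build.
         Assumption: the Fulcrum hibernate module pulls in org.hibernate:hibernate-core 3.6.10. -->
    <suppress until="2022-03-31Z">
        <notes><![CDATA[
        Hibernate 3.6.10 in the Fulcrum Security hibernate module.
        Upgrade (to at least 5.3.23) or removal is tracked in JIRA: TBD (placeholder key).
        The suppression expires on the date above; after that the warnings return.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-core@3\.6\.10.*$</packageUrl>
        <!-- Only the two findings the scan reported, never a blanket suppression. -->
        <cve>CVE-2020-25638</cve>
        <cve>CVE-2019-14900</cve>
    </suppress>
</suppressions>

<!-- Registering the file with the plugin (pom.xml fragment, same goal as the
     "mvn org.owasp:dependency-check-maven:aggregate" run above): -->
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <configuration>
        <suppressionFiles>
            <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- Anything new that is not explicitly suppressed still fails the build. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
    </configuration>
</plugin>
```

The until attribute is what keeps option b) honest: the scan starts warning again on that date, so the JIRA task cannot silently be forgotten.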
Re: Fulcrum Security Hibernate Module
Posted by Thomas Vandahl <tv...@apache.org>.
Hi Georg,
> On 15.10.2021 at 16:32, Georg Kallidis <ge...@cedis.fu-berlin.de> wrote:
>
> a) just wait until someone is prepared to fix it by upgrading (at least to
> hibernate 5.3.23 from 3.6.10).
I guess that nowadays JPA would be the way to go. I always (half-heartedly) tried to keep the module at least current with the API, but never used it in a real application. Therefore...
> b) ignore it (suppress it) or
> c) disable/remove it ?
>
... I'm in favour of c)
> Nevertheless a JIRA task-issue could be opened to do it later ..
+1
Bye, Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@turbine.apache.org
For additional commands, e-mail: dev-help@turbine.apache.org
Re: Fulcrum Security Hibernate Module
Posted by Jeffery Painter <je...@jivecast.com>.
Hi Georg,
I don't use it
Thanks,
Jeff
On 10/15/21 10:32 AM, Georg Kallidis wrote:
> Hi Turbine Dev community,
>
> before we are ready to come up with the "big" Turbine Core release 5.1
> (any volunteers noticing it now ;-)!)
> we need to do a Fulcrum Security Component release, as it is a core
> dependency.
>
> But I still get vulnerability warnings for the hibernate module when I run
>
> mvn org.owasp:dependency-check-maven:aggregate -DskipTests=true
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-25638
> https://nvd.nist.gov/vuln/detail/CVE-2019-14900
>
> We have the following options:
>
> a) just wait until someone is prepared to fix it by upgrading (at least to
> hibernate 5.3.23 from 3.6.10).
> b) ignore it (suppress it) or
> c) disable/remove it ?
>
> Does anyone need this component to be up-to-date soon? If not, IMO we
> should disable it for now?
>
> Nevertheless, a JIRA task issue could be opened to do it later.
>
>
> Best regards, Georg
>