Posted to dev@turbine.apache.org by Georg Kallidis <ge...@cedis.fu-berlin.de> on 2021/10/15 14:32:04 UTC

Fulcrum Security Hibernate Module

Hi Turbine Dev community,

before we are ready to come up with the "big" Turbine Core release 5.1 
(any volunteers noticing it now ;-)!) 
we need to do a Fulcrum Security Component release, as it is a core 
dependency.

But I still get vulnerability warnings for the hibernate module, if I run

mvn org.owasp:dependency-check-maven:aggregate -DskipTests=true

https://nvd.nist.gov/vuln/detail/CVE-2020-25638
https://nvd.nist.gov/vuln/detail/CVE-2019-14900

We have the following options: 

a) just wait until someone is prepared to fix it by upgrading (at least to 
hibernate 5.3.23 from 3.6.10).
b) ignore it (suppress it) or
c) disable/remove it?

Does anyone need this component to be up-to-date soon? If no, IMO we 
should disable it for now?

Nevertheless a JIRA task-issue could be opened to do it later ..


Best regards, Georg
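
For option b), should the module be kept for now, the practitioner's version of "suppress it" is a time-boxed suppression scoped to the affected artifact and to the two reported CVEs, rather than a blanket ignore of the module. The suppression file below is an added example for this thread, not code from the Fulcrum Security or Turbine projects; the Maven coordinates org.hibernate:hibernate-core, the file name and the expiry date are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: OWASP dependency-check suppression file, e.g. saved as
     dependency-check-suppressions.xml next to the pom. Not part of the
     Fulcrum Security project. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- "until" makes the suppression expire: from that date on the two CVEs are
         reported again, so the accepted debt cannot silently become permanent.
         The date is an assumption; pick the next planned release date. -->
    <suppress until="2022-03-31Z">
        <notes><![CDATA[
            Hibernate 3.6.10 in the fulcrum-security hibernate module.
            Accepted until the module is either upgraded (see the JIRA task)
            or removed. Scoped to one artifact and two CVEs only: anything
            else found in this artifact still fails the scan.
        ]]></notes>
        <!-- Assumed coordinates org.hibernate:hibernate-core. The regex keeps the
             match version-independent but still artifact-specific, so it does not
             hide findings in other org.hibernate artifacts. -->
        <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-core@.*$</packageUrl>
        <cve>CVE-2020-25638</cve>
        <cve>CVE-2019-14900</cve>
    </suppress>
</suppressions>
```

The file is wired in through the plugin's suppressionFiles configuration, and failBuildOnCVSS should stay set so that any finding outside the two listed CVEs still breaks the release build. Once the JIRA task is done the file can be deleted; if the until date passes first, the scan starts failing again, which is the intended reminder.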


Re: Fulcrum Security Hibernate Module

Posted by Thomas Vandahl <tv...@apache.org>.
Hi Georg,

> Am 15.10.2021 um 16:32 schrieb Georg Kallidis <ge...@cedis.fu-berlin.de>:
> 
> a) just wait until someone is prepared to fix it by upgrading (at least to 
> hibernate 5.3.23 from 3.6.10).

I guess that nowadays JPA would be the way to go. I always (half-heartedly) tried to keep the module at least current with the API, but never used it in a real application. Therefore...

> b) ignore it (suppress it) or
> c) disable/remove it?
> 
... I'm in favour of c)

> Nevertheless a JIRA task-issue could be opened to do it later ..
+1

Bye, Thomas 
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@turbine.apache.org
For additional commands, e-mail: dev-help@turbine.apache.org


Re: Fulcrum Security Hibernate Module

Posted by Jeffery Painter <je...@jivecast.com>.
Hi Georg,

I don't use it.


Thanks,

Jeff


On 10/15/21 10:32 AM, Georg Kallidis wrote:
> Hi Turbine Dev community,
>
> before we are ready to come up with the "big" Turbine Core release 5.1
> (any volunteers noticing it now ;-)!)
> we need to do a Fulcrum Security Component release, as it is a core
> dependency.
>
> But I still get vulnerability warnings for the hibernate module, if I run
>
> mvn org.owasp:dependency-check-maven:aggregate -DskipTests=true
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-25638
> https://nvd.nist.gov/vuln/detail/CVE-2019-14900
>
> We have the following options:
>
> a) just wait until someone is prepared to fix it by upgrading (at least to
> hibernate 5.3.23 from 3.6.10).
> b) ignore it (suppress it) or
> c) disable/remove it?
>
> Does anyone need this component to be up-to-date soon? If no, IMO we
> should disable it for now?
>
> Nevertheless a JIRA task-issue could be opened to do it later ..
>
>
> Best regards, Georg
>
