Posted to dev@commons.apache.org by Stefan Bodewig <bo...@apache.org> on 2018/05/16 06:24:40 UTC

[io] Black Duck apparently sees vulnerability in 2.5

Hi all

https://issues.apache.org/jira/browse/IO-559 says BlackDuck would call
IO 2.5 vulnerable because of this issue - so far I've not been able to
verify this claim. I guess it is because of IO-556 that has been closed
as a duplicate of IO-559.

There is a PR (by me) to fix the bug
https://github.com/apache/commons-io/pull/52 - as this is my first
contribution to IO I'd appreciate if anybody else could spare some time
and verify it. I'll rebase it onto master soon.

Also, would there be any reason to not cut a new release from master? I
mean is there any work in progress that needs to be finished?

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Re: [io] Black Duck apparently sees vulnerability in 2.5

Posted by Gary Gregory <ga...@gmail.com>.
WRT releasing, the new file system class needs to be finished/cleaned up or
removed.

Gary

On Thu, May 17, 2018 at 1:27 PM, Stefan Bodewig <bo...@apache.org> wrote:

> On 2018-05-17, Pascal Schumacher wrote:
>
> > Am 16.05.2018 um 08:24 schrieb Stefan Bodewig:
>
> >> Also, would there be any reason to not cut a new release from master? I
> >> mean is there any work in progress that needs to be finished?
>
> > I think a new release from master can be done any time.
>
> Thanks, I also looked through the commits. To me it looks as if master
> contained commits that address
> https://issues.apache.org/jira/browse/IO-567 but the ticket says "in
> progress".
>
> Stefan
>

Re: [io] Black Duck apparently sees vulnerability in 2.5

Posted by Stefan Bodewig <bo...@apache.org>.
On 2018-05-17, Pascal Schumacher wrote:

> Am 16.05.2018 um 08:24 schrieb Stefan Bodewig:

>> Also, would there be any reason to not cut a new release from master? I
>> mean is there any work in progress that needs to be finished?

> I think a new release from master can be done any time.

Thanks, I also looked through the commits. To me it looks as if master
contained commits that address
https://issues.apache.org/jira/browse/IO-567 but the ticket says "in
progress".

Stefan



Re: [io] Black Duck apparently sees vulnerability in 2.5

Posted by Pascal Schumacher <pa...@gmx.net>.
Am 16.05.2018 um 08:24 schrieb Stefan Bodewig:
> Also, would there be any reason to not cut a new release from master? I
> mean is there any work in progress that needs to be finished?

I think a new release from master can be done any time.

-Pascal



Re: [io] Black Duck apparently sees vulnerability in 2.5

Posted by Stefan Bodewig <bo...@apache.org>.
On 2018-05-16, Otto Fowler wrote:

> Is there a PMC for IO?

Sure, IO is a component overseen by the Apache Commons PMC.

Maybe I should also point at http://commons.apache.org/security.html ?

Stefan



Re: [io] Black Duck apparently sees vulnerability in 2.5

Posted by Stefan Bodewig <bo...@apache.org>.
On 2018-05-16, Otto Fowler wrote:

> I believe all security related issues and vulnerabilities need to be
> handled privately by the PMC for the project.
> Has this issue gone through the PMC?

The "issue" is public discussion in a JIRA issue, it is public knowledge
anyway.

Stefan



Re: [io] Black Duck apparently sees vulnerability in 2.5

Posted by Otto Fowler <ot...@gmail.com>.
I believe all security related issues and vulnerabilities need to be
handled privately by the PMC for the project.
Has this issue gone through the PMC?


On May 16, 2018 at 10:50:21, Gilles (gilles@harfang.homelinux.org) wrote:

On Wed, 16 May 2018 07:33:54 -0700, Otto Fowler wrote:
> Is there a PMC for IO?

There is a PMC for all of "Commons".
Components are unequal wrt the number of contributors (and
attention they get from the PMC).

Gilles

> On May 16, 2018 at 02:24:44, Stefan Bodewig (bodewig@apache.org)
> wrote:
>
> Hi all
>
> https://issues.apache.org/jira/browse/IO-559 says BlackDuck would
> call
> IO 2.5 vulnerable because of this issue - so far I've not been able
> to
> verify this claim. I guess it is because of IO-556 that has been
> closed
> as a duplicate of IO-559.
>
> There is a PR (by me) to fix the bug
> https://github.com/apache/commons-io/pull/52 - as this is my first
> contribution to IO I'd appreciate if anybody else could spare some
> time
> and verify it. I'll rebase it onto master soon.
>
> Also, would there be any reason to not cut a new release from master?
> I
> mean is there any work in progress that needs to be finished?
>
> Stefan
>




Re: [io] Black Duck apparently sees vulnerability in 2.5

Posted by Gilles <gi...@harfang.homelinux.org>.
On Wed, 16 May 2018 07:33:54 -0700, Otto Fowler wrote:
> Is there a PMC for IO?

There is a PMC for all of "Commons".
Components are unequal wrt the number of contributors (and
attention they get from the PMC).

Gilles

> On May 16, 2018 at 02:24:44, Stefan Bodewig (bodewig@apache.org) 
> wrote:
>
> Hi all
>
> https://issues.apache.org/jira/browse/IO-559 says BlackDuck would 
> call
> IO 2.5 vulnerable because of this issue - so far I've not been able 
> to
> verify this claim. I guess it is because of IO-556 that has been 
> closed
> as a duplicate of IO-559.
>
> There is a PR (by me) to fix the bug
> https://github.com/apache/commons-io/pull/52 - as this is my first
> contribution to IO I'd appreciate if anybody else could spare some 
> time
> and verify it. I'll rebase it onto master soon.
>
> Also, would there be any reason to not cut a new release from master? 
> I
> mean is there any work in progress that needs to be finished?
>
> Stefan
>





Re: [io] Black Duck apparently sees vulnerability in 2.5

Posted by Otto Fowler <ot...@gmail.com>.
Is there a PMC for IO?


On May 16, 2018 at 02:24:44, Stefan Bodewig (bodewig@apache.org) wrote:

Hi all

https://issues.apache.org/jira/browse/IO-559 says BlackDuck would call
IO 2.5 vulnerable because of this issue - so far I've not been able to
verify this claim. I guess it is because of IO-556 that has been closed
as a duplicate of IO-559.

There is a PR (by me) to fix the bug
https://github.com/apache/commons-io/pull/52 - as this is my first
contribution to IO I'd appreciate if anybody else could spare some time
and verify it. I'll rebase it onto master soon.

Also, would there be any reason to not cut a new release from master? I
mean is there any work in progress that needs to be finished?

Stefan
