Posted to issues@maven.apache.org by GitBox <gi...@apache.org> on 2022/10/14 07:06:45 UTC

[GitHub] [maven-javadoc-plugin] sman-81 opened a new pull request, #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

sman-81 opened a new pull request, #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170

   Hi, this is a tiny PR that addresses a potentially severe issue:
   https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2022-42889
   
   Following this checklist to help us incorporate your 
   contribution quickly and easily:
   
    - [x] Make sure there is a [JIRA issue](https://issues.apache.org/jira/browse/MJAVADOC) filed 
          for the change (usually before you start working on it).  Trivial changes like typos do not 
          require a JIRA issue.  Your pull request should address just this issue, without 
          pulling in other changes.
    - [x] Each commit in the pull request should have a meaningful subject line and body.
    - [x] Format the pull request title like `[MJAVADOC-XXX] - Fixes bug in ApproximateQuantiles`,
          where you replace `MJAVADOC-XXX` with the appropriate JIRA issue. Best practice
          is to use the JIRA issue title in the pull request title and in the first line of the 
          commit message.
    - [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
    - [x] Run `mvn clean verify -Prun-its` to make sure basic checks pass. A more thorough check will 
          be performed on your pull request automatically.
   
   If your pull request is about ~20 lines of code you don't need to sign an
   [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf). If you are unsure,
   please ask on the developers list.
   
   To make clear that you license your contribution under 
   the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
   you have to acknowledge this by using the following check-box.
   
    - [x] I hereby declare this contribution to be licensed under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
   
    - [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@maven.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [maven-javadoc-plugin] olamy commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
olamy commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1326378547

   @Neutius Please show us how the plugin here is affected by the commons-text CVE. Thanks 




[GitHub] [maven-javadoc-plugin] sman-81 commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
sman-81 commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1327111450

   I submitted this PR as I wanted to contribute (as I have before). I find this change quite valuable, as small as it is.
   Project teams and organisations will always want library versions flagged in context of a CVE to be upgraded asap. Whether the library is in fact affected or not, they do not care.
   
   The experience on this PR, the wait times, the nitpicking and mocking of outside contributors feels very discouraging.
   
   @Neutius Hope you will have a new version soon with this issue fixed.
   




[GitHub] [maven-javadoc-plugin] michael-o commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
michael-o commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1326405758

   > > I fully agree with @olamy, we are not affected here. The CVE does not apply: [..]
   > 
   > @michael-o and as a conclusion the plugin won't be upgraded?
   
   No, I did not say that. I approve the PR because I don't see a reason not to merge it, but the abstract provided by the PR does not apply here. So any other committer is free to merge. Those who absolutely need this to happen, although this is a non-issue, are free to get in touch privately with a committer to sponsor a release.




[GitHub] [maven-javadoc-plugin] sman-81 commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
sman-81 commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1297682585

   > I'm not 100% sure, but it seems the PR still can't be merged?
   
   Not due to merge conflicts. Change is binary-compatible. Contributing can at times feel a little like an uphill battle :)




[GitHub] [maven-javadoc-plugin] sman-81 commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
sman-81 commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1293044789

   Hi @michael-o, I'd like you to take a look at this PR when you have a moment. TY!




[GitHub] [maven-javadoc-plugin] olamy commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
olamy commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1295716685

   did you check if the plugin is **really** affected by the issue?
   read here https://blogs.apache.org/security/entry/cve-2022-42889




[GitHub] [maven-javadoc-plugin] Neutius commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
Neutius commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1297256661

   Hi! We're using the maven-javadoc-plugin at our company, and our parent company's IT department is complaining about "dangerous" code that is present on our build server. Turns out, they want to eradicate all uses and presence of commons-text version 1.9 and below.
   
   They are probably overreacting more than slightly, but it would save me, my team and our department a lot of headache if the maven-javadoc-plugin could upgrade to version 1.10.0
   
   @michael-o Are you really adamant about not wanting a property for a single version? @sman-81 gave some context for his choice, are you able to agree with him on this?
   
   Thanks in advance :)




[GitHub] [maven-javadoc-plugin] sman-81 commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
sman-81 commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1326399780

   > @Neutius Please show us how the plugin here is affected by the commons-text CVE. Thanks
   
   Why do you keep on going on about this @olamy? I've offered to rename this PR to a title of your liking. You have not responded to the offer. Let me know how the title should be rephrased and I will happily do so.
   
   > I fully agree with @olamy, we are not affected here. The CVE does not apply: [..]
   
   @michael-o and as a conclusion the plugin won't be upgraded?
   




[GitHub] [maven-javadoc-plugin] olamy commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
olamy commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1326835523

   > Please rename the PR to something like "Bump commons-text version to 1.10.0" and let the show go on.
   
   still a Jira issue to create :P 
   




[GitHub] [maven-javadoc-plugin] olamy commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
olamy commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1326831424

   > > @Neutius Please show us how the plugin here is affected by the commons-text CVE. Thanks
   > 
   > Why do you keep on going on about this @olamy? I've offered to rename this PR to a title of your liking. You have not responded to the offer. Let me know how the title should be rephrased and I will happily do so.
   > 
   > > I fully agree with @olamy, we are not affected here. The CVE does not apply: [..]
   > 
   > @michael-o and as a conclusion the plugin won't be upgraded?
   
   read my comment here https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1295751406 




[GitHub] [maven-javadoc-plugin] cstamas closed pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
cstamas closed pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889
URL: https://github.com/apache/maven-javadoc-plugin/pull/170




[GitHub] [maven-javadoc-plugin] cstamas commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
cstamas commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1326842073

   Superseded by https://github.com/apache/maven-javadoc-plugin/pull/174




[GitHub] [maven-javadoc-plugin] sman-81 commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
sman-81 commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1327106370

   > Please rename the PR to something like "Bump commons-text version to 1.10.0" and let the show go on.
   
   @cstamas Shouldn't you have given me time to react to your comment rather than merging my change under your own PR and your own name?




[GitHub] [maven-javadoc-plugin] olamy commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
olamy commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1327232559

   > > still a Jira issue to create :P especially as the user ticked everything rofl
   > 
   > From checklist: "Trivial changes do not require a JIRA issue"
   
   Sorry for my comment. I have to say it was a bit sarcastic to point to our procedures. (nothing related to you, but that's another problem ;) )
   I was only asking you to change the title of the PR as the plugin is NOT affected by this CVE! But you didn't...
   
   But hey, at the end of the day you ticked those checkboxes whereas you didn't create a JIRA...
   Anyway, the upgrade has been done via another PR.
   Let's move on and onward!
   




[GitHub] [maven-javadoc-plugin] cstamas commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
cstamas commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1327360027

   > @cstamas Shouldn't you have given me time to react to your comment rather than merging my change under your own PR and your own name?
   
   This trivial PR, open since Oct 14, was "parked" for two obvious (and explained) reasons: the wrong intent ("get rid of CVE..." without any assessment or proof that without this PR the plugin is affected by it), and a technical issue (a single-use property for a "minor" dependency).
   
   The order of things was that I approved the PR to get it moving, just to figure out I disagree with adding a version property for this single dependency (as it was pointed out on Oct 27) and not fixed since. Hence, after I approved the PR, I would have to start nagging you to rework this trivial PR. Not to mention the pain of going through creating a JIRA account for you (latest ASF infra changes: JIRA is not self signup anymore), and so on.
   
   IMHO, trivial PRs are like fixing a typo in a log message, but a change (even minor) of a dependency IMHO should be present in release notes, hence a JIRA would be needed (this is strictly my personal opinion).
   
   Sorry for hijacking the change.




[GitHub] [maven-javadoc-plugin] sman-81 commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
sman-81 commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1327097011

   > still a Jira issue to create :P especially as the user ticked everything rofl
   
   From checklist: "Trivial changes do not require a JIRA issue"




[GitHub] [maven-javadoc-plugin] Neutius commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
Neutius commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1326326494

   It seems like this PR still isn't merged.
   
   @michael-o Could you please approve this PR?
   
   I've now got a solutions architect breathing down my neck, so thanks in advance :)




[GitHub] [maven-javadoc-plugin] sman-81 commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
sman-81 commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1295749057

   > did you check if the plugin is **really** affected by the issue? read here https://blogs.apache.org/security/entry/cve-2022-42889
   
   If there is only the slightest doubt, one would want to upgrade, don't you agree?
   Besides, keeping libraries current is a good thing for maintenance.
   




[GitHub] [maven-javadoc-plugin] sman-81 commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
sman-81 commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1297678307

   > But in this case the title shouldn't contain "to address [CVE-2022-42889](https://github.com/advisories/GHSA-599f-7c49-w659)" because we didn't assess it and we can "claim" we are affected by this.
   
   LMK how the title should be rephrased and I will happily do so.




[GitHub] [maven-javadoc-plugin] michael-o commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
michael-o commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1297277927

   > Hi! We're using the maven-javadoc-plugin at our company, and our parent company's IT department is complaining about "dangerous" code that is present on our build server. Turns out, they want to eradicate all uses and presence of commons-text version 1.9 and below.
   > 
   > They are probably overreacting more than slightly, but it would save me, my team and our department a lot of headache if the maven-javadoc-plugin could upgrade to version 1.10.0
   > 
   > @michael-o Are you really adamant about not wanting a property for a single version? @sman-81 gave some context for his choice, are you able to agree with him on this?
   > 
   > Thanks in advance :)
   
   I won't object, it is not a blocker.




[GitHub] [maven-javadoc-plugin] Neutius commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
Neutius commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1297293292

   > I won't object, it is not a blocker.
   
   Thanks a lot, you made my day a lot easier.
   
   I'm not 100% sure, but it seems the PR still can't be merged?
   ![image](https://user-images.githubusercontent.com/48245403/199050096-b15e2481-d64c-4de8-aa61-3ca304334a0d.png)
   




[GitHub] [maven-javadoc-plugin] michael-o commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
michael-o commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1327148884

   > I submitted this PR as I wanted to contribute (as I have before). I find this change quite valuable, as small as it is. Project teams and organisations will always want library versions flagged in context of a CVE to be upgraded asap. Whether the library is in fact affected or not, they do not care.
   > 
   > The experience on this PR, the wait times, the nitpicking and mocking of outside contributors feels very discouraging.
   > 
   > @Neutius Hope you will have a new version soon with this issue fixed.
   
   One of the core issues with this PR was that you tried to sell it as a security issue, which it was not. It was a mere dependency upgrade to shut off stupid, superficial scanners.




[GitHub] [maven-javadoc-plugin] sman-81 commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
sman-81 commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1294641532

   > The property does not make sense for a single use case.
   
   Thanks for your feedback @michael-o 
   It's analogous to doxiaVersion, doxia-sitetoolsVersion, plexus-java.version, slf4jVersion etc., the versions of which are defined as properties.
   I find defining versions 'at the top' as properties makes maintenance of dependency versions a little easier.


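A Maven pom fragment, added here as an illustration and not taken from the plugin's own pom.xml, showing the two styles debated in the thread: the dependency version written inline on the `<dependency>` element versus the version lifted into a `<properties>` entry and referenced from the dependency, as sman-81 describes for doxiaVersion and the others. The property name `commons-text.version` and the surrounding pom skeleton are assumptions; the version numbers 1.9 and 1.10.0 are the ones the thread discusses.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative pom skeleton (assumed layout, not the plugin's actual pom.xml). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>version-property-example</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- Style B: declare the version once "at the top", as the PR did.
         The property name is an assumption; the thread does not name it. -->
    <commons-text.version>1.10.0</commons-text.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <!-- Style A (inline, what the bump replaced) would read:
             <version>1.9</version>
           Style B references the property instead, so a later bump
           touches one line in <properties> rather than every usage. -->
      <version>${commons-text.version}</version>
    </dependency>
  </dependencies>
</project>
```

Either style resolves to the same artifact; the difference the thread argues about is purely maintenance ergonomics when the same library is referenced more than once. To confirm which commons-text version a build actually resolves, regardless of style, `mvn dependency:tree -Dincludes=org.apache.commons:commons-text` lists the resolved coordinate, which is also the fact a version-based scanner checks.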


[GitHub] [maven-javadoc-plugin] olamy commented on pull request #170: Bump commons-text version to 1.10.0 to address CVE-2022-42889

Posted by GitBox <gi...@apache.org>.
olamy commented on PR #170:
URL: https://github.com/apache/maven-javadoc-plugin/pull/170#issuecomment-1295751406

   > > did you check if the plugin is **really** affected by the issue? read here https://blogs.apache.org/security/entry/cve-2022-42889
   > 
   > If there is only the slightest doubt, one would want to upgrade, don't you agree? Besides, keeping libraries current is a good thing for maintenance.
   
   sure no worries it's a good idea.
   But in this case the title shouldn't contain "to address CVE-2022-42889" because we didn't assess it and we can "claim" we are affected by this.
   that's a bit different ;) 

