Posted to dev@directory.apache.org by GitBox <gi...@apache.org> on 2021/11/03 13:37:05 UTC

[GitHub] [directory-ldap-api] renatoathaydes opened a new pull request #18: Update mina.core version to avoid CVE-2021-41973

renatoathaydes opened a new pull request #18:
URL: https://github.com/apache/directory-ldap-api/pull/18


   This was a nasty CVE and it's been fixed in mina-core 2.1.5: https://www.openwall.com/lists/oss-security/2021/11/01/2


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org


[GitHub] [directory-ldap-api] elecharny closed pull request #18: Update mina.core version to avoid CVE-2021-41973

Posted by GitBox <gi...@apache.org>.
elecharny closed pull request #18:
URL: https://github.com/apache/directory-ldap-api/pull/18


   



[GitHub] [directory-ldap-api] renatoathaydes commented on pull request #18: Update mina.core version to avoid CVE-2021-41973

Posted by GitBox <gi...@apache.org>.
renatoathaydes commented on pull request #18:
URL: https://github.com/apache/directory-ldap-api/pull/18#issuecomment-959130058


   Thank you for the quick update!



[GitHub] [directory-ldap-api] elecharny commented on pull request #18: Update mina.core version to avoid CVE-2021-41973

Posted by GitBox <gi...@apache.org>.
elecharny commented on pull request #18:
URL: https://github.com/apache/directory-ldap-api/pull/18#issuecomment-959128292


   Hi Renato,
   
   we will update, but this CVE has no impact on the LDAP API, as we don't expose HTTP. In other words, the LDAP API is not impacted whatsoever.



[GitHub] [directory-ldap-api] elecharny commented on pull request #18: Update mina.core version to avoid CVE-2021-41973

Posted by GitBox <gi...@apache.org>.
elecharny commented on pull request #18:
URL: https://github.com/apache/directory-ldap-api/pull/18#issuecomment-959140565


   Also we are currently working on a new MINA version that will support TLS 1.3, which is currently not supported. The idea is to wait for MINA 2.2 before any major release of the LDAP API.



[GitHub] [directory-ldap-api] elecharny commented on pull request #18: Update mina.core version to avoid CVE-2021-41973

Posted by GitBox <gi...@apache.org>.
elecharny commented on pull request #18:
URL: https://github.com/apache/directory-ldap-api/pull/18#issuecomment-1004188855


   Just pushed the new version in the pom.



[GitHub] [directory-ldap-api] travisspencer commented on pull request #18: Update mina.core version to avoid CVE-2021-41973

Posted by GitBox <gi...@apache.org>.
travisspencer commented on pull request #18:
URL: https://github.com/apache/directory-ldap-api/pull/18#issuecomment-1004013267


   This is tripping scanners. I know it's a false positive for the reasons you mentioned @elecharny, and that we can ignore it; however, it would be preferable to just upgrade the dependency. Is that possible? Can this PR be merged?

