[cross-project-issues-dev] Are we distributing software with known secur

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[cross-project-issues-dev] Are we distributing software with known security issues?

From: David Williams <david_williams@xxxxxxx>
Date: Sat, 17 Dec 2016 11:53:05 -0500
Delivered-to: cross-project-issues-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/cross-project-issues-dev>
List-help: <mailto:cross-project-issues-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1

This question is motivated by a recent article[1] I happened across. In short, it pointed to evidence that many software applications are re-distributing open source components with known security issues.

"*Yes*, we are distributing software with known security issues", is the answer to the subject question.

To walk through one example, the article named org.apache.commons.fileupload version 1.2.1 as being often redistributed, even though known security issue (CVE-2014-0050). Versions 1.0 to 3.0 had the flaw, and 1.3.1 is required to avoid it. Version 1.3.2 is the most recent Apache version.

That 'fileupload' package sounded familiar so I began to look around and I found that in the Platform's repository they are re-distributing version 1.2.2 of that package but (luckily?) in the Sim Release repo we have version 1.3.1. In the platform, it is Equinox's Http servlet bundle that has an optional prereq on "fileupload" and in Sim Release, it is RAP, apparently, that is "pulling in" version 1.3.1.

= = = = = =

I call out this flaw in our release practices, here on cross-project list, for several reasons:

1) I wanted to open a bug on the Platform and Equinox to update that prereq (bug 509388), but I see that "fileupload" Version 1.3.1 is not available from Orbit. *Why not?* That alone appears to be a Simultaneous Releases "no no".

2) More importantly, I mention this on cross-project list to encourage all projects to take a look at their third party dependencies and I ask you to get "up to date". If you find it is hard to update, at least confirm that the version you use does not have any security advisories associated with it. This should likely become part of our standard review process. (I have opened bug 509389 where that idea can be discussed.)

To emphasize, the "org.apache.commons.fileupload" is but one example, easily spotted because it sounded familiar to me. There could be many others -- I do not know -- perhaps it is the only one?

Thanks for reading (and taking action! :)

[1] http://www.infoworld.com/article/3136330/security/buggy-components-still-dog-java-apps.html

Follow-Ups:
- Re: [cross-project-issues-dev] Are we distributing software with known security issues?
  - From: Roland Grunberg

Prev by Date: [cross-project-issues-dev] Requirements to participate in the Oxygen (2017) Release repository
Next by Date: [cross-project-issues-dev] hudson-slave6 not used anymore?
Previous by thread: [cross-project-issues-dev] Requirements to participate in the Oxygen (2017) Release repository
Next by thread: Re: [cross-project-issues-dev] Are we distributing software with known security issues?
Index(es):
- Date
- Thread

Breadcrumbs