[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cross-project-issues-dev] Are we distributing software with known security issues?
- From: Roland Grunberg <rgrunber@xxxxxxxxxx>
- Date: Tue, 3 Jan 2017 12:03:31 -0500 (EST)
- Delivered-to: email@example.com
- Thread-index: ASmCMZRrwdly44YY9LCCyJNclAktCA==
- Thread-topic: Are we distributing software with known security issues?
> "*Yes*, we are distributing software with known security issues", is the
> answer to the subject question.
So much for Betteridge's law :)
> To walk through one example, the article named org.apache.commons.fileupload
> version 1.2.1 as being often redistributed, even though known security issue
> (CVE-2014-0050). Versions 1.0 to 3.0 had the flaw, and 1.3.1 is required to
> avoid it. Version 1.3.2 is the most recent Apache version.
> That 'fileupload' package sounded familiar so I began to look around and I
> found that in the Platform's repository they are re-distributing version
> 1.2.2 of that package but (luckily?) in the Sim Release repo we have version
> 1.3.1. In the platform, it is Equinox's Http servlet bundle that has an
> optional prereq on "fileupload" and in Sim Release, it is RAP, apparently,
> that is "pulling in" version 1.3.1.
> = = = = = =
> I call out this flaw in our release practices, here on cross-project list,
> for several reasons:
> 1) I wanted to open a bug on the Platform and Equinox to update that prereq
> (bug 509388 ), but I see that "fileupload" Version 1.3.1 is not available
> from Orbit. *Why not?* That alone appears to be a Simultaneous Releases "no
I saw your post a while back and thought of
https://www.owasp.org/index.php/OWASP_Dependency_Check . It's available as a
maven-plugin so it should be pretty easy to run such a thing in a separate HIPP.
Seems like Orbit could benefit from such a report and maybe even as one of the
sanity checks done on platform ?
In fact, after running it on the Orbit bundles we ship, fileupload was one of
the high severity ones discovered. I see all of this (OWASP) has already been
suggested on 509389 so this seems like the right thing to do.