[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 - Oct 30

From: Bill Shannon <bill.shannon@xxxxxxxxxx>
Date: Tue, 30 Oct 2018 16:55:26 -0700
Delivered-to: ee4j-pmc@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/ee4j-pmc>
List-help: <mailto:ee4j-pmc-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/ee4j-pmc>, <mailto:ee4j-pmc-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/ee4j-pmc>, <mailto:ee4j-pmc-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

Title: Security alerts on GitHub

Is anyone on the PMC tracking these security alerts?

Shouldn't someone ensure that the EE4J projects are responding to these in a timely manner?

(Obviously ignore the "javaee" entries below.)

-------- Forwarded Message --------

Subject:	Your GitHub security alerts for the week of Oct 23 - Oct 30
Date:	Tue, 30 Oct 2018 17:36:28 +0000 (UTC)
From:	GitHub <noreply@xxxxxxxxxx>
To:	Bill Shannon <bill.shannon@xxxxxxxxxx>

security alert digest

bshannon’s repository security updates from the week of Oct 23 - Oct 30

Java EE organization

javaee / metro-jaxws-commons

Known security vulnerabilities detected

Dependency org.springframework:spring-core

Version > 3.2.0 < 3.2.15

Upgrade to ~> 3.2.15

Vulnerabilities

CVE-2015-5211 High severity

CVE-2018-1270 High severity

CVE-2018-1275 High severity

CVE-2015-3192 Moderate severity

CVE-2016-5007 Moderate severity

View 3 more

Defined in pom.xml

Review all vulnerable dependencies

javaee / javadb

Known security vulnerabilities detected

Dependency org.apache.axis:axis

Version <= 1.4

Vulnerabilities

CVE-2014-3596 Moderate severity

CVE-2018-8032 Moderate severity

Defined in pom.xml

Review all vulnerable dependencies

javaee / external

Known security vulnerabilities detected

Dependency org.apache.axis:axis

Version <= 1.4

Vulnerabilities

CVE-2014-3596 Moderate severity

CVE-2018-8032 Moderate severity

Defined in pom.xml

Review all vulnerable dependencies

Eclipse EE4J organization

eclipse-ee4j / tyrus

Known security vulnerabilities detected

Dependency org.eclipse.jetty:jetty-server

Version < 9.2.25.v20180606

Upgrade to ~> 9.2.25.v20180606

Vulnerabilities

CVE-2017-7657 Critical severity

CVE-2017-7656 Moderate severity

Defined in pom.xml

Review all vulnerable dependencies

eclipse-ee4j / grizzly-ahc

Known security vulnerabilities detected

Dependency org.eclipse.jetty:jetty-server

Version >= 9.4.0 < 9.4.11.v20180605

Upgrade to ~> 9.4.11.v20180605

Vulnerabilities

CVE-2018-12538 Moderate severity

CVE-2018-12536 Moderate severity

CVE-2017-7656 Moderate severity

Defined in pom.xml

Review all vulnerable dependencies

Always verify the validity and compatibility of suggestions with your codebase.

Follow-Ups:
- Re: [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 - Oct 30
  - From: Steve Millidge (Payara)
- Re: [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 - Oct 30
  - From: Ivar Grimstad

Prev by Date: Re: [ee4j-pmc] git tags naming convention?
Next by Date: Re: [ee4j-pmc] git tags naming convention?
Previous by thread: [ee4j-pmc] [CQ 17989] SigTest version 3.1
Next by thread: Re: [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 - Oct 30
Index(es):
- Date
- Thread

Breadcrumbs

security alert digest

Java EE organization

javaee / metro-jaxws-commons

javaee / javadb

javaee / external

Eclipse EE4J organization

eclipse-ee4j / tyrus

eclipse-ee4j / grizzly-ahc