Re: [ee4j-pmc] Fwd: Your GitHub security alerts for the week of Oct 23 -

[Mark Thomas <markt@xxxxxxxxxx>]

You have to be an org admin.

Experience at the ASF is that they are mostly noise due to a high false 
positive rate.

Mark


On 31/10/2018 17:24, Bill Shannon wrote:
> I'm not sure who gets these.  You may have to be a Committer on the 
> project or an admin for the organization.
>
> Steve Millidge (Payara) wrote on 10/31/2018 02:24 AM:
> > Security alerts on GitHub
> >
> > I don’t get these at a PMC level.
> >
> > *From:*ee4j-pmc-bounces@xxxxxxxxxxx <ee4j-pmc-bounces@xxxxxxxxxxx> *On 
> > Behalf Of *Bill Shannon
> > *Sent:* 30 October 2018 23:55
> > *To:* EE4J PMC Discussions <ee4j-pmc@xxxxxxxxxxx>
> > *Subject:* [ee4j-pmc] Fwd: Your GitHub security alerts for the week of 
> > Oct 23 - Oct 30
> >
> > Is anyone on the PMC tracking these security alerts?
> >
> > Shouldn't someone ensure that the EE4J projects are responding to 
> > these in a timely manner?
> >
> >
> > (Obviously ignore the "javaee" entries below.)
> >
> >
> > -------- Forwarded Message --------
> >
> > *Subject: *
> >
> > 	
> >
> > Your GitHub security alerts for the week of Oct 23 - Oct 30
> >
> > *Date: *
> >
> > 	
> >
> > Tue, 30 Oct 2018 17:36:28 +0000 (UTC)
> >
> > *From: *
> >
> > 	
> >
> > GitHub <noreply@xxxxxxxxxx> <mailto:noreply@xxxxxxxxxx>
> >
> > *To: *
> >
> > 	
> >
> > Bill Shannon <bill.shannon@xxxxxxxxxx> <mailto:bill.shannon@xxxxxxxxxx>
> >
> >
> >
> >
> >
> > 	
> >
> > Explore this week on GitHub
> >
> > GitHub security alerts__
> >
> >
> >   GitHub <https://github.com> security alert digest
> >
> > *bshannon’s*repository security updates from the week of *Oct 23 - Oct 30*
> >
> > <https://github.com>
> >
> > 	
> >
> >
> >       Java EE organization <https://github.com>
> >
> > Warning!
> >
> > 	
> >
> >
> >       javaee / *metro-jaxws-commons*
> >       <https://github.com/javaee/metro-jaxws-commons>
> >
> > *Known security vulnerabilities detected*
> >
> > Dependencyorg.springframework:spring-core
> >
> > 	
> >
> > Version> 3.2.0 < 3.2.15
> >
> > 	
> >
> > Upgrade to~> 3.2.15
> >
> > Vulnerabilities
> >
> > CVE-2015-5211 High severity
> >
> > CVE-2018-1270 High severity
> >
> > CVE-2018-1275 High severity
> >
> > CVE-2015-3192 Moderate severity
> >
> > CVE-2016-5007 Moderate severity
> >
> > View 3 more 
> > <https://github.com/javaee/metro-jaxws-commons/network/alert/spring/spring-core/pom.xml/org.springframework:spring-core/open> 
> >
> >
> > 	
> >
> > Defined inpom.xml
> >
> > 	
> >
> >
> > 	
> >
> > *Review all vulnerable dependencies* 
> > <https://github.com/javaee/metro-jaxws-commons/network/alerts>
> >
> > Warning!
> >
> > 	
> >
> >
> >       javaee / *javadb* <https://github.com/javaee/javadb>
> >
> > *Known security vulnerabilities detected*
> >
> > Dependencyorg.apache.axis:axis
> >
> > 	
> >
> > Version<= 1.4
> >
> > 	
> >
> > Vulnerabilities
> >
> > CVE-2014-3596 Moderate severity
> >
> > CVE-2018-8032 Moderate severity
> >
> > 	
> >
> > Defined inpom.xml
> >
> > 	
> >
> >
> > 	
> >
> > *Review all vulnerable dependencies* 
> > <https://github.com/javaee/javadb/network/alerts>
> >
> > Warning!
> >
> > 	
> >
> >
> >       javaee / *external* <https://github.com/javaee/external>
> >
> > *Known security vulnerabilities detected*
> >
> > Dependencyorg.apache.axis:axis
> >
> > 	
> >
> > Version<= 1.4
> >
> > 	
> >
> > Vulnerabilities
> >
> > CVE-2014-3596 Moderate severity
> >
> > CVE-2018-8032 Moderate severity
> >
> > 	
> >
> > Defined inpom.xml
> >
> > 	
> >
> >
> > 	
> >
> > *Review all vulnerable dependencies* 
> > <https://github.com/javaee/external/network/alerts>
> >
> > <https://github.com>
> >
> > 	
> >
> >
> >       Eclipse EE4J organization <https://github.com>
> >
> > Warning!
> >
> > 	
> >
> >
> >       eclipse-ee4j / *tyrus* <https://github.com/eclipse-ee4j/tyrus>
> >
> > *Known security vulnerabilities detected*
> >
> > Dependencyorg.eclipse.jetty:jetty-server
> >
> > 	
> >
> > Version< 9.2.25.v20180606
> >
> > 	
> >
> > Upgrade to~> 9.2.25.v20180606
> >
> > Vulnerabilities
> >
> > CVE-2017-7657 Critical severity
> >
> > CVE-2017-7656 Moderate severity
> >
> > 	
> >
> > Defined inpom.xml
> >
> > 	
> >
> >
> > 	
> >
> > *Review all vulnerable dependencies* 
> > <https://github.com/eclipse-ee4j/tyrus/network/alerts>
> >
> > Warning!
> >
> > 	
> >
> >
> >       eclipse-ee4j / *grizzly-ahc*
> >       <https://github.com/eclipse-ee4j/grizzly-ahc>
> >
> > *Known security vulnerabilities detected*
> >
> > Dependencyorg.eclipse.jetty:jetty-server
> >
> > 	
> >
> > Version>= 9.4.0 < 9.4.11.v20180605
> >
> > 	
> >
> > Upgrade to~> 9.4.11.v20180605
> >
> > Vulnerabilities
> >
> > CVE-2018-12538 Moderate severity
> >
> > CVE-2018-12536 Moderate severity
> >
> > CVE-2017-7656 Moderate severity
> >
> > 	
> >
> > Defined inpom.xml
> >
> > 	
> >
> >
> > 	
> >
> > *Review all vulnerable dependencies* 
> > <https://github.com/eclipse-ee4j/grizzly-ahc/network/alerts>
> >
> > /Always verify the validity and compatibility of suggestions with your 
> > codebase. /
> >
> > ------------------------------------------------------------------------
> >
> > Unsubscribe 
> > <https://github.com/email/unsubscribe?token=AAKLo8HMACwtuFae2pc5lUHVqhk50Feqks5ducoagaRuYW1lrXZ1bG5lcmFiaWxpdHk%3D> 
> > · Email preferences <https://github.com/settings/emails> · Terms 
> > <https://help.github.com/articles/github-terms-of-service> · Privacy 
> > <https://help.github.com/articles/github-privacy-policy> · Sign into 
> > GitHub <https://github.com/login>
> >
> > GitHub, Inc.
> > 88 Colin P Kelly Jr St.
> > San Francisco, CA 94107
> >
> >
> >
> > _______________________________________________
> > ee4j-pmc mailing list
> > ee4j-pmc@xxxxxxxxxxx
> > To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> > https://www.eclipse.org/mailman/listinfo/ee4j-pmc
>
>
>
> _______________________________________________
> ee4j-pmc mailing list
> ee4j-pmc@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/ee4j-pmc