Re: [ee4j-pmc] [External] : Re: vulnerability issues, how to find?
- From: Ed Bratt <ed.bratt@xxxxxxxxxx>
- Date: Thu, 3 Jun 2021 10:39:26 -0700
- List-archive: <https://www.eclipse.org/mailman/private/ee4j-pmc/>
+ PMC List -- continuation of the discussion that was started in
the PMC meeting this morning....
My 2¢ worth ...
I will observe that, at least for me, it was not obvious that
these issues would be filed under the "Community" product -- I was
looking under EE4J and not having good results (but there does
appear to be a single open vulnerability under GlassFish ORB). I
don't know how well socialized this meta-data / search requirement
is, in the EE4J working group. I would also recommend additional
socialization about using bugs.eclipse.org in general since I
suspect most committers focus, perhaps almost exclusively, on the
GitHub issue trackers.
Are there mechanisms in place for interested persons to get on
auto-notifications for Bugzilla? While some of this may be obvious
to seasoned Eclipse'ers, others might not know how to be notified
whenever a new issue like those from the query given below is
created (I don't know how to do that, for example). For example,
would it make any sense to send a "new" notification to the PMC
members whenever an issue is entered? If there is to be a triage
step, should that include adding the project lead(s) as 'cc'?
Yes, I agree - at the least, the product/sub-project meta-data
could be nice in the subject lines -- though the issues you've
listed below already include 'mojarra' in their synopsis line.
If it is a function of the PMC to perform triage of these issues
as they arrive, I'd suggest that should be formalized with some
starting instructions for whomever it is that agrees to take this
up.
-- Ed
On 6/3/2021 9:52 AM, Wayne Beaton wrote:
The list of open issues in Bugzilla (the
Community/Vulnerabilities product/component) is
here. Apparently the first
obvious thing that we can do is annotate these with project
information to make them easier to identify (e.g., prefix the
subject with "[ee4j]" or something).
Here are some specific ones:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=563784
Note that we use Bugzilla for these for historical reasons
and because Bugzilla allows us to mark records as "committers
only" to prevent premature disclosure. Unfortunately, GitHub
doesn't have a notion of marking issues as confidential, but
we have no specific requirement to use Bugzilla.
One thing that might be good is for the PMC to make a
best practice recommendation regarding how vulnerability
issues are labeled and reinforce with committers that they
should use the label. We've started a
conversation on including a SECURITY
file that details how the project deals with
vulnerabilities as well.
Can we take this discussion to the PMC mailing list?
Wayne
Hi Wayne,
I'm trying to assess how far behind we are, with
vulnerability issues in EE4J. I did a quick scan -- I can
see a couple of reports from GitHub issues about
vulnerabilities --
- EL-RI (GHSL-2020-021) - Bypass input sanitization of EL expressions (EL #155)
- JAX-WS, Metro, issue with custom name vulnerability (fixed) (metro-jax-ws #221)
- Bump commons-io from 2.2 to 2.7, a dependabot automated update (jersey #4784)
In bugs.eclipse.org -- I'm not sure what to look for. I can only find one
security bug in the EE4J category against ORB 559604.
I'm guessing that I'm missing something but ... what
keywords or assignment meta-data should I be looking for?
Thanks,
-- Ed
--
Wayne Beaton
Director of Open Source Projects | Eclipse Foundation