On the release branch, suppress Karaf's XXE vulnerability and update the release notes #4351

Closed
brjeter opened this issue Feb 11, 2019 · 0 comments

brjeter commented Feb 11, 2019

Description

A CVE just popped up that is blocking 2.13.x builds (doesn't affect DDF master because it's been upgraded to Karaf 4.2.2). Suppressing this CVE since it's mitigated by file system hardening. Will also update the release notes to be explicit about the vulnerability and point to the hardening guide.

[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
00:26:45 [ERROR] 
00:26:45 [ERROR] org.apache.karaf.jaas.boot-4.2.1.jar: CVE-2018-11788
00:26:45 [ERROR] 
00:26:45 [ERROR] See the dependency-check report for more details.

Build reference: https://jenkins.codice.org/job/DDF-Jobs/job/2.13.x/job/pr/job/Linux/597/console

Expected behavior (if applicable):

N/A

Version

2.13.6-SNAPSHOT

Additional Information

N/A
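The build failure above comes from OWASP dependency-check, which is silenced per finding through a suppression file rather than by lowering the CVSS threshold. The entry below is an added example (not DDF's actual suppression file) of the shape such a suppression takes: it is scoped to the single Maven artifact and the single CVE named in the log, records the mitigation rationale in `notes`, and carries an `until` date so the exception is re-reviewed instead of living forever. The groupId `org.apache.karaf.jaas` is assumed from the jar name on the page; the `until` date is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's own file: one dependency-check suppression
     scoped to the artifact and CVE reported in the 2.13.x build failure. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <!-- until: the suppression expires on this date and the build fails again,
         forcing a re-review (placeholder date, pick one that matches the release plan). -->
    <suppress until="2019-06-01Z">
        <notes><![CDATA[
        CVE-2018-11788 (Karaf XXE) flagged on org.apache.karaf.jaas.boot-4.2.1.jar
        on the 2.13.x release branch. Mitigated by file system hardening; see the
        hardening guide referenced in the 2.13.6 release notes. master is on
        Karaf 4.2.2 and is not affected. Tracked in #4351.
        ]]></notes>
        <!-- Match on Maven coordinates (groupId:artifactId:version), anchored with ^ and $,
             so the rule survives a rebuilt jar but does not cover other Karaf modules
             or a future Karaf version. groupId assumed from the jar name. -->
        <gav regex="true">^org\.apache\.karaf\.jaas:org\.apache\.karaf\.jaas\.boot:4\.2\.1$</gav>
        <!-- Suppress only this CVE: any new finding on the same jar still fails the build. -->
        <cve>CVE-2018-11788</cve>
    </suppress>
</suppressions>
```

The file is wired in through the `suppressionFile` configuration parameter of the dependency-check Maven plugin. Keeping the match on GAV plus a single `cve` element (instead of a file path, a sha1, or a `cpe` that would hide every future CVE against that CPE) is what keeps the suppression narrow enough that the next Karaf advisory on this branch still surfaces as a build failure.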

@coyotesqrl coyotesqrl added this to To do in GH Issues Pilot Test via automation Feb 11, 2019
@brjeter brjeter self-assigned this Feb 11, 2019
@brjeter brjeter added this to the 2.13.6 milestone Feb 21, 2019
@brjeter brjeter closed this as completed Mar 12, 2019