chore(security) Upgrading ini4j version.
#238
Conversation
…ass of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
|
Also see #185. the reason why Dependabot did not offer this: 0.5.4 is broken without further changes to the plugin. |
|
Thanks a lot for the explanation. |
…al-of-Service-(DoS)
…al-of-Service-(DoS)
…al-of-Service-(DoS)
…al-of-Service-(DoS)
|
When these changes are going to get merged and released? waiting for ini4j version upgrade as it was marked vulnerable by our security team. Any help is greatly appreciated. |
They are unlikely to be merged or released until someone adopts the plugin, makes the changes noted in #238 (comment) and tests those changes. If your organization depends on the Mercurial plugin, you should persuade your organization to let you or someone else in your organization adopt the plugin, learn its implementation, make the changes, test the changes, and release the plugin. If your organization is not willing to adopt the plugin, then you may want to tell the security team in your organization that their security scanner is probably reporting a false positive. Security teams commonly flag a binary as vulnerable if it includes a dependency, whether or not the dependency is used in a way that makes it vulnerable. If your security team has a way to exercise a vulnerability in the Mercurial plugin for Jenkins, please follow the Jenkins security vulnerability reporting guidelines. |
…ass of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
Link to relevant issues in GitHub or JiraLink to relevant pull requests, esp. upstream and downstream changesEnsure you have provided tests - that demonstrates feature works or fixes the issueAn issue in the fetch() method in the BasicProfile class of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.