spot-dev mailing list archives

From Jon Zeolla <JonZeo...@apache.org>
Subject Re: [apache/incubator-spot] One of your dependencies may have a security vulnerability
Date Wed, 07 Feb 2018 22:46:50 GMT
For future reference, pre-patch conversation about security vulnerabilities
should not happen on the dev list, and no JIRAs should be created until it
has been patched.  Please reference
https://www.apache.org/security/#vulnerability-handling and
https://www.apache.org/security/committers.html

Jon

On Wed, Feb 7, 2018 at 4:14 PM Nate Smith <natedogs911@gmail.com> wrote:

> SPOT-262 <https://issues.apache.org/jira/browse/SPOT-262> has been opened.
> https://issues.apache.org/jira/browse/SPOT-262
>
> Assuming this is true:
> >>> update suggested: jquery ~> 3.0.0.
>
> What version should we be using besides latest?
>
> - Nathanael
>
> > On Feb 7, 2018, at 1:44 PM, Nate Smith <nathanael@apache.org> wrote:
> >
> > Thank you for the notice,
> > I’m opening a Jira right now and will work at getting this addressed.
> >
> > Is there a way I can make sure that we get these notifications in the
> > future?
> > This is the first email I’ve seen regarding this and I did not get a
> > notice from GitHub of course.
> >
> > - Nathanael
> >
> >> On Feb 7, 2018, at 12:32 PM, David Fisher <wave@apache.org> wrote:
> >>
> >> Spot PPMC - You need to be responsive to security issues.
> >>
> >> Regards,
> >> Dave - your friendly Incubator Shepherd
> >>
> >> On 2018/01/22 15:18:06, Greg Stein <gstein@gmail.com> wrote:
> >>> Spot PPMC: FYI
> >>>
> >>> ---------- Forwarded message ----------
> >>> From: GitHub <notifications@github.com>
> >>> Date: Mon, Jan 22, 2018 at 9:03 AM
> >>> Subject: [apache/incubator-spot] One of your dependencies may have a
> >>> security vulnerability
> >>> To: apache/incubator-spot <incubator-spot@noreply.github.com>
> >>> Cc: Security alert <security_alert@noreply.github.com>
> >>>
> >>>
> >>> We found a potential security vulnerability in one of your dependencies
> >>> *gstein,*
> >>>
> >>> We found a potential security vulnerability in a repository which you have
> >>> been granted security alert access.
> >>> apache/incubator-spot
> >>> Known *moderate severity* security vulnerability detected in jquery < 3.0.0
> >>> defined in package.json.
> >>> update suggested: jquery ~> 3.0.0.
> >>> Always verify the validity and compatibility of suggestions with your
> >>> codebase.
> >>> Review vulnerable dependency
> >>> ------------------------------
> >>>
> >>> Only users who have been assigned access to security alerts will receive
> >>> these notifications.
> >
>
> --

Jon
