
Re: thredds 4.6.10



Greetings Georgi,

Sorry for the delay - I've just pushed a release candidate to github for you all to scan:

https://github.com/Unidata/thredds/releases/tag/v4.6.11-rc1

Cheers!

Sean


On Fri, Nov 17, 2017 at 1:29 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:
Sean,
Is there a way for several of us to be notified when a Release Candidate is tagged?
Perhaps scanning that would be a better path forward.
Georgi


On Thu, Nov 16, 2017 at 5:30 PM, Sean Arms <address@hidden> wrote:
The snapshot came from our current master (commit a0361e80ce157716e67acccef366a836e53e24bd):


Cheers,

Sean



On Thu, Nov 16, 2017 at 2:31 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:
Sean,

We can deploy and test on a DEV server here (although we are more likely to wait for a tagged release). What's more important is that we would also need to do a code scan. In the past we have done that against a release tag (e.g. https://github.com/Unidata/thredds/releases/tag/v4.6.10 ). What GitHub tree was the snapshot built from that we can scan against?

TIA,
Georgi


On Thu, Nov 16, 2017 at 3:37 PM, Sean Arms <address@hidden> wrote:
Greetings Georgi,

The snapshot can be found here:


Just be sure to rename it thredds.war or thredds##4.6.11-SNAPSHOT.war before you try to deploy it. We have this war running on our demonstration TDS now as well:


Let me know how it goes, and if everything is good, we can start working on cutting the 4.6.11 release.

Cheers,

Sean


On Thu, Nov 16, 2017 at 11:03 AM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:
Fantastic! And, yes please.

Georgi

On Thu, Nov 16, 2017 at 12:36 PM, Sean Arms <address@hidden> wrote:
Greetings Georgi,

The following PR:


addresses the outstanding github issues relating to open CVEs. I'll let you know when it gets into the master branch, and I can point you to a snapshot for testing.

Cheers!

Sean


On Wed, Nov 15, 2017 at 1:00 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:
Great - many thanks in advance, Sean!

Looking forward to 4.6.11,

Georgi


On Wed, Nov 15, 2017 at 2:54 PM, Sean Arms <address@hidden> wrote:
Greetings Georgi,

I'm digging into those at the moment. Hopefully I will find a fix, and, if so, it will be in the 4.6.11 release. However, I am surprised these, and a few others that have been fixed, are not in the 4.6.8 release. I'll keep you informed as things progress.

Cheers,

Sean


On Wed, Nov 15, 2017 at 9:44 AM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:
Sean, and all,

Looks like 865 and 866 were closed but the other three are still open: 864, 867 and 868.
Is there any change?

We have stayed with 4.6.8 and avoided 4.6.10 because of these vulnerabilities. Do you guys have plans to issue fixes in a 4.6.11 since that is the supported release?

TIA,
Georgi


On Wed, Jun 21, 2017 at 12:03 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:

IHTH, and please add the fixes to the current stable release (4.6.x).

Many thanks for your good work!

Georgi


On Sat, Jun 17, 2017 at 9:20 AM, Sean Arms <address@hidden> wrote:
Thanks for the report, Georgi!

It looks like ncwms and godiva are pulling most of these (all the
JavaScript libs, and the jstl lib) - I'll take a look and see what I
can do there.

I was able to update the log4j lib without issue, so we're good there.

The jackson-core and jackson-annotations are being pulled in by the
amazon aws-sdk lib. According to their github site, these hits were
false positives:

https://github.com/aws/aws-sdk-java/issues/801

so I'm not sure there is anything to be done there.

I'll keep in touch about how the ncwms / godiva upgrades go.

Sean


On Fri, Jun 16, 2017 at 4:46 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:
> Sean, Dennis and Christian,
>
> Thank you for fixing (most of) the previous vulnerabilities!
>
> We have done another scan - this time of thredds 4.6.10, and I am enclosing
> a brief version of the findings - mostly pertaining to critical and high
> vulnerabilities. I am not enclosing any info about vulnerabilities ranked
> below those two levels.
>
> Please let me know what you find out and I hope that you'd be able to
> incorporate fixes into the 4.6, it being the current stable release.
>
> Many thanks for your attention to this important finding,
> Georgi
>
> ---------- Forwarded message ----------
>
> ...see results of the code analysis, including the Critical code injection
> vulnerability (related to prototype.js) and some others.
>
> Additionally, the following are some results from other scans and
> inspections:
>
> ----JavaScript Libraries----
>
> /godiva2/js/OpenLayers-2.10.js
> • prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE:
> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
>
> /home/appsec/static/thredds/the-war-file/godiva2/js/OpenLayers-2.8.js
> • prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE:
> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
>
> /home/appsec/static/thredds/the-war-file/js/lib/jquery-1.7.2.min.js
> â jquery 1.7.2.min has known vulnerabilities: severity: medium; bug: 11290,
> summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
>
> I can tell you that jQuery 1.x and 2.x are end of life and no longer
> receiving any security updates, so the only way forward on that is to move
> to the 3.x series.
>
> ----Java Libraries----
>
> jackson-annotations-2.6.0.jar
> https://nvd.nist.gov/vuln/detail/CVE-2016-7051 - High
> https://nvd.nist.gov/vuln/detail/CVE-2016-3720 - Critical
>
>
> jackson-core-2.6.6.jar
> https://nvd.nist.gov/vuln/detail/CVE-2016-7051 - High
> https://nvd.nist.gov/vuln/detail/CVE-2016-3720 - Critical
>
>
> jstl-1.2.jar
> https://nvd.nist.gov/vuln/detail/CVE-2015-0254 - High
>
>
> log4j-core-2.7.jar
> https://nvd.nist.gov/vuln/detail/CVE-2017-5645 - Critical
>
>
> --
> Georgi Kostov
> Team ERT (Earth Resources Technology, Inc.), US Government Contractor
> Data Access Branch, NOMADS/NCMA Team | NOAA Mail code E/NE54
> NOAA's National Centers for Environmental Information (NCEI)
> 151 Patton Ave., Suite 420, Asheville, NC 28801-5001
> address@hidden | (828) 271-4921 | http://nomads.ncdc.noaa.gov/
> GPG Key ID 0xE2BD9A06. Fingerprint: 5109 7E85 D528 5E10 E516 BB80 AA42 52F1
> E2BD 9A06
>
> Follow NCEI on Facebook and Twitter
>
> The contents of this message are mine personally and do not necessarily
> reflect any position of NOAA or STG. This electronic transmission contains
> information that may be internal use only, confidential, or proprietary. If
> you are not the intended recipient, be aware that any disclosure, copying,
> distribution or use of the contents hereof is strictly prohibited. If you
> have received this transmission in error, please notify
> address@hidden
























NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.
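The thread above asks how to scan a tagged THREDDS release for the bundled libraries that the June scan flagged (prototype.js inside OpenLayers, jquery-1.7.2, jackson, jstl-1.2, log4j-core-2.7). The script below is an added example, not code from the THREDDS project or from either correspondent: it unpacks a WAR, inventories every jar under WEB-INF/lib plus the version banners of the two JavaScript libraries named in the scan, and matches the result against the page's own list of flagged versions. The WAR it scans is constructed in memory for the example, and the entry names and JS banner strings in it are assumptions; the advisory table is only what the thread reports, not a complete feed.

```python
"""Inventory the third-party libraries bundled in a WAR and match them against
a list of known-vulnerable versions.

Added example, not code from the THREDDS project. The WAR built below is a
constructed stand-in for thredds.war: entry names and the version banners
inside the JS files are assumptions modelled on the scan results in the thread.
"""
import io
import re
import zipfile

# Jars in WEB-INF/lib are named <artifact>-<version>.jar. The artifact part may
# itself contain '-', so it is matched non-greedily up to the first '-<digit>'.
JAR_RE = re.compile(
    r"^WEB-INF/lib/(?P<name>[A-Za-z0-9_.\-]+?)-(?P<ver>\d+(?:\.\d+)*(?:[-.][A-Za-z0-9]+)*)\.jar$"
)

# Version banners the JS libraries carry in their source. OpenLayers 2.x ships
# Prototype inside its own bundle, so the whole file is searched, not just the header.
JS_BANNERS = {
    "jquery": re.compile(r"jQuery (?:JavaScript Library )?v(\d+\.\d+\.\d+)"),
    "prototypejs": re.compile(r"Prototype JavaScript framework, version (\d+\.\d+(?:\.\d+)?)"),
}

# (library, flagged version, identifiers) as reported for the 4.6.10 scan in the thread.
# This is the page's list only, not an advisory feed; a real scan needs one
# (for example OWASP Dependency-Check against an NVD mirror).
KNOWN_VULNERABLE = [
    ("prototypejs", "1.4.0", ["CVE-2008-7220"]),
    ("jquery", "1.7.2", ["jquery bug 11290", "jquery issue 2432"]),
    ("jackson-annotations", "2.6.0", ["CVE-2016-7051", "CVE-2016-3720"]),
    ("jackson-core", "2.6.6", ["CVE-2016-7051", "CVE-2016-3720"]),
    ("jstl", "1.2", ["CVE-2015-0254"]),
    ("log4j-core", "2.7", ["CVE-2017-5645"]),
]


def version_key(ver):
    """Numeric prefix of a version string as a tuple, so that '2.7' < '2.10'
    and '2.6.6-SNAPSHOT' compares as (2, 6, 6)."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", ver).group(0).split("."))


def inventory_war(war_bytes):
    """Return {(lib, version): [paths]} for every bundled jar and recognised JS library."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            path = info.filename
            m = JAR_RE.match(path)
            if m:
                found.setdefault((m["name"], m["ver"]), []).append(path)
                continue
            if path.endswith(".js"):
                text = war.read(info).decode("utf-8", errors="ignore")
                for lib, banner in JS_BANNERS.items():
                    for ver in set(banner.findall(text)):
                        found.setdefault((lib, ver), []).append(path)
    return found


def match_known_vulnerable(found, advisories=KNOWN_VULNERABLE):
    """Match the inventory against the advisory list. Conservative rule (an assumption
    of this example): a bundled version that is not newer than a flagged version is
    reported, since older releases of the same library will not carry the fix either."""
    findings = []
    for (lib, ver), paths in sorted(found.items()):
        for adv_lib, adv_ver, ids in advisories:
            if lib == adv_lib and version_key(ver) <= version_key(adv_ver):
                findings.append({"lib": lib, "version": ver, "paths": paths, "ids": ids})
    return findings


def build_sample_war():
    """Constructed stand-in for thredds.war; every entry here is invented for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.7.jar", b"")
        war.writestr("WEB-INF/lib/jackson-core-2.6.6.jar", b"")
        war.writestr("WEB-INF/lib/jstl-1.2.jar", b"")
        war.writestr("WEB-INF/lib/example-lib-1.0.jar", b"")  # filler, not in the advisory list
        war.writestr("js/lib/jquery-1.7.2.min.js",
                     b"/*! jQuery v1.7.2 jquery.com | jquery.org/license */")
        war.writestr("godiva2/js/OpenLayers-2.10.js",
                     b"/* OpenLayers */\n/* Prototype JavaScript framework, version 1.4.0 */\n")
    return buf.getvalue()


def scan(war_bytes):
    """Inventory plus findings, returned together so callers can report or assert on them."""
    found = inventory_war(war_bytes)
    return {"inventory": found, "findings": match_known_vulnerable(found)}


if __name__ == "__main__":
    report = scan(build_sample_war())
    for f in report["findings"]:
        print(f"{f['lib']} {f['version']}: {', '.join(f['ids'])}  ({', '.join(f['paths'])})")
```

To run it against a real build, read the WAR from disk (`scan(open("thredds.war", "rb").read())`) and replace `KNOWN_VULNERABLE` with output from a proper advisory source; matching on jar file names alone also misses shaded or relocated classes, which is exactly the case Sean describes for jackson being pulled in by the aws-sdk jar, so a class-level scanner is still needed for a result you would sign off on.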