Greetings Georgi,Sorry for the delay - I've just pushed a release candidate to github for you all to scan:Cheers!SeanOn Fri, Nov 17, 2017 at 1:29 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:GeorgiPerhaps scanning that would be a better path forward.Sean,Is there a way for several of us to be notified when a Release Candidate is tagged?On Thu, Nov 16, 2017 at 5:30 PM, Sean Arms <address@hidden> wrote:The snapshot came from our current master (commit a0361e80ce157716e67acccef366a836e53e24bd): Cheers,SeanOn Thu, Nov 16, 2017 at 2:31 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:Sean,We can deploy and test on a DEV server here (although we are more likely to wait for a tagged release). What's more important is that we would also need to do a code scan. In the past we have done that against a release tag (e.g. https://github.com/Unidata/thredds/releases/tag/v4.6.10 ). What GitHub tree was the snapshot built from that we can scan against?TIA,GeorgiOn Thu, Nov 16, 2017 at 3:37 PM, Sean Arms <address@hidden> wrote:Greetings Georgi,The snapshot can be found here:Just be sure to rename it thredds.war or thredds##4.6.11-SNAPSHOT.war before you try to deploy it. We have this war running on our demonstration TDS now as well:Let me know how it goes, and if everything is good, we can start working on cutting the 4.6.11 release.Cheers,SeanOn Thu, Nov 16, 2017 at 11:03 AM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:Fantastic! And, yes please.GeorgiOn Thu, Nov 16, 2017 at 12:36 PM, Sean Arms <address@hidden> wrote:Greetings Georgi,The following PR:addresses the outstanding github issues relating to open CVEs. I'll let you know when it gets into the master branch, and I can point you to a snapshot for testing.Cheers!SeanOn Wed, Nov 15, 2017 at 1:00 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:GeorgiGreat - many thanks in advance, Sean!Looking forward to 4.6.11,On Wed, Nov 15, 2017 at 2:54 PM, Sean Arms <address@hidden> wrote:Greetings Georgi,I'm digging into those at the moment. Hopefully I will find a fix, and, if so, it will be in the 4.6.11 release. However, I am surprised these, and a few others that have been fixed, are not in the 4.6.8 release. I'll keep you informed as things progress.Cheers,SeanOn Wed, Nov 15, 2017 at 9:44 AM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:We have stayed with 4.6.8 and avoided 4.6.10 because of these vulnerabilities. Do you guys have plans to issue fixes in a 4.6.11 since that is the supported release?Is there any change?Sean, and all,Looks like 865 and 866 were closed but the other three are still open: 864, 867 and 868.TIA,Georgi--On Wed, Jun 21, 2017 at 12:03 PM, Georgi Kostov - NOAA Affiliate <address@hidden> wrote:Sean, and all,I was initially swamped and delayed putting these on GitHub, so here are the links:
https://github.com/Unidata/thredds/issues/868
https://github.com/Unidata/thredds/issues/867
https://github.com/Unidata/thredds/issues/866
https://github.com/Unidata/thredds/issues/865
https://github.com/Unidata/thredds/issues/864
IHTH, and please add the fixes to the current stable release (4.6.x).Many thanks for your good work!GeorgiOn Sat, Jun 17, 2017 at 9:20 AM, Sean Arms <address@hidden> wrote:Thanks for the report, Georgi!
It looks like ncwms and godiva are pulling most of these (all the
_javascript_ libs, and the jstl lib) - I'll take a look and see what I
can do there.
I was able to update the log4j lib without issue, so we're good there.
The jackson-core and jackson-annotations are being pulled in by the
amazon aws-sdk lib. According to their github site, these hits were
false positives:
https://github.com/aws/aws-sdk-java/issues/801
so I'm not sure there is anything to be done there.
I'll keep in touch about how the ncwms / godiva upgrades go.
Sean
On Fri, Jun 16, 2017 at 4:46 PM, Georgi Kostov - NOAA Affiliate
<address@hidden> wrote:
> Sean, Dennis and Christian,
>
> Thank you for fixing (most of) the previous vulnerabilities!
>
> We have done another scan - this time of thredds 4.6.10, and I am enclosing
> a brief version of the findings - mostly pertaining to critical and high
> vulnerabilities. I am not enclosing any info about vulnerabilities ranked
> below those two levels.
>
> Please let me know what you find out and I hope that you'd be able to
> incorporate fixes into the 4.6, it being the current stable release.
>
> Many thanks for your attention to this important finding,
> Georgi
>
> ---------- Forwarded message ----------
>
> ...see results of the code analysis, including the Critical code injection
> vulnerability (related to prototype.js) and some others.
>
> Additionally, the following are some results from other scans and
> inspections:
>
> ----_javascript_ Libraries----
>
> /godiva2/js/OpenLayers-2.10.js
> ↳ prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE:
> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
>
> /home/appsec/static/thredds/the-war-file/godiva2/js/OpenLaye rs-2.8.js
> ↳ prototypejs 1.4.0 has known vulnerabilities: severity: high; CVE:
> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
>
> /home/appsec/static/thredds/the-war-file/js/lib/jquery-1.7.2 .min.js
> ↳ jquery 1.7.2.min has known vulnerabilities: severity: medium; bug: 11290,
> summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290
> http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-releas ed/
>
> I can tell you that jQuery 1.x and 2.x are end of life and no longer
> receiving any security updates, so the only way forward on that is to move
> to the 3.x series.
>
> ----Java Libraries----
>
> jackson-annotations-2.6.0.jar
> https://nvd.nist.gov/vuln/detail/CVE-2016-7051 - High
> https://nvd.nist.gov/vuln/detail/CVE-2016-3720 - Critical
>
>
> jackson-core-2.6.6.jar
> https://nvd.nist.gov/vuln/detail/CVE-2016-7051 - High
> https://nvd.nist.gov/vuln/detail/CVE-2016-3720 - Critical
>
>
> jstl-1.2.jar
> https://nvd.nist.gov/vuln/detail/CVE-2015-0254 - High
>
>
> log4j-core-2.7.jar
> https://nvd.nist.gov/vuln/detail/CVE-2017-5645 - Critical
>
>
> --
> Georgi Kostov
> Team ERT (Earth Resources Technology, Inc.), US Government Contractor
> Data Access Branch, NOMADS/NCMA Team | NOAA Mail code E/NE54
> NOAA's National Centers for Environmental Information (NCEI)
> 151 Patton Ave., Suite 420, Asheville, NC 28801-5001
> address@hidden | (828) 271-4921 | http://nomads.ncdc.noaa.gov/
> GPG Key ID 0xE2BD9A06. Fingerprint: 5109 7E85 D528 5E10 E516 BB80 AA42 52F1
> E2BD 9A06
>
> Follow NCEI on Facebook and Twitter
>
> The contents of this message are mine personally and do not necessarily
> reflect any position of NOAA or STG. This electronic transmission contains
> information that may be internal use only, confidential, or proprietary. If
> you are not the intended recipient, be aware that any disclosure, copying,
> distribution or use of the contents hereof is strictly prohibited. If you
> have received this transmission in error, please notify
> address@hidden
--Georgi Kostov
Team ERT (Earth Resources Technology, Inc.), US Government Contractor
Data Access Branch, NOMADS/NCMA Team | NOAA Mail code E/NE54
NOAA's National Centers for Environmental Information (NCEI)
151 Patton Ave., Suite 420, Asheville, NC 28801-5001
address@hidden | (828) 271-4921 | http://nomads.ncdc.noaa.gov/GPG Key ID 0xE2BD9A06. Fingerprint: 5109 7E85 D528 5E10 E516 BB80 AA42 52F1 E2BD 9A06
Follow NCEI on Facebook and Twitter
The contents of this message are mine personally and do not necessarily reflect any position of NOAA or STG. This electronic transmission contains information that may be internal use only, confidential, or proprietary. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents hereof is strictly prohibited. If you have received this transmission in error, please notify address@hiddenGeorgi Kostov
NOAA National Centers for Environmental Information (NCEI)
Data Stewardship Division, Data Access Branch, NOMADS/NCMA Team
ERT (Earth Resources Technology, Inc.), US Government Contractor
151 Patton Ave., Suite 420, Asheville, NC 28801-5001
address@hidden | (828) 271-4921 | http://nomads.ncdc.noaa.gov/GPG Key ID 0xE2BD9A06. Fingerprint: 5109 7E85 D528 5E10 E516 BB80 AA42 52F1 E2BD 9A06
Follow NCEI on Facebook and Twitter
The contents of this message are mine personally and do not necessarily reflect any position of NOAA or ERT. This electronic transmission contains information that may be internal use only, confidential, or proprietary. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents hereof is strictly prohibited. Please notify me If you have received this transmission in error.
--Georgi Kostov
NOAA National Centers for Environmental Information (NCEI)
Data Stewardship Division, Data Access Branch, NOMADS/NCMA Team
ERT (Earth Resources Technology, Inc.), US Government Contractor
151 Patton Ave., Suite 420, Asheville, NC 28801-5001
address@hidden | (828) 271-4921 | http://nomads.ncdc.noaa.gov/GPG Key ID 0xE2BD9A06. Fingerprint: 5109 7E85 D528 5E10 E516 BB80 AA42 52F1 E2BD 9A06
Follow NCEI on Facebook and Twitter
The contents of this message are mine personally and do not necessarily reflect any position of NOAA or ERT. This electronic transmission contains information that may be internal use only, confidential, or proprietary. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents hereof is strictly prohibited. Please notify me If you have received this transmission in error.
--Georgi Kostov
NOAA National Centers for Environmental Information (NCEI)
Data Stewardship Division, Data Access Branch, NOMADS/NCMA Team
ERT (Earth Resources Technology, Inc.), US Government Contractor
151 Patton Ave., Suite 420, Asheville, NC 28801-5001
address@hidden | (828) 271-4921 | http://nomads.ncdc.noaa.gov/GPG Key ID 0xE2BD9A06. Fingerprint: 5109 7E85 D528 5E10 E516 BB80 AA42 52F1 E2BD 9A06
Follow NCEI on Facebook and Twitter
The contents of this message are mine personally and do not necessarily reflect any position of NOAA or ERT. This electronic transmission contains information that may be internal use only, confidential, or proprietary. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents hereof is strictly prohibited. Please notify me If you have received this transmission in error.
--Georgi Kostov
NOAA National Centers for Environmental Information (NCEI)
Data Stewardship Division, Data Access Branch, NOMADS/NCMA Team
ERT (Earth Resources Technology, Inc.), US Government Contractor
151 Patton Ave., Suite 420, Asheville, NC 28801-5001
address@hidden | (828) 271-4921 | http://nomads.ncdc.noaa.gov/GPG Key ID 0xE2BD9A06. Fingerprint: 5109 7E85 D528 5E10 E516 BB80 AA42 52F1 E2BD 9A06
Follow NCEI on Facebook and Twitter
The contents of this message are mine personally and do not necessarily reflect any position of NOAA or ERT. This electronic transmission contains information that may be internal use only, confidential, or proprietary. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents hereof is strictly prohibited. Please notify me If you have received this transmission in error.
--Georgi Kostov
NOAA National Centers for Environmental Information (NCEI)
Data Stewardship Division, Data Access Branch, NOMADS/NCMA Team
ERT (Earth Resources Technology, Inc.), US Government Contractor
151 Patton Ave., Suite 420, Asheville, NC 28801-5001
address@hidden | (828) 271-4921 | http://nomads.ncdc.noaa.gov/GPG Key ID 0xE2BD9A06. Fingerprint: 5109 7E85 D528 5E10 E516 BB80 AA42 52F1 E2BD 9A06
Follow NCEI on Facebook and Twitter
The contents of this message are mine personally and do not necessarily reflect any position of NOAA or ERT. This electronic transmission contains information that may be internal use only, confidential, or proprietary. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents hereof is strictly prohibited. Please notify me If you have received this transmission in error.