Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Tero Saarni
On Tuesday, May 25, 2021 00:04 Bernd wrote: > BTW: I was not aware that JFrog has its own vulnerability feed, is that the > Snyk Knowledge Base or do they have their own analysts? They used to use Snyk, but since a few years ago they say it is based on VulnDB from Risk Based Security. -- Tero [1]

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Stefan Bodewig
On 2021-05-24, Bernd wrote: > On Mon., 24 May 2021 at 20:46, Matt Sicker wrote: >> There's also a bit of an issue of fixing these types of >> vulnerabilities at the library level. The library itself typically >> won't have much in the way of a security model until you integrate it >> into a

Re: [VOTE] Release Apache Commons IO 2.9.0 based on RC1

2021-05-24 Thread Rob Tompkins
+1 all reports check out. Builds with Java 8 and 11. Keep up the good work Gary! Cheers, -Rob > On May 24, 2021, at 8:32 PM, Gary Gregory wrote: > > Keeps me on my toes ;-) > > Gary > > >> On Mon, May 24, 2021 at 12:49 PM Rob Tompkins wrote: >> >> Sounds good just wanted to ask the quest

Re: [VOTE] Release Apache Commons IO 2.9.0 based on RC1

2021-05-24 Thread Gary Gregory
Keeps me on my toes ;-) Gary On Mon, May 24, 2021 at 12:49 PM Rob Tompkins wrote: > Sounds good just wanted to ask the question. > > -Rob > > > On May 24, 2021, at 12:47 PM, Gary Gregory > wrote: > > > > The method is already implemented in a super class so nothing is broken. > > Recall also

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Bernd
Hello, On Mon., 24 May 2021 at 20:46, Matt Sicker wrote: > There's also a bit of an issue of fixing these types of > vulnerabilities at the library level. The library itself typically > won't have much in the way of a security model until you integrate it > into an application. That is tr

Re: [Math][Numbers][Geometry][Statistics] Road map for next release(s)

2021-05-24 Thread Gilles Sadowski
On Sun. 23 May 2021 at 22:54, Alex Herbert wrote: > > On Sun, 23 May 2021 at 15:58, Gilles Sadowski wrote: > > > > > I've created a multi-module[1] version of the code base with a > > corresponding JIRA issue: > > https://issues.apache.org/jira/browse/MATH-1575 > > > Thanks. This is more ma

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Matt Sicker
There's also a bit of an issue of fixing these types of vulnerabilities at the library level. The library itself typically won't have much in the way of a security model until you integrate it into an application. For example, if you only use commons-compress on trusted input, then even high availa

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Fabian Meumertzheim
The JFrog reports seem to reference the following two OSS-Fuzz findings, which have not been classified as security issues: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34437 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33959 OSS-Fuzz and Jazzer, its Java fuzzer, never mark unca

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Stefan Bodewig
On 2021-05-24, Tero Saarni wrote: > We are getting reports from JFrog Xray vulnerability scanner that seem > to be related to recently fixed OSS-Fuzz issues: I wasn't aware of this effect. This is very unfortunate. > * Summary: Apache Commons Compress archivers/zip/ZipFile.java > ZipFile::read

Re: [VOTE] Release Apache Commons IO 2.9.0 based on RC1

2021-05-24 Thread Rob Tompkins
Sounds good just wanted to ask the question. -Rob > On May 24, 2021, at 12:47 PM, Gary Gregory wrote: > > The method is already implemented in a super class so nothing is broken. > Recall also that generics are erased by the compiler. > > Gary > > On Mon, May 24, 2021, 12:06 Rob Tompkins wro

Re: [VOTE] Release Apache Commons IO 2.9.0 based on RC1

2021-05-24 Thread Gary Gregory
The method is already implemented in a super class so nothing is broken. Recall also that generics are erased by the compiler. Gary On Mon, May 24, 2021, 12:06 Rob Tompkins wrote: > I’m curious….does this change break BC > > > https://github.com/apache/commons-io/commit/6803ac145c274546d0f2

OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Tero Saarni
Hi, We are getting reports from JFrog Xray vulnerability scanner that seem to be related to recently fixed OSS-Fuzz issues: * Summary: Apache Commons Compress archivers/zip/ZipFile.java ZipFile::readCentralDirectoryEntry() Function Uncaught Exception DoS Severity: High * Summary: Apache Comm

Re: [VOTE] Release Apache Commons IO 2.9.0 based on RC1

2021-05-24 Thread Rob Tompkins
I’m curious… does this change break BC https://github.com/apache/commons-io/commit/6803ac145c274546d0f2e06374a9723a4d4d7ce6 with the removal of: public FileVisitResult visitFile(final Path file, final Ba

Re: [Math][Numbers][Geometry][Statistics] Road map for next release(s)

2021-05-24 Thread Erik Svensson
Hello! I/We are still willing to contribute. Sadly, more urgent things have had to be handled, thus my silence. I will look at the jira and I will try to formulate some sort of proposal. /Erik Erik Svensson Principal Architect Strategic Programs, Platform & Product Engineering