[CKAN-Security] Vulnerabilities due to outdated software.

Adrià Mercader adria.mercader at okfn.org
Mon Oct 2 13:08:50 UTC 2017


At first sight there doesn't seem to be anything too critical here so we
can plan this a bit. I have very limited time available to work on CKAN
core stuff, which I'd like to focus as much as possible on the Flask
migration, so it'd be great if someone could help here (the grant that is
paying for my time is ending soon, but I'll update on that when I have more
details). Let's discuss at tomorrow's meeting and see what we can do.

This is a tricky one for published releases, as in theory we don't include
changes in requirements on patch releases (on master we should upgrade all
of these for sure).
Of course if a dependency presents a serious security issue we should
revisit this somehow. JS are simpler because we can just repackage them in
the source code but upgrading the python reqs would complicate the patch
install instructions which we aim to keep ultra simple to encourage people
to update so I'd double check if it's worth it before doing this.

On Pylons, Tyler started a PR for updating to the latest version that I
think is worth getting into master as it will be a while before we drop it
completely: https://github.com/ckan/ckan/pull/3382




On 29 September 2017 at 11:03, David Read <david.read at hackneyworkshop.com>
wrote:

> Interesting to receive this. Sadly, bad timing straight after we did
> the last one. I for one am all out of time at the moment to work on
> this, sadly, so hopefully someone can step up.
>
> So they read through the changelogs for all the deps and highlighted
> anything that looked like a vulnerability. My experience suggests that
> dependencies are rarely fully used, so the vulnerabilities tend not to
> affect the dependee. But you just can't be sure without raking through
> the details :( Simplest thing is to be on the latest version.
>
> No doubt someone should see if we can upgrade all of these. I bet
> there will be some difficulties though and that will raise the
> questions.
>
> Do we look to update deps on just CKAN 2.7? or 2.4, 2.5 and 2.6 too?
>
> As a general thing, I've heard Snyk mentioned a few times, which I
> believe we can add to our Travis for free, that is supposed to look at
> dependencies and give you levels of risk.
>
> Dave
>
> Repo: https://github.com/ckan/ckan-security
>
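The thread raises two practical questions: whether the pinned Python requirements fall inside a known-vulnerable version range, and what a dependency scanner (Snyk is mentioned) actually does with a requirements file. The following script is an added example written for this page, not code from the thread, from CKAN, or from Snyk. It parses a constructed requirements.txt, matches pinned versions against a constructed advisory table, and flags unpinned requirements that cannot be audited at all. Every package name, version and advisory in it is hypothetical; the version comparison is a deliberately simplified subset of PEP 440.

```python
"""Audit pinned Python requirements against known-vulnerable version ranges.

Added example for illustration only. The packages, versions and advisories
below are CONSTRUCTED and do not describe any real software.
"""
import re
from typing import List, NamedTuple, Tuple


class Advisory(NamedTuple):
    package: str
    affected_lo: str   # first affected version, inclusive
    fixed_in: str      # first fixed version, exclusive upper bound
    note: str


# Constructed advisory table (hypothetical packages and versions).
ADVISORIES = [
    Advisory("examplelib", "0.0", "1.4.2", "HYPOTHETICAL advisory, fixed in 1.4.2"),
    Advisory("exampleweb", "2.0", "2.3.1", "HYPOTHETICAL advisory, fixed in 2.3.1"),
]

# Constructed requirements.txt, pinned with == the way CKAN's file is,
# plus an unpinned line and an oddly formatted name to exercise the parser.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not CKAN's real requirements.txt
examplelib==1.3.0
exampleweb==2.3.1
otherlib>=4.0            # unpinned: a scanner cannot tell which version ships
Sanitizer-Tool == 0.9    # capitals, hyphen and spaces around the operator
"""

REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)\s*([^\s#]+)")


def normalize_name(name: str) -> str:
    """Compare names case-insensitively with -, _ and . treated alike."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2). Non-numeric segments count as 0 and trailing
    zeros are dropped so that 1.4 == 1.4.0 (simplified PEP 440)."""
    parts = []
    for seg in v.strip().split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (normalized name, operator, version) per requirement line."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            reqs.append((normalize_name(m.group(1)), m.group(2), m.group(3)))
    return reqs


def audit(text: str, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (name, status, detail) with status in {vulnerable, ok, unpinned}."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(normalize_name(adv.package), []).append(adv)
    findings = []
    for name, op, ver in parse_requirements(text):
        if op != "==":
            # A range pin means the installed version is unknown; flag it
            # rather than silently passing it as clean.
            findings.append((name, "unpinned", f"{op}{ver}: cannot audit, pin it"))
            continue
        v = parse_version(ver)
        for adv in by_name.get(name, []):
            if parse_version(adv.affected_lo) <= v < parse_version(adv.fixed_in):
                findings.append((name, "vulnerable",
                                 f"{ver} affected, upgrade to {adv.fixed_in} ({adv.note})"))
                break
        else:
            findings.append((name, "ok", ver))
    return findings


if __name__ == "__main__":
    for name, status, detail in audit(SAMPLE_REQUIREMENTS):
        print(f"{status:10s} {name:16s} {detail}")
```

The "unpinned" status is the check worth keeping in mind when weighing the thread's point about patch releases: a scanner can only answer "is this version affected" when the requirement is an exact pin, which is also what makes the patch-install instructions simple. Replacing the constructed ADVISORIES table with a real feed (and the simplified parse_version with packaging.version) is what a tool like Snyk or a pip audit does for you.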