Replies: 3 comments 3 replies
-
Building another container just so it doesn't include a specific component is not something we're interested in doing. We should update the h2 version we ship instead. However, AFAIK h2 does not backport security fixes, and we'd have to update h2 from 1.4 to 2.0, which introduces breaking changes. So everyone's existing installation that uses h2 will break. @stevespringett, I know you looked into this b/c I've heard you mentioning the h2 situation on multiple occasions. Any strong feelings on the subject? In any case, if you're not using h2, you're not affected by any of its vulnerabilities.
-
@jbruenner, exactly what vulnerabilities are you concerned about in h2?

sonatype-2020-1324? This is not a vulnerability... I reported this one to the h2 team and got a detailed (and very speedy) response explaining why it is not a vulnerability. I have logged this with OSSI: OSSIndex/vulns#299

CVE-2018-14335? Only 1.4.197 and older versions are affected. I have updated OSSI Bug 277 to reflect this.
-
Great, thank you.
Jörg Brünner
From: Niklas
Sent: Monday, 27 June 2022 10:42
To: DependencyTrack/dependency-track
Cc: Brünner, Jörg - SK; Mention
Subject: Re: [DependencyTrack/dependency-track] Container without h2 database? (Discussion #1740)
Are they any problem to the secure operation of DT?
Not really, no. Both vulnerabilities require file system access by the attacker (the c_rehash script in OpenSSL that is affected by CVE-2022-1292<https://github.com/advisories/GHSA-qjmp-vmxc-7p8r> iterates over local files, not sure why they flagged the attack vector as network).
-
Hi,
I'm introducing DT to our IT service group. They scan new containers. So they fell over the vulnerabilities of the h2 database. Is it possible to maintain two versions of DT: a test version with h2 and a productive one without?
Thanks a lot
Jörg