
CVE vulnerabilities in WhiteRabbit #369

Open
thenuste opened this issue Mar 1, 2023 · 3 comments

Comments

@thenuste

thenuste commented Mar 1, 2023

Hello,

I created a Docker image based on jupyterhub/jupyterhub with WhiteRabbit v0.10.7 on top of it. I ran some vulnerability scans (via Sysdig) on the image and it flagged three critical vulnerabilities for me due to some Java dependencies that WhiteRabbit has. These are:

  • CVE-2018-8088: due to the /WhiteRabbit_v0.10.7/repo/slf4j-api-1.7.5.jar dependency. Sysdig indicates that this has been solved in version 1.7.26.
  • CVE-2020-7692: due to the /WhiteRabbit_v0.10.7/repo/google-oauth-client-1.28.0.jar dependency. Version 1.31.0 has this fixed.
  • CVE-2022-26520: due to the /WhiteRabbit_v0.10.7/repo/postgresql-42.3.2.jar dependency. From version 42.3.3 onwards this has been fixed.

I'm a bit ignorant on the matter, so I was wondering: are these packages going to be updated in a future version of WhiteRabbit, or can I build WhiteRabbit (from source, using Maven) with the updated packages?

Thank you.

@janblom
Collaborator

janblom commented Mar 1, 2023

Hi,

A new version of WhiteRabbit is in preparation. I hope to release it some time in March, and updating the dependencies is part of the plan.

For your Docker image, without having looked at the impact of the upgrades, I think upgrading slf4j-api and postgresql in your Maven file should work fine, since the major and minor versions are unchanged and only the patch version is newer. For google-oauth-client this is likely also fine, since a new minor version should not include breaking changes ("should" is an assumption though).
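The upgrade the reply above describes can be pinned in the consuming project's own pom.xml rather than by editing WhiteRabbit's build. The following is an added example and not WhiteRabbit's own pom.xml: it uses a `<dependencyManagement>` section to force the patched versions named in the issue (slf4j-api 1.7.26, google-oauth-client 1.31.0, postgresql 42.3.3) onto whatever transitive versions WhiteRabbit brings in. The Maven coordinates of the three libraries are their published ones; the enclosing project coordinates (`com.example:whiterabbit-image`) are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Placeholder coordinates for the project that packages WhiteRabbit into the image. -->
  <groupId>com.example</groupId>
  <artifactId>whiterabbit-image</artifactId>
  <version>0.1.0</version>

  <properties>
    <!-- Vulnerable versions shipped in WhiteRabbit v0.10.7/repo, kept here only for reference:
         slf4j-api 1.7.5 (CVE-2018-8088), google-oauth-client 1.28.0 (CVE-2020-7692),
         postgresql 42.3.2 (CVE-2022-26520). -->
    <slf4j.version>1.7.26</slf4j.version>
    <google-oauth-client.version>1.31.0</google-oauth-client.version>
    <postgresql.version>42.3.3</postgresql.version>
  </properties>

  <!-- dependencyManagement wins over transitive version selection: any module
       (including rabbit-core) that declares these artifacts without a version,
       or pulls them in transitively, resolves to the versions pinned here. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>${slf4j.version}</version>
      </dependency>
      <dependency>
        <groupId>com.google.oauth-client</groupId>
        <artifactId>google-oauth-client</artifactId>
        <version>${google-oauth-client.version}</version>
      </dependency>
      <dependency>
        <groupId>org.postgresql</groupId>
        <artifactId>postgresql</artifactId>
        <version>${postgresql.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After changing the pom, `mvn dependency:tree -Dincludes=org.slf4j,com.google.oauth-client,org.postgresql` shows which version of each artifact actually ended up on the classpath, which is the thing to check before re-running the image scan; a pin in `dependencyManagement` only takes effect for artifacts resolved through this build, so jars copied verbatim from the WhiteRabbit release's `repo/` directory are not affected by it.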

@thenuste
Author

thenuste commented Mar 2, 2023

Hello,

Thank you for your prompt response. I don't want to sound pushy or anything like that, but just to get an idea of the timeline: will the new release be out by the end of March?

This is unrelated to this open issue, but I am trying to build from source using Maven, and I am getting some errors when compiling due to Maven not being able to resolve some dependencies for rabbit-core:

[image: screenshot of the Maven build errors, not available in text]

Am I missing something obvious that I have to change in the pom.xml file when building locally (like a repo)?

@janblom
Collaborator

janblom commented Mar 8, 2023

I have committed 2 small fixes to the master branch (pom.xml and rabbit-core/pom.xml) that should fix the current build problems. You can either clone master, or copy those 2 files to your project.

The release is indeed going to be around the end of March.
