CVE vulnerabilities in WhiteRabbit #369
Hi, a new version of WhiteRabbit is in preparation, I hope to release it some time in March, and updating the dependencies is part of the plan. For your docker image, without having looked at the impact of the upgrades, I think upgrading slf4j-api and postgresql in your maven file should work fine, since the major and minor version are unchanged, only the patch version is newer. For google-oauth-client this is likely also fine, since a new minor version should not include breaking changes ("should" is an assumption though).
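As an added illustration, not code from the WhiteRabbit project or from either participant in this thread, the following pom.xml fragment shows how a downstream build (such as the docker image described in the issue) can force the patched versions of the three dependencies named above. The Maven coordinates are the ones these artifacts are published under on Maven Central; the versions are the fixed versions the scanner reported in the issue. Because WhiteRabbit's own pom declares the older versions, the downstream project has to pin the newer ones in its `dependencyManagement` section, which in Maven takes precedence over versions declared by transitive dependencies.

```xml
<!-- Added example: pins patched versions of WhiteRabbit's transitive dependencies
     in the consuming project's pom.xml. Versions are the fixed versions named in
     the issue; the WhiteRabbit dependency itself is a placeholder and is not shown. -->
<project>
  <!-- ... groupId, artifactId, version of the downstream image project ... -->

  <dependencyManagement>
    <dependencies>
      <!-- patch-level bump (1.7.5 -> 1.7.26): same major.minor, low risk -->
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.7.26</version>
      </dependency>

      <!-- patch-level bump (42.3.2 -> 42.3.3): same major.minor, low risk -->
      <dependency>
        <groupId>org.postgresql</groupId>
        <artifactId>postgresql</artifactId>
        <version>42.3.3</version>
      </dependency>

      <!-- minor bump (1.28.0 -> 1.31.0): should be compatible, but as the
           maintainer notes that is an assumption, so run the test suite -->
      <dependency>
        <groupId>com.google.oauth-client</groupId>
        <artifactId>google-oauth-client</artifactId>
        <version>1.31.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the existing WhiteRabbit dependency stays as it is; the pinned
         versions above override what it declares transitively -->
  </dependencies>
</project>
```

After rebuilding, `mvn dependency:tree` lists the versions Maven actually resolved, which is the check worth doing before re-running the image scan: the scanner looks at the jars that end up in the image, not at what the pom says.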
Hello, Thank you for your prompt response. I don't want to sound pushy or anything like that, but just to get an idea on timelines, will the new release be by the end of March? This is unrelated to this opened issue, but I am trying to build from source using Maven, and I am getting some errors when compiling due to Maven not being able to resolve some dependencies for Am I missing something obvious that I have to change in the
I have committed 2 small fixes to the master branch (pom.xml and rabbit-core/pom.xml) that should fix the current build problems. You can either clone master, or copy those 2 files to your project. The release is indeed going to be around the end of March.
Hello,
I created a docker image based on jupyterhub/jupyterhub with WhiteRabbit v0.10.7 on top of it. I ran some vulnerability scans (via Sysdig) on the image and it flagged me three critical vulnerabilities due to some java dependencies that WhiteRabbit has. These are:
- /WhiteRabbit_v0.10.7/repo/slf4j-api-1.7.5.jar dependency. Sysdig indicates that with version 1.7.26 this has been solved.
- /WhiteRabbit_v0.10.7/repo/google-oauth-client-1.28.0.jar dependency. Version 1.31.0 has this fixed.
- /WhiteRabbit_v0.10.7/repo/postgresql-42.3.2.jar dependency. From version 42.3.3 onwards this has been fixed.

I'm a bit ignorant on the matter, so I was wondering: are these packages going to be updated in a future version of WhiteRabbit, or can I build WhiteRabbit (from source code using Maven) with the updated packages?
Thank you.