Fwd: [apache/flink-web] One of your dependencies may have a security vulnerability


Fwd: [apache/flink-web] One of your dependencies may have a security vulnerability

Stephan Ewen
---------- Forwarded message ----------
From: Apache Security Team <[hidden email]>
Date: Thu, Jul 26, 2018 at 6:04 PM
Subject: Fwd: [apache/flink-web] One of your dependencies may have a
security vulnerability
To: [hidden email]


Hi Flink PMC,

we are still receiving this notification from github.

Regards,
Yann.

---------- Forwarded message ----------
From: GitHub <[hidden email]>
Date: Wed, Jul 25, 2018 at 3:43 PM
Subject: [apache/flink-web] One of your dependencies may have a security
vulnerability
To: apache/flink-web <[hidden email]>
Cc: Security alert <[hidden email]>


We found a potential security vulnerability in one of your dependencies
*asfsecurity,*

We found a potential security vulnerability in a repository for which you
have been granted security alert access.
apache/flink-web <https://github.com/apache/flink-web>
Known *high severity* security vulnerability detected in yajl-ruby < 1.3.1
defined in Gemfile
<https://github.com/apache/flink-web/blob/asf-site/Gemfile>.
Gemfile <https://github.com/apache/flink-web/blob/asf-site/Gemfile> update
suggested: yajl-ruby ~> 1.3.1.
Always verify the validity and compatibility of suggestions with your
codebase.
Review vulnerable dependency
<https://github.com/apache/flink-web/network/dependencies>
------------------------------

Only users who have been assigned access to security alerts will receive
these notifications.

Re: [apache/flink-web] One of your dependencies may have a security vulnerability

Ufuk Celebi-2
We fixed this for the Flink docs a while back in
https://github.com/apache/flink/pull/5395, but didn't think of the
flink-web repo which uses a similar setup to our docs.

If somebody has time to look into this, we can follow the above PR to
apply the same changes.

– Ufuk


On Fri, Jul 27, 2018 at 10:20 AM, Stephan Ewen <[hidden email]> wrote:

> ---------- Forwarded message ----------
> From: Apache Security Team <[hidden email]>
> Date: Thu, Jul 26, 2018 at 6:04 PM
> Subject: Fwd: [apache/flink-web] One of your dependencies may have a
> security vulnerability
> To: [hidden email]
>
>
> Hi Flink PMC,
>
> we are still receiving this notification from github.
>
> Regards,
> Yann.
>
> ---------- Forwarded message ----------
> From: GitHub <[hidden email]>
> Date: Wed, Jul 25, 2018 at 3:43 PM
> Subject: [apache/flink-web] One of your dependencies may have a security
> vulnerability
> To: apache/flink-web <[hidden email]>
> Cc: Security alert <[hidden email]>
>
>
> We found a potential security vulnerability in one of your dependencies
> *asfsecurity,*
>
> We found a potential security vulnerability in a repository for which you
> have been granted security alert access.
> apache/flink-web <https://github.com/apache/flink-web>
> Known *high severity* security vulnerability detected in yajl-ruby < 1.3.1
> defined in Gemfile
> <https://github.com/apache/flink-web/blob/asf-site/Gemfile>.
> Gemfile <https://github.com/apache/flink-web/blob/asf-site/Gemfile> update
> suggested: yajl-ruby ~> 1.3.1.
> Always verify the validity and compatibility of suggestions with your
> codebase.
> Review vulnerable dependency
> <https://github.com/apache/flink-web/network/dependencies>
> ------------------------------
>
> Only users who have been assigned access to security alerts will receive
> these notifications.

Re: [apache/flink-web] One of your dependencies may have a security vulnerability

Fabian Hueske-2
I've filed this under FLINK-10007 [1].

Cheers, Fabian

[1] https://issues.apache.org/jira/browse/FLINK-10007

2018-08-02 11:10 GMT+02:00 Ufuk Celebi <[hidden email]>:

> We fixed this for the Flink docs a while back in
> https://github.com/apache/flink/pull/5395, but didn't think of the
> flink-web repo which uses a similar setup to our docs.
>
> If somebody has time to look into this, we can follow the above PR to
> apply the same changes.
>
> – Ufuk
>
>
> On Fri, Jul 27, 2018 at 10:20 AM, Stephan Ewen <[hidden email]> wrote:
> > ---------- Forwarded message ----------
> > From: Apache Security Team <[hidden email]>
> > Date: Thu, Jul 26, 2018 at 6:04 PM
> > Subject: Fwd: [apache/flink-web] One of your dependencies may have a
> > security vulnerability
> > To: [hidden email]
> >
> >
> > Hi Flink PMC,
> >
> > we are still receiving this notification from github.
> >
> > Regards,
> > Yann.
> >
> > ---------- Forwarded message ----------
> > From: GitHub <[hidden email]>
> > Date: Wed, Jul 25, 2018 at 3:43 PM
> > Subject: [apache/flink-web] One of your dependencies may have a security
> > vulnerability
> > To: apache/flink-web <[hidden email]>
> > Cc: Security alert <[hidden email]>
> >
> >
> > We found a potential security vulnerability in one of your dependencies
> > *asfsecurity,*
> >
> > We found a potential security vulnerability in a repository for which you
> > have been granted security alert access.
> > apache/flink-web <https://github.com/apache/flink-web>
> > Known *high severity* security vulnerability detected in yajl-ruby < 1.3.1
> > defined in Gemfile
> > <https://github.com/apache/flink-web/blob/asf-site/Gemfile>.
> > Gemfile <https://github.com/apache/flink-web/blob/asf-site/Gemfile> update
> > suggested: yajl-ruby ~> 1.3.1.
> > Always verify the validity and compatibility of suggestions with your
> > codebase.
> > Review vulnerable dependency
> > <https://github.com/apache/flink-web/network/dependencies>
> > ------------------------------
> >
> > Only users who have been assigned access to security alerts will receive
> > these notifications.