How to handle security alerts #3498
Replies: 5 comments
-
I'd be all for upgrading because we already use Karaf 4.2.2 with the Jetty version that doesn't have this vulnerability in openHAB 2.5.0 (#458). It got downgraded again when ESH got merged (#467 (comment)). We might as well upgrade it straight to Karaf 4.2.4 which got released March 18th. |
Beta Was this translation helpful? Give feedback.
-
It depends if it is about a runtime dependency or a compile time one. In the following example let's talk about minor version bumps WRT to semver: Remember: The compile time dependency can differ from the runtime dependency in OSGi. |
Beta Was this translation helpful? Give feedback.
-
Yes you're right that there is no immediate need to upgrade it for OHC itself. It might help to push solutions using OHC (unaware of this) to bump their Karaf/Jetty version. Although I don't think there will be many. 😉 If we don't want to address this we can also dismiss it so it's not becoming an annoyance. E.g. by choosing "Risk is tolarable to this project" option: We'll still get vulnerability updates and can act accordingly. Furthermore the risk is not high because it's about a DoS threat and most users will be running some proxy (NGINX/myopenhab) providing security in front of Jetty anyways. If they don't they'll have a lot more security concerns to worry about. |
Beta Was this translation helpful? Give feedback.
-
Thanks for your opinions. Makes sense. I will dismiss this one like suggest by @wborn . |
Beta Was this translation helpful? Give feedback.
-
They've been dismissed now. You can still find these dismissed alerts in Insights > Alerts > Closed. |
Beta Was this translation helpful? Give feedback.
-
Two days ago a security alert popped up in my notifications (see https://github.com/openhab/openhab-core/network/alert/bom/runtime/pom.xml/org.eclipse.jetty:jetty-server/open). How should we handle those alerts? Upgrade our dependency? Or ignore them for the moment?
Beta Was this translation helpful? Give feedback.
All reactions