From bernie at codewiz.org Tue Dec 22 06:59:38 2020
From: bernie at codewiz.org (Bernie Innocenti)
Date: Tue, 22 Dec 2020 18:59:38 +0700
Subject: [Systems] Fwd: Your Dependabot alerts for the week of Dec 15 - Dec 22
In-Reply-To: <5fe15e0cf0134_363319f021417@github-lowworker-c5134a3.ac4-iad.github.net.mail>
References: <5fe15e0cf0134_363319f021417@github-lowworker-c5134a3.ac4-iad.github.net.mail>
Message-ID: <48f7cc70-14a3-dded-61dc-08e66f921fca@codewiz.org>

Who should take care of these?

-------- Forwarded Message --------
Subject: Your Dependabot alerts for the week of Dec 15 - Dec 22
Date: Tue, 22 Dec 2020 02:46:37 +0000 (UTC)
From: GitHub
To: Bernie Innocenti

Dependabot alerts on GitHub

Explore this week on GitHub
Dependabot alerts
GitHub security alert digest

*codewiz's* repository security updates from the week of *Dec 15 - Dec 22*

Sugar Labs organization

Warning! sugarlabs / *sugar-gitbot*
Known security vulnerabilities detected
  Dependency express   Version < 3.11.0   Upgrade to ~> 3.11.0
  Defined in package.json
  Vulnerabilities
    CVE-2014-6393   Moderate severity
Review all vulnerable dependencies

Warning! sugarlabs / *www-sugarlabs*
Known security vulnerabilities detected
  Dependency kramdown   Version < 2.3.0   Upgrade to ~> 2.3.0
  Defined in Gemfile.lock
  Vulnerabilities
    CVE-2020-14001   High severity
Review all vulnerable dependencies

Warning! sugarlabs / *musicblocks*
Known security vulnerabilities detected
  Dependency ecstatic   Version < 4.1.3   Upgrade to ~> 4.1.3
  Defined in package-lock.json
  Vulnerabilities
    CVE-2019-10775   Moderate severity
Review all vulnerable dependencies

sugarlabs-infra organization

Warning! sugarlabs-infra / *helios-server*
Known security vulnerabilities detected
  Dependency gunicorn   Version < 19.5.0   Upgrade to ~> 19.5.0
  Defined in requirements.txt
  Vulnerabilities
    CVE-2018-1000164   Moderate severity
  Dependency requests   Version <= 2.19.1   Upgrade to ~> 2.20.0
  Defined in requirements.txt
  Vulnerabilities
    CVE-2018-18074   Moderate severity
  Dependency django   Version < 1.11.18   Upgrade to ~> 1.11.18
  Defined in requirements.txt
  Vulnerabilities
    CVE-2020-9402   High severity
    CVE-2019-3498   Low severity
    CVE-2019-6975   Moderate severity
    CVE-2019-19844   Moderate severity
    CVE-2020-7471   Moderate severity
  Dependency bleach   Version < 3.1.1   Upgrade to ~> 3.1.1
  Defined in requirements.txt
  Vulnerabilities
    CVE-2020-6802   Moderate severity
    CVE-2020-6816   Moderate severity
    CVE-2020-6817   Moderate severity
Review all vulnerable dependencies

Always verify the validity and compatibility of suggestions with your codebase.

------------------------------------------------------------------------
Change how you receive security alert emails in your notification preferences.

Unsubscribe · Email preferences · Terms · Privacy · Sign into GitHub

GitHub, Inc.
88 Colin P Kelly Jr St.
San Francisco, CA 94107
From ibiamchihurumnaya at gmail.com Tue Dec 22 07:07:51 2020
From: ibiamchihurumnaya at gmail.com (Chihurumnaya Ibiam)
Date: Tue, 22 Dec 2020 13:07:51 +0100
Subject: [Systems] Fwd: Your Dependabot alerts for the week of Dec 15 - Dec 22
In-Reply-To: <48f7cc70-14a3-dded-61dc-08e66f921fca@codewiz.org>
References: <5fe15e0cf0134_363319f021417@github-lowworker-c5134a3.ac4-iad.github.net.mail> <48f7cc70-14a3-dded-61dc-08e66f921fca@codewiz.org>
Message-ID:

I've created updates for sugar-gcibot and www-sugarlabs. I've alerted Walter about the musicblocks alert. I don't have access to sugarlabs-infra, but I think we should retire the helios server if it's still running, as we haven't been using it for our elections: we've been using civs, and I think we only used it for the election last conducted by Dave (I think).

--
Ibiam Chihurumnaya
ibiamchihurumnaya at gmail.com

On Tue, Dec 22, 2020 at 12:59 PM Bernie Innocenti wrote:
> Who should take care of these?
>
> -------- Forwarded Message --------
> Subject: Your Dependabot alerts for the week of Dec 15 - Dec 22
> Date: Tue, 22 Dec 2020 02:46:37 +0000 (UTC)
> From: GitHub
> To: Bernie Innocenti
>
> Explore this week on GitHub
> [image: Dependabot alerts]
> [image: GitHub] security alert digest
>
> *codewiz's* repository security updates from the week of *Dec 15 - Dec 22*
> Sugar Labs organization
>
> [image: Warning!] sugarlabs / *sugar-gitbot*
>
> Known security vulnerabilities detected
> Dependency express Version < 3.11.0 Upgrade to ~> 3.11.0
> Defined in package.json
> Vulnerabilities
> CVE-2014-6393 Moderate severity
>
> Review all vulnerable dependencies
>
> [image: Warning!] sugarlabs / *www-sugarlabs*
>
> Known security vulnerabilities detected
> Dependency kramdown Version < 2.3.0 Upgrade to ~> 2.3.0
> Defined in Gemfile.lock
> Vulnerabilities
> CVE-2020-14001 High severity
>
> Review all vulnerable dependencies
>
> [image: Warning!] sugarlabs / *musicblocks*
>
> Known security vulnerabilities detected
> Dependency ecstatic Version < 4.1.3 Upgrade to ~> 4.1.3
> Defined in package-lock.json
> Vulnerabilities
> CVE-2019-10775 Moderate severity
>
> Review all vulnerable dependencies
>
> sugarlabs-infra organization
>
> [image: Warning!] sugarlabs-infra / *helios-server*
>
> Known security vulnerabilities detected
> Dependency gunicorn Version < 19.5.0 Upgrade to ~> 19.5.0
> Defined in requirements.txt
> Vulnerabilities
> CVE-2018-1000164 Moderate severity
> Dependency requests Version <= 2.19.1 Upgrade to ~> 2.20.0
> Defined in requirements.txt
> Vulnerabilities
> CVE-2018-18074 Moderate severity
> Dependency django Version < 1.11.18 Upgrade to ~> 1.11.18
> Defined in requirements.txt
> Vulnerabilities
> CVE-2020-9402 High severity
> CVE-2019-3498 Low severity
> CVE-2019-6975 Moderate severity
> CVE-2019-19844 Moderate severity
> CVE-2020-7471 Moderate severity
> Dependency bleach Version < 3.1.1 Upgrade to ~> 3.1.1
> Defined in requirements.txt
> Vulnerabilities
> CVE-2020-6802 Moderate severity
> CVE-2020-6816 Moderate severity
> CVE-2020-6817 Moderate severity
>
> Review all vulnerable dependencies
>
> Always verify the validity and compatibility of suggestions with your
> codebase.
> ------------------------------
>
> Change how you receive security alert emails in your notification
> preferences.
>
> Unsubscribe · Email preferences · Terms · Privacy · Sign into GitHub
>
> GitHub, Inc.
> 88 Colin P Kelly Jr St.
> San Francisco, CA 94107
> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems
From quozl at laptop.org Tue Dec 22 14:37:01 2020
From: quozl at laptop.org (James Cameron)
Date: Wed, 23 Dec 2020 06:37:01 +1100
Subject: [Systems] Fwd: Your Dependabot alerts for the week of Dec 15 - Dec 22
In-Reply-To: <48f7cc70-14a3-dded-61dc-08e66f921fca@codewiz.org>
References: <5fe15e0cf0134_363319f021417@github-lowworker-c5134a3.ac4-iad.github.net.mail> <48f7cc70-14a3-dded-61dc-08e66f921fca@codewiz.org>
Message-ID: <20201222193701.GA27154@laptop.org>

I get them too.

Should no action be taken, forward to the oversight board.

For the www-sugarlabs vulnerability, it is low risk because we have developers who control and review the changes to the repository.

Process used was to review https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001 and try to figure out how to use the vulnerability to compromise systems or information security. It would take an unreviewed commit.

Because of the low quality and high noise of contributions, www-sugarlabs has temporary interaction limits set to prior contributors only, with three months remaining. This is to guide potential contributors to our software projects rather than our web site.

On Tue, Dec 22, 2020 at 06:59:38PM +0700, Bernie Innocenti wrote:
> Who should take care of these?
>
> -------- Forwarded Message --------
> Subject: Your Dependabot alerts for the week of Dec 15 - Dec 22
> Date: Tue, 22 Dec 2020 02:46:37 +0000 (UTC)
> From: GitHub [1]
> To: Bernie Innocenti [2]
>
> Explore this week on GitHub
> Dependabot alerts
>
> [3]GitHub security alert digest
>
> codewiz's repository security updates from the week of Dec 15 -
> Dec 22
>
> [4] [5]Sugar Labs organization
>
> Warning! [6]sugarlabs / sugar-gitbot
>
> Known security vulnerabilities detected
>
> Dependency express Version < 3.11.0 Upgrade to ~> 3.11.0
> Defined in package.json
> Vulnerabilities
> CVE-2014-6393 Moderate severity
> [7]Review all vulnerable dependencies
>
> Warning! [8]sugarlabs / www-sugarlabs
>
> Known security vulnerabilities detected
>
> Dependency kramdown Version < 2.3.0 Upgrade to ~> 2.3.0
> Defined in Gemfile.lock
> Vulnerabilities
> CVE-2020-14001 High severity
> [9]Review all vulnerable dependencies
>
> Warning! [10]sugarlabs / musicblocks
>
> Known security vulnerabilities detected
>
> Dependency ecstatic Version < 4.1.3 Upgrade to ~> 4.1.3
> Defined in package-lock.json
> Vulnerabilities
> CVE-2019-10775 Moderate severity
> [11]Review all vulnerable dependencies
>
> [12] [13]sugarlabs-infra organization
>
> Warning! [14]sugarlabs-infra / helios-server
>
> Known security vulnerabilities detected
>
> Dependency gunicorn Version < 19.5.0 Upgrade to ~> 19.5.0
> Defined in requirements.txt
> Vulnerabilities
> CVE-2018-1000164 Moderate severity
> Dependency requests Version <= 2.19.1 Upgrade to ~> 2.20.0
> Defined in requirements.txt
> Vulnerabilities
> CVE-2018-18074 Moderate severity
> Dependency django Version < 1.11.18 Upgrade to ~> 1.11.18
> Defined in requirements.txt
> Vulnerabilities
> CVE-2020-9402 High severity
> CVE-2019-3498 Low severity
> CVE-2019-6975 Moderate severity
> CVE-2019-19844 Moderate severity
> CVE-2020-7471 Moderate severity
> Dependency bleach Version < 3.1.1 Upgrade to ~> 3.1.1
> Defined in requirements.txt
> Vulnerabilities
> CVE-2020-6802 Moderate severity
> CVE-2020-6816 Moderate severity
> CVE-2020-6817 Moderate severity
> [15]Review all vulnerable dependencies
>
> Always verify the validity and compatibility of suggestions with
> your codebase.
>
> ----------------------------------------------------------------
>
> Change how you receive security alert emails in your [16]
> notification preferences.
>
> [17]Unsubscribe · [18]Email preferences · [19]Terms · [20]
> Privacy · [21]Sign into GitHub
>
> GitHub, Inc.
> 88 Colin P Kelly Jr St.
> San Francisco, CA 94107
>
> References:
>
> [1] mailto:noreply at github.com
> [2] mailto:bernie at codewiz.org
> [3] https://github.com/
> [4] https://github.com/sugarlabs
> [5] https://github.com/sugarlabs
> [6] https://github.com/sugarlabs/sugar-gitbot
> [7] https://github.com/sugarlabs/sugar-gitbot/security/dependabot
> [8] https://github.com/sugarlabs/www-sugarlabs
> [9] https://github.com/sugarlabs/www-sugarlabs/security/dependabot
> [10] https://github.com/sugarlabs/musicblocks
> [11] https://github.com/sugarlabs/musicblocks/security/dependabot
> [12] https://github.com/sugarlabs-infra
> [13] https://github.com/sugarlabs-infra
> [14] https://github.com/sugarlabs-infra/helios-server
> [15] https://github.com/sugarlabs-infra/helios-server/security/dependabot
> [16] https://github.com/settings/notifications#vulnerability-alerts-heading
> [17] https://github.com/email/unsubscribe?token=AAJBF3AB43YMTNZOSETMY53BYKIYZANENZQW2ZNNOZ2WY3TFOJQWE2LMNF2HS
> [18] https://github.com/settings/emails
> [19] https://docs.github.com/articles/github-terms-of-service
> [20] https://docs.github.com/articles/github-privacy-policy
> [21] https://github.com/login
> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems

--
James Cameron
https://quozl.linux.org.au/
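The helios-server entries in the digest above are the kind of alert a maintainer has to triage against a pinned requirements.txt before deciding whether an upgrade is actually needed (the digest itself warns to verify suggestions against the codebase, and James's reply describes doing that review by hand). The following script is an added example, not code from this thread or from the helios-server project: it parses `name==version` pins from a constructed requirements.txt (the real helios-server file is not shown on this page, so the sample content is made up) and evaluates each pin against the vulnerable ranges and upgrade targets quoted in the digest, reporting which pins fall inside a vulnerable range. Version handling is a deliberately simple numeric comparison; it does not cover pre-release tags.

```python
"""Triage helper: check pinned requirements.txt versions against the
vulnerable version ranges listed in a Dependabot digest.

Added example, not from the mailing-list thread or the helios-server
project. The requirements.txt text below is constructed for the demo;
the version ranges, upgrade targets and CVE ids come from the digest.
"""
import re
from typing import Dict, List, Tuple

# Vulnerable range, suggested upgrade and CVE ids as listed in the digest
# for sugarlabs-infra/helios-server (all defined in requirements.txt).
DIGEST_ALERTS = {
    "gunicorn": ("< 19.5.0", "19.5.0", ["CVE-2018-1000164"]),
    "requests": ("<= 2.19.1", "2.20.0", ["CVE-2018-18074"]),
    "django": ("< 1.11.18", "1.11.18", ["CVE-2020-9402", "CVE-2019-3498",
                                        "CVE-2019-6975", "CVE-2019-19844",
                                        "CVE-2020-7471"]),
    "bleach": ("< 3.1.1", "3.1.1", ["CVE-2020-6802", "CVE-2020-6816",
                                    "CVE-2020-6817"]),
}

# Constructed sample (NOT the project's real requirements.txt).
SAMPLE_REQUIREMENTS = """\
# constructed sample pins
Django==1.11.10
gunicorn==19.9.0
requests==2.19.1
bleach==3.1.0
celery==4.2.1
"""

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")
_RANGE_RE = re.compile(r"^(<=|<)\s*([0-9][0-9.]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.11.18' into (1, 11, 18). Trailing zeros are dropped so
    that '3.1' and '3.1.0' compare equal under tuple ordering."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str, vulnerable_range: str) -> bool:
    """True if `installed` lies inside a '< X' or '<= X' digest range."""
    m = _RANGE_RE.match(vulnerable_range.strip())
    if not m:
        raise ValueError(f"unsupported range: {vulnerable_range!r}")
    op, bound = m.groups()
    have, limit = parse_version(installed), parse_version(bound)
    return have <= limit if op == "<=" else have < limit


def parse_pins(text: str) -> Dict[str, str]:
    """Collect exact '==' pins, normalising names the way pip does."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def triage(requirements_text: str, alerts=DIGEST_ALERTS) -> List[dict]:
    """One finding per alerted package: 'vulnerable', 'ok', or 'unpinned'
    (alerted but not exactly pinned, so the resolver decides at install)."""
    pins = parse_pins(requirements_text)
    findings = []
    for name, (vuln_range, upgrade_to, cves) in alerts.items():
        pinned = pins.get(name)
        if pinned is None:
            status = "unpinned"
        elif is_vulnerable(pinned, vuln_range):
            status = "vulnerable"
        else:
            status = "ok"
        findings.append({"package": name, "pinned": pinned, "range": vuln_range,
                         "upgrade_to": upgrade_to, "cves": cves, "status": status})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REQUIREMENTS):
        print(f"{f['package']:<10} pinned={f['pinned']!s:<8} {f['status']:<10}"
              f" range {f['range']:<10} upgrade to {f['upgrade_to']}"
              f" ({', '.join(f['cves'])})")
```

On the constructed sample, gunicorn 19.9.0 is already outside its range and reports `ok`, while Django 1.11.10, requests 2.19.1 (the `<=` bound is inclusive) and bleach 3.1.0 report `vulnerable`. The script only reports; whether to take the suggested upgrade is still the compatibility judgement the digest asks for, and an `unpinned` result means the installed version cannot be determined from the file alone.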