[Systems] Fwd: Your Dependabot alerts for the week of Dec 15 - Dec 22

James Cameron quozl at laptop.org
Tue Dec 22 14:37:01 EST 2020


I get them too.

Should no action be taken, forward to the oversight board.

For the www-sugarlabs vulnerability, it is low risk because we
have developers who control and review the changes to the repository.

The process used was to review
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001 and
try to figure out how to use the vulnerability to compromise systems
or information security.  It would take an unreviewed commit.

Because of the low quality and high noise of contributions,
www-sugarlabs has temporary interaction limits set to prior
contributors only, with three months remaining.  This is to guide
potential contributors to our software projects rather than our web
site.

On Tue, Dec 22, 2020 at 06:59:38PM +0700, Bernie Innocenti wrote:
> Who should take care of these?
> 
> -------- Forwarded Message --------
> Subject: Your Dependabot alerts for the week of Dec 15 - Dec 22
>    Date: Tue, 22 Dec 2020 02:46:37 +0000 (UTC)
>    From: GitHub [1]<noreply at github.com>
>      To: Bernie Innocenti [2]<bernie at codewiz.org>
> 
>                Explore this week on GitHub
>                Dependabot alerts
> 
>                [3]GitHub security alert digest
> 
>                codewiz’s repository security updates from the week of Dec 15 -
>                Dec 22
> 
>                [4] [5]Sugar Labs organization
>                Warning! [6]sugarlabs / sugar-gitbot
> 
>                         Known security vulnerabilities detected
> 
>                         Dependency express Version < 3.11.0 Upgrade to ~> 3.11.0
>                         Defined in package.json
>                         Vulnerabilities
>                         CVE-2014-6393 Moderate severity
>                         [7]Review all vulnerable dependencies
> 
>                Warning! [8]sugarlabs / www-sugarlabs
> 
>                         Known security vulnerabilities detected
> 
>                         Dependency kramdown Version < 2.3.0 Upgrade to ~> 2.3.0
>                         Defined in Gemfile.lock
>                         Vulnerabilities
>                         CVE-2020-14001 High severity
>                         [9]Review all vulnerable dependencies
> 
>                Warning! [10]sugarlabs / musicblocks
> 
>                         Known security vulnerabilities detected
> 
>                         Dependency ecstatic Version < 4.1.3 Upgrade to ~> 4.1.3
>                         Defined in package-lock.json
>                         Vulnerabilities
>                         CVE-2019-10775 Moderate severity
>                         [11]Review all vulnerable dependencies
> 
>                [12] [13]sugarlabs-infra organization
>                Warning! [14]sugarlabs-infra / helios-server
> 
>                         Known security vulnerabilities detected
> 
>                         Dependency gunicorn Version < 19.5.0 Upgrade to ~> 19.5.0
>                         Defined in requirements.txt
>                         Vulnerabilities
>                         CVE-2018-1000164 Moderate severity
>                         Dependency requests Version <= 2.19.1 Upgrade to ~> 2.20.0
>                         Defined in requirements.txt
>                         Vulnerabilities
>                         CVE-2018-18074 Moderate severity
>                         Dependency django Version < 1.11.18 Upgrade to ~> 1.11.18
>                         Defined in requirements.txt
>                         Vulnerabilities
>                         CVE-2020-9402 High severity
>                         CVE-2019-3498 Low severity
>                         CVE-2019-6975 Moderate severity
>                         CVE-2019-19844 Moderate severity
>                         CVE-2020-7471 Moderate severity
>                         Dependency bleach  Version < 3.1.1 Upgrade to ~> 3.1.1
>                         Defined in requirements.txt
>                         Vulnerabilities
>                         CVE-2020-6802 Moderate severity
>                         CVE-2020-6816 Moderate severity
>                         CVE-2020-6817 Moderate severity
>                         [15]Review all vulnerable dependencies
> 
>                Always verify the validity and compatibility of suggestions with
>                your codebase.
> 
> 
> References:
> 
> [1] mailto:noreply at github.com
> [2] mailto:bernie at codewiz.org
> [3] https://github.com/
> [4] https://github.com/sugarlabs
> [5] https://github.com/sugarlabs
> [6] https://github.com/sugarlabs/sugar-gitbot
> [7] https://github.com/sugarlabs/sugar-gitbot/security/dependabot
> [8] https://github.com/sugarlabs/www-sugarlabs
> [9] https://github.com/sugarlabs/www-sugarlabs/security/dependabot
> [10] https://github.com/sugarlabs/musicblocks
> [11] https://github.com/sugarlabs/musicblocks/security/dependabot
> [12] https://github.com/sugarlabs-infra
> [13] https://github.com/sugarlabs-infra
> [14] https://github.com/sugarlabs-infra/helios-server
> [15] https://github.com/sugarlabs-infra/helios-server/security/dependabot
> [16] https://github.com/settings/notifications#vulnerability-alerts-heading
> [17] https://github.com/email/unsubscribe?token=AAJBF3AB43YMTNZOSETMY53BYKIYZANENZQW2ZNNOZ2WY3TFOJQWE2LMNF2HS
> [18] https://github.com/settings/emails
> [19] https://docs.github.com/articles/github-terms-of-service
> [20] https://docs.github.com/articles/github-privacy-policy
> [21] https://github.com/login

> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems


-- 
James Cameron
https://quozl.linux.org.au/

