Extend Release Notes with Security Section listing and linking CVEs

Hi,

In the latest release notes of 5.8 it is stated:

AP-25076: Bump Python packages to resolve CVEs

but it is not detailed which CVEs, which is needed for proper risk mitigation (i.e. referencing Log4j with a CVE score of 10.0). I’d like to suggest creating a dedicated security section or always linking the corresponding CVEs to allow all users to take adequate action.

Best
Mike

Great idea!

Fixed security vulnerabilities should be made transparent and public at a separate place in order to be able to search for them at any given time.

This ticket description is probably a bit misleading. Almost every update of a 3rd party dependency will remove some CVEs. However 99% of the CVEs in external dependencies are not affecting our products. Therefore it doesn’t make sense to list them all.

If a release fixes a real security issue - either in our own code or in an external dependency that does affect our products - it will be published at Security Advisories | KNIME.