Author: markt
Date: Sun May 17 09:07:53 2026
New Revision: 1934286

Log:
Add 'Known non-findings' section to the security model

Modified:
   tomcat/site/trunk/docs/security-model.html
   tomcat/site/trunk/xdocs/security-model.xml

Modified: tomcat/site/trunk/docs/security-model.html
==============================================================================
--- tomcat/site/trunk/docs/security-model.html  Sun May 17 08:44:53 2026        
(r1934285)
+++ tomcat/site/trunk/docs/security-model.html  Sun May 17 09:07:53 2026        
(r1934286)
@@ -99,6 +99,21 @@
 
     </div></div>
 
+  </div><h3 id="Known_non-findings">Known non-findings</h3><div class="text">
+
+    <p>The following non-findings are frequently reported to the Tomcat 
security
+       team despite them being invalid as per the security model described
+       above. Repeated reports of non-findings from any source will be treated
+       as spam and will result in all email from the source being blocked at 
the
+       ASF's border.</p>
+    
+    <ol>
+      <li>Any report that depends on deserialisation within the clustering code
+          when the EcryptInterceptor has not been configured.</li>
+
+      <li>Any report that depends on write access to an application's 
+          <code>docBase</code>.</li>
+    </ol>
   </div></div></div></div></main><footer id="footer">
     Copyright &copy; 1999-2026, The Apache Software Foundation
     <br>
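Review bot: "EcryptInterceptor" in the first list item is a typo; the Tomcat clustering interceptor is `EncryptInterceptor` (org.apache.catalina.tribes.group.interceptors.EncryptInterceptor). Since docs/security-model.html is the generated output of xdocs/security-model.xml, the fix belongs in the XML source with the HTML regenerated rather than patched by hand. The otherwise-empty line before `<ol>` also carries trailing whitespace.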

Modified: tomcat/site/trunk/xdocs/security-model.xml
==============================================================================
--- tomcat/site/trunk/xdocs/security-model.xml  Sun May 17 08:44:53 2026        
(r1934285)
+++ tomcat/site/trunk/xdocs/security-model.xml  Sun May 17 09:07:53 2026        
(r1934286)
@@ -109,5 +109,22 @@
 
   </section>
 
+  <section name="Known non-findings">
+
+    <p>The following non-findings are frequently reported to the Tomcat 
security
+       team despite them being invalid as per the security model described
+       above. Repeated reports of non-findings from any source will be treated
+       as spam and will result in all email from the source being blocked at 
the
+       ASF's border.</p>
+    
+    <ol>
+      <li>Any report that depends on deserialisation within the clustering code
+          when the EcryptInterceptor has not been configured.</li>
+
+      <li>Any report that depends on write access to an application's 
+          <code>docBase</code>.</li>
+    </ol>
+  </section>
+
 </body>
 </document>
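Review bot: the same "EcryptInterceptor" typo is in the source here; the first list item should read `when the EncryptInterceptor has not been configured.` so the regenerated HTML is correct. Since the paragraph says these reports are invalid "as per the security model described above", it would help readers if each `<li>` named or linked the section of the model that rules it out (the clustering item and the `docBase` item each rest on a different assumption), so a reporter can see why the report is a non-finding before emailing the security team. The blank line before `<ol>` has trailing whitespace.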

