We are all up to date normally.

On Tuesday, 18 February 2014, David Blevins <[email protected]> wrote:

> Hey All,
>
> I've been chatting with security@ about what our requirements are for reporting issues.
>
> Background info:
>
> - Security issues are reported to security@, where we have someone from mitre.org who adds the report to their database of CVEs (Common Vulnerabilities and Exposures).
>
> Additionally, projects tend to create a page dedicated to these vulnerabilities:
>
> - http://geronimo.apache.org/21x-security-report.html
>
> A similar report is available from Secunia:
>
> - http://secunia.com/advisories/product/15811/?task=advisories
>
> It's pretty clear we have some requirements to fill on this front. At minimum, a page on our site to record vulnerabilities fixed in each TomEE release.
>
> Currently, there's one issue for Tomcat that does affect all existing TomEE releases:
>
> - http://secunia.com/advisories/56830/
>
> Still digging, but since we released TomEE in 2011, there've been at least a dozen CVEs for Tomcat, 4 for CXF, and 2 for MyFaces. Haven't yet checked all the components.
>
> We always upgrade each release, but two things stick out at me:
>
> 1. We need to include this in our release notes.
> 2. It's a long time between releases.
>
> For #1, I'll see what I can do about hacking up a page we can maintain.
>
> For #2, perhaps a separate thread is better. Lots of ways to skin that cat.
>
> -David
--
Romain Manni-Bucau
Twitter: @rmannibucau <https://twitter.com/rmannibucau>
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau
