(sorry if this is a duplicate post, wanted to be sure it made it through)
Erik
Begin forwarded message:
From: Brian Chess <[EMAIL PROTECTED]>
Date: December 15, 2006 1:42:13 AM EST
To: Erik Hatcher <[EMAIL PROTECTED]>, <java-[EMAIL PROTECTED]>
Cc: Gary McGraw <[EMAIL PROTECTED]>
Subject: Re: Lucene code review
Hi Erik, thanks for the intro. I'd be happy to set up an account for anyone involved with the projects who'd like to take a look. (Because we're checking for security problems, we don't share specific findings with the general public.)
Erik is right, from Lucene, Nutch, and Solr, the most important things we found were the cross-site scripting bugs in Solr. There are a few more bugs that I think are worth looking at, but nothing to get worked up about.
Brian
From: Erik Hatcher <[EMAIL PROTECTED]>
Date: Thu, 14 Dec 2006 23:43:33 -0500
To: <java-dev@lucene.apache.org>
Cc: Brian Chess <[EMAIL PROTECTED]>, Gary McGraw <[EMAIL PROTECTED]>
Subject: Re: Lucene code review
On Dec 13, 2006, at 1:00 AM, Otis Gospodnetic wrote:
Just spotted this on Slashdot: http://opensource.fortifysoftware.com/welcome.html
I wonder what the 3 defects they found and reviewed are... I don't see a way to see them from their site.
I had an early peek at the Fortify analysis of several open source
projects, primarily Lucene, Nutch, and Solr. Lucene and Nutch both
had very minor cosmetic issues (don't recall off the top of my head
what they were). Solr had cross-site scripting issues in its JSP
pages, which I think are now all fixed (?).
Brian Chess at Fortify was instrumental in the analysis and is eager
to work with open source communities closely to have these types of
analyses automated and useful to the projects. I'm sure we'll hear
more from his organization in the near future.
Erik