Re: [Fwd: [SECURITY ISSUE] Using allowLinking with deprecated HTTP 1.1 connector]

2005-02-24 Thread Stefan Bodewig
I have no idea where the original thread happened, at least I didn't
see any mails before this one.

On Wed, 23 Feb 2005, robert burrell donkin <[EMAIL PROTECTED]> wrote:

> i wonder whether henri might be able to bring this up (either
> formally or informally) with aim of discovering whether jakarta in
> general and tomcat in particular have the right structures in place
> and what improvements we might make.

The structures are pretty well defined.  Each project is supposed to
have at least one security liaison that the security committee knows
about.  Incoming security issues are supposed to go through this
liaison, but recent mails to the PMC list suggest it doesn't happen
that way.

>>> Having just dealt with the issue below I was thinking where else,
>>> other than the Tomcat User mailing list this information needed to
>>> be sent?

[EMAIL PROTECTED] and [EMAIL PROTECTED], IMHO.  This along with a new
Tomcat release that fixes the issue.

From my experience fix => release => announce is the process used by
other projects, including httpd.  And from an end-user standpoint the
process that makes sense the most.

>>> 2. Do we publish anywhere a list of known security issues and
>>> their associated fixes? If yes, where? If not, should we?

I think we should follow the httpd way
 is linked from the main
navigation.  If you look into one of the pages linked from there, it
goes to apacheweek for some reason, but we should be able to produce
the same sort of content ourselves.

>> Not that I know. I'd assume it'd be a Tomcat page somewhere?

+1

Stefan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[ANNOUNCE] HiveMind 1.1-alpha-2

2005-02-24 Thread Howard Lewis Ship
This latest alpha release of the HiveMind services and configuration
microkernel is now available. Release 1.1-alpha-2 sees some
significant improvements:

* Services can now be simple beans (rather than beans implementing
an interface)
* The locale is tracked on a per-thread basis and can be changed at any time
* Modules now have a Java package, allowing class and interface
names to be abbreviated in the module descriptor
* HiveDoc has been revised
* Light-weight initialization of beans is now possible in-line
(class names can be amended with a list of property names and values
to set)

HiveMind 1.1 is a work in progress (a stable 1.0 release is available
for production work), but is highly stable and functional ... and
we still have much, much more to put into this release.

Documentation at:

http://jakarta.apache.org/hivemind/current/

Downloads at:

http://jakarta.apache.org/site/downloads/downloads_hivemind.cgi

-- 
Howard M. Lewis Ship
Independent J2EE / Open-Source Java Consultant
Creator, Jakarta Tapestry
Creator, Jakarta HiveMind

Professional Tapestry training, mentoring, support
and project work.  http://howardlewisship.com




[Jakarta Wiki] Updated: JakartaIssues

2005-02-24 Thread general
   Date: 2005-02-24T21:13:14
   Editor: HenriYandell
   Wiki: Jakarta Wiki
   Page: JakartaIssues
   URL: http://wiki.apache.org/jakarta/JakartaIssues

   no comment

Change Log:

--
@@ -16,6 +16,7 @@
  15. Fix mail archives for ecs-dev and oro-user mail lists.
  10. Decide how to manage quieter/hibernated subprojects better. Alexandria, 
BCEL, BSF, ORO, Regexp, Watchdog all fit the bill.
  5. Downloads pages are difficult to use.  - '''In progress.'''
+ 20. Security process. Is it obvious how security problems are handled?
 
 Less essential:
 
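Review bot: The new item 20 is worded as an open question and carries no status or action, unlike item 5 directly above it, which is marked '''In progress.'''. Suggest stating what needs to be done, for example documenting where security reports should be sent and who handles them for each subproject, so the item can later be marked done.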




[Jakarta Wiki] Updated: JakartaIssues

2005-02-24 Thread general
   Date: 2005-02-24T21:19:51
   Editor: HenriYandell
   Wiki: Jakarta Wiki
   Page: JakartaIssues
   URL: http://wiki.apache.org/jakarta/JakartaIssues

   no comment

Change Log:

--
@@ -14,14 +14,13 @@
  13. Archive dormant codebases. Alexandria, Watchdog, java@ code (find this 
stuff first).
  14. Migrate jetspeed mail+cvs and log4j cvs out of jakarta space.
  15. Fix mail archives for ecs-dev and oro-user mail lists.
- 10. Decide how to manage quieter/hibernated subprojects better. Alexandria, 
BCEL, BSF, ORO, Regexp, Watchdog all fit the bill.
- 5. Downloads pages are difficult to use.  - '''In progress.'''
+ 10. Decide how to manage quieter/hibernated subprojects better. Alexandria, 
BCEL, BSF, ORO, Regexp, Watchdog all fit the bill. - ''BCEL has been 
resuscitated''
  20. Security process. Is it obvious how security problems are handled?
 
 Less essential:
 
  6. Wiki vandalism. Are all our wiki's monitored by a mailing list? Need a 
jakarta-wiki page to point to the sub-wikis - '''Jakarta wiki page exists now'''
- 7. List moderation coverage.
+ 7. List moderation coverage. - ''Got a report on these, a few lesser used 
lists might need covering''
  8. ASF Licence 2.0. Any major work left to do? Need a script to check that no 
ASL 1.0's exist in CVS.
 
 Dealt with:
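Review bot: The status notes added to items 10 and 7 use ''italic'' markup, while the existing status notes in this list (item 6, and item 5 before it was moved) use '''bold'''. Suggest using the same markup throughout so open and annotated items are easy to scan. Item 20 (security process) is still left without any status or owner in this revision.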
@@ -29,3 +28,4 @@
  2. Need to continue adding to the PMC. - '''The PMC size now seems to cover 
the projects well and should be adding people one at a time as they are 
nominated.'''
  3. Jakarta-Commons/ASF-Commons confusion. - '''ASF Commons is now dead.'''
  9. Obtaining a site-wide licence for Clover. - '''DONE - 
cvs:committers/donated-licenses/clover'''
+ 5. Downloads pages are difficult to use.  -- '''Some irritation over JDK 
1.5/1.4 issues, but done'''
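Review bot: The moved item 5 is appended after item 9 and uses " -- " before its status note, while the other entries under "Dealt with" use " - " and the entry above writes DONE in capitals. Suggest matching the separator and wording of the neighbouring entries, and naming what the JDK 1.5/1.4 issue was so the note is useful to a later reader.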
