2017-06-02 9:32 GMT+02:00 COURTAULT Francois <[email protected]>:
> Hello Romain,
>
> My point is that, as vulnerabilities are critical in the IT world today, it
> should be really useful to have a dedicated page on the TomEE web site,
> in order, for each third-party version included, to list/collect their
> CVEs.
>
> It will help a lot our day to day work in a way that we won't have anymore
> to look at different locations for finding this kind of information.
>
> When you say CVE databases: which one do you recommend to monitor the
> TomEE CVEs?
>

Well, we used with JL (on this list as well) Secunia for instance, but there are multiple good alternatives.

>
> Best Regards.
>
> -----Original Message-----
> From: Romain Manni-Bucau [mailto:[email protected]]
> Sent: Wednesday, May 31, 2017 19:53
> To: [email protected]
> Subject: Re: Info about TomEE vulnerabilities
>
> Hi François,
>
> Generally in CVE databases you can listen for the TomEE stack which makes
> only needed and useful (as "avoids a ton of noise") the directly TomEE
> related issues on the TomEE website. Was mainly thought this way I think.
>
>
> Romain Manni-Bucau
>
> 2017-05-31 19:51 GMT+02:00 COURTAULT Francois <[email protected]>:
>
> > Hello everyone,
> >
> > It is quite hard to find information about all the TomEE CVEs.
> > If we go to http://tomee.apache.org/security/index.html it is stated
> > to look at the sub projects listed below:
> >
> > * Tomcat
> > * Open JPA
> > * CXF
> > * OpenWebBeans
> > * MyFaces
> > * Bean Validation
> >
> > According to me it should be a good thing to centralize this
> > information on the TomEE web site in order to avoid navigating to all the
> > TomEE sub project sites to find this information even if sometimes we
> > can't find it (for example for OpenWebBeans).
> >
> > What do you think?
> >
> > Best Regards.
> > ________________________________
> > This message and any attachments are intended solely for the
> > addressees and may contain confidential information. Any unauthorized
> > use or disclosure, either whole or partial, is prohibited.
> > E-mails are susceptible to alteration. Our company shall not be liable
> > for the message if altered, changed or falsified. If you are not the
> > intended recipient of this message, please delete it and notify the
> > sender.
> > Although all reasonable efforts have been made to keep this
> > transmission free from viruses, the sender will not be liable for
> > damages caused by a transmitted virus.
