Author: jlmonteiro Date: Wed Feb 19 14:24:24 2014 New Revision: 1569748 URL: http://svn.apache.org/r1569748 Log: Starting security pages
Added: tomee/site/trunk/content/security/ tomee/site/trunk/content/security/index.mdtext (with props) tomee/site/trunk/content/security/tomee-1-6.mdtext (with props) Added: tomee/site/trunk/content/security/index.mdtext URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/index.mdtext?rev=1569748&view=auto ============================================================================== --- tomee/site/trunk/content/security/index.mdtext (added) +++ tomee/site/trunk/content/security/index.mdtext Wed Feb 19 14:24:24 2014 
@@ -0,0 +1,85 @@ +Title: Security alerts + +## Security updates + +### Apache TomEE + +Please note that, except in rare circumstances, binary patches are not produced for individual vulnerabilities. +To obtain the binary fix for a particular vulnerability you should upgrade to an Apache TomEE version where that +vulnerability has been fixed. + +Source patches, usually in the form of references to SVN commits, may be provided in either in a vulnerability +announcement and/or the vulnerability details listed on these pages. These source patches may be used by users +wishing to build their own local version of TomEE with just that security patch rather than upgrade. + +Lists of security problems fixed in released versions of Apache TomEE are available: + * [Apache TomEE 1.5 Security Vulnerabilities](security/tomee-1-5.html) + * [Apache TomEE 1.6 Security Vulnerabilities](security/tomee-1-6.html) + + +## Reporting New Security Problems with Apache TomEE + +The Apache Software Foundation takes a very active stance in eliminating security problems and denial of service +attacks against Apache projects. + +We strongly encourage folks to report such problems to the [private security mailing list first](http://www.apache.org/security), +before disclosing them in a public forum. + +Please note that the security mailing list should only be used for reporting undisclosed security +vulnerabilities in Apache projects and managing the process of fixing such vulnerabilities. +We cannot accept regular bug reports or other queries at this address. All mail sent to this address that +does not relate to an undisclosed security problem will be ignored. + +If you need to report a bug that isn't an undisclosed security vulnerability, +please use the [bug reporting system](https://issues.apache.org/jira/browse/TOMEE). 
+ +Questions about: + +* how to configure TomEE securely +* if a vulnerability applies to your particular application +* obtaining further information on a published vulnerability +* availability of patches and/or new releases + +should be addressed to the [users mailing list](support.html). + +The private security mailing address is: security (at) apache (dot) org + +Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds +to generic problems (such as a client streaming lots of data to your server, or re-requesting the same URL repeatedly). +In general our philosophy is to avoid any attacks which can cause the server to consume resources in a +non-linear relationship to the size of inputs. + +## Third-party projects + +Apache TomEE depends on a lot of other Apache products like Apache Tomcat, Apache OpenJPA, to name a few. The TomEE +team will also gather all sub projects security issues (CVE) and list them all on our pages. So that you can check which +TomEE version will get the security fix into account. + +By default any regular TomEE releases uses latest sub project releases, so that we can follow all security fixes +as much as possible. + +## Apache TomEE versionning details + +As security is a key concern in many companies, TomEE team also considers to deliver specific security fixes for thoses +external projects being fixed. For instance, if Tomcat fixes a security issue in Tomcat x.y.z, used in TomEE a.b.c, +we will consider packaging a new security update release using the new Tomcat release. + +In order to achieve a smoothly migration patch between a TomEE version and a security update, the TomEE team has decided +to adopt the following versionning *major*.*minor*.*patch*[.*security*] + +* major ([0-9]+) +* minor ([0-9]+) +* patch ([0-9]+) +* security update (su[0-9]+)? 
+ + +## Additional information + +### Secunia + +### Links + +* [http://apache.org/security/](http://apache.org/security/) +* [http://apache.org/security/projects.html](http://apache.org/security/projects.html) +* [http://apache.org/security/committers.html](http://apache.org/security/committers.html) + Propchange: tomee/site/trunk/content/security/index.mdtext ------------------------------------------------------------------------------ svn:executable = * Added: tomee/site/trunk/content/security/tomee-1-6.mdtext URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/tomee-1-6.mdtext?rev=1569748&view=auto ============================================================================== --- tomee/site/trunk/content/security/tomee-1-6.mdtext (added) +++ tomee/site/trunk/content/security/tomee-1-6.mdtext Wed Feb 19 14:24:24 2014 
@@ -0,0 +1,37 @@ +Title: Apache TomEE 1.x + +## Apache TomEE 1.x vulnerabilities + +This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache TomEE 1.x. +Each vulnerability is given a security impact rating by either the Apache TomEE team or by the dependent project +supplying the fix - please note that this rating is not uniform and will vary from project to project. We also list +the versions of Apache TomEE the flaw is known to affect, and where a flaw has not been verified list the +version with a question mark. + +Note: Vulnerabilities that are not TomEE vulnerabilities but have either been incorrectly reported against +TomEE or where TomEE provides a workaround are listed bellow in the section "Not a vulnerability". + +Please note that binary patches are never provided. If you need to apply a source code patch, use the building +instructions for the Apache TomEE version that you are using. For TomEE 1.0 those +are [Building TomEE 1.x](dev/building-tomee-1.html). + +If you need help on building or configuring TomEE or other help on following the instructions to mitigate the +known vulnerabilities listed here, please send your questions to the public [Users mailing list](support.html) + +If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, +or if the descriptions here are incomplete, please report them privately to +the [Apache Security Team](http://www.apache.org/security). Thank you. + +## Fixed in Apache TomEE xxx + +_No CVE has been opened to be fixed on current Apache TomEE project sources._ + +## Fixed in Third-party + +TODO +Tomcat and CVE available in 7.0.52 --> TomEE 1.6.0.su1, TomEE 1.5.2.su1 +Check CXF as well + +## Not a vulnerability + + Propchange: tomee/site/trunk/content/security/tomee-1-6.mdtext ------------------------------------------------------------------------------ svn:executable = *
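Review bot: In the index.mdtext hunk, the bullet links `security/tomee-1-5.html` and `security/tomee-1-6.html` are relative, but this file itself lives under content/security/, so once rendered they will resolve to security/security/...; the same applies to `[users mailing list](support.html)`, which would resolve to security/support.html. Use paths relative to the page's own directory (`tomee-1-6.html`, `../support.html`) or site-root paths, and note that tomee-1-5.mdtext is linked from the list but not added in this commit. The "### Secunia" heading has no content under it, so either add the text or drop the heading until there is something to say. Spelling and wording in the same hunk: "versionning" (heading and body) should be "versioning", "thoses" should be "those", "a smoothly migration patch" should be "a smooth migration path", "either in a vulnerability announcement and/or" should be "either in a vulnerability announcement or in", and "any regular TomEE releases uses latest" should be "any regular TomEE release uses the latest".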
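Review bot: In the tomee-1-6.mdtext hunk, the "## Fixed in Third-party" section is committed as working notes ("TODO", "Tomcat and CVE available in 7.0.52 --> TomEE 1.6.0.su1, TomEE 1.5.2.su1", "Check CXF as well") and "## Fixed in Apache TomEE xxx" still carries a placeholder version, so readers of a published security page would see draft text; fill these in with the actual CVE identifiers and affected/fixed versions before the page goes live, or keep the page out of the site build until then. The page scope is also inconsistent: the file is named tomee-1-6, the title and first heading say "Apache TomEE 1.x", and the build-instructions sentence says "For TomEE 1.0 those are [Building TomEE 1.x]"; pick one scope and use it throughout. The "## Not a vulnerability" section referenced by the note above it is empty. Smaller points: "bellow" should be "below", the sentence ending "[Users mailing list](support.html)" is missing its final period, and `dev/building-tomee-1.html` and `support.html` are relative to the security/ directory here just as in the index page, so they need `../` or site-root paths.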