Author: jlmonteiro
Date: Wed Feb 19 14:24:24 2014
New Revision: 1569748

URL: http://svn.apache.org/r1569748
Log:
Starting security pages

Added:
    tomee/site/trunk/content/security/
    tomee/site/trunk/content/security/index.mdtext   (with props)
    tomee/site/trunk/content/security/tomee-1-6.mdtext   (with props)

Added: tomee/site/trunk/content/security/index.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/index.mdtext?rev=1569748&view=auto
==============================================================================
--- tomee/site/trunk/content/security/index.mdtext (added)
+++ tomee/site/trunk/content/security/index.mdtext Wed Feb 19 14:24:24 2014
@@ -0,0 +1,85 @@
+Title: Security alerts
+
+## Security updates
+
+### Apache TomEE
+
+Please note that, except in rare circumstances, binary patches are not 
produced for individual vulnerabilities.
+To obtain the binary fix for a particular vulnerability you should upgrade to 
an Apache TomEE version where that
+vulnerability has been fixed.
+
+Source patches, usually in the form of references to SVN commits, may be 
provided in either in a vulnerability
+announcement and/or the vulnerability details listed on these pages. These 
source patches may be used by users
+wishing to build their own local version of TomEE with just that security 
patch rather than upgrade.
+
+Lists of security problems fixed in released versions of Apache TomEE are 
available:
+ * [Apache TomEE 1.5 Security Vulnerabilities](security/tomee-1-5.html)
+ * [Apache TomEE 1.6 Security Vulnerabilities](security/tomee-1-6.html)
+
+
+## Reporting New Security Problems with Apache TomEE
+
+The Apache Software Foundation takes a very active stance in eliminating 
security problems and denial of service
+attacks against Apache projects.
+
+We strongly encourage folks to report such problems to the [private security 
mailing list first](http://www.apache.org/security),
+before disclosing them in a public forum.
+
+Please note that the security mailing list should only be used for reporting 
undisclosed security
+vulnerabilities in Apache projects and managing the process of fixing such 
vulnerabilities.
+We cannot accept regular bug reports or other queries at this address. All 
mail sent to this address that
+does not relate to an undisclosed security problem will be ignored.
+
+If you need to report a bug that isn't an undisclosed security vulnerability,
+please use the [bug reporting 
system](https://issues.apache.org/jira/browse/TOMEE).
+
+Questions about:
+
+* how to configure TomEE securely
+* if a vulnerability applies to your particular application
+* obtaining further information on a published vulnerability
+* availability of patches and/or new releases
+
+should be addressed to the [users mailing list](support.html).
+
+The private security mailing address is: security (at) apache (dot) org
+
+Note that all networked servers are subject to denial of service attacks, and 
we cannot promise magic workarounds
+to generic problems (such as a client streaming lots of data to your server, 
or re-requesting the same URL repeatedly).
+In general our philosophy is to avoid any attacks which can cause the server 
to consume resources in a
+non-linear relationship to the size of inputs.
+
+## Third-party projects
+
+Apache TomEE depends on a lot of other Apache products like Apache Tomcat, 
Apache OpenJPA, to name a few. The TomEE
+team will also gather all sub projects security issues (CVE) and list them all 
on our pages. So that you can check which
+TomEE version will get the security fix into account.
+
+By default any regular TomEE releases uses latest sub project releases, so 
that we can follow all security fixes
+as much as possible.
+
+## Apache TomEE versionning details
+
+As security is a key concern in many companies, TomEE team also considers to 
deliver specific security fixes for thoses
+external projects being fixed. For instance, if Tomcat fixes a security issue 
in Tomcat x.y.z, used in TomEE a.b.c,
+we will consider packaging a new security update release using the new Tomcat 
release.
+
+In order to achieve a smoothly migration patch between a TomEE version and a 
security update, the TomEE team has decided
+to adopt the following versionning *major*.*minor*.*patch*[.*security*]
+
+* major ([0-9]+)
+* minor ([0-9]+)
+* patch ([0-9]+)
+* security update (su[0-9]+)?
+
+
+## Additional information
+
+### Secunia
+
+### Links
+
+* [http://apache.org/security/](http://apache.org/security/)
+* 
[http://apache.org/security/projects.html](http://apache.org/security/projects.html)
+* 
[http://apache.org/security/committers.html](http://apache.org/security/committers.html)
+
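Review bot: The "Apache TomEE 1.5 Security Vulnerabilities" bullet links to `security/tomee-1-5.html`, but this revision only adds `tomee-1-6.mdtext`, so the published index will carry a dead link until a `tomee-1-5.mdtext` page exists (or the bullet is dropped). Two more points in this hunk: the `### Secunia` subsection under "Additional information" has no body and will render as an empty heading, and the "versionning details" section has several typos that will be visible on the site ("versionning" twice, "thoses", "smoothly migration", "any regular TomEE releases uses latest", and "provided in either in a vulnerability" in the first section). Suggest "versioning", "those", "a smooth migration path", "every regular TomEE release uses the latest", and "provided either in a vulnerability".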

Propchange: tomee/site/trunk/content/security/index.mdtext
------------------------------------------------------------------------------
    svn:executable = *

Added: tomee/site/trunk/content/security/tomee-1-6.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/tomee-1-6.mdtext?rev=1569748&view=auto
==============================================================================
--- tomee/site/trunk/content/security/tomee-1-6.mdtext (added)
+++ tomee/site/trunk/content/security/tomee-1-6.mdtext Wed Feb 19 14:24:24 2014
@@ -0,0 +1,37 @@
+Title: Apache TomEE 1.x
+
+## Apache TomEE 1.x vulnerabilities
+
+This page lists all security vulnerabilities fixed in maintenance releases or 
interim builds of Apache TomEE 1.x.
+Each vulnerability is given a security impact rating by either the Apache 
TomEE team or by the dependent project
+supplying the fix - please note that this rating is not uniform and will vary 
from project to project. We also list
+the versions of Apache TomEE the flaw is known to affect, and where a flaw has 
not been verified list the
+version with a question mark.
+
+Note: Vulnerabilities that are not TomEE vulnerabilities but have either been 
incorrectly reported against
+TomEE or where TomEE provides a workaround are listed bellow in the section 
"Not a vulnerability".
+
+Please note that binary patches are never provided. If you need to apply a 
source code patch, use the building
+instructions for the Apache TomEE version that you are using. For TomEE 1.0 
those
+are [Building TomEE 1.x](dev/building-tomee-1.html).
+
+If you need help on building or configuring TomEE or other help on following 
the instructions to mitigate the
+known vulnerabilities listed here, please send your questions to the public 
[Users mailing list](support.html)
+
+If you have encountered an unlisted security vulnerability or other unexpected 
behaviour that has security impact,
+or if the descriptions here are incomplete, please report them privately to
+the [Apache Security Team](http://www.apache.org/security). Thank you.
+
+## Fixed in Apache TomEE xxx
+
+_No CVE has been opened to be fixed on current Apache TomEE project sources._
+
+## Fixed in Third-party
+
+TODO
+Tomcat and CVE available in 7.0.52 --> TomEE 1.6.0.su1, TomEE 1.5.2.su1
+Check CXF as well
+
+## Not a vulnerability
+
+
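Review bot: Working notes are committed as page content: the `## Fixed in Apache TomEE xxx` heading keeps its `xxx` placeholder, and `## Fixed in Third-party` contains only "TODO", "Tomcat and CVE available in 7.0.52 --> TomEE 1.6.0.su1, TomEE 1.5.2.su1" and "Check CXF as well", which will be published verbatim as the official fixed-vulnerability list; either fill these in (with the actual CVE identifiers and affected versions) or hold the page until they are. The intro also promises a "Not a vulnerability" section, but that section is empty, and the title/heading say "Apache TomEE 1.x" while the file is `tomee-1-6.mdtext` and the index links it as "TomEE 1.6", so pick one scope. Minor: "listed bellow" should be "listed below", "For TomEE 1.0 those are [Building TomEE 1.x]" mixes 1.0 and 1.x, and the "Users mailing list" sentence is missing its final period.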

Propchange: tomee/site/trunk/content/security/tomee-1-6.mdtext
------------------------------------------------------------------------------
    svn:executable = *

