We currently list CVEs at
http://activemq.apache.org/security-advisories.html which is already a
good thing.
I think we are missing an important link though. We should also link the
Jira issue that fixes the CVE. This allows users to see exactly what was
fixed and in which versions it was fixed. It also allows users to create
their own patched versions if they cannot switch to a new ActiveMQ version.
For example, in this CVE:
http://activemq.apache.org/security-advisories.data/CVE-2015-7559-announcement.txt?version=1&modificationDate=1493024710000&api=v2
we see that the issue is fixed in ActiveMQ 5.14.5, but probably it was
also backported to other versions. The Jira and commit would make that
more transparent.
I stumbled over this issue when I was asked to backport a fix to an
ActiveMQ 5.11.3 version, and the issue came up whether we could also apply the
CVEs for the custom version.
Of course, one issue with more transparency is that hackers have an
easier time attacking unpatched versions as they get more information,
but honestly I think hackers will find this information anyway if they
really want to.
What do you think?
Christian
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
http://www.talend.com