Anneliese,

Since Serp is part of the OpenJPA deliverable, any security risks detected via OpenJPA would be properly addressed -- whether the risk was in OpenJPA, Serp, or any other dependent library. So far, we are not aware of any past, present, or future security risks associated with Serp. We have corrected other security risks in OpenJPA proper in the past. Hope this helps.

Thanks,
Kevin

On Tue, Mar 28, 2017 at 5:11 AM, Anneliese Leipold <[email protected]> wrote:
> Hi Romain, Jody, Kevin,
>
> thanks a lot for your feedback.
>
> The concerns we have are that the last update of Serp dates back to October 2014 and that we tried to contact the email which is on the sourceforge site and got a rejected mail delivery message. But we are not hosting the Serp source and have not checked for security issues on it.
>
> @Kevin: Do I understand you right that Serp OpenJPA developers are checking Serp for security issues? And that you would or already did – in case of need - deliver a bug fixed Serp version together with OpenJPA?
>
> Best regards,
>
> Anneliese
>
> > Several OpenJPA developers have the ability to update the Serp repository. And, as Jody pointed out, we have had to do that from time to time for Java class file format updates. I would expect that Java 9 would need some similar updates. Serp has needed very little maintenance over the years. So I am not understanding the concern....
> >
> > Kevin
> >
> > On Mar 20, 2017 11:19, "Jody Grassel" <[email protected]> wrote:
> > > Hello. SERP is more or less a third party library hosted on SourceForge that is in maintenance mode. The last activity with SERP were updates to support Java 8 JVM instruction set additions and constant pool types, and it is likely that there will be updates to support such new additions to Java 9 once the Virtual Machine Specification has been finalized and released.
> > >
> > > You speak of security concerns, have you found a security/integrity bug in the SERP code that needs to be reported and corrected?
> > >
> > > On Mon, Mar 20, 2017 at 12:31 PM, Romain Manni-Bucau <[email protected]> wrote:
> > > > Hi Anneliese,
> > > >
> > > > last time we asked and got upgrades in serp when we needed but plan is to use ASM instead of serp for these parts.
> > > >
> > > > Romain Manni-Bucau
> > > > @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>
> > > >
> > > > 2017-03-20 10:06 GMT+01:00 Anneliese Leipold <[email protected]>:
> > > >> Hi,
> > > >>
> > > >> we are using OpenJPA in our product. Checking for security we found that Serp which is a 3rd party component of OpenJPA is no longer supported. This represents a security risk. So how do you address this issue? Do you take over ownership for it? Otherwise – probably not only we - would be forced to replace OpenJPA.
> > > >>
> > > >> Looking forward to your answer
> > > >>
> > > >> Best regards,
> > > >>
> > > >> Anneliese
> > > >>
> > > >> ANNELIESE LEIPOLD | Software Development Manager
> > > >> Phone: ++467216291509
> > > >> Oracle Agile A9
> > > >>
> > > >> ORACLE Deutschland B.V. & Co. KG
> > > >> Hauptverwaltung: Riesstr. 25, D-80992 München
> > > >> Registergericht: Amtsgericht München, HRA 95603
> > > >>
> > > >> Komplementärin: ORACLE Deutschland Verwaltung B.V.
> > > >> Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
> > > >> Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
> > > >> Geschäftsführer: Alexander van der Ven, Jan Schultheiss, Val Maher
> > > >>
> > > >> Oracle is committed to developing practices and products that help protect the environment
