Author: kkolinko
Date: Mon Oct 21 15:13:08 2024
New Revision: 1921457

URL: http://svn.apache.org/viewvc?rev=1921457&view=rev
Log:
Security. - Rearrange and amend text in "Reporting New Security Problems". Add 
links to vulnerability handling process at ASF.

Modified:
    tomcat/site/trunk/docs/security.html
    tomcat/site/trunk/xdocs/security.xml

Modified: tomcat/site/trunk/docs/security.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=1921457&r1=1921456&r2=1921457&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Mon Oct 21 15:13:08 2024
@@ -57,21 +57,27 @@
        security mailing list first, before disclosing them in a public forum.
        </p>
 
+    <p><strong>Please note that the security mailing list should only be used
+       for reporting undisclosed security vulnerabilities in Tomcat and 
managing
+       the process of fixing such vulnerabilities. We cannot accept regular bug
+       reports, provide free consulting or answer other queries at this 
address.
+       All mail sent to this address that does not relate to an undisclosed
+       security problem in the Tomcat source code will be ignored.</strong>
+       The private security mailing address is:
+       <a href="mailto:secur...@tomcat.apache.org";>
+       security<span>@</span>tomcat.apache.org</a></p>
+
     <p>The Tomcat <a href="security-model.html">security model</a> describes
        what the Tomcat security team will and will not accept as a valid
        vulnerability report for Tomcat.</p>
     
-    <p><strong>Please note that the security mailing list should only be used
-       for reporting undisclosed security vulnerabilities in Tomcat and 
managing
-       the process of fixing such vulnerabilities. We cannot accept regular bug
-       reports or other queries at this address. All mail sent to this address
-       that does not relate to an undisclosed security problem in the Tomcat
-       source code will be ignored.</strong></p>
+    <p>Note that all networked servers are subject to denial of service 
attacks,
+       and we cannot promise magic workarounds to generic problems (such as a
+       client streaming lots of data to your server, or re-requesting the same
+       URL repeatedly). In general our philosophy is to avoid any attacks which
+       can cause the server to consume resources in a non-linear relationship 
to
+       the size of inputs.</p>
 
-    <p>If you need to report a bug that isn't an undisclosed security
-       vulnerability, please use the <a href="bugreport.html">bug reporting
-       page</a>.</p>
-       
     <p>Questions about:</p>
     <ul>
       <li>how to configure Tomcat securely</li>
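Review bot: In the first added paragraph, the sentence "The private security mailing address is:" now starts right after `</strong>` inside the same `<p>` as the bold warning, so the address reads as the tail of the "will be ignored" notice. Consider keeping it in its own `<p>` directly below the warning, as it was before the move. Splitting the link text with `<span>@</span>` also achieves little while the `mailto:` href on the same anchor carries the address.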
@@ -82,17 +88,16 @@
     <p>should be addressed to the users mailing list. Please see the
        <a href="lists.html">mailing lists</a> page for details of how to
        subscribe.</p>
-    
-    <p>The private security mailing address is:
-       <a href="mailto:secur...@tomcat.apache.org";>
-       secur...@tomcat.apache.org</a></p>
 
-    <p>Note that all networked servers are subject to denial of service 
attacks,
-       and we cannot promise magic workarounds to generic problems (such as a
-       client streaming lots of data to your server, or re-requesting the same
-       URL repeatedly). In general our philosophy is to avoid any attacks which
-       can cause the server to consume resources in a non-linear relationship 
to
-       the size of inputs.</p>
+    <p>If you need to report a bug that isn't an undisclosed security
+       vulnerability, please use the <a href="bugreport.html">bug reporting
+       page</a>.</p>
+       
+    <p>If you are interested in how reported vulnerabilities are handled, the
+       process is documented at ASF-wide pages
+       <a href="https://apache.org/security/#vulnerability-handling";>[1]</a> 
and
+       <a href="https://apache.org/security/committers.html#possible";>[2]</a>.
+    </p>
   </div><h3 id="Errors_and_omissions">Errors and omissions</h3><div 
class="text">
 
     <p>Please report any errors or omissions to
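Review bot: The two links added at the end of this hunk use bare "[1]" and "[2]" as link text, which tells a reader (or a screen reader) nothing about where each one leads. Suggest descriptive text instead, for example linking the words "vulnerability handling" to the first URL and naming the committers page for the second. "documented at ASF-wide pages" would also read better as "documented on the ASF-wide pages".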

Modified: tomcat/site/trunk/xdocs/security.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=1921457&r1=1921456&r2=1921457&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security.xml (original)
+++ tomcat/site/trunk/xdocs/security.xml Mon Oct 21 15:13:08 2024
@@ -67,21 +67,27 @@
        security mailing list first, before disclosing them in a public forum.
        </p>
 
+    <p><strong>Please note that the security mailing list should only be used
+       for reporting undisclosed security vulnerabilities in Tomcat and 
managing
+       the process of fixing such vulnerabilities. We cannot accept regular bug
+       reports, provide free consulting or answer other queries at this 
address.
+       All mail sent to this address that does not relate to an undisclosed
+       security problem in the Tomcat source code will be ignored.</strong>
+       The private security mailing address is:
+       <a href="mailto:secur...@tomcat.apache.org";>
+       security<span>@</span>tomcat.apache.org</a></p>
+
     <p>The Tomcat <a href="security-model.html">security model</a> describes
        what the Tomcat security team will and will not accept as a valid
        vulnerability report for Tomcat.</p>
     
-    <p><strong>Please note that the security mailing list should only be used
-       for reporting undisclosed security vulnerabilities in Tomcat and 
managing
-       the process of fixing such vulnerabilities. We cannot accept regular bug
-       reports or other queries at this address. All mail sent to this address
-       that does not relate to an undisclosed security problem in the Tomcat
-       source code will be ignored.</strong></p>
+    <p>Note that all networked servers are subject to denial of service 
attacks,
+       and we cannot promise magic workarounds to generic problems (such as a
+       client streaming lots of data to your server, or re-requesting the same
+       URL repeatedly). In general our philosophy is to avoid any attacks which
+       can cause the server to consume resources in a non-linear relationship 
to
+       the size of inputs.</p>
 
-    <p>If you need to report a bug that isn't an undisclosed security
-       vulnerability, please use the <a href="bugreport.html">bug reporting
-       page</a>.</p>
-       
     <p>Questions about:</p>
     <ul>
       <li>how to configure Tomcat securely</li>
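Review bot: The bold notice appears here as a whole-paragraph remove and add, which hides that its wording changed as well: "reports or other queries at this address" became "reports, provide free consulting or answer other queries at this address". The log message only says "Rearrange and amend text", so it would help to name the new "free consulting" wording there, or to commit the move and the wording change separately so the amendment is visible in the diff.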
@@ -92,17 +98,16 @@
     <p>should be addressed to the users mailing list. Please see the
        <a href="lists.html">mailing lists</a> page for details of how to
        subscribe.</p>
-    
-    <p>The private security mailing address is:
-       <a href="mailto:secur...@tomcat.apache.org";>
-       secur...@tomcat.apache.org</a></p>
 
-    <p>Note that all networked servers are subject to denial of service 
attacks,
-       and we cannot promise magic workarounds to generic problems (such as a
-       client streaming lots of data to your server, or re-requesting the same
-       URL repeatedly). In general our philosophy is to avoid any attacks which
-       can cause the server to consume resources in a non-linear relationship 
to
-       the size of inputs.</p>
+    <p>If you need to report a bug that isn't an undisclosed security
+       vulnerability, please use the <a href="bugreport.html">bug reporting
+       page</a>.</p>
+       
+    <p>If you are interested in how reported vulnerabilities are handled, the
+       process is documented at ASF-wide pages
+       <a href="https://apache.org/security/#vulnerability-handling";>[1]</a> 
and
+       <a href="https://apache.org/security/committers.html#possible";>[2]</a>.
+    </p>
   </section>
 
   <section name="Errors and omissions">
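Review bot: The relocated bug-report paragraph is followed by an added line that contains only spaces (the `+` line between `page</a>.</p>` and the new "If you are interested" paragraph), carried over from its old position. Drop the trailing whitespace so it is a plain empty line like the other paragraph separators in this hunk.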


