+1, go ahead with a security page.
2014-02-18 1:26 GMT+01:00 Romain Manni-Bucau <[email protected]>:
> we are all up to date normally
>
> On Tuesday, 18 February 2014, David Blevins <[email protected]> wrote:
>
> > Hey All,
> >
> > I've been chatting with security@ about what our requirements are for reporting issues.
> >
> > Background info:
> >
> > - Security issues are reported to security@ where we have someone from mitre.org who adds the report to their database of CVEs (Common Vulnerabilities and Exposures).
> >
> > Additionally, projects tend to create a page dedicated to these vulnerabilities:
> >
> > - http://geronimo.apache.org/21x-security-report.html
> >
> > A similar report is available from Secunia:
> >
> > - http://secunia.com/advisories/product/15811/?task=advisories
> >
> > It's pretty clear we have some requirements to fill on this front. At minimum a page on our site to record vulnerabilities fixed in each TomEE release.
> >
> > Currently, there's one issue for Tomcat that does affect all existing TomEE releases:
> >
> > - http://secunia.com/advisories/56830/
> >
> > Still digging, but since we released TomEE in 2011, there've been at least a dozen CVEs for Tomcat, 4 for CXF, and 2 for MyFaces. Haven't yet checked all the components.
> >
> > We always upgrade each release, but two things stick out at me:
> >
> > 1. we need to include this in our release notes
> > 2. it's a long time between releases
> >
> > For #1, I'll see what I can do about hacking up a page we can maintain.
> >
> > For #2, perhaps a separate thread is better. Lots of ways to skin that cat.
> >
> > -David
>
> --
> Romain Manni-Bucau
> Twitter: @rmannibucau <https://twitter.com/rmannibucau>
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau

--
Jean-Louis
