The LedgerSMB team is adopting a process by which older security tickets will be "declassified" and moved from a private Sourceforge tracker to a public one. This is being done as part of our continued efforts to better the security of our software.
These reports may include sensitive security information, including actual exploits and the discussions that surrounded fixing them. It is hoped that adopting a responsible process in this regard will help to improve the security of our users in the following ways:

1) By helping security scanning vendors (and internal network security teams) develop automated tests for older vulnerabilities.
2) By providing more opportunities for feedback on how we handle security and how we respond to security issues.

Please note that our source code repository is public, so malicious individuals can always read security advisories and then go review the sections of code which have been changed. It is thus important to remember that one should keep up to date with the software in order to stay protected.

These tracker items will not be declassified immediately when an advisory is released, in order to give administrators a chance to upgrade their systems. However, once a reasonable timeframe has passed, we will make the information available.

Currently all security tracker items fixed by versions through 1.2.0 have been declassified. You can view them by looking up the closed items on the Stale Security tracker.

As always, feedback is welcome.

Best Wishes,
Chris Travers

Ledger-smb-users mailing list
Ledger-smb-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ledger-smb-users