activemq-dev mailing list archives

From Christian Schneider <ch...@die-schneider.net>
Subject [DISCUSS] Make fixes to CVEs more transparent
Date Wed, 10 May 2017 08:29:48 GMT
We currently list CVEs at 
http://activemq.apache.org/security-advisories.html which is already a 
good thing.

I think we are missing an important link though. We should also link the 
JIRA issue that fixes the CVE. This allows users to see exactly what was 
fixed and in which versions it was fixed. It also allows users to create 
their own patched versions if they cannot switch to a new ActiveMQ version.

For example, in this CVE:
http://activemq.apache.org/security-advisories.data/CVE-2015-7559-announcement.txt?version=1&modificationDate=1493024710000&api=v2

we see that the issue is fixed in ActiveMQ 5.14.5, but probably it was 
also backported to other versions. The JIRA issue and commit would make that 
more transparent.

I stumbled over this issue when I was asked to backport a fix to an 
ActiveMQ 5.11.3 version, and the question came up of whether we could also 
apply the CVE fixes to the custom version.

Of course, one issue with more transparency is that hackers have an 
easier time attacking unpatched versions as they get more information, 
but honestly I think hackers will find this information anyway if they 
really want to.

What do you think?

Christian


-- 
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com

