geronimo-dev mailing list archives

From Donald Woods <dwo...@apache.org>
Subject Re: [DISCUSS] Handling of Security Exposures in Geronimo
Date Tue, 19 Aug 2008 15:36:45 GMT
I've created the following Security Reports page in GMOxSITE based on 
the content that Tomcat used for their page and linked it in under the 
Community side nav -
    http://cwiki.apache.org/confluence/display/GMOxSITE/Security+Reports

It should show up on the main website after the autoexport and scheduled 
rsync jobs run.

We still need to create the release specific pages with known fixes.


-Donald


Kevan Miller wrote:
> All,
> There was a recent report by Fortify on Open Source Security -- 
> http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf
> The report says there were some number of potential vulnerabilities 
> identified in Geronimo. No details of the vulnerabilities have been 
> reported to us (although the tests seem to have been run some time 
> ago...). Once we understand what the potential vulnerabilities are, we 
> can start to assess...
> 
> The report does identify concerns that we could be doing a better job of 
> reporting security vulnerabilities and letting users know how they can 
> report security vulnerabilities to our project. I agree with this.
> 
> As noted here -- http://www.apache.org/foundation/contact.html -- any 
> ASF security concerns can be safely relayed with an email to 
> security@apache.org.
> 
> It probably makes sense for us to create a security@geronimo.apache.org 
> mailing list. Project-specific security mailing lists are automatically 
> relayed to the security@apache.org mailing list. A project-specific list 
> will reduce spam and allow us to focus on Geronimo issues, rather than 
> Apache-wide issues.
> 
> I also think that we should create a security page on our web site (e.g. 
> geronimo.apache.org/security). This page could be used to describe how 
> any potential vulnerabilities should be reported. It should also be used 
> to report vulnerabilities as they are fixed. This allows users to easily 
> identify what security exposures a particular version of Geronimo might 
> have.
> 
> Thoughts on the mailing list and web site? Assuming we're in general 
> agreement, I'd like to see us working on these in the near future.
> 
> Finally, I've learned that there are a few potential sources for running 
> static code analysis scans against our codebase:
> 
>    https://opensource.fortify.com/teamserver/welcome.fhtml
>    http://scan.coverity.com/
> 
> I think we should take a look at these and decide if it's something we 
> want to take advantage of. Thoughts?
> 
> --kevan
> 
