geronimo-dev mailing list archives

From Donald Woods <dwo...@apache.org>
Subject Re: [DISCUSS] Handling of Security Exposures in Geronimo
Date Tue, 19 Aug 2008 17:16:19 GMT
Just added subpages for 2.2 and 2.1, as those code bases have been 
updated to Tomcat 6.0.18 now and are available to users.


-Donald


Donald Woods wrote:
> I've created the following Security Reports page in GMOxSITE based on 
> the content that Tomcat used for their page and linked it in under the 
> Community side nav -
>    http://cwiki.apache.org/confluence/display/GMOxSITE/Security+Reports
> 
> It should show up on the main website after the autoexport and scheduled 
> rsync jobs run.
> 
> We still need to create the release specific pages with known fixes.
> 
> 
> -Donald
> 
> 
> Kevan Miller wrote:
>> All,
>> There was a recent report by Fortify on Open Source Security -- 
>> http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf
>> The report says there were some number of potential vulnerabilities 
>> identified in Geronimo. No details of the vulnerabilities have been 
>> reported to us (although the tests seem to have been run some time 
>> ago...). Once we understand what the potential vulnerabilities are, we 
>> can start to assess...
>>
>> The report does identify concerns that we could be doing a better job 
>> of reporting security vulnerabilities and letting users know how they 
>> can report security vulnerabilities to our project. I agree with this.
>>
>> As noted here -- http://www.apache.org/foundation/contact.html -- any 
>> ASF security concerns can be safely relayed with an email to 
>> security@apache.org.
>>
>> It probably makes sense for us to create a 
>> security@geronimo.apache.org mailing list. Project-specific security 
>> mailing lists are automatically relayed to the security@apache.org 
>> mailing list. A project-specific list will reduce spam and allow us to 
>> focus on Geronimo issues, rather than Apache-wide issues.
>>
>> I also think that we should create a security page on our web site 
>> (e.g. geronimo.apache.org/security). This page could be used to 
>> describe how any potential vulnerabilities should be reported. It 
>> should also be used to report vulnerabilities as they are fixed. This 
>> allows users to easily identify what security exposures a particular 
>> version of Geronimo might have.
>>
>> Thoughts on the mailing list and web site? Assuming we're in general 
>> agreement, I'd like to see us working on these in the near future.
>>
>> Finally, I've learned that there are a few potential sources for 
>> running static code analysis scans against our codebase:
>>
>>    https://opensource.fortify.com/teamserver/welcome.fhtml
>>    http://scan.coverity.com/
>>
>> I think we should take a look at these and decide if it's something we 
>> want to take advantage of. Thoughts?
>>
>> --kevan
>>
