Posted to users@tomee.apache.org by COURTAULT Francois <Fr...@gemalto.com> on 2017/05/31 17:51:18 UTC

Info about TomEE vulnerabilities

Hello everyone,

It is quite hard to find information about all the TomEE CVEs.
If we go to http://tomee.apache.org/security/index.html, it says to look at the sub-projects listed below:

* Tomcat
* Open JPA
* CXF
* OpenWebBeans
* MyFaces
* Bean Validation

In my opinion it would be a good thing to centralize this information on the TomEE web site, to avoid having to navigate to all the TomEE sub-project sites to find
this information, especially since sometimes we can't find it there (for example for OpenWebBeans).

What do you think?

Best Regards.
________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

Re: Info about TomEE vulnerabilities

Posted by Romain Manni-Bucau <rm...@gmail.com>.
2017-06-02 9:32 GMT+02:00 COURTAULT Francois <Francois.Courtault@gemalto.com>:

> Hello Romain,
>
> My point is that, as vulnerabilities are critical in the IT world today, it
> would be really useful to have a dedicated page on the TomEE web site
> in order to list/collect, for each third-party version included, their
> CVEs.
>
> It will help our day-to-day work a lot, in that we won't have to look at
> different locations anymore to find this kind of information.
>
> When you say CVE databases: which one do you recommend for monitoring the
> TomEE CVEs?
>

Well, we used Secunia for instance, with JL (on this list as well), but there
are multiple good alternatives.



RE: Info about TomEE vulnerabilities

Posted by COURTAULT Francois <Fr...@gemalto.com>.
Hello Romain,

My point is that, as vulnerabilities are critical in the IT world today, it would be really useful to have a dedicated page on the TomEE web site,
in order to list/collect, for each third-party version included, their CVEs.

It will help our day-to-day work a lot, in that we won't have to look at different locations anymore to find this kind of information.

When you say CVE databases: which one do you recommend for monitoring the TomEE CVEs?

Best Regards.


Re: Info about TomEE vulnerabilities

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi François,

Generally, in CVE databases you can listen for the TomEE stack, which makes
only the directly TomEE-related issues needed and useful on the TomEE website
(as it "avoids a ton of noise"). It was mainly thought this way, I think.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>

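To make "listening for the TomEE stack" in a CVE database concrete, here is an added example (not code from the thread, the TomEE project or any CVE database) that filters a CVE feed by a stack inventory built from the sub-projects named in the thread. The feed records follow an NVD-style cpeMatch shape; the component versions, feed records and CVE ids are constructed placeholders, and the range check generalizes to any vendor/product inventory.

```python
"""Filter a CVE feed down to the TomEE stack (added example, not code from the thread).
Records mimic the NVD JSON 'cpeMatch' shape (criteria + version-range fields); the feed,
the ids and the stack versions below are constructed samples, not real data."""

# Constructed inventory: the sub-projects the thread lists, keyed by CPE vendor/product.
TOMEE_STACK = {
    ("apache", "tomcat"): "8.5.15",
    ("apache", "openjpa"): "2.4.2",
    ("apache", "cxf"): "3.1.11",
    ("apache", "openwebbeans"): "1.7.3",
    ("apache", "myfaces"): "2.2.12",
}

def parse_version(v: str) -> tuple:
    """'8.5.15' -> (8, 5, 15); non-numeric parts (e.g. 'M1') compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def in_range(version: str, m: dict) -> bool:
    """NVD-style range check (versionStart/End Including/Excluding) plus the
    exact version baked into the CPE criteria (field 5; '*' means any version)."""
    v, exact = parse_version(version), m["criteria"].split(":")[5]
    if exact != "*" and parse_version(exact) != v:
        return False
    lo_inc, lo_exc = m.get("versionStartIncluding"), m.get("versionStartExcluding")
    hi_inc, hi_exc = m.get("versionEndIncluding"), m.get("versionEndExcluding")
    return not ((lo_inc and v < parse_version(lo_inc)) or (lo_exc and v <= parse_version(lo_exc))
                or (hi_inc and v > parse_version(hi_inc)) or (hi_exc and v >= parse_version(hi_exc)))

def stack_hits(feed: list, stack: dict = TOMEE_STACK) -> list:
    """Sorted (cve_id, product) pairs whose vulnerable CPE match covers a stack component."""
    hits = set()
    for rec in feed:
        for m in rec["matches"]:
            parts = m["criteria"].split(":")
            key = (parts[3], parts[4])
            if m.get("vulnerable", True) and key in stack and in_range(stack[key], m):
                hits.add((rec["id"], parts[4]))
    return sorted(hits)

# Constructed feed with placeholder ids (not real CVEs); see the per-record comments.
SAMPLE_FEED = [
    {"id": "CVE-EXAMPLE-1", "matches": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "8.5.0", "versionEndExcluding": "8.5.16", "vulnerable": True}]},
    {"id": "CVE-EXAMPLE-2", "matches": [{"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*",
        "versionEndExcluding": "3.1.11", "vulnerable": True}]},  # already fixed in our version
    {"id": "CVE-EXAMPLE-3", "matches": [{"criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
        "vulnerable": True}]},  # noise: not part of the stack
    {"id": "CVE-EXAMPLE-4", "matches": [{"criteria": "cpe:2.3:a:apache:myfaces:2.2.12:*:*:*:*:*:*:*",
        "vulnerable": True}]},  # exact-version match
]
```

Running `stack_hits(SAMPLE_FEED)` keeps only the Tomcat and MyFaces records: the CXF entry is dropped because the inventory version is already at the fix boundary, and the Struts entry is the noise that a stack-scoped watch is meant to suppress.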