You are viewing a plain text version of this content. The canonical link for it is here.

Posted to general@jakarta.apache.org by Ortwin Glück <od...@odi.ch> on 2005/11/04 09:58:17 UTC

when to post to security list?

Hi,

could anybody tell me in which case a security problem needs to be 
posted to security at apache.org? Is there a web page?

Thanks

Ortwin


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
For additional commands, e-mail: general-help@jakarta.apache.org

Re: when to post to security list?

Posted by Yoav Shapira <yo...@apache.org>.

Hi,
security@apache.org is general: they will delegate to the appropriate mailing
list, e.g. security@tomcat.apache.org, as needed.

Don't publish something before you run it by security@apache.org, please ;)  

Yoav

--- Ortwin Glück <od...@odi.ch> wrote:

> Yoav,
> 
> Sorry, stupid me didn't know security@apache was for httpd only. I guess 
> then every project has to maintain it's own security mail address if it 
> needs that. I also guess there is no central handling of security issues 
> for all ASF projects. I further guess publishing of vulnerabilities is 
> completely up to the committers. Correct me if I am wrong.
> 
> Cheers
> 
> Odi
> 
> Yoav Shapira wrote:
> > Ortwin,
> > There are general guidelines at
> http://httpd.apache.org/security_report.html. 
> > Basically, if you suspect a security issue, let security@apache.org know. 
> Let
> > them worry about filtering it and possibly coming back to you with a
> message
> > like "no, this is not an issue, because..." ;)
> > 
> > Yoav
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: general-help@jakarta.apache.org
> 
> 


Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
yoavs@computer.org / www.yoavshapira.com

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
For additional commands, e-mail: general-help@jakarta.apache.org

Re: when to post to security list?

Posted by Ortwin Glück <od...@odi.ch>.

Yoav,

Sorry, stupid me didn't know security@apache was for httpd only. I guess 
then every project has to maintain it's own security mail address if it 
needs that. I also guess there is no central handling of security issues 
for all ASF projects. I further guess publishing of vulnerabilities is 
completely up to the committers. Correct me if I am wrong.

Cheers

Odi

Yoav Shapira wrote:
> Ortwin,
> There are general guidelines at http://httpd.apache.org/security_report.html. 
> Basically, if you suspect a security issue, let security@apache.org know.  Let
> them worry about filtering it and possibly coming back to you with a message
> like "no, this is not an issue, because..." ;)
> 
> Yoav

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
For additional commands, e-mail: general-help@jakarta.apache.org

Re: when to post to security list?

Posted by Yoav Shapira <yo...@apache.org>.

Ortwin,
There are general guidelines at http://httpd.apache.org/security_report.html. 
Basically, if you suspect a security issue, let security@apache.org know.  Let
them worry about filtering it and possibly coming back to you with a message
like "no, this is not an issue, because..." ;)

Yoav

--- Ortwin Glück <od...@odi.ch> wrote:

> Hi,
> 
> could anybody tell me in which case a security problem needs to be 
> posted to security at apache.org? Is there a web page?
> 
> Thanks
> 
> Ortwin
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: general-help@jakarta.apache.org
> 
> 


Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management
Cambridge, MA, USA
yoavs@computer.org / www.yoavshapira.com

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
For additional commands, e-mail: general-help@jakarta.apache.org