Posted to commits@tomee.apache.org by an...@apache.org on 2014/04/25 14:03:33 UTC

svn commit: r1590008 - in /tomee/site/trunk/content: dev/release-tomee.mdtext dev/releasing.mdtext maven.mdtext security/index.mdtext security/tomee-1-6.mdtext security/tomee.mdtext

Author: andygumbrecht
Date: Fri Apr 25 12:03:32 2014
New Revision: 1590008

URL: http://svn.apache.org/r1590008
Log:
Security.
Release.
Cleanup.

Added:
    tomee/site/trunk/content/maven.mdtext
    tomee/site/trunk/content/security/tomee.mdtext
Removed:
    tomee/site/trunk/content/dev/releasing.mdtext
    tomee/site/trunk/content/security/tomee-1-6.mdtext
Modified:
    tomee/site/trunk/content/dev/release-tomee.mdtext
    tomee/site/trunk/content/security/index.mdtext

Modified: tomee/site/trunk/content/dev/release-tomee.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/dev/release-tomee.mdtext?rev=1590008&r1=1590007&r2=1590008&view=diff
==============================================================================
--- tomee/site/trunk/content/dev/release-tomee.mdtext (original)
+++ tomee/site/trunk/content/dev/release-tomee.mdtext Fri Apr 25 12:03:32 2014
@@ -202,8 +202,16 @@ Ensure the TCK passes with preview repos
 	\tckbranch\webprofile-plus.properties
 	\tckbranch\webprofile.properties
 	
-Fire off a build on EC2 from the TCK directory using **./triggerEC2.sh**	
+To fire off a build on EC2 from the TCK directory use **./triggerEC2.sh**	
 
-Follow the steps in tasks - In progress...
+If the TCK fails then discuss, fix and re-roll.
+
+Publish a [Vote](https://www.apache.org/foundation/voting.html) if, and only if, the TCK passes.
+
+Votes are generally managed and identified using keywords such as [VOTE], [CANCELLED] and [RESULT]
 
-mvn org.codehaus.mojo:versions-maven-plugin:2.1:
\ No newline at end of file
+If the vote fails then discuss, fix and re-roll.
+
+TCK test vote binaries
+
+Follow the steps in tasks - In progress...
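
Review bot: The added line "TCK test vote binaries" is a bare fragment with no verb, so a release manager cannot tell whether it is a heading or a step, or which binaries it refers to. Write it as a full instruction or drop it until the step is defined. The line listing [VOTE], [CANCELLED] and [RESULT] also does not say where these keywords are used and has no closing full stop, and the "Follow the steps in tasks - In progress..." placeholder is carried over unchanged.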

Added: tomee/site/trunk/content/maven.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/maven.mdtext?rev=1590008&view=auto
==============================================================================
--- tomee/site/trunk/content/maven.mdtext (added)
+++ tomee/site/trunk/content/maven.mdtext Fri Apr 25 12:03:32 2014
@@ -0,0 +1,36 @@
+# Maven Information
+
+This page is intended to provide an insight into basic [Maven](http://maven.apache.org/) usage for users that are not all that familiar with [Maven](http://maven.apache.org/) projects.
+It is by no means a tutorial and is designed to be more of a *quickstart* to get you up and running.
+
+You can find a really good [Maven](http://maven.apache.org/) tutorial here: [http://books.sonatype.com/mvnex-book/reference/public-book.html](http://books.sonatype.com/mvnex-book/reference/public-book.html)
+
+It is assumed you have downloaded and installed [Maven](http://maven.apache.org/) and that you can run **mvn --version** from any command prompt (or console).
+It is assumed you have downloaded and installed [Subversion](http://subversion.apache.org/) and that you can run **svn --version** from any command prompt or console.
+
+It is also assumed you have downloaded one of the following:
+
+ - One of the example projects from [http://svn.apache.org/repos/asf/tomee/tomee/trunk/examples]()
+ - The entire project source from [http://svn.apache.org/repos/asf/tomee/tomee/trunk](http://svn.apache.org/repos/asf/tomee/tomee/trunk)
+ 
+Use [Subversion](http://subversion.apache.org/) to checkout the example sources from a console like so:
+ 
+	svn co http://svn.apache.org/repos/asf/tomee/tomee/trunk/examples/[example]
+		
+Or that you may of course also also be using your own project pom.xml
+
+If you want to use the latest snapshot locate the *<repositories>* section in your pom.xml and ensure the following repository exists:
+	
+	<repositories>
+	  <repository>
+	    <id>apache-m2-snapshot</id>
+	    <name>Apache M2 Snapshot Repository</name>
+	    <url>http://repository.apache.org/snapshots/</url>
+	    <releases>
+	  	  <enabled>false</enabled>
+	    </releases>
+	    <snapshots>
+	  	  <enabled>true</enabled>
+	    </snapshots>
+	  </repository>
+	</repositories>
\ No newline at end of file
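
Review bot: The snapshot repository in the pom.xml snippet is declared as `<url>http://repository.apache.org/snapshots/</url>`, so snapshot artifacts would be resolved over plain HTTP with no transport integrity; use the https:// form of that URL, and do the same for the `svn co` command and the two source links. Smaller points in the same file: the examples bullet is a link with an empty target `()`, the line "Or that you may of course also also be using your own project pom.xml" has a doubled "also" and reads as a fragment, the page has no `Title:` header while security/tomee.mdtext added in this commit starts with one, and the file ends without a trailing newline.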

Modified: tomee/site/trunk/content/security/index.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/index.mdtext?rev=1590008&r1=1590007&r2=1590008&view=diff
==============================================================================
--- tomee/site/trunk/content/security/index.mdtext (original)
+++ tomee/site/trunk/content/security/index.mdtext Fri Apr 25 12:03:32 2014
@@ -14,8 +14,8 @@ wishing to build their own local version
 
 Lists of security problems fixed in released versions of Apache TomEE are available:
 
-* [Apache TomEE 1.5 Security Vulnerabilities](tomee-1-5.html)
-* [Apache TomEE 1.6 Security Vulnerabilities](tomee-1-6.html)
+* [Apache TomEE 1.5 Security Vulnerabilities](tomee.html)
+* [Apache TomEE 1.6 Security Vulnerabilities](tomee.html)
 
 
 ## Reporting New Security Problems with Apache TomEE
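
Review bot: Both bullets now point at the same target, tomee.html, while keeping separate "1.5" and "1.6" labels, and the page they land on is titled "Apache TomEE 1.x". Collapse them into a single "Apache TomEE 1.x Security Vulnerabilities" entry. The commit's file list removes only security/tomee-1-6.mdtext, so please confirm whether tomee-1-5 is meant to stay published now that nothing links to it from here.
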
@@ -65,14 +65,14 @@ component for more information on the se
 By default any regular TomEE releases uses latest sub project releases, so that we can follow all security fixes
 as much as possible.
 
-## Apache TomEE versionning details
+## Apache TomEE versioning details
 
-As security is a key concern in many companies, TomEE team also considers to deliver specific security fixes for thoses
+As security is a key concern in many companies, TomEE team also considers to deliver specific security fixes for those
 external projects being fixed. For instance, if Tomcat fixes a security issue in Tomcat x.y.z, used in TomEE a.b.c,
 we will consider packaging a new security update release using the new Tomcat release.
 
 In order to achieve a smoothly migration patch between a TomEE version and a security update, the TomEE team has decided
-to adopt the following versionning *major*.*minor*.*patch*[.*security update*]
+to adopt the following versioning *major*.*minor*.*patch*[.*security update*]
 
 * major ([0-9]+): it refers mainly to the Java EE version we implement. 1.x for Java EE 6 for example.
 * minor ([0-9]+): contains features, bugfixes and security fixes (internal or third-party)
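
Review bot: The spelling pass stops short on the text it touches: the changed line still reads "TomEE team also considers to deliver specific security fixes", and the context line "In order to achieve a smoothly migration patch" is still ungrammatical. Suggest "the TomEE team will also consider delivering specific security fixes" and "a smooth migration path", if "path" is what was meant, in the same change.
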
@@ -91,7 +91,7 @@ smaller and the community can deliver a 
 Secunia is an international IT security company specialising in vulnerability management based in Copenhagen, Denmark.
 
 There is an [Apache Software Foundation vendor](http://secunia.com/advisories/vendor/8/) declared so you can follow
-all vulnarabilities related to Apache products. Of course, a Apache TomEE product
+all vulnerabilities related to Apache products. Of course, a Apache TomEE product
 is also available so you can search for know advisories.
 
 
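
Review bot: The changed line corrects "vulnerabilities" but still reads "a Apache TomEE product", and the following line still has "search for know advisories". Make these "an Apache TomEE product" and "known advisories" while the paragraph is being edited.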

Added: tomee/site/trunk/content/security/tomee.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/tomee.mdtext?rev=1590008&view=auto
==============================================================================
--- tomee/site/trunk/content/security/tomee.mdtext (added)
+++ tomee/site/trunk/content/security/tomee.mdtext Fri Apr 25 12:03:32 2014
@@ -0,0 +1,42 @@
+Title: Apache TomEE 1.x
+
+## Apache TomEE 1.x vulnerabilities
+
+This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache TomEE 1.x.
+Each vulnerability is given a security impact rating by either the Apache TomEE team or by the dependent project
+supplying the fix - please note that this rating is not uniform and will vary from project to project. We also list
+the versions of Apache TomEE the flaw is known to affect, and where a flaw has not been verified list the
+version with a question mark.
+
+Note: Vulnerabilities that are not TomEE vulnerabilities but have either been incorrectly reported against
+TomEE or where TomEE provides a workaround are listed bellow in the section "Not a vulnerability".
+
+Please note that binary patches are never provided. If you need to apply a source code patch, use the building
+instructions for the Apache TomEE version that you are using. For TomEE 1.x those are [Building TomEE 1.x](dev/building-tomee-1.html).
+
+If you need help on building or configuring TomEE or other help on following the instructions to mitigate the
+known vulnerabilities listed here, please send your questions to the public [Users mailing list](support.html)
+
+If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact,
+or if the descriptions here are incomplete, please report them privately to
+the [Apache Security Team](http://www.apache.org/security). Thank you.
+
+## Fixed in Apache TomEE xxx
+
+_No CVE has been opened to be fixed on current Apache TomEE project sources._
+
+## Fixed in Third-party
+
+Provided by [Apache TomEE 1.6.0.1](http://tomee.apache.org/downloads.html)
+
+ - Fixed in Tomcat 7.0.52 *Important: Denial of Service* [CVE-2014-0050](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050) 
+
+Provided by [Apache TomEE 1.6.0](http://tomee.apache.org/downloads.html)
+ 
+ - [CVE-2013-2160](http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372324301000&api=v2) - Denial of Service Attacks on Apache CXF
+ - [Note on CVE-2012-5575](http://cxf.apache.org/cve-2012-5575.html) - XML Encryption backwards compatibility attack on Apache CXF.
+ - [CVE-2013-0239](http://cxf.apache.org/cve-2013-0239.html) - Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.
+
+## Not a vulnerability
+
+
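
Review bot: The introduction promises a security impact rating and the affected TomEE versions for each vulnerability, but the entries under "Fixed in Third-party" do not deliver that: only CVE-2014-0050 carries a rating, none lists affected versions, and the two groups use different entry formats. Pick one format (fixed-in component and version, rating, CVE link, affected TomEE versions) and apply it to all four entries. Also in this file: the heading "## Fixed in Apache TomEE xxx" still contains a placeholder, "listed bellow" should be "listed below", the "Not a vulnerability" section that the note refers readers to is empty, and the relative links `dev/building-tomee-1.html` and `support.html` sit in a page under security/, so they will resolve beneath security/ unless the site rewrites them.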