Posted to dev@jena.apache.org by GitBox <gi...@apache.org> on 2022/11/15 13:38:36 UTC

[GitHub] [jena-site] rvesse commented on a diff in pull request #128: Add a Security Advisories page to the website

rvesse commented on code in PR #128:
URL: https://github.com/apache/jena-site/pull/128#discussion_r1022797382


##########
source/about_jena/security-advisories.md:
##########
@@ -0,0 +1,103 @@
+---
+title: Jena Security Advisories
+---
+
+# Security Issue Policy
+
+## Process
+
+Jena follows the standard [ASF Security for Committers](https://www.apache.org/security/committers.html) policy for
+reporting and addressing security issues.
+
+If you think you have identified a Security issue in our project please refer to that policy for how to report it, and
+the process that the Jena Project Management Committe (PMC) will follow in addressing the issue.
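Review bot: Typo in the last line of this hunk, "Project Management Committe (PMC)" should read "Project Management Committee (PMC)"; while there, "a Security issue" in the same paragraph should be lowercase "security issue" for consistency with "security issues" two lines earlier.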

Review Comment:
   Fixed



##########
source/about_jena/security-advisories.md:
##########
@@ -0,0 +1,103 @@
+---
+title: Jena Security Advisories
+---
+
+# Security Issue Policy
+
+## Process
+
+Jena follows the standard [ASF Security for Committers](https://www.apache.org/security/committers.html) policy for
+reporting and addressing security issues.
+
+If you think you have identified a Security issue in our project please refer to that policy for how to report it, and
+the process that the Jena Project Management Committe (PMC) will follow in addressing the issue.
+
+## Single Supported Version
+
+As a project with a relatively small developer community Apache Jena only has the resources to maintain a single release
+version.  Therefore any accepted security issue reported will be fixed by developing a fix for our `main` branch.  We
+will then make a release with the fix in a timeframe appropriate to the severity of the issue.  
+
+## Standard Mitigation Advice
+
+Note that as a project our guidance to users is **always** to use the newest Jena version available to ensure you have
+any security fixes we have made available.
+
+Where more specific mitigations are available these will be denoted in the individual CVEs.
+
+## End of Life (EOL) Components
+
+Where a security advisory is issued for a component that is already EOL (sometimes referred to as archived or retired
+within our documentation) then we will not fix the issue but instead reiterate our previous recommendations that users
+cease using the EOL component and migrate to actively supported components.
+
+Such issues will follow the [CVE EOL Assignment
+Process](https://cve.mitre.org/cve/cna/CVE_Program_End_of_Life_EOL_Assignment_Process.html) and will be clearly denoted
+by the **UNSUPPORTED WHEN ASSIGNED** text at the start of the description.
+
+## Security Issues in Dependencies
+
+For our dependencies the project relies primarily upon GitHub Dependabot Alerts to be made aware of available dependency
+updates, whether security related or otherwise.  When a security related update is released and our analysis shows that
+Jena users may be affected we endeavour to take the dependency upgrade ASAP and make a new release in timeframe
+appropriate to the severity of the issue.
+
+# Jena CVEs
+
+The following CVEs specifically relate to the Jena codebase itself and have been addressed by the project. Per our
+policy above we advise users to always utilise the latest Jena release available.
+
+Please refer to the individual CVE links for further details and mitigations.
+
+## CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB
+
+[CVE-2022-45136](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45136) affects all versions of [Jena
+SDB](../documentation/archive/sdb/) up to and including the final 3.17.0 release
+
+Apache Jena SDB has been EOL since December 2020 and we recommend any remaining users migrate to [Jena TDB
+2](../documentation/tdb2/) or other 3rd party vendor alternatives.
+
+Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue
+
+## CVE-2022-28890 - Processing External DTDs
+
+[CVE-2022-28890](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28890) affects the RDF/XML parser in Jena 4.4.0
+only
+
+Users should upgrade to latest Jena 4.x [release](../download/) available.
+
+Apache Jena would like to thank Feras Daragma, Avishag Shapira & Amit Laish (GE Digital, Cyber Security Lab) for their
+report.
+
+## CVE-2021-39239 - XML External Entity (XXE) Vulnerability
+
+[CVE-2021-39239](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39239) affects XML parsing up to Jena 4.1.0
+
+Users should upgrade to latest Jena 4.x [release](../download/) available.
+
+## CVE-2021-33192 - Display information UI XSS in Apache Jena Fuseki
+
+[CVE-2021-33192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33192) affected
+[Fuseki](../documentation/fuseki2/) 2.0.0 through 4.0.0
+
+Users should upgrade to latest Jena 4.x [release](../download/) available.
+
+# CVEs in Jena Dependencies
+
+The following advisories are CVE's in Jena's dependencies that may affect users of Jena, as with Jena specific CVEs our
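Review bot: Several small consistency and wording points in this hunk. "Committe (PMC)" is still misspelled (should be "Committee"); the CVE-2022-45136, CVE-2022-28890, CVE-2021-39239 and CVE-2021-33192 "affects ... " lines and the "thank Crilwa & LaNyer640 for reporting this issue" line all lack a terminating full stop; "CVE's" in the final line should be "CVEs" (plural, not possessive); and "affected" in the Fuseki entry is inconsistent with "affects" used by the other three entries. One substantive point: the "End of Life (EOL) Components" section promises that advisories for EOL components carry the "UNSUPPORTED WHEN ASSIGNED" marker, but the CVE-2022-45136 entry for the EOL SDB component does not say so; stating it there explicitly (e.g. "This CVE is marked UNSUPPORTED WHEN ASSIGNED per our EOL policy above") would make the entry match the policy it sits under.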

Review Comment:
   Fixed


