Posted to users@tapestry.apache.org by based2 <ba...@free.fr> on 2012/04/01 23:45:00 UTC

Re: Sonatype Security Brief

* Maybe http://tapestry.apache.org/integrating-with-spring-framework.html
(2.5.6 ==> 2.5.6.SEC02)
> http://www.springsource.com/security/cve-2010-1622
http://en.securitylab.ru/nvd/395057.php

A secchecker plugin for gradle/maven could be created around a CVE check
list:

org.apache.wicket:wicket Wicket 1.4.x - CVE-2011-2712 - Apache Wicket XSS
vulnerability http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html
bouncycastle Bouncy Castle Java Cryptography API  2.5.2 CVE-2007-6721
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6721
org.springframework Spring Framework  3.0.0->3.0.2 2.5.0->2.5.6.SEC01
(community releases) 2.5.0->2.5.7 (subscription customers) CVE-2010-1622
http://www.springsource.com/security/cve-2010-1622
http://en.securitylab.ru/nvd/395057.php
org.apache.cxf  CXF +2.4.5,+2.5.1 CVE-2012-0803
http://osdir.com/ml/users-cxf-apache/2012-02/msg00175.html
http://marc.info/?l=bugtraq&m=130583021727954
org.apache.derby  Derby database +10.6.0 CVE-2009-4269
http://db.apache.org/derby/releases/release-10.6.1.0.html#Fix+for+Security+Bug+CVE-2009-4269
com.google.gwt 1.6.4-1 CVE-2007-2378 CVE-2007-6542
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563542
 commons-daemon 1.0.3->1.0.6 CVE-2011-2729
http://mail-archives.apache.org/mod_mbox/www-announce/201108.mbox/%3C4E451C01.6000007@apache.org%3E
 geronimo/org.apache.geronimo 2.2.0
http://geronimo.apache.org/2010/12/11/apache-geronimo-v221-released.html
http://mail-archives.apache.org/mod_mbox/servicemix-users/201201.mbox/%3CCAJUL34NnCnQ4LSDN-9NWfia+2C0pSXaMajY51-=YgES46dsoiw@mail.gmail.com%3E
...
 tomcat https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/843701
 myfaces http://www.spinics.net/lists/bugtraq/msg46538.html
 archiva 
http://archives.neohapsis.com/archives/fulldisclosure/2011-05/0532.html
 jonas +4.10.9 CVE-2009-3555
http://mail-archive.ow2.org/jonas/2010-11/msg00015.html
 mojarra CVE-2011-4358
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650430
 opensaml CVE-2011-1411
http://shibboleth.1660669.n2.nabble.com/CVE-2011-1411-OpenSAML-library-vulnerable-to-XML-Signature-wrapping-attacks-td6618773.html
 jetty 6.1->6.1.21 CVE-2009-4612
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4612
 jetty  (6.1.24) CVE-2011-4461
https://bugzilla.redhat.com/show_bug.cgi?id=781677
 
 CVE-2011-0533: Apache Continuum cross
 ===
 hadoop CVE-2010-0405 https://issues.apache.org/jira/browse/HADOOP-6966


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
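A minimal version of the Maven/Gradle CVE checker that the post proposes, written as an added example and not code from the post or from any Sonatype or Apache project: it parses group:artifact:version coordinates, orders versions so that Spring's 2.5.6.SEC01/SEC02 qualifiers compare correctly, and flags dependencies that fall inside the affected ranges listed above. The ranges and CVE ids are copied from the post; the groupId/artifactId coordinates and the sample dependency list are assumptions constructed for the example.

```python
import re

# Affected ranges and CVE ids copied from the post; the groupId:artifactId
# coordinates are an assumption for illustration (the post names only projects).
CHECKLIST = [
    ("org.springframework", "spring", "2.5.0", "2.5.6.SEC01", "CVE-2010-1622"),
    ("org.springframework", "spring", "3.0.0", "3.0.2", "CVE-2010-1622"),
    ("commons-daemon", "commons-daemon", "1.0.3", "1.0.6", "CVE-2011-2729"),
    ("org.mortbay.jetty", "jetty", "6.1", "6.1.21", "CVE-2009-4612"),
]

# Constructed sample dependency list in group:artifact:version form.
SAMPLE_DEPENDENCIES = [
    "org.springframework:spring:2.5.6",        # inside 2.5.0..2.5.6.SEC01
    "org.springframework:spring:2.5.6.SEC02",  # the fixed release
    "commons-daemon:commons-daemon:1.0.5",     # inside 1.0.3..1.0.6
    "org.mortbay.jetty:jetty:6.1.24",          # above 6.1.21
]


def version_key(version):
    """Sortable key: numeric parts compare as ints, qualifiers such as SEC01
    compare as strings and sort after a plain release with the same prefix,
    so 2.5.6 < 2.5.6.SEC01 < 2.5.6.SEC02.  This is a simplification of
    Maven's ordering (for example it does not treat -SNAPSHOT as earlier)."""
    return [(0, int(p), "") if p.isdigit() else (1, 0, p.upper())
            for p in re.split(r"[.\-]", version)]


def in_range(version, low, high):
    """True when low <= version <= high under version_key ordering."""
    return version_key(low) <= version_key(version) <= version_key(high)


def check(dependencies):
    """Return (coordinate, CVE) pairs for every dependency inside an
    affected range of CHECKLIST; matching is on exact group and artifact."""
    findings = []
    for dep in dependencies:
        group, artifact, version = dep.strip().split(":")[:3]
        for g, a, low, high, cve in CHECKLIST:
            if (g, a) == (group, artifact) and in_range(version, low, high):
                findings.append((dep, cve))
    return findings


if __name__ == "__main__":
    for coordinate, cve in check(SAMPLE_DEPENDENCIES):
        print(f"VULNERABLE {coordinate} -> {cve}")
```

A real build plugin would read the resolved dependency graph instead of a hand-written list and use Maven's own version-ordering rules rather than this simplified key.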


Re: Sonatype Security Brief

Posted by Howard Lewis Ship <hl...@gmail.com>.
Despite the inflammatory appearance of the document, the intent was to
point out that many people are still downloading out-of-date versions
of frameworks, including Tapestry, that have known vulnerabilities
even when the vulnerabilities have been fixed in later releases.

Despite that, their methodology is suspect, such as how they determine
a framework has vulnerabilities (one such is just a suggestion by me
about logging, for example) and they don't have a real way of relating
downloads to actual usage of the various frameworks.

On Sun, Apr 1, 2012 at 2:45 PM, based2 <ba...@free.fr> wrote:
> * May be http://tapestry.apache.org/integrating-with-spring-framework.html
> (2.5.6 ==> 2.5.6.SEC02)
>> http://www.springsource.com/security/cve-2010-1622
> http://en.securitylab.ru/nvd/395057.php
>
> A secchecker plugin for gradle/maven could be created around a CVE check
> list:
>
> org.apache.wicket:wicket Wicket 1.4.x - CVE-2011-2712 - Apache Wicket XSS
> vulnerability http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html
> bouncycastle Bouncy Castle Java Cryptography API  2.5.2 CVE-2007-6721
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6721
> org.springframework Spring Framework  3.0.0->3.0.2 2.5.0->2.5.6.SEC01
> (community releases) 2.5.0->2.5.7 (subscription customers) CVE-2010-1622
> http://www.springsource.com/security/cve-2010-1622
> http://en.securitylab.ru/nvd/395057.php
> org.apache.cxf  CXF +2.4.5,+2.5.1 CVE-2012-0803
> http://osdir.com/ml/users-cxf-apache/2012-02/msg00175.html
> http://marc.info/?l=bugtraq&m=130583021727954
> org.apache.derby  Derby database +10.6.0 CVE-2009-4269
> http://db.apache.org/derby/releases/release-10.6.1.0.html#Fix+for+Security+Bug+CVE-2009-4269
> com.google.gwt 1.6.4-1 CVE-2007-2378 CVE-2007-6542
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563542
>  commons-daemon 1.0.3->1.0.6 CVE-2011-2729
> http://mail-archives.apache.org/mod_mbox/www-announce/201108.mbox/%3C4E451C01.6000007@apache.org%3E
>  geronimo/org.apache.geronimo 2.2.0
> http://geronimo.apache.org/2010/12/11/apache-geronimo-v221-released.html
> http://mail-archives.apache.org/mod_mbox/servicemix-users/201201.mbox/%3CCAJUL34NnCnQ4LSDN-9NWfia+2C0pSXaMajY51-=YgES46dsoiw@mail.gmail.com%3E
> ...
>  tomcat https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/843701
>  myfaces http://www.spinics.net/lists/bugtraq/msg46538.html
>  archiva
> http://archives.neohapsis.com/archives/fulldisclosure/2011-05/0532.html
>  jonas +4.10.9 CVE-2009-3555
> http://mail-archive.ow2.org/jonas/2010-11/msg00015.html
>  mojarra CVE-2011-4358
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650430
>  opensaml CVE-2011-1411
> http://shibboleth.1660669.n2.nabble.com/CVE-2011-1411-OpenSAML-library-vulnerable-to-XML-Signature-wrapping-attacks-td6618773.html
>  jetty 6.1->6.1.21 CVE-2009-4612
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4612
>  jetty  (6.1.24) CVE-2011-4461
> https://bugzilla.redhat.com/show_bug.cgi?id=781677
>
>  CVE-2011-0533: Apache Continuum cross
>  ===
>  hadoop CVE-2010-0405 https://issues.apache.org/jira/browse/HADOOP-6966
>



-- 
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com
