Info about TomEE vulnerabilities

Info about TomEE vulnerabilities

Franos13
Hello everyone,

It is quite hard to find information about all the TomEE CVEs.
If we go to http://tomee.apache.org/security/index.html, we are told to look at the sub-projects listed below:

* Tomcat
* Open JPA
* CXF
* OpenWebBeans
* MyFaces
* Bean Validation

In my opinion it would be a good thing to centralize this information on the TomEE web site, to avoid having to navigate to all the TomEE sub-project sites to find
this information, which sometimes we can't find there anyway (for example for OpenWebBeans).

What do you think?

Best Regards.
________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
Re: Info about TomEE vulnerabilities

Romain Manni-Bucau
Hi François,

Generally, in CVE databases you can listen for the TomEE stack, which makes only the directly
TomEE-related issues needed and useful on the TomEE website (as it "avoids a ton of noise").
It was mainly thought of this way, I think.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>

RE: Info about TomEE vulnerabilities

Franos13
Hello Romain,

My point is that, as vulnerabilities are critical in the IT world today, it should be really useful to have a dedicated page on the TomEE web site
that lists/collects the CVEs for each third-party version included.

It will help our day-to-day work a lot, as we won't have to look at different locations anymore to find this kind of information.

When you say CVE databases, which one do you recommend for monitoring the TomEE CVEs?

Best Regards.

Re: Info about TomEE vulnerabilities

Romain Manni-Bucau
2017-06-02 9:32 GMT+02:00 COURTAULT Francois <[hidden email]>:

> Hello Romain,
>
> My point is that, as vulnerabilities are critical in the IT world today, it
> should be really useful to have a dedicated page on the TomEE web site
> that lists/collects the CVEs for each third-party version included.
>
> It will help our day-to-day work a lot, as we won't have to look at
> different locations anymore to find this kind of information.
>
> When you say CVE databases, which one do you recommend for monitoring the
> TomEE CVEs?
>

Well, we used Secunia for instance, with JL (on this list as well), but there
are multiple good alternatives.

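The thread asks for one place that lists the CVEs per sub-project version shipped in TomEE, and the reply is to follow a CVE database for the whole stack. The following is an added example (not code from the TomEE project or from either poster) of the filtering step that makes such a feed useful: it matches a constructed component inventory for one hypothetical TomEE build against a constructed advisory list shaped after NVD-style version-range fields (versionStartIncluding, versionEndExcluding and their siblings). All CVE ids, versions and ranges below are placeholders, not real advisories.

```python
import re

# Constructed inventory for one hypothetical TomEE distribution: the sub-projects
# named on the TomEE security page, with placeholder versions.
STACK = {
    "tomcat": "8.5.15",
    "openjpa": "2.4.2",
    "cxf": "3.1.11",
    "openwebbeans": "1.7.3",
    "myfaces": "2.2.12",
    "bval": "1.1.2",
}

# Constructed advisory feed (placeholder ids, NOT real CVEs), loosely shaped like
# NVD cpeMatch entries: an affected product plus optional version bounds.
FEED = [
    {"id": "CVE-0000-0001", "product": "tomcat",
     "versionStartIncluding": "8.5.0", "versionEndExcluding": "8.5.16"},
    {"id": "CVE-0000-0002", "product": "tomcat",
     "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.1"},
    {"id": "CVE-0000-0003", "product": "cxf", "versionEndExcluding": "3.1.11"},
    {"id": "CVE-0000-0004", "product": "openwebbeans",
     "versionEndIncluding": "1.7.3"},
    {"id": "CVE-0000-0005", "product": "struts"},  # not in the stack: ignored
]

def parse_version(v):
    """Turn '8.5.15' (or '1.1.0.Final') into a comparable tuple of ints."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def in_range(version, adv):
    """Apply NVD-style inclusive/exclusive bounds; a missing bound is open."""
    v = parse_version(version)
    if "versionStartIncluding" in adv and v < parse_version(adv["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in adv and v <= parse_version(adv["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in adv and v > parse_version(adv["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in adv and v >= parse_version(adv["versionEndExcluding"]):
        return False
    return True

def matching_cves(stack, feed):
    """Return {product: [cve ids]} for advisories whose range covers the shipped version."""
    hits = {}
    for adv in feed:
        shipped = stack.get(adv["product"])
        if shipped and in_range(shipped, adv):
            hits.setdefault(adv["product"], []).append(adv["id"])
    return hits

if __name__ == "__main__":
    for product, ids in sorted(matching_cves(STACK, FEED).items()):
        print(f"{product} {STACK[product]}: {', '.join(ids)}")
```

Products absent from the inventory and advisories whose range ends before the shipped version (the cxf entry, fixed in exactly the version shipped) produce no hit, which is the noise reduction the reply refers to.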