Despite the inflammatory appearance of the document, the intent was to point out that many people are still downloading out-of-date versions of frameworks, including Tapestry, that have known vulnerabilities even when the vulnerabilities have been fixed in later releases.
Despite that, their methodology is suspect, such as how they determine a framework has vulnerabilities (one such is just a suggestion by me about logging, for example) and they don't have a real way of relating downloads to actual usage of the various frameworks.

On Sun, Apr 1, 2012 at 2:45 PM, based2 <ba...@free.fr> wrote:

> * May be http://tapestry.apache.org/integrating-with-spring-framework.html
> (2.5.6 ==> 2.5.6.SEC02)
>> http://www.springsource.com/security/cve-2010-1622
> http://en.securitylab.ru/nvd/395057.php
>
> A secchecker plugin for gradle/maven could be created around a CVE check
> list:
>
> org.apache.wicket:wicket Wicket 1.4.x - CVE-2011-2712 - Apache Wicket XSS
> vulnerability http://wicket.apache.org/2012/03/22/wicket-cve-2012-0047.html
> bouncycastle Bouncy Castle Java Cryptography API 2.5.2 CVE-2007-6721
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6721
> org.springframework Spring Framework 3.0.0->3.0.2 2.5.0->2.5.6.SEC01
> (community releases) 2.5.0->2.5.7 (subscription customers) CVE-2010-1622
> http://www.springsource.com/security/cve-2010-1622
> http://en.securitylab.ru/nvd/395057.php
> org.apache.cxf CXF +2.4.5,+2.5.1 CVE-2012-0803
> http://osdir.com/ml/users-cxf-apache/2012-02/msg00175.html
> http://marc.info/?l=bugtraq&m=130583021727954
> org.apache.derby Derby database +10.6.0 CVE-2009-4269
> http://db.apache.org/derby/releases/release-10.6.1.0.html#Fix+for+Security+Bug+CVE-2009-4269
> com.google.gwt 1.6.4-1 CVE-2007-2378 CVE-2007-6542
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563542
> commons-daemon 1.0.3->1.0.6 CVE-2011-2729
> http://mail-archives.apache.org/mod_mbox/www-announce/201108.mbox/%3c4e451c01.6000...@apache.org%3E
> geronimo/org.apache.geronimo 2.2.0
> http://geronimo.apache.org/2010/12/11/apache-geronimo-v221-released.html
> http://mail-archives.apache.org/mod_mbox/servicemix-users/201201.mbox/%3CCAJUL34NnCnQ4LSDN-9NWfia+2C0pSXaMajY51-=yges46ds...@mail.gmail.com%3E
> ...
> tomcat https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/843701
> myfaces http://www.spinics.net/lists/bugtraq/msg46538.html
> archiva
> http://archives.neohapsis.com/archives/fulldisclosure/2011-05/0532.html
> jonas +4.10.9 CVE-2009-3555
> http://mail-archive.ow2.org/jonas/2010-11/msg00015.html
> mojarra CVE-2011-4358
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650430
> opensaml CVE-2011-1411
> http://shibboleth.1660669.n2.nabble.com/CVE-2011-1411-OpenSAML-library-vulnerable-to-XML-Signature-wrapping-attacks-td6618773.html
> jetty 6.1->6.1.21 CVE-2009-4612
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4612
> jetty (6.1.24) CVE-2011-4461
> https://bugzilla.redhat.com/show_bug.cgi?id=781677
>
> CVE-2011-0533: Apache Continuum cross
> ===
> hadoop CVE-2010-0405 https://issues.apache.org/jira/browse/HADOOP-6966
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>

-- 
Howard M. Lewis Ship
Creator of Apache Tapestry
The source for Tapestry training, mentoring and support. Contact me to learn how I can get you up and productive in Tapestry fast!
(971) 678-5210
http://howardlewisship.com
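The "secchecker" idea from the quoted message, as an added example that is not from either poster: a small Python checker that reads the dependencies declared in a pom.xml and flags any whose version falls inside an advisory range. The advisory entries and the sample pom are constructed for this example, and the Maven coordinates used (org.springframework:spring, org.mortbay.jetty:jetty, commons-daemon:commons-daemon) are assumptions, not taken from the thread.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
# Constructed advisory list: (groupId, artifactId, first affected, last affected, CVE).
# Ranges follow entries quoted in the thread; the Maven coordinates are assumed.
ADVISORIES = [
    ("org.springframework", "spring", "2.5.0", "2.5.6.SEC01", "CVE-2010-1622"),
    ("org.mortbay.jetty", "jetty", "6.1", "6.1.21", "CVE-2009-4612"),
    ("commons-daemon", "commons-daemon", "1.0.3", "1.0.6", "CVE-2011-2729"),
]

def version_key(version):
    """Sort key giving 2.5.6 < 2.5.6.SEC01 < 2.5.6.SEC02 (numbers numerically, then qualifiers)."""
    # Simpler than Maven's ComparableVersion: no special handling of SNAPSHOT/alpha/beta.
    parts = re.split(r"[.\-]", version.strip())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def in_range(version, lowest, highest):
    """Inclusive range test on the key above."""
    return version_key(lowest) <= version_key(version) <= version_key(highest)

def declared_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> in a pom."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(POM_NS + "dependency"):
        yield tuple((dep.findtext(POM_NS + tag) or "").strip()
                    for tag in ("groupId", "artifactId", "version"))

def check_pom(pom_xml, advisories=ADVISORIES):
    """Return [(coordinate, CVE)] for declared dependencies inside an affected range."""
    findings = []
    for group, artifact, version in declared_dependencies(pom_xml):
        if not version:  # managed by a parent or BOM: resolve the effective pom before checking
            continue
        for adv_group, adv_artifact, lowest, highest, cve in advisories:
            if (group, artifact) == (adv_group, adv_artifact) and in_range(version, lowest, highest):
                findings.append((f"{group}:{artifact}:{version}", cve))
    return findings

# Constructed sample pom; spring is declared twice only to show the range boundary.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring</artifactId><version>2.5.6</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring</artifactId><version>2.5.6.SEC02</version></dependency>
    <dependency><groupId>org.mortbay.jetty</groupId><artifactId>jetty</artifactId><version>6.1.20</version></dependency>
    <dependency><groupId>commons-daemon</groupId><artifactId>commons-daemon</artifactId><version>1.0.7</version></dependency>
  </dependencies>
</project>"""
print(check_pom(SAMPLE_POM))
```

A real checker would run against the effective pom (after parent and dependencyManagement resolution) and the transitive tree, since the versions written in a single pom.xml are often not the ones that ship.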