-
1. Re: CVE fix list for WildFly?
ctomc Mar 28, 2014 4:06 PM (in response to bosullivan00)
Red Hat provides CVEs for the commercially supported version, JBoss EAP.
See more details about it here: https://access.redhat.com/site/support/policy/updates/jboss_notes/
and https://rhn.redhat.com/errata/rhel6-jbeap-6-errata-security.html
WildFly (previously JBoss AS) is the upstream project for EAP. We fix security-related problems in the product and in upstream at the same time (if applicable),
but in upstream the fix is usually just applied to master, and fixes are as such available as part of the next release, whatever that is;
the product, on the other hand, gets patches for all released versions.
--
tomaz
-
2. Re: CVE fix list for WildFly?
sivasubram Apr 10, 2014 5:31 PM (in response to ctomc)
On a similar theme, I am looking for the CVEs that are fixed in Community version 7.2.0 Final (not in EAP 6.1.0). Can you help?
Siva
-
3. Re: CVE fix list for WildFly?
ctomc Apr 10, 2014 6:50 PM (in response to sivasubram)
We do not keep separate CVEs, if that is what you are asking.
As far as 7.2.0.Final goes, it is exactly the same as EAP 6.1.0.Alpha, which then got a bunch of testing and fixes and became EAP 6.1.0.GA.
-
4. Re: CVE fix list for WildFly?
sivasubram Apr 11, 2014 10:31 AM (in response to ctomc)
Thank you for the response. Where can I find the CVEs that are fixed in Community version AS7? Red Hat's website gives the CVEs that are associated with each of the EAP releases. As an example, CVEs 2012-4572/5575 and 2013-2067/2185/428/4213 are fixed in EAP 6.1.0. Does 7.2.0 Final have these fixes?
-
5. Re: CVE fix list for WildFly?
ctomc Apr 11, 2014 11:02 AM (in response to sivasubram)
We fix all security problems in upstream first, and then they are backported to EAP,
but that means that only the latest upstream releases have all CVE fixes.
As for 7.2.0:
7.2.0.Final --> EAP 6.1.0.Alpha --> EAP 6.1.0.Beta --> EAP 6.1.0.Final --> EAP 6.1.1 --> ...
So any fixes in EAP 6.1 post-Alpha are not part of 7.2.0.Final but went into "current" upstream at the time and were part of the next community release, in this case WildFly 8.
We usually don't do backports of any fixes for community releases; we just fix stuff in the latest release.
-
6. Re: CVE fix list for WildFly?
bosullivan00 Apr 11, 2014 2:40 PM (in response to ctomc)
I think I'm looking for the same thing that Siva is: just to get a good idea of which CVE fixes are in which release. Tomas was talking earlier about the JBoss EAP CVE info, which is great, but it only tells me which versions of EAP the CVEs are fixed in. I need to know precisely which version of Community / WildFly they're fixed in.
-
7. Re: CVE fix list for WildFly?
whitingjr Apr 14, 2014 5:42 AM (in response to bosullivan00)
Brian and Siva,
The list of fixed CVEs is not something currently compiled by the community. Tomaz has mentioned this a couple of times for you. This being an open source project, your contributions to the project are greatly welcomed to make it better.
Your contribution to list the CVEs in the community version involves comparing the changes that went into EAP versus WildFly. Tomaz pointed out that a patch goes into upstream initially and is then backported to EAP. To compile a list yourself, look through the CVE list for EAP, identifying the project that was changed to include the fix. Then look at the WildFly project versions to see whether the version shipped is the same or more recent.
Having compiled a list for the version of WildFly that interests you, create a blog post or some similar announcement to share your findings with the community.
Of course, if you don't have the time to contribute, then reconsider using EAP, where the information you want is provided on a plate.
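The comparison described in the post above, as an added worked example that is not part of the thread and not WildFly project code: it reads the `<resource-root path="artifact-version.jar"/>` entries from a distribution's module.xml files, compares each shipped component version against a per-CVE "fixed in component version" table using Maven-style ordering (Alpha < Beta < CR < Final/GA), and reports which entries the distribution does or does not carry. The module.xml snippets and the advisory rows are constructed for illustration and the CVE ids are placeholders (CVE-EXAMPLE-n), not real advisories; the "fixed in" column is exactly the data the thread says nobody has compiled, so it is the input you would have to assemble yourself from the EAP errata.

```python
"""Added example (not from the thread): check a WildFly/AS7 distribution's
shipped component versions against a per-CVE "fixed in component version"
table. The module.xml contents and advisory rows are CONSTRUCTED; the CVE
ids are placeholders, not real advisories."""
import re
import xml.etree.ElementTree as ET

# Maven-style qualifier ordering: pre-release qualifiers sort before a
# release; "Final", "GA" and no qualifier all count as the release.
QUALIFIER_RANK = {
    "alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
    "rc": 3, "cr": 3, "snapshot": 4, "": 5, "ga": 5, "final": 5, "release": 5,
}


def parse_version(version):
    """Turn '2.2.1.Final', '1.0.0.Beta2' or '4.1' into a comparable tuple."""
    numbers, qualifier, qualifier_no = [], "", 0
    for part in re.split(r"[.\-]", version.strip()):
        if part.isdigit():
            numbers.append(int(part))
            continue
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", part)
        if m is None or m.group(1).lower() not in QUALIFIER_RANK:
            raise ValueError("unrecognised version %r" % version)
        qualifier, qualifier_no = m.group(1).lower(), int(m.group(2) or 0)
        break  # anything after the qualifier (e.g. '-redhat-1') is ignored
    numbers += [0] * (4 - len(numbers))  # '4.1' compares as 4.1.0.0
    return (tuple(numbers), QUALIFIER_RANK[qualifier], qualifier_no)


def is_at_least(have, need):
    """True when the shipped version is the same as or newer than 'need'."""
    return parse_version(have) >= parse_version(need)


# 'jboss-remoting-3.2.14.GA.jar' -> artifact 'jboss-remoting', version '3.2.14.GA'
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def components_from_modules(module_xml_by_path):
    """Map artifact name -> version from the <resource-root> entries of each
    module.xml (keys are file paths, values are the file contents)."""
    found = {}
    for _path, xml_text in module_xml_by_path.items():
        root = ET.fromstring(xml_text)
        for elem in root.iter():
            if elem.tag.split("}")[-1] != "resource-root":  # strip namespace
                continue
            m = JAR_RE.match(elem.get("path", ""))
            if m:
                found[m.group("artifact")] = m.group("version")
    return found


def cve_status(advisories, components):
    """advisories: iterable of (cve_id, artifact, fixed_in_version).
    Returns {cve_id: 'fixed' | 'NOT fixed (...)' | 'component not shipped'}."""
    result = {}
    for cve_id, artifact, fixed_in in advisories:
        shipped = components.get(artifact)
        if shipped is None:
            result[cve_id] = "component not shipped"
        elif is_at_least(shipped, fixed_in):
            result[cve_id] = "fixed"
        else:
            result[cve_id] = "NOT fixed (%s < %s)" % (shipped, fixed_in)
    return result


# Constructed stand-ins for files under modules/ in a distribution.
MODULES = {
    "modules/org/jboss/remoting3/main/module.xml": """<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="org.jboss.remoting3">
  <resources>
    <resource-root path="jboss-remoting-3.2.14.GA.jar"/>
  </resources>
</module>""",
    "modules/org/picketbox/main/module.xml": """<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="org.picketbox">
  <resources>
    <resource-root path="picketbox-4.0.15.Final.jar"/>
    <resource-root path="picketbox-infinispan-4.0.15.Final.jar"/>
  </resources>
</module>""",
}

# Constructed advisory table with placeholder ids (NOT real CVEs).
ADVISORIES = [
    ("CVE-EXAMPLE-1", "jboss-remoting", "3.2.14.GA"),   # shipped == fixed-in
    ("CVE-EXAMPLE-2", "picketbox", "4.0.17.Final"),      # shipped is older
    ("CVE-EXAMPLE-3", "picketbox", "4.0.15.Beta2"),      # Final sorts after Beta2
    ("CVE-EXAMPLE-4", "jbossweb", "7.0.17.Final"),       # not in this distribution
]


def report(module_xml_by_path=MODULES, advisories=ADVISORIES):
    return cve_status(advisories, components_from_modules(module_xml_by_path))


if __name__ == "__main__":
    for cve, status in sorted(report().items()):
        print(cve, status)
```

Two caveats when using this against a real distribution. First, an EAP rebuild such as `3.2.14.GA-redhat-1` sorts equal to `3.2.14.GA` here, so a fix that exists only in the product rebuild and was never released upstream is invisible to a version comparison; that is precisely the "fixed in EAP, not yet in a community release" case the thread is about, and only the upstream JIRA and git history settle it. Second, a module that repackages several jars, or a fix applied to the container itself rather than a component, needs a manual check.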
-
8. Re: CVE fix list for WildFly?
bosullivan00 Apr 14, 2014 2:24 PM (in response to whitingjr)
Ah, sorry - I did not get that from Tomas's answer. From my reading, I realized that WildFly would add CVEs whenever possible, but was still hoping that there would be a tracking system that allowed users to determine when they had been added.
-
9. Re: CVE fix list for WildFly?
sivasubram Apr 14, 2014 2:54 PM (in response to bosullivan00)
Agree. For example, I was looking at the release notes for 7.0.2 Final and could not find any information on the CVEs that are in this release. Can I assume that the only CVEs that are fixed are those from the Red Hat website?
-
10. Re: CVE fix list for WildFly?
ctomc Apr 14, 2014 3:50 PM (in response to sivasubram)
Siva Subramaniam wrote:
    Can I assume that the only CVEs that are fixed are from the Red Hat website?
Yes.
7.0.2 was a community-only release without any EAP counterpart at that time (EAP 6.0 development started with 7.1.1 as its base).
In releases like that you can go through the list of fixed JIRA issues; we don't hide anything, and the code always tells the truth.
-
11. Re: CVE fix list for WildFly?
sivasubram Apr 18, 2014 4:34 PM (in response to bosullivan00)
Thank you for the info. I am compiling a CVE list for 7.2.0 Final (the CVEs that have been fixed in this release) and a CVE list for WildFly. I looked at the release notes for 7.2.0 Final and the issues (JIRA) for WildFly and cannot find any matches. Examples: 7.2.0 Final: CVE-2012-5629/RHSA-2013:0234-1/Bugzilla#885569 - I cannot find this anywhere. WildFly 8.x.x: CVE-2013-4213/RHSA-2013:1437-1/Bugzilla#985359
-
12. Re: CVE fix list for WildFly?
ctomc Apr 18, 2014 4:50 PM (in response to sivasubram)
was the one you are looking for; they are all linked with the EAP ones. To be fair, issues around EAP 6.0.1 to EAP 6.1 are a bit more messy, as there was a migration from JIRA --> Bugzilla,
but everything can still be found.
-
13. Re: CVE fix list for WildFly?
sivasubram Apr 22, 2014 3:25 PM (in response to ctomc)
Thank you. As I am compiling a complete CVE list for WildFly (post 7.2.0 Final), I need some guidance here. From the MITRE CVE website (also linked to the NVD website) I did a search for JBoss and got 106 CVEs. Now, if I search the issues list in WildFly, I am unable to find any of the CVEs. Examples: CVE-2103-6448, CVE-2012-5575 (I used the descriptive text as my search criteria). There are approximately 340 issues in WildFly. CVE-2012-5575 has been fixed in the EAP 6.1.0 update (Bugzilla #880443); has this been fixed in WildFly?
-
14. Re: CVE fix list for WildFly?
sivasubram Apr 23, 2014 5:56 PM (in response to bosullivan00)
Brian,
Are you having any luck in finding any CVEs that are being fixed in any version of WildFly?