Red Hat provides CVEs for the commercially supported version, JBoss EAP.
See more details about it here: https://access.redhat.com/site/support/policy/updates/jboss_notes/
WildFly (previously JBoss AS) is the upstream project for EAP. We fix security-related problems in the product and upstream at the same time (if applicable),
but in upstream it is usually just applied to master, and fixes are as such available as part of the next release, whatever that is;
the product, on the other hand, gets patches for all released versions.
On a similar theme, I am looking for CVEs that are fixed in Community version 7.2.0.Final (not in EAP 6.1.0). Can you help?
We do not keep separate CVEs, if that is what you are asking.
As far as 7.2.0.Final goes, it is exactly the same as EAP 6.1.0.Alpha, which then got a bunch of testing and fixes and became EAP 6.1.0.GA.
Thank you for the response. Where can I find the CVEs that are fixed in Community version AS7? Red Hat's website gives the CVEs that are associated with each of the EAP releases. As an example, CVEs 2012-4572/5575, 2013-2067/2185/428/4213 are fixed in EAP 6.1.0. Does 7.2.0.Final have these fixes?
We fix all security problems in upstream first and then they are backported to EAP,
but that means that only the latest upstream releases have all CVE fixes.
As far as 7.2.0 goes:
7.2.0.Final --> EAP 6.1.0.Alpha --> EAP 6.1.0.Beta --> EAP 6.1.0.Final --> EAP 6.1.1 --> ...
So any fixes in EAP 6.1 post-Alpha are not part of 7.2.0.Final but went to the "current" upstream at the time and were part of the next community release, in this case WildFly 8.
We usually don't do backports of any fixes for community releases; we just fix stuff in the latest release.
I think I'm looking for the same thing that Siva is: just to get a good idea of what CVE fixes are in which release. Tomas was talking earlier about the JBoss EAP CVE info, which is great, but it only tells me which versions of EAP the CVEs are fixed in. I need to know precisely which version of Community / WildFly they're fixed in.
Brian and Siva,
The list of fixed CVEs is not something currently compiled by the community. Tomaz has mentioned this a couple of times for you. This being an open source project, your contributions to the project are greatly welcomed to make it better.
Your contribution to list the CVEs in the community version involves comparing the changes that went into EAP versus WildFly. Tomaz pointed out that a patch goes into upstream initially, then is backported to EAP. To compile a list yourself, look through the CVE list for EAP, identifying the project that was changed to include the fix. Then look at the WildFly project versions to see whether the version has the same or a more recent one.
Having compiled a list for the version of WildFly that interests you, create a blog post or some similar announcement to share your findings with the community.
Of course, if you don't have the time to contribute, then reconsider using EAP, where the information you want is provided on a plate.
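One way to mechanise the cross-referencing step described in the post above, as an added example that is not part of this thread: it takes the component and version that carried each EAP fix and compares it against the component version shipped in a WildFly release, using JBoss-style version ordering (Alpha < Beta < CR < Final/GA < SP). All CVE ids, component names and versions in it are constructed placeholders.

```python
# Added example, not code from the forum thread: cross-reference an EAP CVE list
# against the component versions in a WildFly release (CVE -> fixed component ->
# version compare). All CVE ids, component names and versions are constructed.
import re

# Qualifier ordering for JBoss-style versions: Alpha < Beta < CR < Final/GA < SP.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "final": 3, "ga": 3, "sp": 4}

def parse_version(v):
    """Split '1.2.3.Final' into (numbers padded to 4, qualifier rank, qualifier no.)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[.-]([A-Za-z]+)(\d*))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    qual = (m.group(2) or "final").lower()   # bare '1.2.3' is treated as Final
    if qual not in QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier in version: {v!r}")
    return nums + (0,) * (4 - len(nums)), QUALIFIER_RANK[qual], int(m.group(3) or 0)

def version_at_least(have, need):
    """True if the shipped version is the same as or newer than the fixing one."""
    return parse_version(have) >= parse_version(need)

# Constructed sample: CVEs from the EAP errata and the component/version carrying each fix.
EAP_CVE_FIXES = {
    "CVE-0000-0001": ("example-web-container", "2.1.4.Final"),
    "CVE-0000-0002": ("example-ws-stack", "4.3.0.Beta2"),
    "CVE-0000-0003": ("example-security-lib", "3.0.1.Final"),
    "CVE-0000-0004": ("example-not-shipped", "1.0.0.Final"),
}

# Constructed sample: component versions taken from a WildFly release BOM.
WILDFLY_COMPONENTS = {
    "example-web-container": "2.1.4.Final",
    "example-ws-stack": "4.3.0.Beta1",
    "example-security-lib": "3.1.0.Alpha1",
}

def classify_cves(eap_fixes, wildfly_components):
    """Return {cve: 'fixed' | 'not fixed' | 'unknown'} for one WildFly release."""
    result = {}
    for cve, (component, fixed_in) in eap_fixes.items():
        shipped = wildfly_components.get(component)
        if shipped is None:
            result[cve] = "unknown"     # component not in this BOM: check by hand
        elif version_at_least(shipped, fixed_in):
            result[cve] = "fixed"       # same or newer version is taken to carry the fix
        else:
            result[cve] = "not fixed"
    return result
```

A "fixed" verdict only means the shipped version is at or past the one that carried the EAP fix; confirming the commit is actually present in that branch still requires reading the component's history.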
Ah, sorry, I did not get that from Tomas's answer. From my reading, I realized that WildFly would add CVE fixes whenever possible, but I was still hoping that there would be a tracking system that allowed users to determine when they had been added.
Agree. For example, I was looking at the release notes for 7.0.2.Final and could not find any information on CVEs that are in this release. Can I assume that the only CVEs that are fixed are from the Red Hat website?
Siva Subramaniam wrote:
Can I assume that the only CVEs that are fixed are from the Red Hat website?
7.0.2 was a community-only release without any EAP counterpart at that time (EAP 6.0 dev started with 7.1.1 as base);
in releases like that you can go through the list of fixed JIRA issues. We don't hide anything; code always tells the truth.
Thank you for the info. I am compiling a CVE list for 7.2.0.Final (CVEs which have been fixed in this release) and a CVE list for WildFly. I looked at the release notes for 7.2.0.Final and the issues (JIRA) for WildFly and cannot find any matches. Examples: 7.2.0.Final: CVE-2012-5629/RHSA-2013:0234-1/Bugzilla#885569 (cannot find this anywhere); WildFly 8.x.x: CVE-2013-4213/RHSA-2013:1437-1/Bugzilla#985359.
was the one you are looking for; they are all linked with the EAP ones. To be fair, issues around EAP 6.0.1 to EAP 6.1 are a bit more messy as there was a migration JIRA --> Bugzilla,
but everything can still be found.
Thank you. As I am compiling a complete CVE list for WildFly (post 7.2.0.Final), I need some guidance here. From the MITRE CVE website (also linked to the NVD website) I did a search for JBoss and got 106 CVEs. Now if I search the issues list in WildFly, I am unable to find any of the CVEs. Examples: CVE-2103-6448, CVE-2012-5575 (I used the descriptive text as my search criteria). There are approximately 340 issues in WildFly. CVE-2012-5575 has been fixed in the EAP 6.1.0 update (Bugzilla #880443); has this been fixed in WildFly?
Are you having any luck finding any CVEs that are being fixed in any version of WildFly?