Best way to keep ourselves informed of security vulnerabilities


Best way to keep ourselves informed of security vulnerabilities

Venkat Pedapati
Hello,

I am looking for ways to keep my team informed about any security vulnerabilities discovered in a specific version of Apache POI.

I went through the general guidelines about security vulnerabilities in Apache projects here: https://www.apache.org/security/. But I don't see any project-specific page that lists or describes security information for Apache POI.

Is there a way to keep track of security vulnerabilities discovered in Apache POI?

Thank you,
Venkat.



Re: Best way to keep ourselves informed of security vulnerabilities

kiwiwings
Hi Venkat,

> Is there a way to keep track of security vulnerabilities discovered in Apache POI?

I know the following sources:

the official CVE list:
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-22766/Apache-POI.html

our change list, which does not necessarily point out security issues:
http://poi.apache.org/changes.html

our sonar instance reports vulnerabilities:
https://sonarcloud.io/dashboard?id=poi-parent

you can verify the source commits / logs, if you like ... but usually we don't write "ATTENTION severe vulnerability" into it ...

and, as with every Apache project, we have a private mailing list, which is only available to committers, where every now and then (maybe once every 1/2 year) we discuss security issues.

Best wishes,
Andi
