
This was extracted (@ 2017-06-21 20:10) from a list of minutes which have been approved by the Board.
Please Note The Board typically approves the minutes of the previous meeting at the beginning of every Board meeting; therefore, the list below does not normally contain details from the minutes of the most recent Board meeting.

Security Team

17 May 2017 [Mark J. Cox / Rich]

Now that Apache is a CVE Candidate Naming Authority, we're starting to clear
up old CVE names which were given to various TLPs over the last 9 years
and that are either public and not yet at cve.mitre.org, or are not
public for various reasons (still in progress, rejected, etc.).

Stats for April 2017:

7 CVEs issued to projects (some may not be public yet).

e-mails to security@

6    Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to "Apache" mentioned in OSS licenses
2    Support question

8    Direct Vulnerability report to security@apache.org
  2 [fineract]
  1 [cayenne]
  1 [site]
  1 [logging]
  1 [tika]
  1 [thrift]
  1 [openmeetings]

10    Vulnerabilities reported to projects
  5 [cloudstack]
  3 [tomcat]
  1 [trafficcontrol]
  1 [hadoop]

19 Apr 2017 [Mark J. Cox / Shane]

Stats for March 2017:

11 CVEs issued to projects (some may not be public yet).

e-mails to security@

12    Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to "Apache" mentioned in OSS licenses
1     Support question

10    Direct Vulnerability report to security@apache.org
  3 [poi]
  1 [infrastructure]
  1 [deltacloud]
  1 [struts]
  1 [axis]
  1 [logging]
  1 [ambari]
  1 [cxf]

13    Vulnerabilities reported to projects
  1 [hive]
  1 [httpd]
  1 [stark]
  1 [cloudstack]
  3 [struts] (+many more asking if RCE affected 1.x)
  2 [tomcat]
  3 [openoffice]
  1 [impala]

15 Mar 2017 [Mark J. Cox / Shane]

Stats for Feb 2017:

8 CVEs issued to projects (some may not be public yet).

e-mails to security@

2    Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to "Apache" mentioned in OSS licenses
2    Support question

10    Direct Vulnerability report to security@apache.org

   3 [site] (3 rejected)
   1 [httpd]
   1 [hbase] (rejected)
   1 [ranger]
   1 [flex]
   1 [struts]
   1 [camel]
   1 [karaf]

9     Vulnerabilities reported to projects

   1 [ambari]
   1 [httpd] (rejected, was PHP)
   1 [zookeeper]
   2 [tomcat]
   1 [brooklyn]
   1 [apex]
   1 [struts]
   1 [ofbiz]

27 Feb 2017 [Mark J. Cox / Shane]

Stats for January 2016:

10 CVEs issued to projects (some may not be public yet).

e-mails to security@

8    Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to "Apache" mentioned in OSS licenses
2    Support question

10    Direct Vulnerability report to security@apache.org

3      [httpd] (1 rejected)
2      [ambari]
1      [archiva]
1      [activemq]
1      [cordova]
1      [axis] (rejected)
1      [lucene]

4     Vulnerabilities reported to projects

2      [struts] (1 rejected)
1      [httpd] (already fixed)
1      [couchdb]

18 Jan 2017 [Mark J. Cox / Bertrand]

Stats for December 2016:

5 CVEs issued to projects (some may not be public yet).

e-mails to security@

8    Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to "Apache" mentioned in OSS licenses
1    Security vulnerability question, but not a vulnerability report

13    Direct Vulnerability report to security@apache.org

1     [brooklyn]
1     [camel]
1     [openmeetings]
1     [couchdb]
1     [lucene]
1     [ant]
1     [apr]
1     [tomee]
1     [camel]
2     [site] rejected
1     [httpd]
1     [cxf]

8     Vulnerabilities reported to projects

1      [struts]
4      [httpd]
1      [nifi]
1      [hadoop]
1      [ofbiz]

21 Dec 2016 [Mark J. Cox / Jim]

The team is still trying to follow up on issues reported via security@
to projects that do not seem to have been dealt with.  While in many
cases this leads to action (or formally closing an issue), there are
still some without action which we will raise to the board in due
course.  We're hoping to find better automated methods of tracking and
reporting on these.

Stats for November 2016:

5 CVEs issued to projects (some may not be public yet).

e-mails to security@

4    Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to "Apache" mentioned in OSS licenses
1    Security vulnerability question, but not a vulnerability report
2    Support question

9    Direct Vulnerability report to security@apache.org

1      [ambari]
1      [lucene]
1      [httpd]
1      [xmlgraphics]
1      [karaf] no response to reporter, OP disclosed after 7 days
1      [site] rejected
1      [axis]
1      [cxf]
1      [commons]

5     Vulnerabilities reported to projects

1      [hadoop]
1      [struts]
2      [httpd]
1      [tomcat]

16 Nov 2016 [Mark J. Cox / Bertrand]

The team is still trying to follow up on issues reported via security@
to projects that do not seem to have been dealt with.  While in many
cases this leads to action (or formally closing an issue), there are
still some without action which we will raise to the board in due
course.  We're hoping to find better automated methods of tracking and
reporting on these.

Stats for October 2016:

2 CVEs issued to projects (some may not be public yet).

e-mails to security@

15    Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to "Apache" mentioned in OSS licenses
1     Security vulnerability question, but not a vulnerability report
2     Support question

1     Direct Vulnerability report to security@apache.org

1     [site]

7     Vulnerabilities reported to projects

1     [zookeeper]
1     [tomcat]
2     [hadoop]
2     [aoo]
1     [cloudstack]

19 Oct 2016 [Mark J. Cox / Chris]

Stats for September 2016:

11 CVEs issued to projects (some may not be public yet).

e-mails to security@

6      Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses
2      Security vulnerability question, but not a vulnerability report
2      Support question

3    Direct Vulnerability report to security@apache.org

1     [commons]
1     [axis]
1     [groovy]

4    Vulnerabilities reported to projects

1     [zookeeper]
1     [hadoop]
1     [httpd]
1     [activemq]

21 Sep 2016 [Mark J. Cox / Shane]

In August the Apache Security Team became an official Mitre Candidate
Naming Authority (CNA).  Previously we were giving blocks of CVE names
to use by Red Hat on request.  Now we have our own block of CVE names
direct from Mitre and are known as the official source when anyone
asks for a CVE name for any non-public vulnerability in any ASF
project.  (This change has minimal process or operational impact at
this time, it also was never obvious where the block came from or the
relationship with Red Hat, so we don't intend any public-visible
commentary about this change).

Stats for August 2016:

11 CVEs issued to projects (some may not be public yet).

e-mails to security@

9      Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses
4      Security vulnerability question, but not a vulnerability report

9    Direct Vulnerability report to security@apache.org

1    [thrift]
4    [site] (rejected)
1    [jackrabbit]
1    [cordova]
1    [brooklyn]
1    [httpd]

7    Vulnerabilities reported to projects

2      [httpd]
1      [struts]
1      [tomcat]
1      [hadoop]
1      [sling]
1      [trafficserver]

17 Aug 2016 [Mark J. Cox / Bertrand]

Stats for July 2016:

10 CVEs issued to projects (some may not be public yet).

e-mails to security@

7      Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses

12    Direct Vulnerability report to security@apache.org

1      [httpd] (httpoxy)
1      [ofbiz]
1      [wicket]
1      [tika]
1      [axis]
1      [myfaces]
3      [site] (comments.apache.org valid issue addressed, 1 rejected, 1 open)
1      [ranger]
1      [blazeds]

13    Vulnerabilities reported to projects

3      [httpd]
3      [tomcat]
3      [openoffice]
1      [struts]
1      [hadoop]
1      [sling]
1      [hadoop]

20 Jul 2016 [Mark J. Cox / Mark]

Currently Apache allocates CVE names from a pool of names given to us
by Red Hat, with Red Hat being the official Candidate Naming Authority
(CNA).  We approached Mitre some years ago with a view to becoming our
own CNA so we get our own blocks of names.  We've kickstarted this
process again and hope to conclude it by the next report.

Stats for June 2016:

14 CVEs issued to projects (some may not be public yet).

e-mails to security@

8      Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses

10    Direct Vulnerability report to security@apache.org

1     [httpd] (rejected)
2     [site] (rejected)
1     [qpid]
1     [ofbiz]
1     [cxf]
1     [solr]
1     [poi]
1     [directory]
1     [various] (rejected)

18    Vulnerabilities reported to projects

2     [httpd]
8     [struts] (some rejected)
1     [hadoop]
3     [tomcat] (all rejected)
2     [openoffice]
1     [cloudstack]
1     [cordova]

15 Jun 2016 [Mark J. Cox / Mark]

Following the discussion from Mark Thomas at the last board meeting, we
discussed a plan for handling of security issues that are repeatedly
ignored by a PMC (determined by history of dealing with the PMC/issue
severity/issue history).  We will draft a mail ready to be sent to the
issue reporter which outlines the steps we made to contact the PMC and
our suggested next action (usually that the reporter posts the details
of the issue public in some forum such as the oss-security list).
That draft will be sent to the PMC as our final attempt to get the PMC
to respond and work with the reporter, and after some further period
of inactivity will be sent to the reporter and recorded in the next
board report.

Stats for May 2016:

10 CVEs issued to projects (some may not be public yet).

e-mails to security@

3      Support questions
2      Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses

12    Direct Vulnerability report to security@apache.org

1     [juddi]
1     [comdev]
2     [site] rejected
1     [ranger]
1     [qpid]
1     [axis]
1     [wicket]
1     [flex]
1     [openmeetings]
1     [oozie]
1     [archiva]

1    Vulnerabilities reported to projects

1     [commons]

18 May 2016 [Mark J. Cox / Bertrand]

Stats for Apr 2016:

9 CVEs issued to projects (some may not be public yet).

e-mails to security@

3      Support questions
3      Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses

9    Direct Vulnerability report to security@apache.org

3     [site] rejected
1     [santuario]
1     [tika]
1     [continuum]
1     [trafficserver]
1     [myfaces]
1     [activemq]

7    Vulnerabilities reported to projects

4     [struts]
1     [aoo]
2     [ambari]

20 Apr 2016 [Mark J. Cox / Brett]

A little progress has been made reviewing historical reports. We have now
gone back as far as mid-March 2015. The current intention is to continue
back into 2014 but how far back will be determined by the rate at which
overlooked issues are uncovered.

The security team has been evaluating https://srcclr.com/. While it is an
improvement on similar tools and has enabled a handful of projects to
identify vulnerable dependencies, it currently lacks the features required
for it to be useful without being overly burdensome at the ASF. These
features are expected to be made available shortly at which point the
security team will re-evaluate.

The security team is currently tracking 72 open issues. Not all of these
have been confirmed as valid and it is likely some will be rejected.

Some TLPs have failed to respond to vulnerability reports and/or
requests from the security team for updates.

Stats for Mar 2016:

15 CVEs issued to projects (some may not be public yet).

Just over 1000 e-mails to security@

2      Support questions
6      Questions about published security vulnerabilities
3      Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses

11    Direct Vulnerability report to security@apache.org
1      [activemq]
1      [cocoon]
1      [commons]
1      [httpd]
1      [jspwiki]
1      [mina]
1      [openmeetings]
1      [qpid]
1      [shiro]
1      [tomcat]
1      [tomee]

14    Vulnerabilities reported to projects
1      [apex]
1      [cloudstack]
1      [hadoop]
5      [httpd]
5      [struts]
1      [trafficserver]

@Jim: follow up with APR

16 Mar 2016 [Mark J. Cox / David]

The team continues to answer requests to security@ and redirect
as appropriate.

For Feb 2016:

3     Security vulnerability question, but not a vulnerability report
3     Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses

7     Direct Vulnerability report to security@apache.org
 2     [site] (both addressed)
 1     [tomcat]
 1     [commons]
 1     [jackrabbit]
 1     [xerces]
 1     [httpd]

6     Vulnerabilities reported to projects
 1     [sentry]
 1     [struts]
 2     [commons]
 1     [openoffice]
 1     [couchdb]

Greg: How is the review of old reports/follow-through going?

Mark: The exercise is proving to be useful. I intend to keep working back through the archive for as long as it continues to be useful. So far I've gone back a year.

17 Feb 2016 [Mark J. Cox / Rich]

The team continues following up on older reports direct to security@
and ensuring they have been handled by the respective PMCs.

Stats for Jan 2016:

2     Support question
2     Security vulnerability question, but not a vulnerability report
8     Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses

9     Direct Vulnerability report to security@apache.org
 2     [xerces]
 1     [site]
 1     [cordova]
 2     [commons]
 1     [jetspeed]
 1     [httpd]
 1     [activemq]

7     Vulnerabilities reported to projects
 1     [httpd]
 3     [tomcat]
 2     [aoo]
 1     [sling]

20 Jan 2016 [Mark J. Cox / Chris]

Given recent issues with some teams neglecting security reports, the
team has started going back over older reports and ensuring they have
been handled by the respective PMCs.  One issue affecting Ranger
Policy Admin server was allocated CVE-2015-5167 but after 5 months our
requests to private@ranger.incubator.apache.org for updates have not
been responded to.  Raising this for board attention.

Stats for Dec 2015:

2     Support question
11    Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused
 user due to Android licenses

3     Direct Vulnerability report to security@apache.org
 3     [affecting web sites]

15    Vulnerabilities reported to projects
 1     [cloudstack, via security@cloudstack]
 6     [tomcat, via security@tomcat]
 3     [httpd, via security@httpd] (one not ASF issue)
 1     [aoo site, via security@openoffice]
 2     [aoo, via officesecurity@lists.freedesktop.org]
 2     [aoo, via security@openoffice]

16 Dec 2015 [Mark J. Cox / Brett]

Apologies for the lack of a report last month and the late report this time, due
to a process issue (the trigger to commit the report used to be the
"Is Now Due" mail, which has not been received in recent months).
However, there were no significant issues to report.

Given recent issues with some teams ignoring security reports, the
team has started going back over older reports and ensuring they have
been handled by the respective PMCs.

Stats for Oct 2015:

1     Support question
3     Security vulnerability question, but not a vulnerability report
7     Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
1     vulnerability report [httpd, via security@]
2     vulnerability report [tomcat, via security@tomcat]
1     vulnerability report [flex, via security@]
1     vulnerability report [hadoop, via security@hadoop]

Stats for Nov 2015:

3     Support question
2     Security vulnerability question, but not a vulnerability report
13    Phishing/spam/proxy/attacks point to site "powered by Apache" or Confused user due to Android licenses
1     vulnerability report [hadoop, via security@hadoop]
1     vulnerability report [jetty, via security@]
1     vulnerability report [infra, via security@] not an issue
1     vulnerability report [beanutils, via security@]
5     vulnerability reports [httpd, via security@] none are issues
1     vulnerability report [sling, via security@]
1     vulnerability report [hadoop, via security@]
1     vulnerability report [ofbiz, via security@]
1     vulnerability report [php, via security@] redirected to PHP project

18 Nov 2015

A report was expected, but not received

21 Oct 2015 [Mark J. Cox / Greg]

Some concern last month due to non-response of TomEE to a security
issue we passed to the PMC list on 21st May 2015, which has had no response
or ack to date.  Please can the board remind the TomEE PMC of their need to
follow the security process in a timely manner.

Short stats for September 2015, a very quiet month in which we
received:

6     Support question
3     Security vulnerability question, but not a vulnerability report
10    Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses

Vulnerability reports to security@apache.org:

1     [httpd] (rejected, bug only)

16 Sep 2015 [Mark Cox / Chris]

Short stats for August 2015, we received:

1 Support question
9 Phishing/spam/proxy/attacks point to site
 "powered by Apache" or Confused user due to Android licenses

Vulnerability reports to security@apache.org:

1     [tomcat] closed, user error
1     [ambari]
2     [httpd]

Vulnerability reports direct to projects:

1     [aoo, via officesecurity@freedesktop]
2     [struts, via security@struts]
1     [sentry, via security@sentry]

19 Aug 2015 [Mark Cox / David]

Short stats for July, we received:

2 Security vulnerability question, but not a vulnerability report
9 Phishing/spam/proxy/attacks point to site
 "powered by Apache" or Confused user due to Android licenses

Vulnerability reports:

1     [cloudstack, via security@cloudstack]
1     [couchdb, via security@couchdb]
1     [struts, via security@struts]
1     [hive, via security@hive]

1     [commons, via security@ and direct]
1     [httpd, via security@]
1     [thrift, via security@]
1     [trafficserver, via security@]
1     [blaze, via security@]
1     [apr, via security@]
1     [groovy via security@]
1     [allura, via security@]

15 Jul 2015 [Mark Cox / Bertrand]

Yann Ylavic joined security committee.  Short stats for June.  We
received:

 3 Support question
20 Phishing/spam/proxy/attacks point to site
   "powered by Apache" or Confused user due to Android licenses

Vulnerability reports:

2     [struts, via security@struts] (1 rejected)
2     [notus, via security@] redirected to php
2     [httpd, via security@httpd] 1 rejected
2     [aoo, via officesecurity@lists.freedesktop.org]
1     [aoo, via security@] rejected
1     [ambari, via security@]
1     [poi, via security@]
1     [hadoop, via security@hadoop]
1     [xalan, via security@]
1     [camel, via security@]
1     [site, via security@] rejected
1     [directory, via security@]
1     [sling, via security@sling]
1     [groovy, via security@]
1     [activemq, via security@]

17 Jun 2015 [Mark Cox / Chris]

Short stats for May.  We received:

1      Support question
6      Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses

Vulnerability reports:

3     [httpd, via security@] (1 rejected)
1     [axis, via security@]
1     [site, via security@] rejected
1     [jackrabbit, via security@]
1     [activemq, via security@]
1     [various, via security@]
1     [tomee, via security@]

1     [hive, via security@hive] rejected
1     [struts, via security@struts]

20 May 2015 [Mark Cox / Bertrand]

Quick stats for April:

1     Support question
18    Phishing/spam/proxy/attacks point to site "powered by Apache" or
 Confused user due to Android licenses

Vulnerability reports:

1     [httpd, via security@httpd]
1     [struts, via security@struts]
2     [cordova, via private@cordova]
1     [httpd, via security@httpd]
2     [site, via security@] server-status again rejected
1     [cordova, via security@]

It was noticed that Axis PMC have not responded to all the security
issues forwarded to them, and those that have were not correctly cc'd
to security@.  We would suggest the board remind Axis PMC of the
responsibility in handling external security vulnerability
notifications.

It was noticed that there was an issue with communication with Xerces
PMC, this was found to be partially due to the failure to moderate
messages to private@.  No board action required.

In the past month the Apache Tomcat project became aware of two
instances where embargoed Tomcat security vulnerability information
was accidentally published by Red Hat. After discussions with Red Hat,
the Tomcat team are confident that both publications had the same root
cause; that procedures have been put in place by Red Hat to prevent
similar errors occurring again; and that no further action is
required.

22 Apr 2015 [Mark Cox / Brett]

There continues to be a steady stream of reports of various kinds
arriving at security@. These continue to be dealt with by the security
team.

March 2015

3 Support Question
5 Confused user probably due to Android licenses
11 Vulnerability reports to security@apache.org
 3 [site] rejected
 2 [httpd]
 1 [solr]
 1 [camel]
 1 [ambari]
 1 [activemq]
 1 [flex]
 1 [cordova]
5 Vulnerability reports to projects own security lists
 1 [sling]
 1 [hive]
 1 [httpd]
 1 [struts]
 1 [tomcat] rejected

18 Mar 2015 [Mark Cox / Brett]

There continues to be a steady stream of reports of various kinds
arriving at security@. These continue to be dealt with by the security
team.

http://apache.org/security/committers.html updated to explain CVE name
progress

February 2015

3 Confused user probably due to Android licenses

7 Vulnerability reports to security@apache.org
 2 [xerces]
 1 [wink]
 1 [trafficserver]
 1 [ant]
 1 [httpd]
 1 [commons]

4 Vulnerability reports to projects own security lists
 1 [svn]
 1 [cloudstack]
 1 [aoo]
 1 [sling]

18 Feb 2015 [Mark Cox / Doug]

There continues to be a steady stream of reports of various kinds
arriving at security@. These continue to be dealt with by the security
team.

January 2015

2 Support question
2 Security vulnerability question, but not a vulnerability report
6 Confused user probably due to Android licenses

8 Vulnerability reports to security@apache.org
 2 [tomcat] (1 rejected)
 1 [xerces]
 1 [site] rejected
 1 [cassandra]
 1 [batik]
 1 [httpd]
 1 [roller]

4 Vulnerability reports to projects own security lists
 1 [hadoop]
 2 [tomcat]
 1 [struts]

21 Jan 2015 [Mark Cox / Chris]

We see a number of confused messages come to security@ every week
where people say they have been hacked, or they never installed our
software.  These were different to what happened in previous years
when people saw "powered by Apache" on a web page that was in outage
and thought we'd hacked them.

In December we emailed a number of these people (we usually ignore
them) to try to figure out what they were seeing.  Only one responded
to me, and we figured out that what they saw was a license page for
"Guava" on their Android mobile.  The Guava license mentions it's
under the Apache License.  The user didn't know what Guava was, didn't
remember installing it (they didn't), and assumed that whatever other
things were happening on their handset was the result of this
software.

Aside from these; there continues to be a steady stream of reports of
various kinds arriving at security@. These continue to be dealt with
by the security team.

December 2014

2 Support questions
5 Phishing/spam/proxy/attacks point to site "powered by Apache" or Android
 license bundle

8 Vulnerability reports to security@apache.org
      2 [httpd]
      2 [site] rejected
      1 [cxf]
      1 [camel/dozer]
      1 [qpid]
      1 [xerces]

3 Vulnerability reports to projects own security lists
      1 [oo]
      2 [tomcat] (1 rejected)

17 Dec 2014 [Mark Cox / Rich]

There continues to be a steady stream of reports of various kinds
arriving at security@. These continue to be dealt with by the security
team.

November 2014

1 Security vulnerability question, but not a vulnerability report

6 Vulnerability reports to security@apache.org
 2 [httpd]
 1 [site] rejected
 1 [xerces]
 1 [trafficserver]
 1 [tomcat]

7 Vulnerability reports to projects own security lists
 2 [struts]
 2 [oo]
 1 [couchdb]
 1 [cloudstack]
 1 [spamassassin]

19 Nov 2014 [Mark Cox / Chris]

September 2014

3 Support question
1 Security vulnerability question, but not a vulnerability report

11 Vulnerability reports to security@apache.org
 3 [tomcat] (1 invalid)
 2 [site] rejected
 1 [cordova]
 1 [httpd] rejected
 1 [james]
 1 [activemq]
 1 [solr]
 1 [qpid]

8 Vulnerability reports to projects own security lists
 3 [cloudstack]
 2 [oo]
 1 [trafficserver]
 1 [hadoop]
 1 [hive]

15 Oct 2014 [Mark Cox / Greg]

Apologies for lack of report last month; I used to trigger the commit
on receiving the 2nd reminder.

There continues to be a steady stream of reports of various kinds
arriving at security@. These continue to be dealt with by the security
team.

Some press and researchers believed there was a new Apache worm, but
it wasn't:
http://bighacks.net/chroot-apch0day-apache-exploit-explained/

The Bash vulnerabilities CVE-2014-6271 (etc.) are being actively
exploited via Apache httpd, most commonly where sites have CGI scripts
written in Bash.  (The exploit conditions do limit the number of
affected servers.)

August 2014

1 Support question
4 Security vulnerability question, but not a vulnerability report

11 Vulnerability reports to security@apache.org
 7 [website] (5 invalid)
 1 [activemq]
 1 [axis]
 1 [hadoop]
 1 [httpd]

5 Vulnerability reports to projects own security lists
 1 [openoffice]
 1 [tomcat]
 1 [cloudstack]
 1 [poi]
 1 [svn]

September 2014

2 Support question
2 Security vulnerability question, but not a vulnerability report

9 Vulnerability reports to security@apache.org
 2 [httpd] (1 invalid)
 1 [commons]
 1 [website] (invalid)
 1 [camel]
 1 [spark]
 1 [ambari]
 1 [subversion]
 1 [spamassassin] (invalid)

5 Vulnerability reports to projects own security lists
 1 [struts] (invalid)
 1 [openoffice]
 1 [tomcat]
 1 [hadoop]
 1 [sling] (rejected)

17 Sep 2014

A report was expected, but not received

20 Aug 2014 [Mark Cox / Rich]

There continues to be a steady stream of reports of various kinds
arriving at security@ in July. These continue to be dealt with by
the security team.

July 2014

1 Support question
1 Phishing/spam/proxy/attacks point to site "powered by Apache"
11 Vulnerability reports to security@apache.org
 3 [website] (closed, invalid)
 2 [trafficserver]
 2 [httpd]
 1 [hc]
 1 [solr/poi/tika]
 1 [axis]
 1 [activemq]

6 Vulnerability reports to projects own security lists
 2 [tomcat]
 1 [subversion]
 1 [sling]
 1 [struts]
 1 [openoffice]

16 Jul 2014 [Mark Cox / Chris]

There continues to be a steady stream of reports of various kinds
arriving at security@ in April. These continue to be dealt with by
the security team.  Apologies for lack of update last month due to
a missed reminder.  You'll notice a trend for reports against the
Apache website which are so far all false positives caused by
people who run third party scanning tools and don't bother to
interpret the results (for example reporting that you can access
a directory listing).  These also included reports that www.apache.org
had a public server status page, which although deliberate for many
years, we asked infrastructure to remove (and is now done).

May 2014

13 Vulnerability reports to security@apache.org
 8 [website] (all 8 closed, invalid)
 1 [karaf]
 1 [axis] (rejected)
 1 [commons]
 1 [httpd]
 1 [trafficserver]

6 Vulnerability reports to projects own security lists
 2 [tomcat]
 1 [couchdb]
 1 [hive]
 1 [hadoop]
 1 [struts]

June 2014

8 Support question
3 Phishing/spam/proxy/attacks point to site "powered by Apache"
11 Vulnerability reports to security@apache.org
 8 [website] (8 closed, invalid)
 1 [shindig] (closed, invalid)
 1 [ofbiz]
 1 [cordova]

6 Vulnerability reports to projects own security lists
 3 [tomcat]
 1 [struts] (closed, not issue)
 1 [cloudstack]
 1 [httpd]

18 Jun 2014

A report was expected, but not received

21 May 2014 [Mark Cox / Roy]

There continues to be a steady stream of reports of various kinds
arriving at security@ in April. These continue to be dealt with by
the security team.

April 2014

1 Support question
2 Phishing/spam/proxy/attacks point to site "powered by Apache"
2 Security vulnerability question, but not a vulnerability report

9 Vulnerability reports to security@apache.org
 3 [website] (3 closed, invalid)
 1 [axis]
 1 [maven] (closed, invalid)
 1 [httpd]
 1 [solr]
 1 [poi]
 1 [struts]

9 Vulnerability reports to projects own security lists
 6 [struts] (1 closed, not issue)
 1 [cloudstack]
 1 [hadoop] (closed, invalid)
 1 [tomcat]

16 Apr 2014 [Mark Cox / Sam]

There continues to be a steady stream of reports of various kinds
arriving at security@ in March. These continue to be dealt with by
the security team.

March 2014

1 Support question
2 Phishing/spam/proxy/attacks point to site "powered by Apache"

8 Vulnerability reports to security@apache.org
 1 [traffic-server]
 3 [website] (closed, not issue)
 2 [httpd] (closed, not issue)
 1 [couchdb] (complete)
 1 [syncope] (in progress)

4 Vulnerability reports to projects own security lists
 2 [hadoop]
 1 [geronimo]
 1 [httpd]

19 Mar 2014 [Mark Cox / Shane]

There continues to be a steady stream of reports of various kinds
arriving at security@ in Feb. These continue to be dealt with by
the security team.

Feb 2014

3 Support question
1 Security vulnerability question, but not a vulnerability report
11 Vulnerability reports to security@apache.org
 1 [traffic server]
 1 [logging]
 1 [poi]
 1 [archiva]
 3 [httpd]
 2 [cordova]
 1 [cxf]
 1 [tomcat]

4 Vulnerability reports to projects own security lists
 1 [sling]
 1 [struts]
 2 [tomcat]

19 Feb 2014 [Mark Cox / Brett]

There continues to be a steady stream of reports of various kinds
arriving at security@ in Jan. These continue to be dealt with by
the security team.

Some effort was made this month to start to chase some old issues
which we forwarded to projects but where there was no visible progress.
One of these was escalated to the board after the reporter had no
response for 6 months (the discussion was ongoing at the time of this
report, but in general the difficulty is where a PMC does not have
complete technical coverage of the project, in these cases we should
make sure the PMC build a separate security team of the folks who can
handle issues.  This is in no way an ASF-only issue, we see exactly
the same problems with other upstreams including Linux kernel etc.)

Jan 2014

1 Security vulnerability question, but not a vulnerability report
4 Phishing/spam/proxy/attacks point to site "powered by Apache"
5 Vulnerability reports to security@apache.org
 1 [cordova]
 1 [directory]
 1 [roller]
 1 [archiva]
 1 [shiro]
10 Vulnerability reports to projects own security lists
 2 [tomcat]
 2 [camel]
 2 [struts]
 1 [cloudstack]
 2 [aoo]
 1 [hadoop]

15 Jan 2014 [Mark Cox / Chris]

There continues to be a steady stream of reports of various kinds
arriving at security@ in Nov/Dec. These continue to be dealt with by
the security team.

Nov 2013

4  Support question
1  Security vulnerability question, but not a vulnerability report
1  Phishing/spam/attacks point to site "powered by Apache"
19 Vulnerability Reports
 1 [axis, via security@apache.org]
 1 [hadoop, via security@hadoop]
 1 [sling, via security@sling]
 1 [tomcat, via security@tomcat]
 15 [cloudstack, via security@cloudstack]

Dec 2013

3  Support question
1  Security vulnerability question, but not a vulnerability report
9  Phishing/spam/proxy/attacks point to site "powered by Apache"
8  Vulnerability reports
 1 [tomcat, via security@tomcat]
 1 [site, via security@]
 2 [httpd, via security@]
 1 [cordova, via security@]
 2 [commons, via security@]
 1 [roller, via security@]

18 Dec 2013

A report was expected, but not received

20 Nov 2013 [Mark Cox / Jim]

There continues to be a steady stream of reports of various kinds
arriving at security@ in October. These continue to be dealt with by
the security team.

1 Support question
5 Security vulnerability question, but not a vulnerability report
2 Phishing/spam/attacks point to site "powered by Apache"
9 Vulnerability Reports
 1 [httpd, via security@]
 1 [aoo, via security@openoffice]
 1 [cloudstack, via security@cloudstack]
 4 [tomcat, via security@tomcat]
 2 [hadoop, via security@hadoop]

Microsoft, Facebook, and others launched a program offering a bug
bounty for flaws found in Apache httpd, https://hackerone.com/ibb
designed to run without interaction or endorsement by the ASF, but
we'll report how that actually works out in future months.

16 Oct 2013 [Mark Cox / Shane]

There continues to be a steady stream of reports of various kinds
arriving at security@, a large number of reports in October. These
continue to be dealt with by the security team.

2 Support question
2 Security vulnerability question, but not a vulnerability report
1 Phishing/spam/attacks point to site "powered by Apache"
14 Vulnerability Reports
 4 [httpd, via security@]
 1 [tomee, via security@]
 3 [struts, via security@]
 1 [xbean, via security@]
 1 [camel, via security@]
 1 [wink, via security@]
 2 [struts, via security@struts]
 1 [sling, via security@sling]

18 Sep 2013 [Mark Cox / Shane]

There continues to be a steady stream of reports of various kinds
arriving at security@, a large number of reports in August. These
continue to be dealt with by the security team.

3 Support question
3 Security vulnerability question, but not a vulnerability report
1 Phishing/spam/attacks point to site "powered by Apache"
19 Vulnerability Reports
 1 [struts, via security@]
 4 [httpd, via security@]
 1 [shindig, via security@]
 1 [tomcat, via security@]
 1 [xalan-j, via security@]
 1 [hadoop, via security@hadoop]
 3 [struts, via security@struts]
 2 [tomcat, via security@tomcat]
 3 [cloudstack, via security@cloudstack]
 1 [sling, via security@sling]
 1 [svn, via security@subversion]

21 Aug 2013 [Mark Cox / Greg]

There continues to be a steady stream of reports of
various kinds arriving at security@. These continue to be dealt with
by the security team.

1 Support question
1 Security vulnerability question, but not a vulnerability report
4 Phishing/spam/attacks point to site "powered by Apache"
7 Vulnerability reports
 3 [struts, via security@struts]
 1 [infrastructure, via security@]
 1 [sling, via security@sling] CVE-2013-2254
 1 [roller, via security@]
 1 [jackrabbit, via security@]

17 Jul 2013 [Mark Cox / Bertrand]

There continues to be a steady stream of reports of
various kinds arriving at security@. These continue to be dealt with
by the security team.

3 Support question
2 Phishing/spam/attacks point to site "powered by Apache"
15 Vulnerability reports
 2 [aoo, via officesecurity@lists.freedesktop.org] [1 closed]
 1 [sling, via security@sling]
 2 [httpd, via security@] [CLOSED]
 1 [cloudstack, via security@cloudstack]
 1 [hadoop, via security@hadoop]
 1 [archiva, via security@]
 1 [various, via security@] [CLOSED]
 2 [ofbiz, via security@]
 1 [tomcat, via security@]
 1 [tomcat, commons via security@] [CLOSED]
 1 [hbase, via security@hadoop, private@hbase]
 1 [struts, via security@struts]

19 Jun 2013 [Mark Cox / Bertrand]

For May 2013: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

7      Support question
5      Phishing/spam/attacks point to site "powered by Apache"
9      Vulnerability reports
 2 [httpd, via security@] [1 CLOSED]
 3 [struts, via security@struts] [1 CVE-2013-2115 CLOSED]
 1 [xerces-j, via security@] [CLOSED]
 1 [aoo, via officesecurity@lists.freedesktop.org]
 1 [solr, via security@] [CLOSED]
 1 [cloudstack, via security@cloudstack]

15 May 2013 [Mark Cox / Greg]

For Apr 2013: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

5      Support question
1      Security vulnerability question, but not a vulnerability report
5      Phishing/spam/attacks point to site "powered by Apache"
12     Vulnerability reports
 1 [cloudstack, via private@cloudstack and security@]
 2 [tomcat, via security@tomcat] [CLOSED]
 1 [tomee, via security@]
 1 [ofbiz, via security@]
 1 [ACS, via security@ and private@cloudstack]
 2 [httpd, via security@] [1 CLOSED]
 1 [Santuario, via security@]
 1 [struts, via security@struts]
 1 [xerces-j2, via security@]
 1 [tapestry, via security@]

17 Apr 2013 [Mark Cox / Roy]

For Mar 2013: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

5      Support question
4      Phishing/spam/attacks point to site "powered by Apache"
9      Vulnerability reports
 1 [rave, via security@httpd] [CLOSED, CVE-2013-1814]
 2 [ActiveMQ, via security@] [CLOSED]
 1 [axis, via security@]
 1 [tomcat, via security@]
 1 [qpid, via security@ and private@qpid]
 1 [httpd, via security@]
 1 [subversion, via security@ and private@subversion]
 1 [openoffice, via officesecurity@lists.freedesktop.org]

20 Mar 2013 [Mark Cox / Sam]

For Feb 2013: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

3      Support question
1      Security vulnerability question, but not a vulnerability report
6      Vulnerability reports
 1 [httpd, via security@httpd]
 1 [subversion, via security@] [CLOSING]
 1 [geronimo, via security@geronimo] [CLOSING]
 1 [httpd, via security@] [CLOSED, not security]
 1 [infrastructure, via security@] [CLOSED, not security]
 1 [tomcat, via security@]

20 Feb 2013 [Mark Cox / Greg]

For Jan 2013: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

3      Support question
2      User was hacked, but it wasn't ASF software at fault
7      Vulnerability reports
 1 [directory, via security@apache.org] [CLOSED, not an issue]
 1 [ofbiz, via security@apache.org] [CLOSED, dev version only]
 1 [httpd, via security@apache.org] [CLOSED, not httpd]
 1 [httpd, via security@apache.org] [STALLED, waiting for reporter]
 1 [tomcat, via security@apache.org] [CLOSED, not an issue]
 1 [tomcat, via security@tomcat.apache.org] [CLOSED, not an issue]
 1 [maven, via security@apache.org]

Since the new year we have started a weekly review of open issues to
try to catch situations where the security team have not forwarded
reports correctly or where the project has not responded to the
reporter.

16 Jan 2013 [Mark Cox / Brett]

For Dec 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

4      Support question
1      Security vulnerability question, but not a vulnerability report
2      Phishing/spam/attacks point to site "powered by Apache"
6      Vulnerability reports
  2 [httpd, via security@apache.org]
  1 [tomcat, via security@tomcat.apache.org]
  1 [commons, via security@apache.org]
  1 [openoffice, via security@openoffice.apache.org]
  1 [not asf project, via security@apache.org]

For the calendar year 2012 as a whole we saw

27    Support questions (31 in 2011)
18    Security vulnerability question, but not a vulnerability report
  (19 in 2011)
18    Phishing/spam/attacks point to site "powered by Apache" (15 in 2011)
0     User was hacked, but it wasn't ASF software at fault (0 in 2011)
78    Vulnerability reports  (60 in 2011)
 38 of which came in to security@apache.org, the others direct
   to projects
 25 projects got vulnerability reports, top 4 accounted for majority:
      21% httpd
      15% tomcat
      11% openoffice
      10% hadoop

Note that not all vulnerability reports are valid or lead to a
security fix being issued; we do not track this (resource intensive to
capture).  However in 2012 we managed to annoy several reporters by
failing to respond to their reports in a reasonable time; this is
because our process [http://apache.org/security/committers.html]
relies on the project following up with the reporter and the security
team does not track if this has been done.  Given the relatively low
number of real reports, for 2013 we'll try some approaches to better
close the loop.

19 Dec 2012 [Mark Cox / Rich]

For Nov 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

1      Phishing/spam/attacks point to site "powered by Apache"
3      Vulnerability reports
 1 [cloudstack, via security@apache.org]
 1 [trafficserver, via security@apache.org]
 1 [commons, via security@apache.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

21 Nov 2012 [Mark Cox / Ross]

For Oct 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

2      Support question
1      Security vulnerability question, but not a vulnerability report
1      Phishing/spam/attacks point to site "powered by Apache"
10     Vulnerability report
 3 [httpd, 2 via security@httpd.apache.org, 1 via security@apache.org]
 2 [tomcat, via security@tomcat.apache.org]
 2 [hadoop, via security@hadoop.apache.org]
 1 [struts, via security@struts.apache.org]
 1 [cloudstack, via security@apache.org] CVE-2012-4501
 1 [cordova, via security@apache.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

17 Oct 2012 [Mark Cox / Bertrand]

For Sept 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

4      Support question
1      Security vulnerability question, but not a vulnerability report
4      Phishing/spam/attacks point to site "powered by Apache"
6      Vulnerability report
 2 [tomcat, via security@tomcat.apache.org]
 1 [solr, via security@apache.org]
 3 [hadoop, via security@hadoop.apache.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

19 Sep 2012 [Mark Cox / Jim]

For August 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

1     Support question
3      Security vulnerability question, but not a vulnerability report
9     Vulnerability reports of which:
 1 [axis, via security@apache.org]
 3 [httpd, via security@apache.org]
 1 [james, via root@apache.org]
 1 [ofbiz, via security@apache.org]
 1 [tapestry, via security@apache.org]
 1 [infrastructure, via security@apache.org]
 1 [ooo, via ooo-security@incubator.apache.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

15 Aug 2012 [Mark Cox / Greg]

For July 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

1     Support question
1     Phishing/spam/attacks point to site "powered by Apache"
5     Vulnerability reports of which:
 2 [tomcat, via security@tomcat.apache.org]
 1 [rave, via security@tomcat.apache.org]
 1 [batik/fop, via security@apache.org]
 1 [libcloud, via security@apache.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

25 Jul 2012 [Mark Cox / Greg]

For June 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

2     Support question
2     Security vulnerability question, but not a vulnerability report
1     Phishing/spam/attacks point to site "powered by Apache"
8     Vulnerability reports of which:
 1 [tomcat, via security@tomcat.apache.org]
 1 [apacheds, via security@apache.org] (already resolved in latest)
 1 [tomcat, via security@tomcat.apache.org] (not an issue)
 1 [struts, via security@struts.apache.org]
 1 [sling, via security@sling.apache.org]
 3 [infrastructure, via security@apache.org]
   all 3 reported that apache.org/server-status was public (deliberate)

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

20 Jun 2012 [Mark Cox / Jim]

For May 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

2      Support question
3      Phishing/spam/attacks point to site "powered by Apache"
5      Vulnerability reports, of which:
 3  [aoo, via officesecurity@lists.freedesktop.org]
 1  [httpd, via security@apache.org]
 1  [hadoop, via security@hadoop.apache.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

16 May 2012 [Mark Cox / Doug]

For April 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

1      Support question
2      Phishing/spam/attacks point to site "powered by Apache"
9      Vulnerability reports, of which:
 2  [httpd, via security@apache.org]
 2  [aoo, via officesecurity@lists.freedesktop.org]
 2  [sling, via security@sling.apache.org]
 1  [roller, via security@apache.org]
 1  [tomcat, via security@apache.org]
 1  [commons, via security@apache.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

18 Apr 2012 [Mark Cox / Jim]

For March 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

2      Security vulnerability question, but not a vulnerability report
7      Vulnerability reports, of which:
 1  [tomcat, via security@apache.org]
 1  [ds, via security@apache.org]
 2  [hadoop, via security@hadoop.apache.org]
 1  [httpd, via security@apache.org]
 1  [aoo, via officesecurity@lists.freedesktop.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

21 Mar 2012 [Mark Cox / Sam]

For February 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

5      Support question
2      Security vulnerability question, but not a vulnerability report
6      Vulnerability reports, of which:
 1  [xerces, via security@apache.org]
 1  [httpd, via security@apache.org]
 2  [struts, via security@struts.apache.org]
 1  [tomcat, via security@tomcat.apache.org]
 1  [poi, via security@apache.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

15 Feb 2012 [Mark Cox / Shane]

For January 2012: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

5      Support question
2      Security vulnerability question, but not a vulnerability report
3      Phishing/spam/attacks point to site "powered by Apache"
6      Vulnerability reports, of which:
 2  [httpd, via security@apache.org]
 1  [ws, via security@apache.org]
 1  [apr, via security@apache.org]
 1  [oo, via oo-security@incubator.apache.org]
 1  [struts, via security@struts.apache.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

24 Jan 2012 [Mark Cox / Jim]

For December 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

3      Support question
2      Phishing/spam/attacks point to site "powered by Apache"
6      Vulnerability reports, of which:
 3  [httpd, via security@apache.org]
 1  [httpd, via security@httpd.apache.org]
 1  [oo, via securityteam@openoffice.org and officesecurity@lists.freedesktop.org]
 1  [struts, via security@struts.apache.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

21 Dec 2011 [Mark Cox / Jim]

For November 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

5      Support question
1      Security vulnerability question, but not a vulnerability report
8      Vulnerability reports, of which:
 3  [httpd, via security@apache.org]
 2  [tomcat, via security@tomcat.apache.org]
 1  [tomcat, via security@apache.org]
 1  [myfaces, via security@apache.org]
 1  [oo, via securityteam@openoffice.org]

The Security project really performs two duties: we receive incoming
reports of security vulnerabilities in ASF software, and we help
projects understand and deal with such reported security
vulnerabilities.  These reports come to security@apache.org, usually
from parties outside of the ASF.  We keep track of metrics of how many
issues get reported, and in what way, along with the number of
non-security reports, just to give the board an idea of the magnitude
of external reports and for trending.  Once an issue is passed to the
appropriate PMC we no longer track it, and therefore we can't give
overall summaries of how quickly the ASF responds to issues, severity
trending, or total vulnerability counts including those issues
reported directly to a PMC or found by ASF members internal to a
project.  Because our interaction with each issue is minor, there isn't
much additional information we can give in our monthly reports.

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

16 Nov 2011 [Mark Cox / Doug]

For October 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

7      Support question
2      Security vulnerability question, but not a vulnerability report
6      Vulnerability reports, of which:
 1  [httpd, via security@httpd.apache.org]
 1  [tomcat, via security@apache.org and geronimo via security@geronimo.apache.org]
 1  [httpd, via security@apache.org]
 2  [oo, via securityteam@openoffice.org]

Reminder: vulnerability handling process explained at
http://apache.org/security/committers.html

It was noted that Larry has an existing action item to discuss security protocol with this PMC. Larry indicated that he will follow up via e-mail.

26 Oct 2011 [Mark Cox / Greg]

For September 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

4     Support question
3     Security vulnerability question, but not a vulnerability report
6     Vulnerability reports, of which:
 3 [httpd, via security@apache.org]
 1 [commons, via security@apache.org]
 2 [struts, via security@struts.apache.org]

21 Sep 2011 [Mark Cox / Doug]

For August 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.  August saw the HTTPD team spend a lot of effort
on CVE-2011-3192 (byterange remote DoS, apache-killer.pl).

2     Support question
2     Security vulnerability question, but not a vulnerability report
2     Phishing/spam/attacks point to site "powered by Apache"
6     Vulnerability reports, of which:
 1     Vulnerability report [tomcat, via security@tomcat.apache.org] [CLOSED]
 1     Vulnerability report [struts, via security@struts.apache.org]
 4     Vulnerability report [httpd, via security@apache.org]

17 Aug 2011 [Mark Cox / Sam]

For July 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

1     Support question
3     Phishing/spam/attacks point to site "powered by Apache"
7     Vulnerability reports of which:
 1     Vulnerability report [couchdb, via security@couchdb.apache.org]
 1     Vulnerability report [openoffice, via security@apache.org]
 2     Vulnerability report [tomcat, via security@tomcat.apache.org]
 2     Vulnerability report [httpd, via security@httpd.apache.org]
 1     Vulnerability report [httpcomponents, via security@apache.org]
       [CLOSED]

Note from the last board minutes' question: not all things listed as
"Vulnerability report" turn out to be real vulnerabilities, and if
they are, it's usual for the investigation and final fix to take some
time (especially if a low severity issue), so issues are likely to be
in progress over the course of several status reports and not closed in
the same month.

20 Jul 2011 [Mark Cox / Doug]

For Jun 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

3      Security vulnerability question, but not a vulnerability report
1      Phishing/spam/attacks point to site "powered by Apache"
6      Vulnerability reports
 1      [infrastructure, via security@apache.org]
 1      [multiple projects, via security@apache.org]
 3      [tomcat, via security@tomcat.apache.org]
 1      [httpd, via security@apache.org]

15 Jun 2011 [Mark Cox / Geir]

For May 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

1      Support question
2      Security vulnerability question, but not a vulnerability report
1      Phishing/spam/attacks point to site "powered by Apache"
2      Vulnerability reports
 1      [continuum, via security@apache.org]
 1      [camel, via security@apache.org]

19 May 2011 [Mark Cox / Noirin]

For April 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

1      Support question
4      Vulnerability reports
 1      [infrastructure, via security@apache.org]
 1      [xerces, via security@apache.org]
 1      [httpd, via security@apache.org] CLOSED, not an issue
 1      [struts, via security@struts.apache.org] CLOSED, no issues

20 Apr 2011 [Mark Cox / Sam]

For March 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

2     Support question
2     Security vulnerability question, but not a vulnerability report
4     Phishing/spam/attacks point to site "powered by Apache"
1     Vulnerability report [tomcat, via security@tomcat.apache.org]

16 Mar 2011 [Mark Cox / Shane]

Apologies for the missing report for the Feb board; it was due to a failed
commit.  Here it is:

For January 2011: There continues to be a steady
stream of reports of various kinds arriving at security@.  These
continue to be dealt with by the security team.

5      Support question
2      Security vulnerability question, but not a vulnerability report
1      Phishing/spam/attacks point to site "powered by Apache"
5      Vulnerability reports of which:
 2      Vulnerability report [httpd, via security@apache.org]
 1      Vulnerability report [mod_perl, via security@apache.org]
 1      Vulnerability report [tomcat, via security@apache.org]
 1      Vulnerability report [tomcat, via security@tomcat.apache.org]

For February 2011: There continues to be a steady stream of reports of
various kinds arriving at security@.  These continue to be dealt with
by the security team.

3      Security vulnerability question, but not a vulnerability report
1      Phishing/spam/attacks point to site "powered by Apache"
5      Vulnerability reports of which:
 2      Vulnerability report [hadoop, via security@hadoop.apache.org]
 1      Vulnerability report [httpd, via security@apache.org]
 1      Vulnerability report [poi, via security@apache.org]
 1      Vulnerability report [struts, via security@struts.apache.org]

16 Feb 2011 [Mark Cox / Roy]

No report was received.

19 Jan 2011 [Mark Cox / Greg]

For December 2010: There continues to be a steady stream of reports
of various kinds arriving at security@.  These continue to
be dealt with by the security team.

7      Support question
1      Security vulnerability question, but not a vulnerability report
3      Vulnerability reports of which:
 1      Vulnerability report [infrastructure, via security@]
 1      Vulnerability report [roller, via security@]
 1      Vulnerability report [httpd, via security@]

Additionally, the Tomcat and HTTPD security pages were updated to expose
the date each issue was reported to the ASF and the date each issue
was public in addition to the date the issue was fixed.  Vulnerability
databases and researchers find this information useful.  Examples:
http://tomcat.apache.org/security-7.html
http://httpd.apache.org/security/vulnerabilities_22.html

15 Dec 2010 [Mark Cox / Roy]

For November 2010: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

2       Phishing/spam/attacks point to site "powered by Apache"
1       Security vulnerability question, but not a vulnerability report
1       User was hacked, but it wasn't ASF software at fault
5       Vulnerability reports of which:
 1       Vulnerability report [tomcat, via security@apache.org]
 2       Vulnerability report [tomcat, via security@tomcat] (one was CVE-2010-4172)
 1       Vulnerability report [struts, via security@struts]
 1       Vulnerability report [httpd, via security@apache]

17 Nov 2010 [Mark Cox / Greg]

For October 2010: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

4      Support question
2      Security vulnerability question, but not a vulnerability report
6      Vulnerability reports of which
 2      Vulnerability report [couchdb, via security@couchdb]
 2      Vulnerability report [tomcat, via security@tomcat]
 1      Vulnerability report [httpd]
 1      Vulnerability report [shiro] CVE-2010-3863 [CLOSED]

20 Oct 2010 [Mark Cox / Sam]

For September 2010: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

2      Support question
2      Security vulnerability question, but not a vulnerability report
3      Vulnerability reports of which
 1      Vulnerability report [subversion, via security@apache.org]
 1      Vulnerability report [libcloud, via security@apache.org]
 1      Vulnerability report [Archiva, via security@apache.org]

22 Sep 2010 [Mark Cox / Noirin]

For August 2010: There continues to be a steady stream of reports of
various kinds arriving at security@apache.org.  These continue to be
dealt with by the security team.

1      Support question
3      Security vulnerability question, but not a vulnerability report
4      Vulnerability reports of which
 2      Vulnerability report [hadoop via security@hadoop.apache.org]
 1      Vulnerability report [jackrabbit, via security@apache.org] (Was normal bug)
 1      Vulnerability report [Traffic Master, via security@apache.org]

18 Aug 2010 [Mark Cox / Shane]

At DefCon a vulnerability in Apache Struts2 (CVE-2010-1870) received a
Pwnie award (http://pwnies.com/winners/) not just because the flaw was
remote and serious, but because of the mishandling by the ASF
("receiving no response from security@struts.apache.org").  This is
not completely correct: although the reporter did have to send his
report to security@struts twice, the second time it was acted on and a
conversation with the reporter took place.  However the vulnerability
is still not fixed in any released update to Struts, and the Security
Team has found it hard to engage the Struts PMC about this and had to
contact individual Struts committers, also without much success.

Once more of the Struts team are back from holidays we'll engage them in
a postmortem of this event to improve future vulnerability handling.

'Security Curmudgeon' mentioned that they have a number of issues they
are tracking in osvdb.org for various Apache projects which may have a
security consequence and should get CVE names.  These issues are
mostly all fixed, but just with undisclosed security context.  The
Security Team intend to work on this list, split it by project, and
contact each of the projects to clean this up.  It will take some
time.

For July 2010:

1      Support question
2      Security vulnerability question, but not a vulnerability report
1      Phishing/spam/attacks point to site "powered by Apache"
3      Vulnerability reports of which
 1      Vulnerability report [commons, via security@apache.org]
 1      Vulnerability report [httpd, via security@apache.org]
 1      Vulnerability report [struts, via security@struts.apache.org]

Shane wonders how to make PMCs aware of how important security is.

Approved by general consent.

21 Jul 2010 [Mark Cox / Jim]

For June 2010: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be triaged by the security team.

2      Support question
3      Security vulnerability question, but not a vulnerability report
6      Vulnerability reports of which:
 2      Vulnerability report [httpd, via security@apache.org]
 1      Vulnerability report [httpd, internal via security@httpd.apache.org]
 1      Vulnerability report [axis, internal via security@apache.org]
 1      Vulnerability report [tomcat, via security@tomcat.apache.org]
 1      Vulnerability report [tomcat, via security@apache.org]

Missing data presumed to be a calendar skew (different starts of month); Jim to verify.

16 Jun 2010 [Mark Cox / Justin]

For May 2010: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be triaged by the security team.

5      Support question
2      Security vulnerability question, but not a vulnerability report
7      Vulnerability reports of which:
 3      Vulnerability report [httpd, via security@apache.org]
 1      Vulnerability report [activemq, via security@apache.org]
 1      Vulnerability report [wss4j, via security@apache.org]
 1      Vulnerability report [tomcat, via security@tomcat.apache.org]
 1      Vulnerability report [struts, via security@struts.apache.org]

(Note that the above counts vulnerability reports in the month they arrive,
and not whether they turn into verified issues that are later fixed, hence it's
just a useful volume counter and it is not appropriate to include CVE names.)

19 May 2010 [Mark Cox / Shane]

For Apr 2010: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

2      Support question
3      Security vulnerability question, but not a vulnerability report
2      Phishing/spam/attacks point to site "powered by Apache"
4      Vulnerability reports of which:
 2      Vulnerability report [wicket, via security@apache.org]
 2      Vulnerability report [tomcat, via security@tomcat.apache.org]

Jim indicated that it would be nice for reports to have CVEs, if applicable, as well as a foundation-wide security page which lists all known/addressed security issues.

21 Apr 2010 [Mark Cox / Brian]

For Mar 2010: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

2      Support question
3      Security vulnerability question, but not a vulnerability report
3      Phishing/spam/attacks point to site "powered by Apache"
4      Vulnerability reports of which:
 1      Vulnerability report [httpd, via security@httpd.apache.org]
 1      Vulnerability report [httpd, via security@apache.org]
 1      Vulnerability report [struts, via security@struts.apache.org]
 1      Vulnerability report [tomcat, via security@tomcat.apache.org]

17 Mar 2010 [Mark Cox / Justin]

Apologies, last status report had metrics labelled Dec 2009 but
actually was for Jan 2010.

For Feb 2010: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

4      Support question
1      Phishing/spam/attacks point to site "powered by Apache"
4      Vulnerability reports of which:
 1      Vulnerability report [axis, via security@apache.org]
 1      Vulnerability report [ofbiz, via security@apache.org]
 2      Vulnerability report [httpd, via security@apache.org]

Shane to discuss the idea of a central public repository for all security fixes in order to improve security communications with the general public.

17 Feb 2010 [Mark Cox / Brett]

For January 2010: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

4       Security vulnerability question, but not a vulnerability report
5       Vulnerability reports of which:
 4       Vulnerability report [httpd, via security@apache.org]
 1       Vulnerability report [myfaces, via security@apache.org]

Discussion of the relative merits of meeting-to-meeting vs. calendar based reports. General consensus: as long as each project is consistent, the board is OK.

20 Jan 2010 [Mark Cox / Greg]

For December 2009: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

 2       Support question
 2       Security vulnerability question, but not a vulnerability report
 1       Phishing/spam/attacks point to site "powered by Apache"
 6       Vulnerability report of which
         1       [juddi, via security@apache.org]
         2       [tomcat, via security@tomcat.apache.org]
         3       [httpd, via security@apache.org]

16 Dec 2009 [Mark Cox / Shane]

For November 2009: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

 5       Support question
 2       Security vulnerability question, but not a vulnerability report
 1       Vulnerability report of which
         1       [myfaces, via security@apache.org]

Also in November the TLS renegotiation flaw was made public, which
requires protocol updates to be corrected.  The upstream OpenSSL
fix was to disable all renegotiation, which can break sites needing to
use client certificates, and so mod_ssl got an alternative mitigation
fix (http://marc.info/?m=125755783724966 ).  This will continue to be
a painful issue for some months as changes to the protocol and the OpenSSL
implementation thereof may break some client/server interactions.

18 Nov 2009 [Mark Cox / Justin]

For October 2009: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

 2       Support question
 4       Security vulnerability question, but not a vulnerability report
 2       Vulnerability report of which
         1       [infrastructure xss, via security@apache.org]
         1       [httpd, via security@apache.org]

21 Oct 2009 [Mark Cox / Jim]

For September 2009: There continues to be a steady stream of reports
of various kinds arriving at security@apache.org.  These continue to
be dealt with by the security team.

2   Support question
3   Security vulnerability question, but not a vulnerability report
5   Vulnerability reports, of which:
 1    Vulnerability report [tomcat, via security@tomcat.apache.org]
 1    Vulnerability report [tomcat, via security@apache.org]
 1    Vulnerability report [portals, via security@apache.org]
 2    Vulnerability report [httpd, via security@apache.org]

23 Sep 2009 [Mark Cox / Brian]

For August 2009: There continues to be a steady stream of reports of
various kinds arriving at security@apache.org.  These continue to be
dealt with by the security team.  This month saw additional load due
to questions about the "Slowloris" httpd exploit.  Due to the
outstanding work of the infrastructure team and their rapid and full
disclosures we did not get questions about the infrastructure
compromise.

1    Support question
6    Security vulnerability question, but not a vulnerability report
3    Phishing/spam/attacks point to site "powered by Apache"
5    Vulnerability reports of which
 1    Vulnerability report [apr, via security@apache.org] CVE-2009-2412
 1    Vulnerability report [httpd, via security@apache.org]
      (not an issue)
 1    Vulnerability report [httpd, via security@httpd.apache.org]
 1    Vulnerability report [tomcat, via security@tomcat.apache.org]
 1    Vulnerability report [tomcat, via security@tomcat.apache.org]
      (not an issue)

19 Aug 2009 [Mark Cox / Greg]

For July 2009: There continues to be a steady stream of reports of
various kinds arriving at security@apache.org.  These continue to be
dealt with by the security team.

5    Support question
4    Security vulnerability question, but not a vulnerability report
3    Vulnerability reports of which
 1 Vulnerability report [httpd, via security@apache.org]
 2 Vulnerability report [infrastructure, via security@apache.org]

15 Jul 2009 [Mark Cox / Doug]

For June 2009: There continues to be a steady stream of reports of
various kinds arriving at security@apache.org.  These continue to be
dealt with promptly by the security team.

2    Support question
7    Security vulnerability question, but not a vulnerability report
2    Phishing/spam/attacks point to site "powered by Apache"
1    Vulnerability report
 of which
   1    Vulnerability report [httpd, via security@apache.org]

This month saw the publication of the Apache httpd "Slowloris" DoS
tool which caused a larger number of public questions to the list
(those questions and discussions were correctly redirected to the
public dev list).  Updated Tomcat and APR-util were also released to
address a number of older security issues.

17 Jun 2009 [Mark Cox / Geir]

For May 2009: There continues to be a steady stream of reports of
various kinds arriving at security@apache.org.  These continue to be
dealt with promptly by the security team.

 1    Support question
 3    Vulnerability report
      of which
        1    Vulnerability report [tomcat, via security@apache.org]
        1    Vulnerability report [httpd, via security@apache.org]
        1    Vulnerability report [xerces, via security@apache.org]

20 May 2009 [Mark Cox / Sam]

For Apr 2009: There continues to be a steady stream of reports of
various kinds arriving at security@apache.org.  These continue to be
dealt with promptly by the security team.

 2    Support question
 5    Vulnerability report
      of which
           1    Vulnerability report [tomcat, via security@apache.org]
           2    Vulnerability report [tomcat, direct]
           1    Vulnerability report [httpd, via security@apache.org]
           1    Vulnerability report [Juddi, via security@apache.org]

Bill to get with Mark to ask what "direct" means.

15 Apr 2009 [Mark Cox / Sam]

For Mar 2009: There continues to be a steady stream of reports of
various kinds arriving at security@apache.org.  These continue to be
dealt with promptly by the security team.

 2    Support question
 3    Phishing/spam/attacks point to site "powered by Apache"
 6    Vulnerability report
      of which
      1    Vulnerability report [httpd, via security@apache.org]
      2    Vulnerability report [tomcat, direct]
      2    Vulnerability report [tomcat, via security@apache.org]
      1    Vulnerability report [mod_perl, via security@apache.org]

18 Mar 2009 [Mark Cox / Justin]

For Feb 2009: There continues to be a steady stream of reports of
various kinds arriving at security@apache.org.  These continue to be
dealt with promptly by the security team.

2     Support question
2     Security vulnerability question, but not a vulnerability report
3     Phishing/spam/attacks point to site "powered by Apache"
1     User was hacked, but it wasn't ASF software at fault
4     Vulnerability report

18 Feb 2009 [Mark Cox / Jim]

For Jan 2009: There continues to be a steady stream of reports of
various kinds arriving at security@apache.org.  These continue to be
dealt with promptly by the security team.

2     Support question
1     Security vulnerability question, but not a vulnerability report
6     Phishing/spam/attacks point to site "powered by Apache"
1     User was hacked, but it wasn't ASF software at fault
8     Vulnerability reports

Also in January the security team page was created to 1) tell users
how to report issues in any ASF project and 2) give guidance
on how to deal with such reports.  http://www.apache.org/security/

We agreed to collapse the Vulnerability reports in the public minutes going forward, omitting the names of the projects.

21 Jan 2009 [Mark Cox / Henning]

For December 2008: There continues to be a steady stream of reports of
various kinds arriving at security@apache.org.  These continue to be
dealt with promptly by the security team.

6      Support question
2      Security vulnerability question, but not a vulnerability report
1      Phishing/spam/attacks point to site "powered by Apache"
1      Vulnerability report [geronimo, direct to geronimo team]
2      Vulnerability report [tomcat, direct to tomcat team]
2      Vulnerability report [httpd, via security@apache.org]
1      Vulnerability report [roller, via security@apache.org]

Partially to address the large number of support questions, in Jan
2009 Mark Thomas has been working on an ASF top-level /security page
which better explains the use of the security@apache.org address and
will hopefully cut down on some of the out-of-scope emails.

17 Dec 2008 [Mark Cox / Bill]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team.  For Nov 2008:

4       Support question
2       Security vulnerability question, but not a vulnerability report
1       Vulnerability report [spamassassin]

No report received. Bill sent a reminder.

19 Nov 2008 [Mark Cox / Justin]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team.  For Oct 2008:

1      Support question
3      Security vulnerability question, but not a vulnerability report
2      Phishing/spam/attacks point to site "powered by Apache"
1      User was hacked, but it wasn't ASF software at fault
7      Vulnerability reports across four projects containing a mix of
 verified and unverified issues

15 Oct 2008 [Mark Cox / Sam]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team.

Aug 2008

1      Support question
1      Phishing/spam/attacks point to site "powered by Apache"

Sep 2008

Now also including other security@x.apache.org lists; note again that
"vulnerability report" includes things sent to us that turn out not to
be vulnerabilities (it's an indication of response effort).

4      Support question
3      Security vulnerability question, but not a vulnerability report
1      User was hacked, but it wasn't ASF software at fault
3      Vulnerability report [tomcat]
3      Vulnerability report [httpd]

17 Sep 2008 [Mark Cox / Sam]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team.  Statistics missing for this month and
will be updated for next month including the breakout of issues per
project as requested at the last board meeting.

20 Aug 2008 [Mark Cox / Geir]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team.  For July 2008:

 1 Support question
 1 Security vulnerability question, but not a vulnerability report
 1 Phishing/spam/attacks point to site "powered by Apache"
 3 Vulnerability report

Note that the statistics given each month are for queries sent to
security@apache.org and do not include any that are sent to specific
project lists advertised separately such as
security@tomcat.apache.org.  Most projects do not advertise separate
lists (or really need to, given the low volume of issues affecting most
projects), and the only one which really gets any direct reports is
security@tomcat.  We'd only advise a project advertising a separate
security response address if they get or expect a significant number
of issues.

For these board reports we do not plan on giving more detail about
specific issues unless they are significant in some way (critical
vulnerability or threat) as issues can take several months through the
lifecycle of dealing with the reporter during which time they are
usually non-public.

For interest, now that we have two years of data, here is the cumulative
total of emails to security@apache.org for each type:

           Jul-Dec06 Jan-Jun07 Jul-Dec07 Jan-Jun08 Total
Support     24        14        25        13         [76]
Query       11        10         4        11         [36]
PoweredBy   17        20        19        11         [67]
NotASFHack   7         5         0         3         [15]
Report      24        23        23        20         [90]
Total      [83]      [72]      [71]      [58]       [284]

Support : Support question, not vulnerability related.  We won't
answer these but will refer them to some public list.

Query : Security vulnerability question, but not a vulnerability
report.  We answer some of these but in most cases refer to a public
list for discussion.

PoweredBy : Phishing/spam/attacks point to site "powered by Apache".
We try to help the users understand what happened, but many still
don't believe us, or don't understand.

NotASFHack : User was hacked, but after investigation it turns out it
wasn't ASF software at fault.  Note that there isn't a "WasASFHack"
row because we've not yet heard from anyone whose machine was
compromised where it turned out to be via some flaw (fixed or unfixed)
in ASF software.

Report : What the list is designed for, a vulnerability report.  We
include here all reports of possible vulnerabilities even if they turn
out not to be vulnerabilities (as they require effort to investigate
and/or respond).  It's pretty constant through the years.

Jim requested that the projects for which the vulnerability was reported be included in the report.

16 Jul 2008 [Mark Cox / Justin]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team.  Nice and quiet for June:

1      Support question
3      Vulnerability report

It was noted that not all security reports are httpd related. Henning indicated a desire that a breakdown by projects would be nice, but there was no direction to provide it.

25 Jun 2008 [Mark Cox / Sam]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team.  May 2008 was mostly quiet although
the release of Apache HTTP Server 2.2.9 addressed two minor issues.

1      Support question
2      Security vulnerability question, but not a vulnerability report
1      User was hacked, but it wasn't ASF software at fault
4      Vulnerability report

21 May 2008 [Mark Cox / J. Aaron]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team.  Apr 2008 was mostly quiet:

1      Support question
6      Phishing/spam/attacks point to site "powered by Apache"
1      Vulnerability report

16 Apr 2008 [Mark Cox / Greg]

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team.  For Mar 2008:

7      Support question
2      Security vulnerability question, but not a vulnerability report
3      Phishing/spam/attacks point to site "powered by Apache"
6      Vulnerability report

19 Mar 2008 [Mark Cox / Sam]

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team.  For Feb 2008:

2      Support question
4      Security vulnerability question, but not a vulnerability report
1      Phishing/spam/attacks point to site "powered by Apache"
1      User was hacked, but it wasn't ASF software at fault
3      Vulnerability report

Nothing much to note, although there were three requests this month to remove
emails from mail-archives.apache.org as the addresses are unobfuscated
and indexed by Google.

20 Feb 2008 [Mark Cox / Will]

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team.  For Jan 2008:

1       Support question
3       Security vulnerability question, but not a vulnerability report
1       Phishing/spam/attacks point to site "powered by Apache"
1       User was hacked, but it wasn't ASF software at fault
3       Vulnerability report

This month the press reported thousands of Linux servers running Apache HTTP
Server being compromised and used to serve malicious files to visiting
Windows clients.  Although initial reports were sketchy, in the end the
evidence pointed to the machines being compromised through leaked passwords
and not through any ASF or third party software installed.  The Security
Team gave a short press statement which was used in some stories.

Approved by General Consent.

16 Jan 2008 [Mark Cox / Bill]

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team.  For Dec 2007:

2       Support question
1       Security vulnerability question, but not a vulnerability report
3       Phishing/spam/attacks point to site "powered by Apache"
8       Vulnerability report

For HTTPD Security, this month saw the completion of some
vulnerabilities reported via SecurityReason, but all moderate or low
severity, and finally fixing the security list moderator.

Approved by General Consent.

19 Dec 2007 [Mark Cox / Greg]

This month saw the completion of some vulnerabilities in the HTTPD
project reported via JPCERT although the co-ordination process took a
lot of effort considering the low severity of the issues.

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team.  For Nov 2007:

4       Support question
1       Security vulnerability question, but not a vulnerability report
4       Phishing/spam/attacks point to site "powered by Apache"
3       Vulnerability report

Approved by General Consent.

14 Nov 2007 [Mark Cox / Sam]

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team.  For Oct 2007:

5      Support question
1      Security vulnerability question, but not a vulnerability report
5      Phishing/spam/attacks point to site "powered by Apache"
4      Vulnerability report

Approved by General Consent.

17 Oct 2007 [Mark Cox / Henri]

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team.  For Sep 2007:

5       Support question
1       Security vulnerability question, but not a vulnerability report
4       Phishing/spam/attacks point to site "powered by Apache"
1       Vulnerability report

After some discussion, it was decided that the current set of security mailing lists and advertisements of such on the ASF web sites as they exist today is adequate and appropriate.

Approved by General Consent.

19 Sep 2007 [Mark Cox / Greg]

The Security Team Project chair apologises for the lack of an August status report.

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team.  For July/Aug 2007 we had 19 non-SPAM new issues:

9       Support question
3       Phishing/spam/attacks point to site "powered by Apache"
7       Vulnerability report

A new set of HTTP Server releases this month fixed a number of
moderate severity security issues, and included a work-around for a
browser vulnerability, CVE-2007-4465.  We also gained access to add
comments directly into the National Vulnerability Database, useful for
adding official statements to disputed issues.

Approved by General Consent.

29 Aug 2007 [Mark Cox / Henri]

Henri is to follow up requesting a report for next month

Approved by General Consent.

18 Jul 2007 [Mark Cox / Geir]

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team.  For Jun 2007 we had 10 non-SPAM requests:

5       Security vulnerability question, but not a vulnerability report
5       Phishing/spam/attacks point to site "powered by Apache"
4       Vulnerability report

The board discussed tracking, and we agreed that the role of the committee is to provide advice and to ensure that every issue has an owner.

Approved by General Consent.

20 Jun 2007 [Mark Cox / Aaron]

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team.  For May 2007 we had 10 non-SPAM requests:

3       Support question
2       User was hacked, but it wasn't ASF software at fault
2       Phishing/spam/attacks point to site "powered by Apache"
3       Vulnerability report

One of the vulnerability reports was in fact first reported in May 2006,
but was never responded to as the issues were not deemed important.
Whilst we are very responsive for issues of critical severity and issues
that are not vulnerability reports, issues with no or low security impact
have sometimes got lost: we're looking at ways to prevent this.

Approved by General Consent.

16 May 2007 [Mark Cox / Justin]

In April, Mark Thomas continued his audit of security issues fixed in
Tomcat but not documented with CVE names.  Mark Thomas and Joe Orton
were added to the Security Team Project.  There continues to be a
steady stream of reports of various kinds arriving at
security@apache.org. These continue to be dealt with promptly by the
security team.  For April 2007 we had 13 non-SPAM requests:

 46% ( 6) Actual report of a vulnerability (both valid and invalid)
 38% ( 5) User asks support question
  8% ( 1) Phishing/spam/attacks point to site "powered by Apache"
  8% ( 1) Security vulnerability question, but not a vulnerability report

Approved by General Consent.

25 Apr 2007

Update Apache Security Team Membership

 WHEREAS, the Apache Software Foundation (ASF) Board Committee,
 known as the Apache Security Team expects to better serve
 its purpose through the periodic update of its membership; and

 WHEREAS, the Apache Security Team is a Board-appointed committee
 whose membership must be approved by Board resolution.

 NOW, THEREFORE, BE IT RESOLVED, that the following ASF
 members be added as Apache Security Team members:

     Joe Orton <jorton@apache.org>
     Mark Thomas <markt@apache.org>

 Special Order 6B, Update Apache Security Team Membership, was
 approved by Unanimous Vote.

25 Apr 2007 [Mark Cox / Ken]

There continues to be a steady stream of reports of various kinds arriving
at security@apache.org. These continue to be dealt with promptly by the
security team. We have a proposed resolution for this board meeting to
expand the security team to include Joe Orton and Mark Thomas, both of
whom have been doing significant security-related work.

Approved by General Consent.

28 Mar 2007 [Cliff]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team. We had some interesting issues where
the vulnerability was in the interaction between two projects.  For
Jan and Feb 2007 we had 28 non-SPAM requests:

 36% (10) Actual report of a vulnerability (both valid and invalid)
 21% ( 6) User asks support question
 21% ( 6) Phishing/spam/attacks point to site "powered by Apache"
 11% ( 3) Security vulnerability question, but not a vulnerability report
 11% ( 3) User was hacked, but it wasn't ASF software at fault

Most serious issue dealt with was a critical severity issue affecting
recent versions of mod_jk where we worked successfully for the first
time with researchers at TippingPoint.

I have proposed a new Legal Affairs Committee to distribute the current legal affairs workload to a coordinated group of ASF members, to assign responsibility for legal policy deliberation and decision making to the same group under the supervision of the board, and to provide a structured means of participation and familiarization for those interested in taking over the Legal VP job one day. The resolution is on the agenda. It is currently written as an Executive committee, but we can discuss if that is best.

I've worked with Geir on issues related to the JCK licensing problems, but I will let him report on that.

21 Feb 2007 [Cliff]

The CLA FAQ proposed at last month's meeting was reviewed by our counsel. Small changes were made and an additional Q&A was added to clarify the future patent claims issue. The FAQs have been posted to legal-discuss where there is some discussion to make a very minor clarification. In short, I believe this issue is pretty much resolved.

A pretty bad trademark violation was reported, which I forwarded to the PRC and assisted them in an initial draft (with a review through counsel).

17 Jan 2007 [Mark Cox / Henri]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team.  For Oct-Dec 2006 we had 39 non-SPAM
requests out of about 1270 messages that made it through the spamfilter.

 31% (12) User asks support question
 26% (10) Actual report of a vulnerability (both valid and invalid)
 20% ( 8) Phishing/spam/attacks point to site "powered by Apache"
 18% ( 7) Security vulnerability question, but not a vulnerability report
  5% ( 2) User was hacked, but it wasn't ASF software at fault

Sam noted, with approval, that we are now receiving board reports from the team.

Approved by General Consent.

20 Dec 2006

Update Apache Security Team Membership

 WHEREAS, the Apache Software Foundation (ASF) Board Committee,
 known as the Apache Security Team expects to better serve
 its purpose through the periodic update of its membership; and

 WHEREAS, the Apache Security Team is a Board-appointed committee
 whose membership must be approved by Board resolution.

 NOW, THEREFORE, BE IT RESOLVED, that the following ASF
 members be added as Apache Security Team members:

    * Lars Eilebrecht     (lars@apache.org)
    * William A. Rowe     (wrowe@apache.org)
    * Sander Striker      (striker@apache.org)

 Special Order 6A, Updating the Apache Security Team Membership, was
 approved by Unanimous Vote.

25 Oct 2006 [Mark Cox / Cliff]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team.  For July-Sep 2006 we had 44 non-SPAM
requests (out of about 1670 messages that made it through the
spam filter).

 32% (14) Actual report of a vulnerability (both valid and invalid)
 27% (12) Phishing/spam/attacks point to site "powered by Apache"
 27% (12) User asks support question
 10% ( 4) Security vulnerability question, but not a vulnerability report
  4% ( 2) User was hacked, but it wasn't ASF software at fault

Still outstanding are some requests to fix the committee info and
outreach to some projects to understand how to interface with us.

It was noted that the board should suggest to Mark to work on growing the committee.

Approved by General Consent.

20 Sep 2006

Reestablishing the Apache Security Team

  WHEREAS, the Board of Directors deems it to be in the best
  interests of the Foundation and consistent with the
  Foundation's purpose to establish the ASF Board Committee
  charged with maintaining the security of software produced by
  the various projects established under the ASF's umbrella,
  but not for the security of the servers and other
  infrastructure used by the ASF.

  NOW, THEREFORE, BE IT RESOLVED, that the ASF Board Committee,
  known as the "Apache Security Team", be and hereby is
  reestablished pursuant to Bylaws of the Foundation; and be it
  further

  RESOLVED, that the Apache Security Team be and hereby is
  responsible for organization and oversight of efforts to
  maintain the security of ASF projects and shall act as a
  single point of contact between the ASF and any entity
  wishing to report or fix any security related issue in any
  project.

  RESOLVED, that each project shall appoint at least one
  non-voting liaison to the committee, who shall have commit
  privilege for the project's repository, and the technical
  ability to release new versions, advisories or security
  patches on behalf of the project.

  RESOLVED, that the committee shall have the power to act on
  behalf of any project in matters of security.

  RESOLVED, that Mark Cox shall serve at the direction of
  the Board of Directors as the chair of the Security Team and
  have primary responsibility for managing the Security Team;
  and be it further

  RESOLVED, that the persons listed immediately below be and
  hereby are appointed to serve as the members of the Apache
  Security Team:

      Ben Laurie
      Mark Cox

  There was some discussion over the small number of "initial"
  members of the team. It was noted that it was expected that
  new members would be added as soon as the team rebooted.

 Special Order 6A, Reestablishing the Apache Security Team, was
 approved by Unanimous Vote.

19 Jul 2006 [Ben Laurie / Justin]

No report provided

Jim asked when was the last time we had a report and asked if it was time to propose a more active chair? Henri noted that the last report was February 2006 but the board noted that reports were few and sparse. Sander said that he had talked to Ben Laurie and that he has been in touch with Mark J. Cox as a possible candidate to take over.

26 Apr 2006 [Ben Laurie]

There was no report. Sander was tasked with getting a security report.

15 Feb 2006 [Ben Laurie]

There continues to be a steady stream of reports of various kinds
arriving at security@apache.org. These continue to be dealt with
promptly by the security team, most notably Mark Cox. The good news is
that the majority of projects now appear to have security@ addresses,
so it's possible to have the reports dealt with by the right
people. The bad news is that we continue to not properly track issues,
resulting in them getting dropped on the floor too often.

Approved by General Consent.

18 Jan 2006 [Ben Laurie]

There was no report yet again. The board expressed concern that the Security Team consistently neglects to file reports. Sander was to talk to Ben about this concern.

26 Oct 2005 [Ben Laurie]

Action Item: Sander to track down report

27 Apr 2005 [Ben Laurie]

No report. The board expressed serious concern that no report from the Security Team has been submitted for several times in a row. Greg asked for volunteers to contact Ben Laurie to determine why this is the case. Sander agreed to contact Ben and report back to the board.

19 Jan 2005 [Ben Laurie]

No report submitted. It was noted that the Security Team had not submitted a report for almost a year. Greg indicated he would contact Ben regarding this.

20 Oct 2004 [Ben Laurie]

No report was provided. It was agreed that Greg or Dirk would send a polite but firm reminder that these reports are required, and that the Security Team does not have a good track record of providing these reports.

18 Aug 2004 [Ben Laurie]

No report submitted.

21 Jul 2004 [Ben Laurie]

A report was expected, but not received

18 Feb 2004 [Ben Laurie]

As discussed at the last board meeting, there's little to report on
the security team front, except that we continue to deal with incoming
reports by forwarding to the appropriate team, and we continue to not
do a fantastic job with the less critical problems - critical ones are
dealt with promptly, as always, but others are quite often dropped on
the floor until outside forces refocus our attention.

Although I don't see this as an enormous problem, it would be nice to
find a way to fix it. Sadly, with volunteer effort, it is hard to
do. I have idly wondered if it might be a suitable item for corporate
sponsorship (i.e. providing the monitoring/tracking/ass-kicking
function).

It was noted that new PMCs need to be aware of the Security Team and must ensure that they work with the team.

Approved via General Consent.

21 Jan 2004 [Ben Laurie]

No report received or submitted.

22 Jan 2003 [Ben Laurie]

The security team now has its own mailing list
(security-team@apache.org), for discussion of team business and _not_
security issues.

security@apache.org is still the primary contact for security issues,
which are then dispatched to the security list for the appropriate
(sub-)project. These are being set up on a piecemeal basis, as needed
for new security issues, and are of the form
<project>-security@apache.org, security@<project>.apache.org or
<subproject>-security@<project>.apache.org. This diversity is
regrettable, but needed in order to match the list to the correct
audience, without breaking intuitiveness of naming.

security@apache.org is subscribed to _all_ these mailing lists, so the
core security team remain aware of developments.

So far these lists only exist for httpd and Tomcat, but this is
probably a good thing, so we can work out any wrinkles in the plan
without having to modify dozens of lists to conform.

There is also a CVS repository, security, which is used to (manually)
track the status of reports. It is currently proposed to break this
into subdirectories for each (sub-)project, with group access as
appropriate to the subdirectory (which I support, but has not yet had
time for discussion).

I've also unilaterally adopted a numbering scheme for tracking
reports, of the form AST-yyyymmdd(-nn), with no complaints yet heard.

Although it is early days, it seems clear that this system has already
resulted in two clear positive benefits:

a) issues are not getting (permanently) dropped on the floor

b) issues are being dispatched to the project teams and are no longer
 summarily dealt with by the security core team.

By general consent, this report was recorded as entered and approved.

18 Nov 2002 [Ben Laurie]

Ben reported that things are moving slightly slowly. Currently, the team
is getting the liaisons added from each ASF PMC, project and subproject.