Hi Sam,
I also received those emails this morning. A bit later than you, I
wasn't on the right computer...
The better thing to do would be to create an issue asking to upgrade Tomcat
in OFBiz.
For the other questions you asked, I don't think that something exists.
Cheers,
On 25/01/2010 03:33, Sam Hamilton wrote:
> Hey List,
>
> This morning (here in Shanghai) Tomcat sent off three low severity
> security email alerts and it got me thinking that the included .jar
> files could become stale and pose a potential security risk within the
> project.
>
> Is there right now a way to track upgrades/security patches as they
> become available and get them committed back into the project? Or put it
> another way, is there a file in OFBiz which tracks all the included
> jars, a bit like OPTIONAL_LIBRARIES file tells you where to get the jars
> we can't include?
>
> Or should someone subscribe the dev list to the security announcements
> where they are available? Perhaps also before the branch is created we
> could have a check list of actions needed and checking/upgrading
> components could be one of them - at least then we know that the branch
> was secure at the time of creation?
>
> Excuse me if that turned into a ramble but I just woke up this morning
> with this on the brain!
>
> Cheers
> Sam
>
--
Erwan de FERRIERES
www.nereide.biz