This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git


The following commit(s) were added to refs/heads/main by this push:
     new e52b7489 Add a Trust section on the security advisory workload (#1695)
e52b7489 is described below

commit e52b7489e23efa4daa9a902c777767cd3417668c
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jul 13 18:41:36 2026 +0200

    Add a Trust section on the security advisory workload (#1695)
    
    Recent releases have shipped a large batch of CVE advisories. Add a box to 
the Trust page that frames that volume as evidence of an active security effort 
rather than a failing framework, and explains the work and timing behind each 
advisory: triage against the Security Model, a fix with regression tests, a 
backport to every supported release line, a CVE assignment, and a signed 
advisory with affected ranges and a workaround, none of it public until the 
fixes have shipped. Also notes  [...]
    
    Signed-off-by: Andrea Cosentino <[email protected]>
    Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
---
 content/trust/_index.md | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/content/trust/_index.md b/content/trust/_index.md
index f186bae2..8db881b8 100644
--- a/content/trust/_index.md
+++ b/content/trust/_index.md
@@ -78,6 +78,39 @@ someone else to find the problem.
 
 {{< div "box" >}}
 
+<a href="/security/" class="icon" title="The work behind every advisory">{{< 
icon "security" "Padlock" >}}</a>
+
+{{< div "content" >}}
+
+## A busy advisory page is a good sign
+
+The 4.14.8, 4.18.3 and 4.21.0 releases fixed and disclosed
+[**32 vulnerabilities**](/security/) between them, and every one of them got a 
full public advisory.
+That is what an active security effort looks like from the outside — not a 
framework springing
+leaks. Researchers across the industry report their findings to the ASF's 
private security list, and
+we go looking ourselves: when one component turns out to mishandle inbound 
message headers, we sweep
+the connector portfolio for the same pattern instead of patching only the one 
that was reported. That
+is why advisories arrive in families, and why every reporter is credited by 
name in the advisory that
+follows.
+
+Each one costs work you never see: triage against the [Security 
Model](/manual/security-model.html),
+a fix with regression tests, a CVE assignment, and a written, signed advisory 
carrying the affected
+version ranges and a workaround you can apply today — and then the backport. 
**26 of those 32 fixes
+were carried all the way back to the 4.14.x LTS line**, so teams on the older 
LTS get them without a
+major upgrade. None of it becomes public until the fixes have shipped, and we 
publish even when a
+hardening change has no known exploit path — because the alternative is asking 
you to trust a silence
+you cannot check.
+
+<p>
+<a class="button dark" href="/security/">See every advisory</a>
+</p>
+
+{{< /div >}}
+
+{{< /div >}}
+
+{{< div "box" >}}
+
 <a href="/community/" class="icon" title="The Apache Camel community">{{< icon 
"community" "People" >}}</a>
 
 {{< div "content" >}}

Reply via email to