This is an automated email from the ASF dual-hosted git repository.
oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push:
new e52b7489 Add a Trust section on the security advisory workload (#1695)
e52b7489 is described below
commit e52b7489e23efa4daa9a902c777767cd3417668c
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jul 13 18:41:36 2026 +0200
Add a Trust section on the security advisory workload (#1695)
Recent releases have shipped a large batch of CVE advisories. Add a box to
the Trust page that frames that volume as evidence of an active security effort
rather than a failing framework, and explains the work and timing behind each
advisory: triage against the Security Model, a fix with regression tests, a
backport to every supported release line, a CVE assignment, and a signed
advisory with affected ranges and a workaround, none of it public until the
fixes have shipped. Also notes [...]
Signed-off-by: Andrea Cosentino <[email protected]>
Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
---
content/trust/_index.md | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/content/trust/_index.md b/content/trust/_index.md
index f186bae2..8db881b8 100644
--- a/content/trust/_index.md
+++ b/content/trust/_index.md
@@ -78,6 +78,39 @@ someone else to find the problem.
{{< div "box" >}}
+<a href="/security/" class="icon" title="The work behind every advisory">{{<
icon "security" "Padlock" >}}</a>
+
+{{< div "content" >}}
+
+## A busy advisory page is a good sign
+
+The 4.14.8, 4.18.3 and 4.21.0 releases fixed and disclosed
+[**32 vulnerabilities**](/security/) between them, and every one of them got a
full public advisory.
+That is what an active security effort looks like from the outside — not a
framework springing
+leaks. Researchers across the industry report their findings to the ASF's
private security list, and
+we go looking ourselves: when one component turns out to mishandle inbound
message headers, we sweep
+the connector portfolio for the same pattern instead of patching only the one
that was reported. That
+is why advisories arrive in families, and why every reporter is credited by
name in the advisory that
+follows.
+
+Each one costs work you never see: triage against the [Security
Model](/manual/security-model.html),
+a fix with regression tests, a CVE assignment, and a written, signed advisory
carrying the affected
+version ranges and a workaround you can apply today — and then the backport.
**26 of those 32 fixes
+were carried all the way back to the 4.14.x LTS line**, so teams on the older
LTS get them without a
+major upgrade. None of it becomes public until the fixes have shipped, and we
publish even when a
+hardening change has no known exploit path — because the alternative is asking
you to trust a silence
+you cannot check.
+
+<p>
+<a class="button dark" href="/security/">See every advisory</a>
+</p>
+
+{{< /div >}}
+
+{{< /div >}}
+
+{{< div "box" >}}
+
<a href="/community/" class="icon" title="The Apache Camel community">{{< icon
"community" "People" >}}</a>
{{< div "content" >}}