Thanks for taking care of this! We have a CVE in Log4j 2 we can link to on this page as well.
On 21 January 2018 at 10:26, <bode...@apache.org> wrote: > Author: bodewig > Date: Sun Jan 21 16:26:21 2018 > New Revision: 1821805 > > URL: http://svn.apache.org/viewvc?rev=1821805&view=rev > Log: > first cut at a top level security page > > Added: > logging/site/cms/trunk/content/security.twig > > Added: logging/site/cms/trunk/content/security.twig > URL: http://svn.apache.org/viewvc/logging/site/cms/trunk/ > content/security.twig?rev=1821805&view=auto > ============================================================ > ================== > --- logging/site/cms/trunk/content/security.twig (added) > +++ logging/site/cms/trunk/content/security.twig Sun Jan 21 16:26:21 2018 
> @@ -0,0 +1,47 @@ > +{% extends "page.html" %} > + > +{% block title %}Apache Logging Reporting Security Problems{% endblock %} > + > +{% block content %} > +{% filter textile %} > +h1. Reporting New Security Problems with Apache Logging Projects > + > +The Apache Software Foundation takes a very active stance in eliminating > security problems and denial of service attacks against its products. > + > +We strongly encourage folks to report such problems to our private > security mailing list first, before disclosing them in a public forum. > + > +Please note that the security mailing list should only be used for > reporting undisclosed security vulnerabilities and managing the process of > fixing such vulnerabilities. We cannot accept regular bug reports or other > queries at this address. All mail sent to this address that does not relate > to an undisclosed security problem in our source code will be ignored. > + > +If you need to report a bug that isn't an undisclosed security > vulnerability, please use the project's issue tracker. > + > +The private security mailing address is: "secur...@apache.org":mailto:s > ecur...@apache.org > + > +h1. Asking_Questions_About_Known_Security_Problems > + > +Questions about: > + > +* if a vulnerability applies to your particular application > +* obtaining further information on a published vulnerability > +* availability of patches and/or new releases< > + > +should be addressed to the users mailing list. Please see the "mailing > lists page":/mail-lists for details of how to subscribe.</p> > + > +{% endfilter %} > +{% endblock %} > + > +{% comment %} > +Licensed to the Apache Software Foundation (ASF) under one or more > +contributor license agreements. See the NOTICE file distributed with > +this work for additional information regarding copyright ownership. > +The ASF licenses this file to You under the Apache License, Version 2.0 > +(the "License"); you may not use this file except in compliance with > +the License. 
You may obtain a copy of the License at > + > + http://www.apache.org/licenses/LICENSE-2.0 > + > +Unless required by applicable law or agreed to in writing, software > +distributed under the License is distributed on an "AS IS" BASIS, > +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. > +See the License for the specific language governing permissions and > +limitations under the License. > +{% endcomment %} > > > -- Matt Sicker <boa...@gmail.com>
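Review bot: The Textile body of the new security.twig still carries HTML residue in the "Asking Questions" section: the last bullet ends with a stray "<" ("availability of patches and/or new releases<") and the closing paragraph ends with "</p>" after "how to subscribe.". Neither has a matching opening tag inside the textile filter, so both should be dropped. In the same section, the heading "h1. Asking_Questions_About_Known_Security_Problems" is written with underscores, while the first heading uses plain spaces; write it with spaces so the two headings render consistently. Finally, the sentence "please use the project's issue tracker" gives the reader no link, unlike the mailing lists reference below it; since this is a top-level page covering several Logging projects, consider linking to a page that lists each project's tracker.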