September 1, 2017 at 12:42 pm #18714
I was just having a poke around at the OpenAM Community Edition, and looking at the GitHub commit log, it appears as though the latest security advisories for OpenAM 11.0.3 are not included: https://github.com/ForgeRock/openam-community-edition/commits/master?after=3c00cd9146c3e6212372e97bf1f9ff78331bbbde+34
As I can see the dates jump from 2015 to 2017, skipping 2016, when the latest advisory happened #201608.
Are there any plans to add the #201608 security patches to OpenAM CE? Or is it basically just the risk you run with the community edition?
Without the security patches, I think this drastically reduces the value of the community edition.
September 1, 2017 at 12:49 pm #18716 Peter Major Moderator
- This topic was modified 4 years, 1 month ago by japearson.
I’m not aware of any plans that would bring the community versions up to date with the latest security advisories.
I believe the expectation is that the open source community fixes the affected versions.
September 1, 2017 at 1:01 pm #18718
Woah, fair enough.
So I guess that means that the community edition is missing:
eesh, that’s a bit nasty. *unstars community edition on GitHub*
September 1, 2017 at 1:05 pm #18719
I suppose you’d have to apply all the workarounds instead.
September 1, 2017 at 1:46 pm #18720 Peter Major Moderator
It’s more like:
#201601 1 Critical 6 High 5 Medium 1 Low
#201604 1 Critical 3 High 1 Medium
#201605 1 Critical 3 High 1 Low
#201608 1 High
Totalling 3 Critical 13 High 6 Medium 2 Low
You should keep the “Affected versions” field in mind.
September 1, 2017 at 1:50 pm #18721
That’s true. Still, not amazing. Although all the critical vulnerabilities do have some form of workaround at least.
November 20, 2017 at 5:54 pm #19667 FireBurn Participant
This is very poor form. I understand if new issues were found in the community edition that it should be up to the community to fix them. These however are known issues and already fixed by ForgeRock.