OpenAM Community Edition and security advisory #201608

This topic has 6 replies, 3 voices, and was last updated 3 years, 11 months ago by FireBurn.

    I was just having a poke around at the OpenAM Community Edition, and looking at the github commit log, it appears as though the latest security advisories for OpenAM 11.0.3 are not included:

    As I can see the dates jump from 2015 to 2017, skipping 2016, when the latest advisory happened #201608.

    Are there any plans to add the #201608 security patches to OpenAM CE? Or is it basically just the risk you run with the community edition?

    Without the security patches, I think this drastically reduces the value of the community edition.

     Peter Major

    I’m not aware of any plans that would bring the community versions up to date with the latest security advisories.
    I believe the expectation is that the open source community fixes the affected versions.


    Woah, fair enough.

    So I guess that means that the community edition is missing:

    #201601 1 Critical 8 Highs 5 Medium 1 Low
    #201604 1 Critical 3 High 3 Medium
    #201605 2 Critical 3 High 1 Medium 1 Low
    #201608 2 High


    4 Critical
    16 High
    9 Medium
    2 Low

    eesh, that’s a bit nasty. *unstars community edition on github*


    I suppose you’d have to apply all the workarounds instead.

     Peter Major

    It’s more like:

    #201601 1 Critical 6 High 5 Medium 1 Low
    #201604 1 Critical 3 High 1 Medium
    #201605 1 Critical 3 High 1 Low
    #201608 1 High

    Totalling 3 Critical 13 High 6 Medium 2 Low

    You should keep the “Affected versions” field in mind.


    That’s true. Still, not amazing. Although all the critical vulnerabilities do have some form of workaround at least.


    This is very poor form. I understand if new issues were found in the community edition that it should be up to the community to fix them. These, however, are known issues and already fixed by ForgeRock.
