Hi Arnout, Would you be available to update the Commons Configuration page https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml in the same way you did for Commons Text? The CVE is basically the same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
Gary On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory <garydgreg...@gmail.com> wrote: > > FYI: I updated the security page > https://commons.apache.org/proper/commons-text/security.html > > Gary > > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <garydgreg...@gmail.com> wrote: > > > > I have an unpublished security page in the repo already. Let's not > > duplicate information like this PR does please. Publishing a non-snapshot > > site is a pain and I don't want to do more than I have to. There is no need > > to buy in and promote the FUD on the front page IMO. This component will > > soon publish a security page and you can PR that page > > (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) > > if you want to update the details. > > > > TY! > > > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen <enge...@apache.org> wrote: > >> > >> Hello Commons, > >> > >> As you might know Commons Text recently published a CVE. It seems there is > >> a fair bit of confusion about its severity online, so it seems like a good > >> idea to publish a statement around that on the website. > >> > >> I've proposed one at https://github.com/apache/commons-text/pull/374 and > >> I'd like to ask for your review & help publishing. Given the issue is > >> getting some attention it might be nice to publish something soon and maybe > >> refine it later ;). I'll also publish it at > >> https://blogs.apache.org/security . > >> > >> I think what would need to happen is: > >> * review and merge https://github.com/apache/commons-text/pull/374 > >> * check out the commit before the merge commit (since that one still has > >> 1.10.0 as the version in the pom.xml) > >> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?) > >> * push the tag > >> * do a 'mvn site:deploy' > >> > >> Much appreciated! > >> > >> > >> Kind regards, > >> > >> Arnout --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
