On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory <garydgreg...@gmail.com> wrote:
> Would you be available to update the Commons Configuration page
>
> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
> in the same way you did for Commons Text? The CVE is basically the
> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
>

Happy to! Proposed https://github.com/apache/commons-configuration/pull/230

Kind regards,

Arnout

> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> > FYI: I updated the security page
> > https://commons.apache.org/proper/commons-text/security.html
> >
> > Gary
> >
> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <garydgreg...@gmail.com> wrote:
> > >
> > > I have an unpublished security page in the repo already. Let's not
> > > duplicate information like this PR does please. Publishing a non-snapshot
> > > site is a pain and I don't want to do more than I have to. There is no need
> > > to buy in and promote the FUD on the front page IMO. This component will
> > > soon publish a security page and you can PR that page
> > > (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml)
> > > if you want to update the details.
> > >
> > > TY!
> > >
> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen <enge...@apache.org> wrote:
> > >>
> > >> Hello Commons,
> > >>
> > >> As you might know Commons Text recently published a CVE. It seems there is
> > >> a fair bit of confusion about its severity online, so it seems like a good
> > >> idea to publish a statement around that on the website.
> > >>
> > >> I've proposed one at https://github.com/apache/commons-text/pull/374 and
> > >> I'd like to ask for your review & help publishing. Given the issue is
> > >> getting some attention it might be nice to publish something soon and maybe
> > >> refine it later ;). I'll also publish it at
> > >> https://blogs.apache.org/security .
> > >>
> > >> I think what would need to happen is:
> > >> * review and merge https://github.com/apache/commons-text/pull/374
> > >> * check out the commit before the merge commit (since that one still has
> > >>   1.10.0 as the version in the pom.xml)
> > >> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
> > >> * push the tag
> > >> * do a 'mvn site:deploy'
> > >>
> > >> Much appreciated!
> > >>
> > >>
> > >> Kind regards,
> > >>
> > >> Arnout