The problem is that you sent your message from what I assume is a bogus email reply address: p...@wolfgang-jung.net.invalid

To reply to this email I had to hand edit the reply to and am guessing that maybe p...@wolfgang-jung.net will reach you, but, who knows... I usually don't bother fiddling with this type of email address hassle.

WRT to the CVE, the issue was originally reported in Commons Configuration where the code is basically the same (in a different package obviously). It was decided that Commons Configuration warranted a CVE and we pushed a release out. Since Text and Configuration are pretty much the same in this area, it seemed consistent to issue a CVE and a new version for Text as well.

Gary

On Mon, Oct 24, 2022, 11:45 Wolfgang Jung <p...@wolfgang-jung.net.invalid> wrote:

> Dear Gary,
>
> I’ve sent this exact problem on Dec. 11 2021 to the mail-address mentioned
> on the above changed security page: secur...@commons.apache.org
> But never received a response… Therefore my question: Is this mail-address
> still correct?
>
> Best regards (and glad, that the default behaviour will be changed as
> suggested),
> Wolfgang Jung
>
> On 2022/10/19 21:28:59 Gary Gregory wrote:
> > Fixed! The Apache Commons Configuration Security page is now live:
> > https://commons.apache.org/proper/commons-configuration/security.html
> >
> > Gary
> >
> > On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory <ga...@gmail.com> wrote:
> > >
> > > Thank you for the brilliant detective work Bruno!
> > >
> > > Gary
> > >
> > > On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita <ki...@apache.org> wrote:
> > >>
> > >> I had a look at the browser network tab, and saw an HTTP 302 location
> > >> redirect from Varnish. These redirects normally need to be configured in
> > >> Varnish with some sort of rule.
> > >>
> > >> I went back to your email, grabbed the SVN URL, stepped up a few
> > >> directories and saw an .htaccess at a parent level, that has a redirect
> > >> rule for some commons components (it has for [configuration], not for
> > >> [text]). I think we just need to remove the configuration entry.
> > >>
> > >> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess
> > >>
> > >> HTH,
> > >> Bruno
> > >>
> > >> On Thu, 20 Oct 2022 at 08:22, Gary Gregory <ga...@gmail.com> wrote:
> > >>
> > >> > Well, I published the Configuration site to the usual svn:
> > >> >
> > >> > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/
> > >> >
> > >> > which should end up at:
> > >> >
> > >> > https://commons.apache.org/proper/commons-configuration/index.html
> > >> >
> > >> > but for me clicking on the "Security" (in the top left menu) does not
> > >> > take me to
> > >> > https://commons.apache.org/proper/commons-configuration/security.html,
> > >> > instead it redirects magically to
> > >> > https://commons.apache.org/security.html
> > >> >
> > >> > Commons Text is fine in this area. What gives?
> > >> >
> > >> > Gary
> > >> >
> > >> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory <ga...@gmail.com> wrote:
> > >> > >
> > >> > > TY and merged. I'll publish later today.
> > >> > >
> > >> > > Gary
> > >> > >
> > >> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen <en...@apache.org> wrote:
> > >> > > >
> > >> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory <ga...@gmail.com> wrote:
> > >> > > >>
> > >> > > >> Would you be available to update the Commons Configuration page
> > >> > > >> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
> > >> > > >> in the same way you did for Commons Text? The CVE is basically the
> > >> > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
> > >> > > >
> > >> > > >
> > >> > > > Happy to! Proposed https://github.com/apache/commons-configuration/pull/230
> > >> > > >
> > >> > > >
> > >> > > > Kind regards,
> > >> > > >
> > >> > > > Arnout
> > >> > > >
> > >> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory <ga...@gmail.com> wrote:
> > >> > > >> >
> > >> > > >> > FYI: I updated the security page
> > >> > > >> > https://commons.apache.org/proper/commons-text/security.html
> > >> > > >> >
> > >> > > >> > Gary
> > >> > > >> >
> > >> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <garydgreg...@gmail.com> wrote:
> > >> > > >> > >
> > >> > > >> > > I have an unpublished security page in the repo already. Let's not duplicate information like this PR does please. Publishing a non-snapshot site is a pain and I don't want to do more than I have to. There is no need to buy in and promote the FUD on the front page IMO. This component will soon publish a security page and you can PR that page (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) if you want to update the details.
> > >> > > >> > >
> > >> > > >> > > TY!
> > >> > > >> > >
> > >> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen <en...@apache.org> wrote:
> > >> > > >> > >>
> > >> > > >> > >> Hello Commons,
> > >> > > >> > >>
> > >> > > >> > >> As you might know Commons Text recently published a CVE. It seems there is
> > >> > > >> > >> a fair bit of confusion about its severity online, so it seems like a good
> > >> > > >> > >> idea to publish a statement around that on the website.
> > >> > > >> > >>
> > >> > > >> > >> I've proposed one at https://github.com/apache/commons-text/pull/374 and
> > >> > > >> > >> I'd like to ask for your review & help publishing. Given the issue is
> > >> > > >> > >> getting some attention it might be nice to publish something soon and maybe
> > >> > > >> > >> refine it later ;). I'll also publish it at
> > >> > > >> > >> https://blogs.apache.org/security .
> > >> > > >> > >>
> > >> > > >> > >> I think what would need to happen is:
> > >> > > >> > >> * review and merge https://github.com/apache/commons-text/pull/374
> > >> > > >> > >> * check out the commit before the merge commit (since that one still has
> > >> > > >> > >> 1.10.0 as the version in the pom.xml)
> > >> > > >> > >> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
> > >> > > >> > >> * push the tag
> > >> > > >> > >> * do a 'mvn site:deploy'
> > >> > > >> > >>
> > >> > > >> > >> Much appreciated!
> > >> > > >> > >>
> > >> > > >> > >>
> > >> > > >> > >> Kind regards,
> > >> > > >> > >>
> > >> > > >> > >> Arnout
> > >> >
> > >> > ---------------------------------------------------------------------
> > >> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > >> > For additional commands, e-mail: dev-h...@commons.apache.org
> > >> >
>
> Wolfgang Jung