On 24/10/2022 19:54, Gary Gregory wrote:
The problem is that you sent your message from what I assume is a bogus
email reply address: p...@wolfgang-jung.net.invalid
No, the ".invalid" was added by the ASF mail servers.
See: https://blogs.apache.org/infra/entry/dmarc_filtering_on_lists_that
We can ask infra to change this behaviour but it requires disbaling all
forms of message munging. For Commons, I think this is limited to the
help message added as a footer.
To reply to this email I had to hand edit the reply to and am guessing that
maybe p...@wolfgang-jung.net will reach you, but, who knows... I usually
don't bother fiddling with this type of email address hassle.
That is the price we (the ASF) have to pay for avoiding DMARC issues. Or
we change the list configuration.
Mark
WRT to the CVE, the issue was originally reported in Commons Configuration
where the code is basically the same (in a different package obviously). It
was decided that Commons Configuration warranted a CVE and we pushed a
release out. Since Text and Configuration are pretty much the same in this
area, it seemed consistent to issue a CVE and a new version for Text as
well.
Gary
On Mon, Oct 24, 2022, 11:45 Wolfgang Jung <p...@wolfgang-jung.net.invalid>
wrote:
Dear Gary,
I’ve sent this exact problem on Dec. 11 2021 to the mail-address mentioned
on the above changed security page: secur...@commons.apache.org
But never received a response… Therefore my question: Is this mail-address
still correct?
Best regards (and glad, that the default behaviour will be changed as
suggested),
Wolfgang Jung
On 2022/10/19 21:28:59 Gary Gregory wrote:
Fixed! The Apache Commons Configuration Security page is now live:
https://commons.apache.org/proper/commons-configuration/security.html
Gary
On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory <ga...@gmail.com> wrote:
Thank you for the brilliant detective work Bruno!
Gary
On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita <ki...@apache.org> wrote:
I had a look at the browser network tab, and saw an HTTP 302 location
redirect from Varnish. These redirects normally need to be configured
in
Varnish with some sort of rule.
I went back to your email, grabbed the SVN URL, stepped up a few
directories and saw an .htaccess at a parent level, that has a
redirect
rule for some commons components (it has for [configuration], not for
[text]). I think we just need to remove the configuration entry.
https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess
HTH,
Bruno
On Thu, 20 Oct 2022 at 08:22, Gary Gregory <ga...@gmail.com> wrote:
Well, I published the Configuration site to the usual svn:
https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/
which should be end up at:
https://commons.apache.org/proper/commons-configuration/index.html
but for me clicking on the "Security" (in the top left menu) does
not
take me to
https://commons.apache.org/proper/commons-configuration/security.html,
instead it redirects magically to
https://commons.apache.org/security.html
Commons Text is fine in this area. What gives?
Gary
On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory <ga...@gmail.com>
wrote:
TY and merged. I'll publish later today.
Gary
On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen <en...@apache.org
wrote:
On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory <ga...@gmail.com>
wrote:
Would you be available to update the Commons Configuration page
https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
in the same way you did for Commons Text? The CVE is basically
the
same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
Happy to! Proposed
https://github.com/apache/commons-configuration/pull/230
Kind regards,
Arnout
On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory <ga...@gmail.com
wrote:
FYI: I updated the security page
https://commons.apache.org/proper/commons-text/security.html
Gary
On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <
garydgreg...@gmail.com> wrote:
I have an unpublished security page in the repo already.
Let's
not duplicate information like this PR does please. Publishing a
non-snapshot site is a pain and I don't want to do more than I have
to.
There is no need to buy in and promote the FUD on the front page
IMO. This
component will soon publish a security page and you can PR that
page (
https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml
)
if you want to update the details.
TY!
On Tue, Oct 18, 2022, 09:52 Arnout Engelen <
en...@apache.org>
wrote:
Hello Commons,
As you might know Commons Text recently published a CVE.
It
seems there is
a fair bit of confusion about its severity online, so it
seems
like a good
idea to publish a statement around that on the website.
I've proposed one at
https://github.com/apache/commons-text/pull/374 and
I'd like to ask for your review & help publishing. Given
the
issue is
getting some attention it might be nice to publish
something
soon and maybe
refine it later ;). I'll also publish it at
https://blogs.apache.org/security .
I think what would need to happen is:
* review and merge
https://github.com/apache/commons-text/pull/374
* check out the commit before the merge commit (since
that one
still has
1.10.0 as the version in the pom.xml)
* tag it with something clear, like
"commons-text-1.10.0-docs-update"(?)
* push the tag
* do a 'mvn site:deploy'
Much appreciated!
Kind regards,
Arnout
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
Wolfgang Jung
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
