Wow, I had no idea we did this, sure is painful to deal with :-(

Gary

On Mon, Oct 24, 2022, 15:10 Mark Thomas <ma...@apache.org> wrote:

> On 24/10/2022 19:54, Gary Gregory wrote:
> > The problem is that you sent your message from what I assume is a bogus
> > email reply address: p...@wolfgang-jung.net.invalid
>
> No, the ".invalid" was added by the ASF mail servers.
>
> See: https://blogs.apache.org/infra/entry/dmarc_filtering_on_lists_that
>
> We can ask infra to change this behaviour but it requires disabling all
> forms of message munging. For Commons, I think this is limited to the
> help message added as a footer.
>
> > To reply to this email I had to hand edit the reply to and am guessing that
> > maybe p...@wolfgang-jung.net will reach you, but, who knows... I usually
> > don't bother fiddling with this type of email address hassle.
>
> That is the price we (the ASF) have to pay for avoiding DMARC issues. Or
> we change the list configuration.
>
> Mark
>
> > WRT to the CVE, the issue was originally reported in Commons Configuration
> > where the code is basically the same (in a different package obviously). It
> > was decided that Commons Configuration warranted a CVE and we pushed a
> > release out. Since Text and Configuration are pretty much the same in this
> > area, it seemed consistent to issue a CVE and a new version for Text as
> > well.
> >
> > Gary
> >
> > On Mon, Oct 24, 2022, 11:45 Wolfgang Jung <p...@wolfgang-jung.net.invalid>
> > wrote:
> >
> >> Dear Gary,
> >>
> >> I’ve sent this exact problem on Dec. 11 2021 to the mail-address mentioned
> >> on the above changed security page: secur...@commons.apache.org
> >> But never received a response… Therefore my question: Is this mail-address
> >> still correct?
> >>
> >> Best regards (and glad, that the default behaviour will be changed as
> >> suggested),
> >> Wolfgang Jung
> >>
> >> On 2022/10/19 21:28:59 Gary Gregory wrote:
> >>> Fixed!
> >>> The Apache Commons Configuration Security page is now live:
> >>> https://commons.apache.org/proper/commons-configuration/security.html
> >>>
> >>> Gary
> >>>
> >>> On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory <ga...@gmail.com> wrote:
> >>>>
> >>>> Thank you for the brilliant detective work Bruno!
> >>>>
> >>>> Gary
> >>>>
> >>>> On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita <ki...@apache.org> wrote:
> >>>>>
> >>>>> I had a look at the browser network tab, and saw an HTTP 302 location
> >>>>> redirect from Varnish. These redirects normally need to be configured in
> >>>>> Varnish with some sort of rule.
> >>>>>
> >>>>> I went back to your email, grabbed the SVN URL, stepped up a few
> >>>>> directories and saw an .htaccess at a parent level, that has a redirect
> >>>>> rule for some commons components (it has for [configuration], not for
> >>>>> [text]). I think we just need to remove the configuration entry.
> >>>>>
> >>>>> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess
> >>>>>
> >>>>> HTH,
> >>>>> Bruno
> >>>>>
> >>>>> On Thu, 20 Oct 2022 at 08:22, Gary Gregory <ga...@gmail.com> wrote:
> >>>>>
> >>>>>> Well, I published the Configuration site to the usual svn:
> >>>>>>
> >>>>>> https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/
> >>>>>>
> >>>>>> which should end up at:
> >>>>>>
> >>>>>> https://commons.apache.org/proper/commons-configuration/index.html
> >>>>>>
> >>>>>> but for me clicking on the "Security" (in the top left menu) does not
> >>>>>> take me to
> >>>>>> https://commons.apache.org/proper/commons-configuration/security.html,
> >>>>>> instead it redirects magically to
> >>>>>> https://commons.apache.org/security.html
> >>>>>>
> >>>>>> Commons Text is fine in this area. What gives?
> >>>>>>
> >>>>>> Gary
> >>>>>>
> >>>>>> On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory <ga...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> TY and merged. I'll publish later today.
> >>>>>>>
> >>>>>>> Gary
> >>>>>>>
> >>>>>>> On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen <en...@apache.org> wrote:
> >>>>>>>>
> >>>>>>>> On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory <ga...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> Would you be available to update the Commons Configuration page
> >>>>>>>>> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
> >>>>>>>>> in the same way you did for Commons Text? The CVE is basically the
> >>>>>>>>> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
> >>>>>>>>
> >>>>>>>> Happy to! Proposed https://github.com/apache/commons-configuration/pull/230
> >>>>>>>>
> >>>>>>>> Kind regards,
> >>>>>>>>
> >>>>>>>> Arnout
> >>>>>>>>
> >>>>>>>>> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory <ga...@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> FYI: I updated the security page
> >>>>>>>>>> https://commons.apache.org/proper/commons-text/security.html
> >>>>>>>>>>
> >>>>>>>>>> Gary
> >>>>>>>>>>
> >>>>>>>>>> On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <garydgreg...@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> I have an unpublished security page in the repo already. Let's
> >>>>>>>>>>> not duplicate information like this PR does please. Publishing a
> >>>>>>>>>>> non-snapshot site is a pain and I don't want to do more than I have to.
> >>>>>>>>>>> There is no need to buy in and promote the FUD on the front page IMO. This
> >>>>>>>>>>> component will soon publish a security page and you can PR that page (
> >>>>>>>>>>> https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml )
> >>>>>>>>>>> if you want to update the details.
> >>>>>>>>>>>
> >>>>>>>>>>> TY!
> >>>>>>>>>>>
> >>>>>>>>>>> On Tue, Oct 18, 2022, 09:52 Arnout Engelen <en...@apache.org> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hello Commons,
> >>>>>>>>>>>>
> >>>>>>>>>>>> As you might know Commons Text recently published a CVE. It seems there is
> >>>>>>>>>>>> a fair bit of confusion about its severity online, so it seems like a good
> >>>>>>>>>>>> idea to publish a statement around that on the website.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I've proposed one at https://github.com/apache/commons-text/pull/374 and
> >>>>>>>>>>>> I'd like to ask for your review & help publishing. Given the issue is
> >>>>>>>>>>>> getting some attention it might be nice to publish something soon and maybe
> >>>>>>>>>>>> refine it later ;). I'll also publish it at
> >>>>>>>>>>>> https://blogs.apache.org/security .
> >>>>>>>>>>>>
> >>>>>>>>>>>> I think what would need to happen is:
> >>>>>>>>>>>> * review and merge https://github.com/apache/commons-text/pull/374
> >>>>>>>>>>>> * check out the commit before the merge commit (since that one still has
> >>>>>>>>>>>> 1.10.0 as the version in the pom.xml)
> >>>>>>>>>>>> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
> >>>>>>>>>>>> * push the tag
> >>>>>>>>>>>> * do a 'mvn site:deploy'
> >>>>>>>>>>>>
> >>>>>>>>>>>> Much appreciated!
> >>>>>>>>>>>>
> >>>>>>>>>>>> Kind regards,
> >>>>>>>>>>>>
> >>>>>>>>>>>> Arnout
> >>>>>>
> >>>>>> ---------------------------------------------------------------------
> >>>>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> >>>>>> For additional commands, e-mail: dev-h...@commons.apache.org
> >>>>>>
> >>
> >> Wolfgang Jung
> >>
>
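The ".invalid" rewriting Mark describes is a list-side response to DMARC: a list that alters the body (for instance by appending the help footer) breaks the author's DKIM signature, and relaying through the list host fails SPF for the author's domain, so any sender whose domain publishes p=quarantine or p=reject would be rejected or quarantined by recipients unless the From: is rewritten. The following is an added example, not code from this thread or from ASF infrastructure: it parses a DMARC TXT record in RFC 7489 syntax and decides whether a body-modifying list needs to munge From: for senders at that domain. All records, domain names and function names are constructed for illustration, and no DNS lookups are performed.

```python
"""DMARC policy check for a mailing-list operator (added example).

Constructed illustration: given the DMARC TXT record a list server would
find at _dmarc.<domain>, decide whether posts from that domain must have
their From: rewritten (e.g. with a ".invalid" suffix) because the list
modifies the body and the domain asks receivers to quarantine or reject
mail that fails DMARC. Every record below is a constructed sample, not a
live DNS answer.
"""
from __future__ import annotations

# DMARC dispositions under which forwarded, body-modified list mail fails.
ENFORCING_POLICIES = frozenset({"quarantine", "reject"})


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'.

    Returns a lower-cased tag -> value mapping. Raises ValueError when the
    record is not a DMARC1 record (v=DMARC1 must be the first tag) or when
    the mandatory 'p' tag is missing.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    first = next(iter(tags), None)
    if first != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC1 record: v=DMARC1 must be the first tag")
    if "p" not in tags:
        raise ValueError("DMARC record lacks the required 'p' tag")
    return tags


def effective_policy(record: str, *, subdomain: bool = False) -> str:
    """Return the requested disposition: 'none', 'quarantine' or 'reject'.

    For mail from a subdomain the 'sp' tag, when present, overrides 'p'.
    """
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    if policy != "none" and policy not in ENFORCING_POLICIES:
        raise ValueError(f"unknown DMARC disposition: {policy!r}")
    return policy


def list_must_munge_from(record: str, *, subdomain: bool = False) -> bool:
    """True when a body-modifying list should rewrite From: for this sender.

    'pct' is deliberately ignored: a receiver may still apply the policy to
    a share of messages, so any enforcing disposition is treated as binding.
    """
    return effective_policy(record, subdomain=subdomain) in ENFORCING_POLICIES


# Constructed sample records, keyed by the (hypothetical) sending domain.
SAMPLE_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "lenient.example": "v=DMARC1; p=none; rua=mailto:dmarc@lenient.example",
    "split.example": "v=DMARC1; p=none; sp=quarantine; pct=100",
}


def munging_report(records: dict[str, str] = SAMPLE_RECORDS) -> dict[str, bool]:
    """Map each organizational domain to whether its posts need From: munging."""
    return {domain: list_must_munge_from(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, needs_munging in munging_report().items():
        print(f"{domain:16} munge From: -> {needs_munging}")
```

The list operator's trade-off in the thread follows directly from the check: once a single member domain returns True, the list either rewrites From: for those senders or stops modifying message bodies altogether, which is why Mark notes that turning the rewriting off requires disabling all forms of munging, footer included.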