It's worth triaging the bug tracker sometime. At a quick glance I saw several other issues that are arguably security related, mostly around character escaping and unescaping.
On Tue, Oct 24, 2023 at 11:43 AM Gary Gregory <garydgreg...@gmail.com> wrote:
>
> The issue is a year old with zero comments, I downgraded it to "Major".
>
> What's worse is that if it were a real security issue, it should have gone
> through our security protocol and not a Jira (initially at least).
>
> Gary
>
> On Tue, Oct 24, 2023, 10:32 AM Elliotte Rusty Harold <elh...@ibiblio.org>
> wrote:
>
> >
> > https://issues.apache.org/jira/projects/TEXT/issues/TEXT-220?filter=allopenissues
> > is prioritized as a blocker. I haven't analyzed it in detail so I'm not
> > sure, but it is security related. If it is a blocker it should be
> > resolved before 1.11.0. If it is not a blocker, then the priority
> > should be downgraded.
> >
> > On Tue, Oct 24, 2023 at 9:47 AM Gary Gregory <garydgreg...@gmail.com>
> > wrote:
> > >
> > > We have fixed quite a few bugs and added some significant enhancements
> > > since Apache Commons Text 1.10.0 was released, so I would like to
> > > release Apache Commons Text 1.11.0.
> > >
> > > Apache Commons Text 1.11.0 RC1 is available for review here:
> > > https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1
> > > (svn revision 64797)
> > >
> > > The Git tag commons-text-1.11.0-RC1 commit for this RC is
> > > 6e2be58f54bb8e376fbb5188ad964cde2ff6f362 which you can browse here:
> > > https://gitbox.apache.org/repos/asf?p=commons-text.git;a=commit;h=6e2be58f54bb8e376fbb5188ad964cde2ff6f362
> > > You may checkout this tag using:
> > > git clone https://gitbox.apache.org/repos/asf/commons-text.git
> > > --branch commons-text-1.11.0-RC1 commons-text-1.11.0-RC1
> > >
> > > Maven artifacts are here:
> > > https://repository.apache.org/content/repositories/orgapachecommons-1670/org/apache/commons/commons-text/1.11.0/
> > >
> > > These are the artifacts and their hashes:
> > >
> > > #Release SHA-512s
> > > #Tue Oct 24 09:39:25 EDT 2023
> > >
> > > I have tested this with:
> > >
> > > mvn -V -Prelease -Ptest-deploy -P jacoco -P japicmp clean package site deploy
> > >
> > > Using:
> > >
> > > Apache Maven 3.9.5 (57804ffe001d7215b5e7bcb531cf83df38f93546)
> > > Maven home: /usr/local/Cellar/maven/3.9.5/libexec
> > > Java version: 21, vendor: Homebrew, runtime:
> > > /usr/local/Cellar/openjdk/21/libexec/openjdk.jdk/Contents/Home
> > > Default locale: en_US, platform encoding: UTF-8
> > > OS name: "mac os x", version: "14.0", arch: "x86_64", family: "mac"
> > > Darwin gdg-mac-mini.local 23.0.0 Darwin Kernel Version 23.0.0: Fri Sep
> > > 15 14:42:42 PDT 2023; root:xnu-10002.1.13~1/RELEASE_X86_64 x86_64
> > >
> > > Details of changes since 1.10.0 are in the release notes:
> > > https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/RELEASE-NOTES.txt
> > > https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/site/changes-report.html
> > >
> > > Site:
> > > https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/site/index.html
> > > (note some *relative* links are broken and the 1.11.0 directories
> > > are not yet created - these will be OK once the site is deployed.)
> > >
> > > JApiCmp Report (compared to 1.10.0):
> > > https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/site/japicmp.html
> > >
> > > RAT Report:
> > > https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/site/rat-report.html
> > >
> > > KEYS:
> > > https://downloads.apache.org/commons/KEYS
> > >
> > > Please review the release candidate and vote.
> > > This vote will close no sooner than 72 hours from now.
> > >
> > > [ ] +1 Release these artifacts
> > > [ ] +0 OK, but...
> > > [ ] -0 OK, but really should fix...
> > > [ ] -1 I oppose this release because...
> > >
> > > Thank you,
> > >
> > > Gary Gregory,
> > > Release Manager (using key 86fdc7e2a11262cb)
> > >
> > > The following is intended as a helper and refresher for reviewers.
> > >
> > > Validating a release candidate
> > > ==============================
> > >
> > > These guidelines are NOT complete.
> > >
> > > Requirements: Git, Java, Maven.
> > >
> > > You can validate a release from a release candidate (RC) tag as follows.
> > >
> > > 1a) Clone and checkout the RC tag
> > >
> > > git clone https://gitbox.apache.org/repos/asf/commons-text.git
> > > --branch commons-text-1.11.0-RC1 commons-text-1.11.0-RC1
> > > cd commons-text-1.11.0-RC1
> > >
> > > 1b) Download and unpack the source archive from:
> > >
> > > https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/source
> > >
> > > 2) Check Apache licenses
> > >
> > > This step is not required if the site includes a RAT report page which
> > > you then must check.
> > >
> > > mvn apache-rat:check
> > >
> > > 3) Check binary compatibility
> > >
> > > Older components still use Apache Clirr:
> > >
> > > This step is not required if the site includes a Clirr report page
> > > which you then must check.
> > >
> > > mvn clirr:check
> > >
> > > Newer components use JApiCmp with the japicmp Maven Profile:
> > >
> > > This step is not required if the site includes a JApiCmp report page
> > > which you then must check.
> > >
> > > mvn install -DskipTests -P japicmp japicmp:cmp
> > >
> > > 4) Build the package
> > >
> > > mvn -V clean package
> > >
> > > You can record the Maven and Java version produced by -V in your VOTE reply.
> > > To gather OS information from a command line:
> > > Windows: ver
> > > Linux: uname -a
> > >
> > > 5) Build the site for a single module project
> > >
> > > Note: Some plugins require the components to be installed instead of packaged.
> > >
> > > mvn site
> > > Check the site reports in:
> > > - Windows: target\site\index.html
> > > - Linux: target/site/index.html
> > >
> > > -the end-
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > > For additional commands, e-mail: dev-h...@commons.apache.org
> > >
> >
> > --
> > Elliotte Rusty Harold
> > elh...@ibiblio.org
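As an added example (not code from this thread or from the Commons project), the following POSIX shell script performs the first check a reviewer does on a release candidate: it compares downloaded artifacts against a `name=hash` manifest of the kind posted under "#Release SHA-512s" in the vote e-mail. It assumes `sha512sum` or `shasum` is on PATH; the artifact names, contents and manifest in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: verify downloaded release-candidate
# files against a "name=hash" manifest like the "#Release SHA-512s" listing in
# a vote e-mail. Assumes sha512sum or shasum is on PATH; demo data is constructed.

sha512_of() {                                   # print the SHA-512 hex digest of $1
    if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1" | cut -d' ' -f1
    else shasum -a 512 "$1" | cut -d' ' -f1; fi
}

# verify_manifest MANIFEST DIR: check each "name=hash" line against DIR/name.
# Exit status is the number of missing or mismatching artifacts (0 = all good).
verify_manifest() {
    manifest="$1"; dir="$2"; bad=0
    while IFS='=' read -r name expected || [ -n "$name" ]; do
        expected=${expected%"${expected##*[! ]}"}   # trim trailing spaces
        case "$name" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=$((bad + 1)); continue
        fi
        if [ "$(sha512_of "$dir/$name")" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; bad=$((bad + 1))
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demo: two fake artifacts, a manifest generated from them, then one
# artifact altered after the manifest was written (what a tampered download looks like).
demo() {
    work=$(mktemp -d)
    printf 'release payload\n' > "$work/demo-1.0-bin.zip"
    printf 'source payload\n'  > "$work/demo-1.0-src.zip"
    {
        echo '#Release SHA-512s'
        for f in demo-1.0-bin.zip demo-1.0-src.zip; do
            echo "$f=$(sha512_of "$work/$f")"
        done
    } > "$work/manifest.txt"
    verify_manifest "$work/manifest.txt" "$work" && clean=0 || clean=$?
    printf 'tampered\n' >> "$work/demo-1.0-src.zip"
    verify_manifest "$work/manifest.txt" "$work" && dirty=0 || dirty=$?
    rm -rf "$work"
    echo "failures before tampering: $clean, after: $dirty"
    [ "$clean" -eq 0 ] && [ "$dirty" -eq 1 ]
}
demo
```

A matching hash only shows the download is the file the RC e-mail described; the detached signatures should still be verified with gpg against the KEYS file linked in the e-mail.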