I would bring this up in secur...@commons.apache.org if you have something noteworthy. Though a lot of people don’t understand that text manipulation is an extremely general toolkit, making security concerns something that would occur at a higher level with regards to the system using commons-text. Granted, I don’t know your specific situation, thus I would suggest emailing the security list and having a conversation there, as security conversations in the open yield the public knowing about defects before they can be remediated.

Cheers,
-Rob

> On Oct 24, 2023, at 11:46 AM, Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
>
> It's worth triaging the bug tracker sometime. At a quick glance I saw
> several other issues that are arguably security related, mostly around
> character escaping and unescaping.
>
> On Tue, Oct 24, 2023 at 11:43 AM Gary Gregory <garydgreg...@gmail.com> wrote:
>>
>> The issue is a year old with zero comments; I downgraded it to "Major".
>>
>> What's worse is that if it were a real security issue, it should have gone
>> through our security protocol and not a Jira (initially at least).
>>
>> Gary
>>
>> On Tue, Oct 24, 2023, 10:32 AM Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
>>>
>>> https://issues.apache.org/jira/projects/TEXT/issues/TEXT-220?filter=allopenissues
>>> is prioritized as a blocker. I haven't analyzed it in detail so I'm not
>>> sure, but it is security related. If it is a blocker it should be
>>> resolved before 1.11.0. If it is not a blocker, then the priority
>>> should be downgraded.
>>>
>>> On Tue, Oct 24, 2023 at 9:47 AM Gary Gregory <garydgreg...@gmail.com> wrote:
>>>>
>>>> We have fixed quite a few bugs and added some significant enhancements
>>>> since Apache Commons Text 1.10.0 was released, so I would like to
>>>> release Apache Commons Text 1.11.0.
>>>>
>>>> Apache Commons Text 1.11.0 RC1 is available for review here:
>>>> https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1
>>>> (svn revision 64797)
>>>>
>>>> The Git tag commons-text-1.11.0-RC1 commit for this RC is
>>>> 6e2be58f54bb8e376fbb5188ad964cde2ff6f362 which you can browse here:
>>>> https://gitbox.apache.org/repos/asf?p=commons-text.git;a=commit;h=6e2be58f54bb8e376fbb5188ad964cde2ff6f362
>>>>
>>>> You may checkout this tag using:
>>>> git clone https://gitbox.apache.org/repos/asf/commons-text.git --branch commons-text-1.11.0-RC1 commons-text-1.11.0-RC1
>>>>
>>>> Maven artifacts are here:
>>>> https://repository.apache.org/content/repositories/orgapachecommons-1670/org/apache/commons/commons-text/1.11.0/
>>>>
>>>> These are the artifacts and their hashes:
>>>>
>>>> #Release SHA-512s
>>>> #Tue Oct 24 09:39:25 EDT 2023
>>>> commons-text-1.11.0-bin.tar.gz=2e94877000dd270b69e2e8cbf49f258a90b4c628b6b6b0814e300a2f0e9c391f0816dceb0707e596ae3b7c9532f93e7a4917df47c77f44b3a810e14042ce5f3f
>>>> commons-text-1.11.0-bin.zip=f2480ffc6e9d1d678233830602da1c525814cfb8e951872dc4725d3a8e1957dcef8291309dc6ad20789003f04d61e21901eeb606d8f7a946e41c599dd0f35141
>>>> commons-text-1.11.0-bom.json=1acd3a1a3b297f7460b8eb13d0e156644076186de422eaefd74af38e35885190c87e1ff4179222b6d96537a06069df2d03eb77b1bb24ccce8f854bb491e78334
>>>> commons-text-1.11.0-bom.xml=e17bdf02c8704b62b5a3e27d500675704ffba3dd6d934b5f0877261feebac52037faa6f85eea3823422d5dcdcbc35314ec874c189c0cd20a82093a8598bfa7b9
>>>> commons-text-1.11.0-javadoc.jar=63eb0a2c9004854d43ed3ea6e113af07aa2d11632af5beb17a3b1da8f65ef0cecb74e10ac2b496f67e4760cdeaf6925647d4b1fccd40dd6ce66dc076009c42d8
>>>> commons-text-1.11.0-sources.jar=d937fe2eb28fa28a7b345338cc05b5101f3303baa501f8f6ad4a0efb604375b90997292bcccbdc994889415c3ea709b8b18497a04f83f050661db92a7f5ccaae
>>>> commons-text-1.11.0-src.tar.gz=3a97b58eae3e8a51fe46c3296021622bfe912869b2d9666c745f345d574bbc86307acfb39b329c6a544728b35d200487c6b752de1909a209692a2f00fb260460
>>>> commons-text-1.11.0-src.zip=72d75261812df2f004aa680d6fbe5c71b77558f89ff03d117363f77811dfbda891c5f489dbae40132063ab1db1d5d30ca81da0674c79c817e9527b260d7a8560
>>>> commons-text-1.11.0-test-sources.jar=44191a4135b572397131517eac9394564fef0129693110ced2e0d1c8585857b6eedebec8f653bb70f79d74e0334dcc7cc1f663a9101c262651e6e973251e875a
>>>> commons-text-1.11.0-tests.jar=e7d8c3d6e8c056fe793864d8cac4aa84e49789609fc7ea73270a3ba9829451300d4b6663641a013e3fc25d0ae97f57fc1258b303d89f6ed23c44116b22c0989c
>>>> org.apache.commons_commons-text-1.11.0.spdx.json=64b008e082a13db858015e8680183a83d4a29be73dba66b5eb49b6ea77e11b676f1f8b997ab4fce49f0778423b97612516139679af1cb552b3adf65f296cccb7
>>>>
>>>> I have tested this with:
>>>>
>>>> mvn -V -Prelease -Ptest-deploy -P jacoco -P japicmp clean package site deploy
>>>>
>>>> Using:
>>>>
>>>> Apache Maven 3.9.5 (57804ffe001d7215b5e7bcb531cf83df38f93546)
>>>> Maven home: /usr/local/Cellar/maven/3.9.5/libexec
>>>> Java version: 21, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk/21/libexec/openjdk.jdk/Contents/Home
>>>> Default locale: en_US, platform encoding: UTF-8
>>>> OS name: "mac os x", version: "14.0", arch: "x86_64", family: "mac"
>>>> Darwin gdg-mac-mini.local 23.0.0 Darwin Kernel Version 23.0.0: Fri Sep 15 14:42:42 PDT 2023; root:xnu-10002.1.13~1/RELEASE_X86_64 x86_64
>>>>
>>>> Details of changes since 1.10.0 are in the release notes:
>>>> https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/RELEASE-NOTES.txt
>>>> https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/site/changes-report.html
>>>>
>>>> Site:
>>>> https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/site/index.html
>>>> (note some *relative* links are broken and the 1.11.0 directories
>>>> are not yet created - these will be OK once the site is deployed.)
>>>>
>>>> JApiCmp Report (compared to 1.10.0):
>>>> https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/site/japicmp.html
>>>>
>>>> RAT Report:
>>>> https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/site/rat-report.html
>>>>
>>>> KEYS:
>>>> https://downloads.apache.org/commons/KEYS
>>>>
>>>> Please review the release candidate and vote.
>>>> This vote will close no sooner than 72 hours from now.
>>>>
>>>> [ ] +1 Release these artifacts
>>>> [ ] +0 OK, but...
>>>> [ ] -0 OK, but really should fix...
>>>> [ ] -1 I oppose this release because...
>>>>
>>>> Thank you,
>>>>
>>>> Gary Gregory,
>>>> Release Manager (using key 86fdc7e2a11262cb)
>>>>
>>>> The following is intended as a helper and refresher for reviewers.
>>>>
>>>> Validating a release candidate
>>>> ==============================
>>>>
>>>> These guidelines are NOT complete.
>>>>
>>>> Requirements: Git, Java, Maven.
>>>>
>>>> You can validate a release from a release candidate (RC) tag as follows.
>>>>
>>>> 1a) Clone and checkout the RC tag
>>>>
>>>> git clone https://gitbox.apache.org/repos/asf/commons-text.git --branch commons-text-1.11.0-RC1 commons-text-1.11.0-RC1
>>>> cd commons-text-1.11.0-RC1
>>>>
>>>> 1b) Download and unpack the source archive from:
>>>>
>>>> https://dist.apache.org/repos/dist/dev/commons/text/1.11.0-RC1/source
>>>>
>>>> 2) Check Apache licenses
>>>>
>>>> This step is not required if the site includes a RAT report page which
>>>> you then must check.
>>>>
>>>> mvn apache-rat:check
>>>>
>>>> 3) Check binary compatibility
>>>>
>>>> Older components still use Apache Clirr:
>>>>
>>>> This step is not required if the site includes a Clirr report page
>>>> which you then must check.
>>>>
>>>> mvn clirr:check
>>>>
>>>> Newer components use JApiCmp with the japicmp Maven Profile:
>>>>
>>>> This step is not required if the site includes a JApiCmp report page
>>>> which you then must check.
>>>>
>>>> mvn install -DskipTests -P japicmp japicmp:cmp
>>>>
>>>> 4) Build the package
>>>>
>>>> mvn -V clean package
>>>>
>>>> You can record the Maven and Java version produced by -V in your VOTE reply.
>>>> To gather OS information from a command line:
>>>> Windows: ver
>>>> Linux: uname -a
>>>>
>>>> 5) Build the site for a single module project
>>>>
>>>> Note: Some plugins require the components to be installed instead of packaged.
>>>>
>>>> mvn site
>>>> Check the site reports in:
>>>> - Windows: target\site\index.html
>>>> - Linux: target/site/index.html
>>>>
>>>> -the end-
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>>>> For additional commands, e-mail: dev-h...@commons.apache.org
>>>>
>>>
>>>
>>> --
>>> Elliotte Rusty Harold
>>> elh...@ibiblio.org
>>>
>
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
>
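The RC mail quoted above publishes the artifact SHA-512s as `name=hash` lines and points at the KEYS file, but the reviewer checklist (steps 1a to 5) never actually compares downloaded artifacts against those digests. The POSIX shell helper below is an added example for that gap; it is not part of the Commons release tooling and not from anyone's mail in this thread. It reads a manifest in the same `#`-commented `name=hash` format, hashes each named file in a directory, and fails if any file is missing or differs. The fixture it builds (file names `demo-1.11.0-*.tar.gz`, their contents and the manifest) is constructed here for the demonstration; the real artifacts and hash list would come from the dist.apache.org directory in the mail.

```shell
#!/bin/sh
# Verify release-candidate artifacts against a "name=sha512" manifest such as
# the "#Release SHA-512s" block pasted into a [VOTE] mail. Hypothetical helper
# written for this page, not part of the Apache Commons release process.

# Portable SHA-512 of one file: coreutils sha512sum on Linux, shasum on macOS/BSD.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_sha512_manifest MANIFEST DIR
# Skips blank and '#' lines, splits each remaining line at the first '=',
# hashes DIR/<name> and compares case-insensitively. Prints one status line
# per artifact; returns 0 only if every listed file exists and matches.
verify_sha512_manifest() {
    manifest=$1; dir=$2; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        name=${line%%=*}
        expected=$(printf '%s' "${line#*=}" | tr 'A-F' 'a-f' | tr -d ' \r')
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        actual=$(sha512_of "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed fixture (not the real 1.11.0 artifacts): two small files plus a
# manifest in the mail's "#comment / name=hash" format. Prints the directory.
demo_fixture() {
    work=$(mktemp -d)
    printf 'release bits\n' > "$work/demo-1.11.0-bin.tar.gz"
    printf 'source bits\n'  > "$work/demo-1.11.0-src.tar.gz"
    {
        echo '#Release SHA-512s'
        for f in demo-1.11.0-bin.tar.gz demo-1.11.0-src.tar.gz; do
            echo "$f=$(sha512_of "$work/$f")"
        done
    } > "$work/manifest.txt"
    echo "$work"
}

# Pristine fixture: every artifact matches, returns 0.
check_clean() {
    w=$(demo_fixture)
    verify_sha512_manifest "$w/manifest.txt" "$w"
}

# One appended byte in the binary archive: reported as MISMATCH, returns 1.
check_tampered() {
    w=$(demo_fixture)
    printf 'x' >> "$w/demo-1.11.0-bin.tar.gz"
    verify_sha512_manifest "$w/manifest.txt" "$w"
}

# Stand-alone run: show both outcomes without aborting under sh -e.
check_clean
echo '--- tampered copy ---'
check_tampered || echo 'tampered fixture rejected as expected'
```

For a real RC, paste the hash lines from the mail (without the `>` quote markers) into `manifest.txt`, download the files from the dist.apache.org RC directory into one folder, and run `verify_sha512_manifest manifest.txt ./1.11.0-RC1`. A digest match only proves the download equals what the mail claims; to tie the artifacts to the release manager, import https://downloads.apache.org/commons/KEYS with `gpg --import` and run `gpg --verify <artifact>.asc <artifact>` on the detached signatures Apache publishes beside each artifact, checking that the signing key is the one the mail names (86fdc7e2a11262cb).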