On 30 June 2015 at 14:45, Simon Phipps <si...@webmink.com> wrote:

> On Tue, Jun 30, 2015 at 1:38 PM, jan i <j...@apache.org> wrote:
>
> > On 30 June 2015 at 13:54, Simon Phipps <si...@webmink.com> wrote:
> >
> > > On Tue, Jun 30, 2015 at 12:51 PM, jan i <j...@apache.org> wrote:
> > >
> > > > Hi.
> > > >
> > > > It is again time to make a board report, you can find my proposal at
> > > > https://cwiki.apache.org/confluence/display/OOOUSERS/2015+July
> > > >
> > > > comments and changes are welcome.
> > > >
> > >
> > > Should the fact CVE-2015-1774 is still unresolved in the released version
> > > be mentioned?
> > >
> > It is kind of obvious, no new release so of course it is still unresolved.
> >
>
> The previous Board report was issued just before the CVE was made public,
> and is thus not mentioned. Given it's been unresolved for four months, two
> public, shouldn't it be mentioned this time?
>

Allow me to correct your statement, it is not unresolved. We discussed it
on this list and a workaround has been provided. That is the important part, had we
not issued a workaround (and please do remember the theoretical nature of
the problem), then it would have been escalated through other channels.

But apart from that it is not customary to mention CVEs in board reports,
independent of their status.

I have nothing against mentioning it, if the community at large feels it is
needed, even though it would be exceptional.

rgds
jan i.



>
> Thanks,
>
> Simon
>
