On Wed, 10 Feb 2021 at 22:26, Erik Huelsmann <ehu...@gmail.com> wrote:
> How can a link be more important than an announcement for a fix of an
> *unauthenticated* remote DoS ?
>

When I checked the download page, there were no links for versions 1.10.7 or 1.14.1. i.e. the 2 announce mails were telling people to download versions that were not on the download page. As such, I felt I had to reject the announce email. It looks as though the page has since been updated.

> Same for the KEYS file???
>

I never said that was equally important.

> Don't you think that's way out of proportion?
>
> Erik.
>
> On Wed, Feb 10, 2021 at 4:50 PM Private List Moderation
> <mod-priv...@gsuite.cloud.apache.org> wrote:
> >
> > I don't see how the missing links can be regarded as trivial.
> > This obviously needs to be fixed before the announce can be accepted.
> >
> > At the same time, I asked for the KEYS file link to be standardised.
> > There is already a KEYS file at the standard location - why not link to that instead?
> >
> >
> > On Wed, 10 Feb 2021 at 15:35, Stefan Sperling <s...@apache.org> wrote:
> >>
> >> Sebb, blocking our release announcements over trivialities like this
> >> really is not a nice thing to do. Last time it happened in May 2020.
> >> It was already discussed back then and raised with the announce@
> >> moderation team.
> >>
> >> The Subversion PMC came to the conclusion that our handling of
> >> the KEYS files is adequate for our purposes:
> >> https://svn.haxx.se/dev/archive-2020-05/0156.shtml
> >>
> >> Please raise the issue on our dev@subversion.a.o list if it bothers you.
> >> The moderation mechanism is supposed to prevent spam. Using it to enforce
> >> release workflow policies amounts to misuse of your moderation privileges.
> >>
> >> Regards,
> >> Stefan
> >>
> >> On Wed, Feb 10, 2021 at 03:20:41PM -0000, announce-ow...@apache.org wrote:
> >> >
> >> > Hi! This is the ezmlm program. I'm managing the
> >> > annou...@apache.org mailing list.
> >> >
> >> > I'm working for my owner, who can be reached
> >> > at announce-ow...@apache.org.
> >> >
> >> > I'm sorry, your message (enclosed) was not accepted by the moderator.
> >> > If the moderator has made any comments, they are shown below.
> >> >
> >> > >>>>> -------------------- >>>>>
> >> > Sorry, but the announce cannot be accepted.
> >> > The linked download page does not contain links for the version in the
> >> > email.
> >> >
> >> > Also, the standard name for the KEYS file is KEYS - no prefix, no suffix.
> >> > Please correct the download page, check it, and submit a corrected announce
> >> > mail.
> >> >
> >> > Thanks,
> >> > Sebb.
> >> > <<<<< -------------------- <<<<<
> >> >
> >>
> >> > Date: Wed, 10 Feb 2021 14:37:00 +0100
> >> > From: Stefan Sperling <s...@apache.org>
> >> > To: annou...@subversion.apache.org, us...@subversion.apache.org,
> >> >     dev@subversion.apache.org, annou...@apache.org
> >> > Cc: secur...@apache.org, oss-secur...@lists.openwall.com,
> >> >     bugt...@securityfocus.com
> >> > Subject: [SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released
> >> > Message-ID: <ycphfdancjgpy...@byrne.stsp.name>
> >> > Reply-To: us...@subversion.apache.org
> >> > Content-Type: text/plain; charset=utf-8
> >> >
> >> > I'm happy to announce the release of Apache Subversion 1.10.7.
> >> > Please choose the mirror closest to you by visiting:
> >> >
> >> >     https://subversion.apache.org/download.cgi#supported-releases
> >> >
> >> > This is a stable bugfix and security release of the Apache Subversion
> >> > open source version control system.
> >> >
> >> > THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
> >> >
> >> >   CVE-2020-17525
> >> >   "Remote unauthenticated denial-of-service in Subversion mod_authz_svn"
> >> >
> >> > The full security advisory for CVE-2020-17525 is available at:
> >> >   https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
> >> >
> >> > A brief summary of this advisory follows:
> >> >
> >> >   Subversion's mod_authz_svn module will crash if the server is using
> >> >   in-repository authz rules with the AuthzSVNReposRelativeAccessFile
> >> >   option and a client sends a request for a non-existing repository URL.
> >> >
> >> >   This can lead to disruption for users of the service.
> >> >
> >> >   We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
> >> >   of the Subversion mod_dav_svn server.
> >> >
> >> >   As a workaround, the use of in-repository authz rules files with
> >> >   the AuthzSVNReposRelativeAccessFile can be avoided by switching
> >> >   to an alternative configuration which fetches an authz rules file
> >> >   from the server's filesystem, rather than from an SVN repository.
> >> >
> >> >   This issue was reported by Thomas Åkesson.
> >> >
> >> > SHA-512 checksums are available at:
> >> >
> >> >     https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.sha512
> >> >     https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.sha512
> >> >     https://www.apache.org/dist/subversion/subversion-1.10.7.zip.sha512
> >> >
> >> > PGP Signatures are available at:
> >> >
> >> >     https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.asc
> >> >     https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.asc
> >> >     https://www.apache.org/dist/subversion/subversion-1.10.7.zip.asc
> >> >
> >> > For this release, the following people have provided PGP signatures:
> >> >
> >> >    Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
> >> >     8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
> >> >    Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
> >> >     BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
> >> >    Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
> >> >     8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
> >> >
> >> > These public keys are available at:
> >> >
> >> >     https://www.apache.org/dist/subversion/subversion-1.10.7.KEYS
> >> >
> >> > Release notes for the 1.10.x release series may be found at:
> >> >
> >> >     https://subversion.apache.org/docs/release-notes/1.10.html
> >> >
> >> > You can find the list of changes between 1.10.7 and earlier versions at:
> >> >
> >> >     https://svn.apache.org/repos/asf/subversion/tags/1.10.7/CHANGES
> >> >
> >> > Questions, comments, and bug reports to us...@subversion.apache.org.
> >> >
> >> > Thanks,
> >> > - The Subversion Team
> >> >
> >> > --
> >> > To unsubscribe, please see:
> >> >
> >> >     https://subversion.apache.org/mailing-lists.html#unsubscribing
> >> >
> >> >
>
> --
> Bye,
>
> Erik.
>
> http://efficito.com -- Hosted accounting and ERP.
> Robust and Flexible. No vendor lock-in.
>
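
An added example, not part of the thread and not Subversion's own tooling: a small audit of httpd configuration text for the setup that the quoted CVE-2020-17525 summary describes, so an administrator can tell whether the upgrade or the workaround applies. Treating values that start with `^/` or `file://` as in-repository rules is an assumption, and the sample configuration is constructed.

```python
import re

# The directive named in the CVE-2020-17525 summary quoted in the thread.
DIRECTIVE = re.compile(r'^\s*AuthzSVNReposRelativeAccessFile\s+(\S.*?)\s*$', re.IGNORECASE)

# Assumption: a value starting with "^/" or "file://" is read from a repository
# ("in-repository authz rules"); any other value is a path on the filesystem.
IN_REPO_PREFIXES = ('^/', 'file://')

def audit_httpd_conf(text):
    """Return [(line_no, value, in_repo)] for each active use of the directive."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith('#'):  # httpd comments occupy whole lines
            continue
        match = DIRECTIVE.match(raw)
        if match:
            value = match.group(1).strip('"\'')
            in_repo = value.lower().startswith(IN_REPO_PREFIXES)
            findings.append((line_no, value, in_repo))
    return findings

def needs_action(text):
    """True when any active directive points at in-repository rules."""
    return any(in_repo for _, _, in_repo in audit_httpd_conf(text))

# Constructed sample configuration; every path and location is made up.
SAMPLE_CONF = """\
<Location /svn>
    DAV svn
    SVNParentPath /srv/svn
    AuthzSVNReposRelativeAccessFile "^/authz"
</Location>
<Location /svn-internal>
    DAV svn
    SVNParentPath /srv/svn-internal
    # AuthzSVNReposRelativeAccessFile ^/conf/authz
    AuthzSVNAccessFile /etc/apache2/svn-authz
</Location>
<Location /svn-legacy>
    AuthzSVNReposRelativeAccessFile authz
</Location>
"""

if __name__ == '__main__':
    for line_no, value, in_repo in audit_httpd_conf(SAMPLE_CONF):
        verdict = 'in-repository rules' if in_repo else 'filesystem rules'
        print(f'line {line_no}: {value} -> {verdict}')
```

On the sample, only the first location is reported as using in-repository rules; the commented-out directive is ignored and the third location reads its rules from the filesystem.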