Hi,

Can someone please get a CVE for the readObject issue? I don’t know what the internal ASF process is for that, but ASF is its own CNA so it seems there must be one.

Also, it’d be good to issue a security advisory concurrent with the release announcement.

Regards,
David

From: Mukul Gandhi [mailto:muk...@apache.org]
Sent: Saturday, April 21, 2018 1:05 AM
To: j-...@xerces.apache.org
Cc: priv...@xerces.apache.org; j-users@xerces.apache.org
Subject: [EXTERNAL] Re: [VOTE]: Xerces-J 2.12.0 Release

Hi Michael & all,

I've fixed all the below-mentioned issues that were found in the previous RC, within the revised RC for the 2.12.0 release. I'll shortly be writing a separate mail for the Vote for the new RC.

On Fri, Apr 20, 2018 at 2:29 AM, Michael Glavassevich <mrgla...@ca.ibm.com> wrote:

Should fix the copyright years in the docs too. It currently has: 1999-2014 in the footer of all the pages.

Michael Glavassevich <mrgla...@ca.ibm.com> wrote on 04/19/2018 04:40:16 PM:

> Hi Mukul,
>
> I noticed that the copyright year in the NOTICE file still says
> 2015. I'm pretty sure that this needs to be updated.
>
> There's also the discussion on the list about CVE-2018-2799 that we
> have an opportunity to address.
>
> I think we should stop the vote on this release candidate and respin
> with fixes for these issues.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrgla...@ca.ibm.com
> E-mail: mrgla...@apache.org

--
Regards,
Mukul Gandhi