I thought the CVE was mentioned in the release announcement. The security team did eventually respond to us and said we shouldn't need a new CVE since it's the same source code that's affected.
Thanks. Michael Glavassevich XML Technologies and WAS Development IBM Toronto Lab E-mail: mrgla...@ca.ibm.com E-mail: mrgla...@apache.org David Dillard <david.dill...@veritas.com> wrote on 05/21/2018 10:25:25 AM: > From: David Dillard <david.dill...@veritas.com> > To: "j-...@xerces.apache.org" <j-...@xerces.apache.org> > Cc: "j-users@xerces.apache.org" <j-users@xerces.apache.org>, > "muk...@apache.org" <muk...@apache.org>, "priv...@xerces.apache.org" > <priv...@xerces.apache.org> > Date: 05/22/2018 09:45 AM > Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release > > Any news on this? > > > From: Michael Glavassevich [mailto:mrgla...@ca.ibm.com] > Sent: Monday, April 30, 2018 11:54 AM > To: j-...@xerces.apache.org > Cc: j-users@xerces.apache.org; muk...@apache.org; priv...@xerces.apache.org > Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release > > I have asked security@ for guidance on what to do next. > > Michael Glavassevich > XML Technologies and WAS Development > IBM Toronto Lab > E-mail: mrgla...@ca.ibm.com > E-mail: mrgla...@apache.org > > David Dillard <david.dill...@veritas.com> wrote on 04/30/2018 11:02:28 AM: > > > From: David Dillard <david.dill...@veritas.com> > > To: "j-...@xerces.apache.org" <j-...@xerces.apache.org>, > > "muk...@apache.org" <muk...@apache.org>, "priv...@xerces.apache.org" > > <priv...@xerces.apache.org>, "j-users@xerces.apache.org" <j- > > us...@xerces.apache.org> > > > > Date: 04/30/2018 11:32 AM > > Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release > > > > I asked before about getting a CVE for the issue I raised that was > > fixed, and about a security advisory. I don’t recall seeing a response. > > > > Can that please be done as well? I don’t know what the internal > > Apache process is for getting CVEs, but there’s got to be one. > > > > > > From: Mukul Gandhi [mailto:muk...@apache.org] > > Sent: Sunday, April 29, 2018 11:45 PM > > To: j-...@xerces.apache.org; priv...@xerces.apache.org; j- > > us...@xerces.apache.org > > Subject: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release > > > > Hi all, > > The vote to release Xerces-J 2.12.0 resulted in 3 +1 votes (all > > from PMC members) and no other votes: > > > > +1 by: > > Gareth Reakes (PMC) > > Michael Glavassevich (PMC) > > Mukul Gandhi (PMC) > > > > The release should be up on the mirror sites very soon. > > > > > > On Mon, Apr 23, 2018 at 5:36 PM, Mukul Gandhi <muk...@apache.org> wrote: > > Hi all, > > The 1st voting for Xerces-J 2.12.0 release was stopped, due to > > certain issues that were in the release candidates (RC) that were > > found by the reviewers ([5]). Those have been fixed now, and I'm > > initiating this new mail for the Vote for new RC. > > > > I've uploaded Xerces-J 2.12.0 release candidates (the revised one) > > to [1] for review. In this release candidate there are two sets of > > packages, the main release built from the trunk [2] and the XML > > Schema 1.1 release built from the XML Schema 1.1 development branch > > [3]. The change summary is available here [4] in JIRA. 81 issues > > (plus issues that were mentioned, during the review of 1st RC) > were resolved. > > > > Test results have been looking good, so I'd like to call an official > > vote now on the release. > > > > To start, here's my +1. > > > > Great work everyone. > > > > [1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/ > > Revision 26468 > > > > [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/ > > Directory revision: 1829687 (of 1829689) > > > > [3] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0- > > xml-schema-1.1/ > > Directory revision: 1829688 (of 1829689) > > > > [4] https://issues.apache.org/jira/secure/ReleaseNote.jspa? > > projectId=10520&version=12336542 > > > > [5] https://markmail.org/message/54obpdyqrn6nfzgi: discussion about > > previous RC, suggesting a revote > > > > [6] Deleting .md5 hash files from the RC distribution at, https:// > > dist.apache.org/repos/dist/dev/xerces/j/2.12.0/. Mentioned Revision > > number in point [1] above. (suggestions from sebb, seb...@gmail.com > > during this voting) > > > > > > > > > -- > > Regards, > > Mukul Gandhi
