Re: [jxpath] reported CVE and path forward

2022-10-19 Thread Mark Thomas

On 15/10/2022 17:12, Mark Thomas wrote:

On 11/10/2022 16:25, Mike Drob wrote:

Thanks for this outline, Mark. Some questions in line.

Mike

On Tue, Oct 11, 2022 at 6:13 AM Mark Thomas  wrote:


Roman - don't do anything yet.

Commons folk, I suggest the following which is based on how we have
oss-fuzz set up on Tomcat.

1. Create a Google account for fuzz-testing@c.a.o
2. Put the password for the account in the PMC private shared repo so
any PMC member can access these reports.



If the dashboard doesn't support groups then maybe this is the only way.
Otherwise I think it would be very nice if we could use ASF committer 
info

or possibly github info since that often has mirrored groups of our
internal organizational structure.


Yes this would be ideal, but isn't currently possible.


3. Get Roman to add this account to the JXPath oss-fuzz project and the
projects for any other Commons components they have set up



Maybe it makes sense to group all of the apache-commons-* projects under
the general apache-commons module at
https://github.com/google/oss-fuzz/tree/master/projects/
That module is the one that was initially set up, including compress and
imaging as mentioned by Matt S upthread.


+1.


4. Review the reports once we have access via fuzz-testing@c.a.o (I'll
volunteer to help with this as I have some experience from Tomcat which
should speed things up)



I would be happy to volunteer.


Tx


5. Ask the ASF security to get all CVEs allocated by Google to Apache
Commons components transferred to the ASF (we can edit them once we have
ownership)
6. Ask the ASF security team to contact Google to make sure that Google
follows the CNA rules and stops allocating CVEs for projects outside of
its scope.

If there is agreement to this approach, I'll volunteer to get the things
on the list above done. Depending on the number of issues, I may be
asking for help with 4.

Given this is all public, I don't see any need to use the security@c.a.o
list unless we come across a valid, non-public issue.


Based on the feedback I'm amending my proposal to replace the original 
step 3) with:


3a) Get the new shared account added to the existing apache-commons module
3b) Request that Code Intelligence move these individual modules under 
the existing apache-commons module.


I'm going to go ahead and start this process with one further small 
amendment after double-checking how Tomcat is set up.


The Google account will be for secur...@commons.apache.org so that 
reports are delivered directly to the security@c.a.o list.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org



Correctly configuring Apache Commons components for oss-fuzz

2022-10-19 Thread Mark Thomas

Hi,

You are receiving this email as you are currently configured as the 
recipients for oss-fuzz reports for Apache Commons JXPath.


As per the discussion on the Apache Commons dev list[1], please make the 
following configuration changes to the oss-fuzz integrations with 
immediate effect:


- Move all oss-fuzz integrations added for *ALL* Apache Commons
  components to the oss-fuzz module for Apache-Commons:

  https://github.com/google/oss-fuzz/tree/master/projects/apache-commons

  There should *NOT* be separate oss-fuzz modules for each component


- Add the Google account for "secur...@commons.apache.org" to
  - the notifications for these issues
  - the ACL to enable this account to access the details for each report


Please notify dev@commons.apache.org and secur...@commons.apache.org 
when these changes have been completed.


Thanks,

Mark



[1]  https://lists.apache.org/thread/53vwy3g8w3f8nydz7jvxm8snrqx7msln




Re: Publish statement on Commons Text CVE

2022-10-19 Thread Gary Gregory
Hi Arnout,

Would you be available to update the Commons Configuration page
https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
in the same way you did for Commons Text? The CVE is basically the
same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980

Gary

On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory  wrote:
>
> FYI: I updated the security page
> https://commons.apache.org/proper/commons-text/security.html
>
> Gary
>
> On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory  wrote:
> >
> > I have an unpublished security page in the repo already. Let's not 
> > duplicate information like this PR does please. Publishing a non-snapshot 
> > site is a pain and I don't want to do more than I have to. There is no need 
> > to buy in and promote the FUD on the front page IMO. This component will 
> > soon publish a security page and you can PR that page 
> > (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml)
> >  if you want to update the details.
> >
> > TY!
> >
> > On Tue, Oct 18, 2022, 09:52 Arnout Engelen  wrote:
> >>
> >> Hello Commons,
> >>
> >> As you might know Commons Text recently published a CVE. It seems there is
> >> a fair bit of confusion about its severity online, so it seems like a good
> >> idea to publish a statement around that on the website.
> >>
> >> I've proposed one at https://github.com/apache/commons-text/pull/374 and
> >> I'd like to ask for your review & help publishing. Given the issue is
> >> getting some attention it might be nice to publish something soon and maybe
> >> refine it later ;). I'll also publish it at
> >> https://blogs.apache.org/security .
> >>
> >> I think what would need to happen is:
> >> * review and merge https://github.com/apache/commons-text/pull/374
> >> * check out the commit before the merge commit (since that one still has
> >> 1.10.0 as the version in the pom.xml)
> >> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
> >> * push the tag
> >> * do a 'mvn site:deploy'
> >>
> >> Much appreciated!
> >>
> >>
> >> Kind regards,
> >>
> >> Arnout




Re: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1

2022-10-19 Thread sman81
> You have added test data for CSVFormat for 1.7 and 1.8 and these do
> not work (commented out). I take it this means serialization has been
> broken since the CSVFormat.delimiter was changed from char to String
> in 1.9.0.

That's correct, Alex. I added the comments for documentation. Should we decide 
to fix serialization from version 1.7 and version 1.8 upwards, the test and 
test data can be enabled.

> So given serialization was already broken in the last
> release does it make any sense to fix it for 1.9.0 to 1.10.0 for the new field?

According to the number of Maven Central downloads, versions 1.8 and 1.9.0 are 
the most popular of commons-csv.
So I think there is merit in fixing serialization issues from 1.9.0 to 1.10.0.
Besides, the PR already offers the fix, why abandon it?

Will PR #276 be part of version 1.10.0?
Do we have a volunteer to review and merge it?

regards,
Markus



From: Alex Herbert 
Sent: Monday, October 17, 2022 19:53
To: Commons Developers List 
Subject: Re: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1

On Mon, 17 Oct 2022 at 17:11,  wrote:
>
> Hello
>
> > This is the logic from the current builder:
> > DuplicateHeaderMode mode = allowDuplicateHeaderNames ?
> > DuplicateHeaderMode.ALLOW_ALL : DuplicateHeaderMode.ALLOW_EMPTY
>
> This is true only if Builder.setAllowDuplicateHeaderNames is actually called, 
> which is at the library user's discretion.

I was only discussing the deserialization path and the logic that
would be required in custom deserialization code to support backwards
compatibility. However I do not think this library is supporting
Serializable going forward. It is already known to be broken for
CSVRecord and now also CSVFormat.

>
> Otherwise CSVFormat.Builder.duplicateHeaderMode remains null.
> Also, the method Builder.setDuplicateHeaderMode(DuplicateHeaderMode) accepts 
> null. A non-null parameter should be enforced.
>
> Besides, shouldn't the above statement be:
> allowDuplicateHeaderNames ? ALLOW_ALL : DISALLOW
> ?
>
> duplicateHeaderMode should default to DISALLOW for backward compatibility.

Duplicate header support was added in 1.7. Before that I do not know
what happened without checking the old code. It may have thrown an
exception or silently ignored it. I would have to track down the Jira
ticket for when the feature was added.

>
> Found another small bug in setNullString where member quotedNullString was 
> inconsistently written (missing write in setQuote):
>
> this.quotedNullString = quoteCharacter + nullString + 
> quoteCharacter;
>
> All of the above in pull request 
> https://github.com/apache/commons-csv/pull/276
>
> @Alex would you review my PR please?

Sure.

You have added test data for CSVFormat for 1.7 and 1.8 and these do
not work (commented out). I take it this means serialization has been
broken since the CSVFormat.delimiter was changed from char to String
in 1.9.0. So given serialization was already broken in the last
release does it make any sense to fix it for 1.9.0 to 1.10.0 for the
new field?

I agree that the quotedNullString is inconsistently handled.

Regards,

Alex


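A worked illustration of the deserialization point Markus and Alex are debating above: a Serializable class gains a new enum field while keeping its serialVersionUID, and a custom readObject has to cope with streams written before the field existed. This is an added example, not code from commons-csv. The Format class, the DuplicateHeaderMode stand-in and the boolean-to-enum mapping (ALLOW_ALL when the old flag was true, DISALLOW otherwise) are assumptions made for the demo; which mapping is right for CSVFormat is exactly what the thread leaves open. So that it runs stand-alone, the bytes the "old release" would have written are hand-assembled with DataOutputStream from the Java Object Serialization stream grammar rather than read from a stored .ser file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamConstants;
import java.io.Serializable;

public class SerialCompatDemo {

    /** Stand-in for the mode enum; not the commons-csv type. */
    enum DuplicateHeaderMode { ALLOW_ALL, ALLOW_EMPTY, DISALLOW }

    /**
     * Hypothetical format class (not CSVFormat) that gained an enum field in a
     * later release while keeping its serialVersionUID unchanged.
     */
    static final class Format implements Serializable {
        private static final long serialVersionUID = 1L;

        private boolean allowDuplicateHeaderNames;      // existed in the "old" release
        private DuplicateHeaderMode duplicateHeaderMode; // added in the "new" release

        Format(boolean allowDuplicateHeaderNames, DuplicateHeaderMode mode) {
            this.allowDuplicateHeaderNames = allowDuplicateHeaderNames;
            this.duplicateHeaderMode = mode;
        }

        boolean getAllowDuplicateHeaderNames() { return allowDuplicateHeaderNames; }
        DuplicateHeaderMode getDuplicateHeaderMode() { return duplicateHeaderMode; }

        /**
         * Backward-compatible deserialization. GetField.get(name, default) returns the
         * default when the field is declared locally but absent from the stream, and
         * defaulted(name) reports that case, so an old stream can be upgraded here.
         */
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            ObjectInputStream.GetField f = in.readFields();
            allowDuplicateHeaderNames = f.get("allowDuplicateHeaderNames", false);
            duplicateHeaderMode = (DuplicateHeaderMode) f.get("duplicateHeaderMode", null);
            if (f.defaulted("duplicateHeaderMode") || duplicateHeaderMode == null) {
                // Assumed mapping for streams that predate the enum; the thread has not settled this.
                duplicateHeaderMode = allowDuplicateHeaderNames
                        ? DuplicateHeaderMode.ALLOW_ALL : DuplicateHeaderMode.DISALLOW;
            }
        }
    }

    /**
     * Constructed test input: the bytes the OLD release would have written for a
     * Format instance (same class name and serialVersionUID, boolean field only,
     * no writeObject), built from the serialization stream grammar.
     */
    static byte[] oldReleaseStream(boolean allowDuplicates) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC);
        out.writeShort(ObjectStreamConstants.STREAM_VERSION);
        out.writeByte(ObjectStreamConstants.TC_OBJECT);
        out.writeByte(ObjectStreamConstants.TC_CLASSDESC);
        out.writeUTF(Format.class.getName());
        out.writeLong(Format.serialVersionUID);               // must match the local class
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE);  // no SC_WRITE_METHOD in the old class
        out.writeShort(1);                                     // one serializable field
        out.writeByte('Z');                                    // primitive boolean
        out.writeUTF("allowDuplicateHeaderNames");
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA);  // empty class annotation
        out.writeByte(ObjectStreamConstants.TC_NULL);          // no serializable superclass
        out.writeBoolean(allowDuplicates);                     // field values, primitives first
        out.flush();
        return buf.toByteArray();
    }

    static Format fromOldRelease(boolean allowDuplicates) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(oldReleaseStream(allowDuplicates)))) {
            return (Format) in.readObject();
        }
    }

    /** Round trip through the current class shape, which writes the enum field. */
    static Format roundTrip(Format format) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(format);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (Format) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("old stream, allow=true  -> " + fromOldRelease(true).getDuplicateHeaderMode());
        System.out.println("old stream, allow=false -> " + fromOldRelease(false).getDuplicateHeaderMode());
        Format current = roundTrip(new Format(true, DuplicateHeaderMode.ALLOW_EMPTY));
        System.out.println("current stream          -> " + current.getDuplicateHeaderMode());
    }
}
```

Run with `javac SerialCompatDemo.java && java SerialCompatDemo`; the two old-release streams come out as ALLOW_ALL and DISALLOW and the current round trip keeps ALLOW_EMPTY. With default deserialization (no readObject) a field missing from the stream is simply left at its Java default, so the enum would arrive as null. The pattern cannot rescue the 1.7/1.8 case mentioned in the thread, though: when a field's type changed from a primitive (char) to an object (String), ObjectInputStream rejects the stream with an InvalidClassException ("incompatible types for field") while matching descriptors, before readObject ever runs.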


Re: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1

2022-10-19 Thread Gary D. Gregory
My +1

Gary

On 2022/10/16 12:48:50 Gary Gregory wrote:
> To: dev@commons.apache.org
> We have fixed a few bugs and added some enhancements since Apache
> Commons CSV 1.9.0 was released, so I would like to release Apache
> Commons CSV 1.10.0.
> 
> Apache Commons CSV 1.10.0 RC1 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/csv/1.10.0-RC1 (svn
> revision 57404)
> 
> The Git tag commons-csv-1.10.0-RC1 commit for this RC is
> 1bd1fd8e6065da9d07b5a3a1723b059246b14001 which you can browse here:
> 
> https://gitbox.apache.org/repos/asf?p=commons-csv.git;a=commit;h=1bd1fd8e6065da9d07b5a3a1723b059246b14001
> You may checkout this tag using:
> git clone https://gitbox.apache.org/repos/asf/commons-csv.git
> --branch commons-csv-1.10.0-RC1 commons-csv-1.10.0-RC1
> 
> Maven artifacts are here:
> 
> https://repository.apache.org/content/repositories/orgapachecommons-1600/org/apache/commons/commons-csv/1.10.0/
> 
> These are the artifacts and their hashes:
> 
> #Release SHA-512s
> #Sun Oct 16 08:32:39 EDT 2022
> Apache\ Commons\
> CSV-1.10.0.spdx.rdf.xml=c8cf7495637ce5282c72aa8e8ef4b93f206fbbdf21c7b337a34daa3b89af9816073d0185118cab4cdbed5104cc7f090e81efb614594079b02829c96829fe8aeb
> commons-csv-1.10.0-bin.tar.gz=5b0ff3f5cc4aeff6c2aa2c11e92ea8b1b1fbbcd098ba79d97bcfd9af3ea08a9ebc922e5237bda8abcb238eb0d2fe7a5ef27534d0d796a1fc77691684a698f3d1
> commons-csv-1.10.0-bin.zip=a52caa6ccda5b830c133c965fd6843d8f960e1ce3ef83decf5435022481746093cf8b4308c1fded21a168b751724b4a9f5e72f3eca34381828968bff89e7239b
> commons-csv-1.10.0-bom.json=0e3e6652e520afb697461a3f6b33458dc8ef1dd157c2b1442664b8f12f7504226916e64960cea5cc92dd2b923d18047ed921be60eb7febfbeffc8ac3e3254fc0
> commons-csv-1.10.0-bom.xml=91e494b94eea35ee7d85c8d8dbdc5029f981e0c5a8b1aae2b0f3cd77d1cea0fb0fc8c857d18d41ca055d12c4c4eb1adf70582f178a88751b836861c3286283db
> commons-csv-1.10.0-javadoc.jar=719656f5399e0889af2e8b40f49458d0dec6e8ae85413f36caa2187235c68d9e42502bf07c66c0bcc7c5c3427bc0aac51f9897581842d303501bbff5ec73bdc0
> commons-csv-1.10.0-sources.jar=c78c8fa112ef35d6d6c061b05e08816ce516a3acd56d720c59dbdaeb9d1202b16294233bd2aa2fac91cfa759456f8d7e08951876d85decdf0b8fb215a8e31754
> commons-csv-1.10.0-src.tar.gz=a0d3a7aedab567aaa32a3dd1ceddeff412e686f3fd2b0805993db7e3dd4804b4d5d59e70f1500f23e8d0ba6531832e9f20d0c298bd443d9825724d5d1b1c87b3
> commons-csv-1.10.0-src.zip=5cbdbcf367c9dd78e76228817592d70378b3cd8d919fdcd7df5c3eb2d7ebd8bd47fbb17376a631efb640be4115d42d3cc7aafa866bfefdfe073d5a4fcf625e0b
> commons-csv-1.10.0-test-sources.jar=0d77c791934609b176457df5c60fdd5bfa3c6f392375adef81e5e7cd31de7fb25bd91b0bbe60a9ff46acb62efc2a33660adff24850370b7546a71374aa267f94
> commons-csv-1.10.0-tests.jar=9a08e4d2ec865d9e1dafc01e4ee58804490b2d50f886bac47a5235581077b31a15dda5b3f8f2adb5a70be8794cca886126d980d6d3722eec2e10471fc24e1940
> 
> I have tested this with 'mvn' and 'mvn -V -Duser.name=$my_apache_id
> -Prelease -Ptest-deploy -P jacoco -P japicmp clean package site
> deploy' using:
> 
> Darwin *** 21.6.0 Darwin Kernel Version 21.6.0: Mon Aug 22 20:17:10
> PDT 2022; root:xnu-8020.140.49~2/RELEASE_X86_64 x86_64
> 
> Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
> Maven home: /usr/local/Cellar/maven/3.8.6/libexec
> Java version: 1.8.0_345, vendor: Homebrew, runtime:
> /usr/local/Cellar/openjdk@8/1.8.0+345/libexec/openjdk.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "12.6", arch: "x86_64", family: "mac"
> 
> Details of changes since 1.9.0 are in the release notes:
> 
> https://dist.apache.org/repos/dist/dev/commons/csv/1.10.0-RC1/RELEASE-NOTES.txt
> 
> https://dist.apache.org/repos/dist/dev/commons/csv/1.10.0-RC1/site/changes-report.html
> 
> Site:
> 
> https://dist.apache.org/repos/dist/dev/commons/csv/1.10.0-RC1/site/index.html
> (note some *relative* links are broken and the 1.10.0 directories
> are not yet created - these will be OK once the site is deployed.)
> 
> JApiCmp Report (compared to 1.9.0):
> 
> https://dist.apache.org/repos/dist/dev/commons/csv/1.10.0-RC1/site/japicmp.html
> 
> RAT Report:
> 
> https://dist.apache.org/repos/dist/dev/commons/csv/1.10.0-RC1/site/rat-report.html
> 
> KEYS:
>   https://downloads.apache.org/commons/KEYS
> 
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
> 
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...
> 
> Thank you,
> 
> Gary Gregory,
> Release Manager (using key 86fdc7e2a11262cb)
> 
> The following is intended as a helper and refresher for reviewers.
> 
> Validating a release candidate
> ==
> 
> These guidelines are NOT complete.
> 
> Requirements: Git, Java, Maven.
> 
> You can validate a release from a release candidate (RC) tag as follows.
> 
> 1) Clone and checkout the RC tag
> 
> git clone https://gitbox.apache.org/repos/asf/c

Re: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1

2022-10-19 Thread Alex Herbert
On Wed, 19 Oct 2022 at 14:52,  wrote:
>
> > You have added test data for CSVFormat for 1.7 and 1.8 and these do
> > not work (commented out). I take it this means serialization has been
> > broken since the CSVFormat.delimiter was changed from char to String
> > in 1.9.0.
>
> That's correct, Alex. I added the comments for documentation. Should we 
> decide to fix serialization from version 1.7 and version 1.8 upwards, the 
> test and test data can be enabled.
>
> > So given serialization was already broken in the last
> > release does it make any sense to fix it for 1.9.0 to 1.10.0 for the new 
> > field?
>
> According to the number of Maven Central downloads, versions 1.8 and 1.9.0 are 
> the most popular of commons-csv.
> So I think there is merit in fixing serialization issues from 1.9.0 to 1.10.0.
> Besides, the PR already offers the fix, why abandon it?

Serialization is already broken for CSVRecord from 1.7+. It is broken
for CSVFormat 1.7+. It will be removed in 2.0. So I think that
serialization should be ignored going forward.

>
> Will PR #276 be part of version 1.10.0?

Perhaps it should be.

Alex




Re: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1

2022-10-19 Thread Alex Herbert
On Wed, 19 Oct 2022 at 14:57, Gary D. Gregory  wrote:
>
> My +1
>
> Gary

Gary,

PR #276 highlights a behavioural compatibility error in the 1.10.0 RC1.

AllowDuplicates enum may be set to the incorrect value when setting
the allow duplicates boolean. Have you reviewed this? I believe it is
valid.

Alex




Re: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1

2022-10-19 Thread Gary D. Gregory
Hi Markus,

Anyone can vote; please see https://www.apache.org/foundation/voting.html

Note that PMC member votes are binding, while others are advisory.

Gary

On 2022/10/17 10:00:13 sma...@outlook.de wrote:
> Hello
> 
> CSV-264 (Add DuplicateHeaderMode) introduces bugs that should be fixed before 
> shipping 1.10.0 IMO
> - missing default
> - broken serialization of class CSVFormat
> 
> I raised these issues in CSV-302.
> 
> The serialization issue is caught by Revapi. I had suggested to include 
> Revapi in the project (CSV-303) or alternatively add revapi and drop clirr in 
> commons-parent but that more or less fell on deaf ears.
> 
> mvn org.revapi:revapi-maven-plugin:check
> 
> [INFO] 
> 
> [INFO] BUILD FAILURE
> [INFO] 
> 
> [INFO] Total time:  3.560 s
> [INFO] Finished at: 2022-10-17T11:30:21+02:00
> [INFO] 
> 
> [ERROR] Failed to execute goal org.revapi:revapi-maven-plugin:0.14.7:check 
> (default-cli) on project commons-csv: The following API problems caused the 
> build to fail:
> [ERROR] java.field.serialVersionUIDUnchanged: field 
> org.apache.commons.csv.CSVFormat.serialVersionUID: The class changed in an 
> incompatible way with regards to serialization but the serialVersionUID field 
> stayed unchanged. This might be ok and/or desired but is suspicious. 
> https://revapi.org/revapi-java/differences.html#java.field.serialVersionUIDUnchanged
> [ERROR] java.method.exception.checkedRemoved: method 
> java.util.List 
> org.apache.commons.csv.CSVParser::getRecords(): Method no longer throws 
> checked exceptions: java.io.IOException. 
> https://revapi.org/revapi-java/differences.html#java.method.exception.checkedRemoved
> 
> Also noticed that class DuplicateHeaderMode and method 
> CSVFormat.getDuplicateHeaderMode() are incorrectly annotated with "@since 
> 1.9.0". Both are new in version 1.10.0.
> 
> My vote is -1 assuming I am allowed to vote.
> 
> Kind regards,
> Markus
> 
> From: Gary Gregory 
> Sent: Sunday, October 16, 2022 14:48
> To: Commons Developers List 
> Subject: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1 
>  
> To: dev@commons.apache.org
> We have fixed a few bugs and added some enhancements since Apache
> Commons CSV 1.9.0 was released, so I would like to release Apache
> Commons CSV 1.10.0.
> 
> Apache Commons CSV 1.10.0 RC1 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/csv/1.10.0-RC1 (svn
> revision 57404)
> 
> The Git tag commons-csv-1.10.0-RC1 commit for this RC is
> 1bd1fd8e6065da9d07b5a3a1723b059246b14001 which you can browse here:
>     
> https://gitbox.apache.org/repos/asf?p=commons-csv.git;a=commit;h=1bd1fd8e6065da9d07b5a3a1723b059246b14001
> You may checkout this tag using:
>     git clone https://gitbox.apache.org/repos/asf/commons-csv.git
> --branch commons-csv-1.10.0-RC1 commons-csv-1.10.0-RC1
> 
> Maven artifacts are here:
>     
> https://repository.apache.org/content/repositories/orgapachecommons-1600/org/apache/commons/commons-csv/1.10.0/
> 
> These are the artifacts and their hashes:
> 
> #Release SHA-512s
> #Sun Oct 16 08:32:39 EDT 2022
> Apache\ Commons\
> CSV-1.10.0.spdx.rdf.xml=c8cf7495637ce5282c72aa8e8ef4b93f206fbbdf21c7b337a34daa3b89af9816073d0185118cab4cdbed5104cc7f090e81efb614594079b02829c96829fe8aeb
> commons-csv-1.10.0-bin.tar.gz=5b0ff3f5cc4aeff6c2aa2c11e92ea8b1b1fbbcd098ba79d97bcfd9af3ea08a9ebc922e5237bda8abcb238eb0d2fe7a5ef27534d0d796a1fc77691684a698f3d1
> commons-csv-1.10.0-bin.zip=a52caa6ccda5b830c133c965fd6843d8f960e1ce3ef83decf5435022481746093cf8b4308c1fded21a168b751724b4a9f5e72f3eca34381828968bff89e7239b
> commons-csv-1.10.0-bom.json=0e3e6652e520afb697461a3f6b33458dc8ef1dd157c2b1442664b8f12f7504226916e64960cea5cc92dd2b923d18047ed921be60eb7febfbeffc8ac3e3254fc0
> commons-csv-1.10.0-bom.xml=91e494b94eea35ee7d85c8d8dbdc5029f981e0c5a8b1aae2b0f3cd77d1cea0fb0fc8c857d18d41ca055d12c4c4eb1adf70582f178a88751b836861c3286283db
> commons-csv-1.10.0-javadoc.jar=719656f5399e0889af2e8b40f49458d0dec6e8ae85413f36caa2187235c68d9e42502bf07c66c0bcc7c5c3427bc0aac51f9897581842d303501bbff5ec73bdc0
> commons-csv-1.10.0-sources.jar=c78c8fa112ef35d6d6c061b05e08816ce516a3acd56d720c59dbdaeb9d1202b16294233bd2aa2fac91cfa759456f8d7e08951876d85decdf0b8fb215a8e31754
> commons-csv-1.10.0-src.tar.gz=a0d3a7aedab567aaa32a3dd1ceddeff412e686f3fd2b0805993db7e3dd4804b4d5d59e70f1500f23e8d0ba6531832e9f20d0c298bd443d9825724d5d1b1c87b3
> commons-csv-1.10.0-src.zip=5cbdbcf367c9dd78e76228817592d70378b3cd8d919fdcd7df5c3eb2d7ebd8bd47fbb17376a631efb640be4115d42d3cc7aafa866bfefdfe073d5a4fcf625e0b
> commons-csv-1.10.0-test-sources.jar=0d77c791934609b176457df5c60fdd5bfa3c6f392375adef81e5e7cd31de7fb25bd91b0bbe60a9ff46acb62efc2a33660adff24850370b7546a71374aa267f94
> commons-csv-1.10.0-tests.jar=9a08e4d2ec865d9e1dafc01e4ee58804490b2d50f886ba

Re: Publish statement on Commons Text CVE

2022-10-19 Thread Arnout Engelen
On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory 
wrote:

> Would you be available to update the Commons Configuration page
>
> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
> in the same way you did for Commons Text? The CVE is basically the
> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
>

Happy to! Proposed https://github.com/apache/commons-configuration/pull/230


Kind regards,

Arnout

On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory 
> wrote:
> >
> > FYI: I updated the security page
> > https://commons.apache.org/proper/commons-text/security.html
> >
> > Gary
> >
> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory 
> wrote:
> > >
> > > I have an unpublished security page in the repo already. Let's not
> duplicate information like this PR does please. Publishing a non-snapshot
> site is a pain and I don't want to do more than I have to. There is no need
> to buy in and promote the FUD on the front page IMO. This component will
> soon publish a security page and you can PR that page (
> https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml)
> if you want to update the details.
> > >
> > > TY!
> > >
> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen  wrote:
> > >>
> > >> Hello Commons,
> > >>
> > >> As you might know Commons Text recently published a CVE. It seems
> there is
> > >> a fair bit of confusion about its severity online, so it seems like a
> good
> > >> idea to publish a statement around that on the website.
> > >>
> > >> I've proposed one at https://github.com/apache/commons-text/pull/374
> and
> > >> I'd like to ask for your review & help publishing. Given the issue is
> > >> getting some attention it might be nice to publish something soon and
> maybe
> > >> refine it later ;). I'll also publish it at
> > >> https://blogs.apache.org/security .
> > >>
> > >> I think what would need to happen is:
> > >> * review and merge https://github.com/apache/commons-text/pull/374
> > >> * check out the commit before the merge commit (since that one still
> has
> > >> 1.10.0 as the version in the pom.xml)
> > >> * tag it with something clear, like
> "commons-text-1.10.0-docs-update"(?)
> > >> * push the tag
> > >> * do a 'mvn site:deploy'
> > >>
> > >> Much appreciated!
> > >>
> > >>
> > >> Kind regards,
> > >>
> > >> Arnout
>


Re: Publish statement on Commons Text CVE

2022-10-19 Thread Gary Gregory
TY and merged. I'll publish later today.

Gary

On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen  wrote:
>
> On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory  wrote:
>>
>> Would you be available to update the Commons Configuration page
>> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
>> in the same way you did for Commons Text? The CVE is basically the
>> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
>
>
> Happy to! Proposed https://github.com/apache/commons-configuration/pull/230
>
>
> Kind regards,
>
> Arnout
>
>> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory  wrote:
>> >
>> > FYI: I updated the security page
>> > https://commons.apache.org/proper/commons-text/security.html
>> >
>> > Gary
>> >
>> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory  
>> > wrote:
>> > >
>> > > I have an unpublished security page in the repo already. Let's not 
>> > > duplicate information like this PR does please. Publishing a 
>> > > non-snapshot site is a pain and I don't want to do more than I have to. 
>> > > There is no need to buy in and promote the FUD on the front page IMO. 
>> > > This component will soon publish a security page and you can PR that 
>> > > page 
>> > > (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml)
>> > >  if you want to update the details.
>> > >
>> > > TY!
>> > >
>> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen  wrote:
>> > >>
>> > >> Hello Commons,
>> > >>
>> > >> As you might know Commons Text recently published a CVE. It seems there 
>> > >> is
>> > >> a fair bit of confusion about its severity online, so it seems like a 
>> > >> good
>> > >> idea to publish a statement around that on the website.
>> > >>
>> > >> I've proposed one at https://github.com/apache/commons-text/pull/374 and
>> > >> I'd like to ask for your review & help publishing. Given the issue is
>> > >> getting some attention it might be nice to publish something soon and 
>> > >> maybe
>> > >> refine it later ;). I'll also publish it at
>> > >> https://blogs.apache.org/security .
>> > >>
>> > >> I think what would need to happen is:
>> > >> * review and merge https://github.com/apache/commons-text/pull/374
>> > >> * check out the commit before the merge commit (since that one still has
>> > >> 1.10.0 as the version in the pom.xml)
>> > >> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
>> > >> * push the tag
>> > >> * do a 'mvn site:deploy'
>> > >>
>> > >> Much appreciated!
>> > >>
>> > >>
>> > >> Kind regards,
>> > >>
>> > >> Arnout




Re: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1

2022-10-19 Thread Gary Gregory
On Wed, Oct 19, 2022 at 9:52 AM  wrote:
>
> > You have added test data for CSVFormat for 1.7 and 1.8 and these do
> > not work (commented out). I take it this means serialization has been
> > broken since the CSVFormat.delimiter was changed from char to String
> > in 1.9.0.
>
> That's correct, Alex. I added the comments for documentation. Should we 
> decide to fix serialization from version 1.7 and version 1.8 upwards, the 
> test and test data can be enabled.
>
> > So given serialization was already broken in the last
> > release does it make any sense to fix it for 1.9.0 to 1.10.0 for the new 
> > field?
>
> According to the number of Maven Central downloads, versions 1.8 and 1.9.0 are 
> the most popular of commons-csv.
> So I think there is merit in fixing serialization issues from 1.9.0 to 1.10.0.
> Besides, the PR already offers the fix, why abandon it?

It's not abandoned, it will be for the next go around. This is not a blocker.

>
> Will PR #276 be part of version 1.10.0?

No.

> Do we have a volunteer to review and merge it?

Me, later.

TY,
Gary

>
> regards,
> Markus
>
>
> 
> From: Alex Herbert 
> Sent: Monday, October 17, 2022 19:53
> To: Commons Developers List 
> Subject: Re: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1
>
> On Mon, 17 Oct 2022 at 17:11,  wrote:
> >
> > Hello
> >
> > > This is the logic from the current builder:
> > > DuplicateHeaderMode mode = allowDuplicateHeaderNames ?
> > > DuplicateHeaderMode.ALLOW_ALL : DuplicateHeaderMode.ALLOW_EMPTY
> >
> > This is true only if Builder.setAllowDuplicateHeaderNames is actually 
> > called, which is at the library user's discretion.
>
> I was only discussing the deserialization path and the logic that
> would be required in custom deserialization code to support backwards
> compatibility. However I do not think this library is supporting
> Serializable going forward. It is already known to be broken for
> CSVRecord and now also CSVFormat.
>
> >
> > Otherwise CSVFormat.Builder.duplicateHeaderMode remains null.
> > Also, the method Builder.setDuplicateHeaderMode(DuplicateHeaderMode) 
> > accepts null. A non-null parameter should be enforced.
> >
> > Besides, shouldn't the above statement be:
> > allowDuplicateHeaderNames ? ALLOW_ALL : DISALLOW
> > ?
> >
> > duplicateHeaderMode should default to DISALLOW for backward compatibility.
>
> Duplicate header support was added in 1.7. Before that I do not know
> what happened without checking the old code. It may have thrown an
> exception or silently ignored it. I would have to track down the Jira
> ticket for when the feature was added.
>
> >
> > Found another small bug in setNullString where member quotedNullString was 
> > inconsistently written (missing write in setQuote):
> >
> > this.quotedNullString = quoteCharacter + nullString + 
> > quoteCharacter;
> >
> > All of the above in pull request 
> > https://github.com/apache/commons-csv/pull/276
> >
> > @Alex would you review my PR please?
>
> Sure.
>
> You have added test data for CSVFormat for 1.7 and 1.8 and these do
> not work (commented out). I take it this means serialization has been
> broken since the CSVFormat.delimiter was changed from char to String
> in 1.9.0. So given serialization was already broken in the last
> release does it make any sense to fix it for 1.9.0 to 1.10.0 for the
> new field?
>
> I agree that the quotedNullString is inconsistently handled.
>
> Regards,
>
> Alex
>
>




Re: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1

2022-10-19 Thread Gary Gregory
On Wed, Oct 19, 2022 at 10:01 AM Alex Herbert  wrote:
>
> On Wed, 19 Oct 2022 at 14:57, Gary D. Gregory  wrote:
> >
> > My +1
> >
> > Gary
>
> Gary,
>
> PR #276 highlights a behavioural compatibility error in the 1.10.0 RC1.
>
> AllowDuplicates enum may be set to the incorrect value when setting
> the allow duplicates boolean. Have you reviewed this? I believe it is
> valid.

I will re-read later tonight...

Gary

>
> Alex
>
>




Re: Publish statement on Commons Text CVE

2022-10-19 Thread Gary Gregory
Well, I published the Configuration site to the usual svn:

https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/

which should end up at:

https://commons.apache.org/proper/commons-configuration/index.html

but for me clicking on the "Security" (in the top left menu) does not
take me to 
https://commons.apache.org/proper/commons-configuration/security.html,
instead it redirects magically to
https://commons.apache.org/security.html

Commons Text is fine in this area. What gives?

Gary

On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory  wrote:
>
> TY and merged. I'll publish later today.
>
> Gary
>
> On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen  wrote:
> >
> > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory  
> > wrote:
> >>
> >> Would you be available to update the Commons Configuration page
> >> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
> >> in the same way you did for Commons Text? The CVE is basically the
> >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
> >
> >
> > Happy to! Proposed https://github.com/apache/commons-configuration/pull/230
> >
> >
> > Kind regards,
> >
> > Arnout
> >
> >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory  
> >> wrote:
> >> >
> >> > FYI: I updated the security page
> >> > https://commons.apache.org/proper/commons-text/security.html
> >> >
> >> > Gary
> >> >
> >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory  
> >> > wrote:
> >> > >
> >> > > I have an unpublished security page in the repo already. Let's not 
> >> > > duplicate information like this PR does please. Publishing a 
> >> > > non-snapshot site is a pain and I don't want to do more than I have 
> >> > > to. There is no need to buy in and promote the FUD on the front page 
> >> > > IMO. This component will soon publish a security page and you can PR 
> >> > > that page 
> >> > > (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml)
> >> > >  if you want to update the details.
> >> > >
> >> > > TY!
> >> > >
> >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen  wrote:
> >> > >>
> >> > >> Hello Commons,
> >> > >>
> >> > >> As you might know Commons Text recently published a CVE. It seems 
> >> > >> there is
> >> > >> a fair bit of confusion about its severity online, so it seems like a 
> >> > >> good
> >> > >> idea to publish a statement around that on the website.
> >> > >>
> >> > >> I've proposed one at https://github.com/apache/commons-text/pull/374 
> >> > >> and
> >> > >> I'd like to ask for your review & help publishing. Given the issue is
> >> > >> getting some attention it might be nice to publish something soon and 
> >> > >> maybe
> >> > >> refine it later ;). I'll also publish it at
> >> > >> https://blogs.apache.org/security .
> >> > >>
> >> > >> I think what would need to happen is:
> >> > >> * review and merge https://github.com/apache/commons-text/pull/374
> >> > >> * check out the commit before the merge commit (since that one still 
> >> > >> has
> >> > >> 1.10.0 as the version in the pom.xml)
> >> > >> * tag it with something clear, like 
> >> > >> "commons-text-1.10.0-docs-update"(?)
> >> > >> * push the tag
> >> > >> * do a 'mvn site:deploy'
> >> > >>
> >> > >> Much appreciated!
> >> > >>
> >> > >>
> >> > >> Kind regards,
> >> > >>
> >> > >> Arnout

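Arnout's checklist above (find the commit that still carries the 1.10.0 version, tag it, push, deploy) as an added shell example that is not part of the thread or of the Commons project's tooling: it inspects the parents of the docs PR's merge commit and tags only the one whose pom.xml still declares the release version, so the docs tag cannot land on a -SNAPSHOT commit. The sample repository, branch names and user identity are constructed for the demonstration; git must be installed.

```shell
#!/bin/sh
# Added example, not code from the Commons project or the thread above.
# Given the merge commit of the docs PR, pick the parent whose pom.xml still
# declares the release version (1.10.0 here) and tag that commit, so the tag
# never lands on a commit already bumped to a -SNAPSHOT version.
# Assumes git is installed and the project uses a Maven pom.xml.

# Return 0 if the first <version> element of pom.xml at COMMIT equals EXPECTED.
pom_version_matches() {
    repo_dir=$1; commit=$2; expected=$3
    actual=$(git -C "$repo_dir" show "$commit:pom.xml" 2>/dev/null \
        | sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' | head -n 1)
    [ "$actual" = "$expected" ]
}

# Print the parent of MERGE_REF whose pom.xml version is EXPECTED; fail if none.
release_parent() {
    repo_dir=$1; merge_ref=$2; expected=$3
    parents=$(git -C "$repo_dir" rev-list --parents -n 1 "$merge_ref" | cut -d' ' -f2-)
    for p in $parents; do
        if pom_version_matches "$repo_dir" "$p" "$expected"; then
            echo "$p"
            return 0
        fi
    done
    echo "no parent of $merge_ref has pom.xml version $expected" >&2
    return 1
}

# Tag that parent with TAG (e.g. commons-text-1.10.0-docs-update) and print the
# tagged commit. Pushing the tag and running 'mvn site:deploy' stay manual steps.
tag_docs_update() {
    repo_dir=$1; merge_ref=$2; expected=$3; tag=$4
    commit=$(release_parent "$repo_dir" "$merge_ref" "$expected") || return 1
    git -C "$repo_dir" tag "$tag" "$commit" && echo "$commit"
}

# Build a throwaway repository (constructed stand-in for commons-text) that
# mirrors the thread: a 1.10.0 release commit, a docs branch off it, a version
# bump on the main branch, then the PR merge. Prints the repository path.
make_sample_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" config user.email "example@example.invalid"
    git -C "$dir" config user.name "Example"
    printf '<project>\n  <version>1.10.0</version>\n</project>\n' > "$dir/pom.xml"
    git -C "$dir" add pom.xml
    git -C "$dir" commit -q -m "Release 1.10.0"
    main=$(git -C "$dir" symbolic-ref --short HEAD)
    git -C "$dir" checkout -q -b docs-update
    echo "<document>security statement</document>" > "$dir/security.xml"
    git -C "$dir" add security.xml
    git -C "$dir" commit -q -m "Add security statement"
    git -C "$dir" checkout -q "$main"
    printf '<project>\n  <version>1.11-SNAPSHOT</version>\n</project>\n' > "$dir/pom.xml"
    git -C "$dir" commit -q -am "Bump to 1.11-SNAPSHOT"
    git -C "$dir" merge -q --no-ff -m "Merge docs-update" docs-update
    echo "$dir"
}

# Stand-alone demonstration on the constructed repository: prints the sha of
# the docs commit that received the tag.
demo_repo=$(make_sample_repo)
tag_docs_update "$demo_repo" HEAD 1.10.0 commons-text-1.10.0-docs-update
```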



Re: Publish statement on Commons Text CVE

2022-10-19 Thread Bruno Kinoshita
I had a look at the browser network tab, and saw an HTTP 302 location
redirect from Varnish. These redirects normally need to be configured in
Varnish with some sort of rule.

I went back to your email, grabbed the SVN URL, stepped up a few
directories and saw an .htaccess at a parent level, that has a redirect
rule for some commons components (it has for [configuration], not for
[text]). I think we just need to remove the configuration entry.

https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess

HTH,
Bruno

On Thu, 20 Oct 2022 at 08:22, Gary Gregory  wrote:

> Well, I published the Configuration site to the usual svn:
>
>
> https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/
>
> which should end up at:
>
> https://commons.apache.org/proper/commons-configuration/index.html
>
> but for me clicking on the "Security" (in the top left menu) does not
> take me to
> https://commons.apache.org/proper/commons-configuration/security.html,
> instead it redirects magically to
> https://commons.apache.org/security.html
>
> Commons Text is fine in this area. What gives?
>
> Gary
>
> On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory 
> wrote:
> >
> > TY and merged. I'll publish later today.
> >
> > Gary
> >
> > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen 
> wrote:
> > >
> > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory 
> wrote:
> > >>
> > >> Would you be available to update the Commons Configuration page
> > >>
> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
> > >> in the same way you did for Commons Text? The CVE is basically the
> > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
> > >
> > >
> > > Happy to! Proposed
> https://github.com/apache/commons-configuration/pull/230
> > >
> > >
> > > Kind regards,
> > >
> > > Arnout
> > >
> > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory 
> wrote:
> > >> >
> > >> > FYI: I updated the security page
> > >> > https://commons.apache.org/proper/commons-text/security.html
> > >> >
> > >> > Gary
> > >> >
> > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <
> garydgreg...@gmail.com> wrote:
> > >> > >
> > >> > > I have an unpublished security page in the repo already. Let's
> not duplicate information like this PR does please. Publishing a
> non-snapshot site is a pain and I don't want to do more than I have to.
> There is no need to buy in and promote the FUD on the front page IMO. This
> component will soon publish a security page and you can PR that page (
> https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml)
> if you want to update the details.
> > >> > >
> > >> > > TY!
> > >> > >
> > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen 
> wrote:
> > >> > >>
> > >> > >> Hello Commons,
> > >> > >>
> > >> > >> As you might know Commons Text recently published a CVE. It
> seems there is
> > >> > >> a fair bit of confusion about its severity online, so it seems
> like a good
> > >> > >> idea to publish a statement around that on the website.
> > >> > >>
> > >> > >> I've proposed one at
> https://github.com/apache/commons-text/pull/374 and
> > >> > >> I'd like to ask for your review & help publishing. Given the
> issue is
> > >> > >> getting some attention it might be nice to publish something
> soon and maybe
> > >> > >> refine it later ;). I'll also publish it at
> > >> > >> https://blogs.apache.org/security .
> > >> > >>
> > >> > >> I think what would need to happen is:
> > >> > >> * review and merge
> https://github.com/apache/commons-text/pull/374
> > >> > >> * check out the commit before the merge commit (since that one
> still has
> > >> > >> 1.10.0 as the version in the pom.xml)
> > >> > >> * tag it with something clear, like
> "commons-text-1.10.0-docs-update"(?)
> > >> > >> * push the tag
> > >> > >> * do a 'mvn site:deploy'
> > >> > >>
> > >> > >> Much appreciated!
> > >> > >>
> > >> > >>
> > >> > >> Kind regards,
> > >> > >>
> > >> > >> Arnout


Re: Publish statement on Commons Text CVE

2022-10-19 Thread Gary Gregory
Thank you for the brilliant detective work Bruno!

Gary

On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita  wrote:

> I had a look at the browser network tab, and saw an HTTP 302 location
> redirect from Varnish. These redirects normally need to be configured in
> Varnish with some sort of rule.
>
> I went back to your email, grabbed the SVN URL, stepped up a few
> directories and saw an .htaccess at a parent level, that has a redirect
> rule for some commons components (it has for [configuration], not for
> [text]). I think we just need to remove the configuration entry.
>
>
> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess
>
> HTH,
> Bruno
>
> On Thu, 20 Oct 2022 at 08:22, Gary Gregory  wrote:
>
> > Well, I published the Configuration site to the usual svn:
> >
> >
> >
> https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/
> >
> > which should end up at:
> >
> > https://commons.apache.org/proper/commons-configuration/index.html
> >
> > but for me clicking on the "Security" (in the top left menu) does not
> > take me to
> > https://commons.apache.org/proper/commons-configuration/security.html,
> > instead it redirects magically to
> > https://commons.apache.org/security.html
> >
> > Commons Text is fine in this area. What gives?
> >
> > Gary
> >
> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory 
> > wrote:
> > >
> > > TY and merged. I'll publish later today.
> > >
> > > Gary
> > >
> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen 
> > wrote:
> > > >
> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory <
> garydgreg...@gmail.com>
> > wrote:
> > > >>
> > > >> Would you be available to update the Commons Configuration page
> > > >>
> >
> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
> > > >> in the same way you did for Commons Text? The CVE is basically the
> > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
> > > >
> > > >
> > > > Happy to! Proposed
> > https://github.com/apache/commons-configuration/pull/230
> > > >
> > > >
> > > > Kind regards,
> > > >
> > > > Arnout
> > > >
> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory <
> garydgreg...@gmail.com>
> > wrote:
> > > >> >
> > > >> > FYI: I updated the security page
> > > >> > https://commons.apache.org/proper/commons-text/security.html
> > > >> >
> > > >> > Gary
> > > >> >
> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <
> > garydgreg...@gmail.com> wrote:
> > > >> > >
> > > >> > > I have an unpublished security page in the repo already. Let's
> > not duplicate information like this PR does please. Publishing a
> > non-snapshot site is a pain and I don't want to do more than I have to.
> > There is no need to buy in and promote the FUD on the front page IMO.
> This
> > component will soon publish a security page and you can PR that page (
> >
> https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml
> )
> > if you want to update the details.
> > > >> > >
> > > >> > > TY!
> > > >> > >
> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen 
> > wrote:
> > > >> > >>
> > > >> > >> Hello Commons,
> > > >> > >>
> > > >> > >> As you might know Commons Text recently published a CVE. It
> > seems there is
> > > >> > >> a fair bit of confusion about its severity online, so it seems
> > like a good
> > > >> > >> idea to publish a statement around that on the website.
> > > >> > >>
> > > >> > >> I've proposed one at
> > https://github.com/apache/commons-text/pull/374 and
> > > >> > >> I'd like to ask for your review & help publishing. Given the
> > issue is
> > > >> > >> getting some attention it might be nice to publish something
> > soon and maybe
> > > >> > >> refine it later ;). I'll also publish it at
> > > >> > >> https://blogs.apache.org/security .
> > > >> > >>
> > > >> > >> I think what would need to happen is:
> > > >> > >> * review and merge
> > https://github.com/apache/commons-text/pull/374
> > > >> > >> * check out the commit before the merge commit (since that one
> > still has
> > > >> > >> 1.10.0 as the version in the pom.xml)
> > > >> > >> * tag it with something clear, like
> > "commons-text-1.10.0-docs-update"(?)
> > > >> > >> * push the tag
> > > >> > >> * do a 'mvn site:deploy'
> > > >> > >>
> > > >> > >> Much appreciated!
> > > >> > >>
> > > >> > >>
> > > >> > >> Kind regards,
> > > >> > >>
> > > >> > >> Arnout


[numbers] user guide

2022-10-19 Thread Alex Herbert
I have added an initial user guide to Numbers.

To build locally:

Full:

mvn package site site:stage -Pcommons-numbers-examples
# [ ... wait ...]
open target/staging/userguide/index.html

Quick:

mvn site -DgenerateReports=false -N
open target/site/userguide/index.html


The code examples are verified with the same code in a UserGuideTest
class in each respective module.

Let me know if you spot any errors.

Alex




Re: Publish statement on Commons Text CVE

2022-10-19 Thread Gary Gregory
Fixed! The Apache Commons Configuration Security page is now live:
https://commons.apache.org/proper/commons-configuration/security.html

Gary

On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory  wrote:
>
> Thank you for the brilliant detective work Bruno!
>
> Gary
>
> On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita  wrote:
>>
>> I had a look at the browser network tab, and saw an HTTP 302 location
>> redirect from Varnish. These redirects normally need to be configured in
>> Varnish with some sort of rule.
>>
>> I went back to your email, grabbed the SVN URL, stepped up a few
>> directories and saw an .htaccess at a parent level, that has a redirect
>> rule for some commons components (it has for [configuration], not for
>> [text]). I think we just need to remove the configuration entry.
>>
>> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess
>>
>> HTH,
>> Bruno
>>
>> On Thu, 20 Oct 2022 at 08:22, Gary Gregory  wrote:
>>
>> > Well, I published the Configuration site to the usual svn:
>> >
>> >
>> > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/
>> >
>> > which should end up at:
>> >
>> > https://commons.apache.org/proper/commons-configuration/index.html
>> >
>> > but for me clicking on the "Security" (in the top left menu) does not
>> > take me to
>> > https://commons.apache.org/proper/commons-configuration/security.html,
>> > instead it redirects magically to
>> > https://commons.apache.org/security.html
>> >
>> > Commons Text is fine in this area. What gives?
>> >
>> > Gary
>> >
>> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory 
>> > wrote:
>> > >
>> > > TY and merged. I'll publish later today.
>> > >
>> > > Gary
>> > >
>> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen 
>> > wrote:
>> > > >
>> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory 
>> > wrote:
>> > > >>
>> > > >> Would you be available to update the Commons Configuration page
>> > > >>
>> > https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
>> > > >> in the same way you did for Commons Text? The CVE is basically the
>> > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
>> > > >
>> > > >
>> > > > Happy to! Proposed
>> > https://github.com/apache/commons-configuration/pull/230
>> > > >
>> > > >
>> > > > Kind regards,
>> > > >
>> > > > Arnout
>> > > >
>> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory 
>> > wrote:
>> > > >> >
>> > > >> > FYI: I updated the security page
>> > > >> > https://commons.apache.org/proper/commons-text/security.html
>> > > >> >
>> > > >> > Gary
>> > > >> >
>> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <
>> > garydgreg...@gmail.com> wrote:
>> > > >> > >
>> > > >> > > I have an unpublished security page in the repo already. Let's
>> > not duplicate information like this PR does please. Publishing a
>> > non-snapshot site is a pain and I don't want to do more than I have to.
>> > There is no need to buy in and promote the FUD on the front page IMO. This
>> > component will soon publish a security page and you can PR that page (
>> > https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml)
>> > if you want to update the details.
>> > > >> > >
>> > > >> > > TY!
>> > > >> > >
>> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen 
>> > wrote:
>> > > >> > >>
>> > > >> > >> Hello Commons,
>> > > >> > >>
>> > > >> > >> As you might know Commons Text recently published a CVE. It
>> > seems there is
>> > > >> > >> a fair bit of confusion about its severity online, so it seems
>> > like a good
>> > > >> > >> idea to publish a statement around that on the website.
>> > > >> > >>
>> > > >> > >> I've proposed one at
>> > https://github.com/apache/commons-text/pull/374 and
>> > > >> > >> I'd like to ask for your review & help publishing. Given the
>> > issue is
>> > > >> > >> getting some attention it might be nice to publish something
>> > soon and maybe
>> > > >> > >> refine it later ;). I'll also publish it at
>> > > >> > >> https://blogs.apache.org/security .
>> > > >> > >>
>> > > >> > >> I think what would need to happen is:
>> > > >> > >> * review and merge
>> > https://github.com/apache/commons-text/pull/374
>> > > >> > >> * check out the commit before the merge commit (since that one
>> > still has
>> > > >> > >> 1.10.0 as the version in the pom.xml)
>> > > >> > >> * tag it with something clear, like
>> > "commons-text-1.10.0-docs-update"(?)
>> > > >> > >> * push the tag
>> > > >> > >> * do a 'mvn site:deploy'
>> > > >> > >>
>> > > >> > >> Much appreciated!
>> > > >> > >>
>> > > >> > >>
>> > > >> > >> Kind regards,
>> > > >> > >>
>> > > >> > >> Arnout

Re: Publish statement on Commons Text CVE

2022-10-19 Thread Bruno Kinoshita
Not a problem, and thank **you** for the many releases and for working on
CVE, site updates, commons reports, PR reviews :)

> Fixed! The Apache Commons Configuration Security page is now live:
> https://commons.apache.org/proper/commons-configuration/security.html
>

It's working fine for me too!

Cheers

Bruno

On Thu, 20 Oct 2022 at 10:29, Gary Gregory  wrote:

> Fixed! The Apache Commons Configuration Security page is now live:
> https://commons.apache.org/proper/commons-configuration/security.html
>
> Gary
>
> On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory 
> wrote:
> >
> > Thank you for the brilliant detective work Bruno!
> >
> > Gary
> >
> > On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita  wrote:
> >>
> >> I had a look at the browser network tab, and saw an HTTP 302 location
> >> redirect from Varnish. These redirects normally need to be configured in
> >> Varnish with some sort of rule.
> >>
> >> I went back to your email, grabbed the SVN URL, stepped up a few
> >> directories and saw an .htaccess at a parent level, that has a redirect
> >> rule for some commons components (it has for [configuration], not for
> >> [text]). I think we just need to remove the configuration entry.
> >>
> >>
> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess
> >>
> >> HTH,
> >> Bruno
> >>
> >> On Thu, 20 Oct 2022 at 08:22, Gary Gregory 
> wrote:
> >>
> >> > Well, I published the Configuration site to the usual svn:
> >> >
> >> >
> >> >
> https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/
> >> >
> >> > which should end up at:
> >> >
> >> > https://commons.apache.org/proper/commons-configuration/index.html
> >> >
> >> > but for me clicking on the "Security" (in the top left menu) does not
> >> > take me to
> >> > https://commons.apache.org/proper/commons-configuration/security.html
> ,
> >> > instead it redirects magically to
> >> > https://commons.apache.org/security.html
> >> >
> >> > Commons Text is fine in this area. What gives?
> >> >
> >> > Gary
> >> >
> >> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory  >
> >> > wrote:
> >> > >
> >> > > TY and merged. I'll publish later today.
> >> > >
> >> > > Gary
> >> > >
> >> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen  >
> >> > wrote:
> >> > > >
> >> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory <
> garydgreg...@gmail.com>
> >> > wrote:
> >> > > >>
> >> > > >> Would you be available to update the Commons Configuration page
> >> > > >>
> >> >
> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
> >> > > >> in the same way you did for Commons Text? The CVE is basically
> the
> >> > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
> >> > > >
> >> > > >
> >> > > > Happy to! Proposed
> >> > https://github.com/apache/commons-configuration/pull/230
> >> > > >
> >> > > >
> >> > > > Kind regards,
> >> > > >
> >> > > > Arnout
> >> > > >
> >> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory <
> garydgreg...@gmail.com>
> >> > wrote:
> >> > > >> >
> >> > > >> > FYI: I updated the security page
> >> > > >> > https://commons.apache.org/proper/commons-text/security.html
> >> > > >> >
> >> > > >> > Gary
> >> > > >> >
> >> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <
> >> > garydgreg...@gmail.com> wrote:
> >> > > >> > >
> >> > > >> > > I have an unpublished security page in the repo already.
> Let's
> >> > not duplicate information like this PR does please. Publishing a
> >> > non-snapshot site is a pain and I don't want to do more than I have
> to.
> >> > There is no need to buy in and promote the FUD on the front page IMO.
> This
> >> > component will soon publish a security page and you can PR that page (
> >> >
> https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml
> )
> >> > if you want to update the details.
> >> > > >> > >
> >> > > >> > > TY!
> >> > > >> > >
> >> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen <
> enge...@apache.org>
> >> > wrote:
> >> > > >> > >>
> >> > > >> > >> Hello Commons,
> >> > > >> > >>
> >> > > >> > >> As you might know Commons Text recently published a CVE. It
> >> > seems there is
> >> > > >> > >> a fair bit of confusion about its severity online, so it
> seems
> >> > like a good
> >> > > >> > >> idea to publish a statement around that on the website.
> >> > > >> > >>
> >> > > >> > >> I've proposed one at
> >> > https://github.com/apache/commons-text/pull/374 and
> >> > > >> > >> I'd like to ask for your review & help publishing. Given the
> >> > issue is
> >> > > >> > >> getting some attention it might be nice to publish something
> >> > soon and maybe
> >> > > >> > >> refine it later ;). I'll also publish it at
> >> > > >> > >> https://blogs.apache.org/security .
> >> > > >> > >>
> >> > > >> > >> I think what would need to happen is:
> >> > > >> > >> * review and merge
> >> > https://github.com/apache/commons-text/pull/374
> >> > > >> > >> * check out the commit before the me

Re: [VOTE] Release Apache Commons CSV 1.10.0 based on RC1

2022-10-19 Thread Gary D. Gregory
I've commented on the PR.
TY.
Gary

On 2022/10/19 16:51:57 Gary Gregory wrote:
> On Wed, Oct 19, 2022 at 10:01 AM Alex Herbert  
> wrote:
> >
> > On Wed, 19 Oct 2022 at 14:57, Gary D. Gregory  wrote:
> > >
> > > My +1
> > >
> > > Gary
> >
> > Gary,
> >
> > PR #276 highlights a behavioural compatibility error in the 1.10.0 RC1.
> >
> > AllowDuplicates enum may be set to the incorrect value when setting
> > the allow duplicates boolean. Have you reviewed this? I believe it is
> > valid.
> 
> I will re-read later tonight...
> 
> Gary
> 
> >
> > Alex
> >
> 
