Re: [VOTE] Release Apache Commons BCEL 6.7.0 based on RC1

2022-12-03 Thread Gary Gregory
Please take the time to review and vote on this RC.

Gary

On Fri, Dec 2, 2022 at 8:54 AM Gary Gregory  wrote:
>
> ping ;-)
>
> On Mon, Nov 28, 2022 at 2:12 PM Bruno Kinoshita  wrote:
> >
> > [x] +1 Release these artifacts
> >
> > Building OK from tag with:
> >
> > Apache Maven 3.8.5 (3599d3414f046de2324203b78ddcf9b5e4388aa0)
> > Maven home: /opt/apache-maven-3.8.5
> > Java version: 17.0.5, vendor: Private Build, runtime:
> > /usr/lib/jvm/java-17-openjdk-amd64
> > Default locale: en_US, platform encoding: UTF-8
> > OS name: "linux", version: "5.15.0-53-generic", arch: "amd64", family:
> > "unix"
> >
> > Site reports look OK too.
> >
> > Thanks!
> >
> > Bruno
> >
> > On Mon, 28 Nov 2022 at 18:13, Gary Gregory  wrote:
> >
> > > We have fixed a few bugs and added some enhancements since Apache
> > > Commons BCEL 6.6.1 was released, so I would like to release Apache
> > > Commons BCEL 6.7.0.
> > >
> > > Apache Commons BCEL 6.7.0 RC1 is available for review here:
> > > https://dist.apache.org/repos/dist/dev/commons/bcel/6.7.0-RC1 (svn
> > > revision 58280)
> > >
> > > The Git tag commons-bcel-6.7.0-RC1 commit for this RC is
> > > 6fc2135e6b1dca14716287e72bf813cb209bdbbd which you can browse here:
> > >
> > > https://gitbox.apache.org/repos/asf?p=commons-bcel.git;a=commit;h=6fc2135e6b1dca14716287e72bf813cb209bdbbd
> > > You may checkout this tag using:
> > > git clone https://gitbox.apache.org/repos/asf/commons-bcel.git --branch commons-bcel-6.7.0-RC1 commons-bcel-6.7.0-RC1
> > >
> > > Maven artifacts are here:
> > >
> > > https://repository.apache.org/content/repositories/orgapachecommons-1608/org/apache/bcel/bcel/6.7.0/
> > >
> > > These are the artifacts and their hashes:
> > >
> > > #Release SHA-512s
> > > #Mon Nov 28 12:01:26 EST 2022
> > > Apache\ Commons\ BCEL-6.7.0.spdx.rdf.xml=e49b149ae8d6f1eb74da8cc82a6aed64530344f12034f6cbe26d36471929332c91df72ef4f4152c9555043494c148d174e16dd3c3eb0aff733d7da902a4d7688
> > >
> > > bcel-6.7.0-bin.tar.gz=ad5286b1ff628007f7ff3f4fd5af6d859e93a86cf9a127c04e2e3ca2ebac5eb7dc65d7e1a431a588f303d37264c80334dee5ecfc7957f6b4892688f2a72859d6
> > >
> > > bcel-6.7.0-bin.zip=65313338cf5911f06630d3083195e7e5fff358e6b39fda86f617bb5002ac49b9e9a4aae5f5bad610b402434aadd9db9ed61c492db9a40766044bd4615d1b4927
> > >
> > > bcel-6.7.0-bom.json=3b34ce1343cfb84cd91cf8b3b6e099025e022cf2275db68ba0b4ed7ed8cbe5836ed755d2c2d47cba2379cf2620222a9925b34ed14d2279c649a4f6d9e305af9f
> > >
> > > bcel-6.7.0-bom.xml=a696e74e7b555b5a366e98b87c6801518756907a02731efb569d3536ed536c4f3b42a7d252e7f7992355d1b334ea58356b4f415d883dba35fa0767e026359bd5
> > >
> > > bcel-6.7.0-javadoc.jar=c09f52ac63443a235508a8898949c226772c514e175851ec0cc6b182740069e463a89153b0bbbc7be67405e962e83db5738d2ca97881f3d92bfff196310ce5e5
> > >
> > > bcel-6.7.0-sources.jar=cbb3d2feb83f2e78626822dc64235c02d619d5e13442b52e115748d5618af0f78868f4e29d16e577cb1c78653fab92ee9d8de1dd89777e03eb0f4941805cca0a
> > >
> > > bcel-6.7.0-src.tar.gz=71f0e227dbc558296f535507b3640ce4c91dddf12ef06502b5fca95b35510b02d09ca649f121427b4b47deb96c2edfe0de70999261cffbcbe170a835730096a0
> > >
> > > bcel-6.7.0-src.zip=bb1d9763bbeaf5af228ed850727d4d8ca15963e6e68b0581d7b93111daceba64a5ca5036a7acce3d15073d77d511ecf32a6cc45bd40567ae5d46ba43b79c30c6
> > >
> > > bcel-6.7.0-test-sources.jar=ca894df73511b4b06c2a9c876fec7f43cdbb13554b23be5af0b6e429a68e4f8e84faf1236c313166a4dbb62dba8768a47006c4a3e0cb5a5885b003eace07434c
> > >
> > > bcel-6.7.0-tests.jar=1ff0c0cd4191f7f21400bd9d2d2f1b98c11fd43bcfb0bcd9b4e9879cf781618877d04a568ae7b851920313a46f8b2902767e0f6a9dbfc3ff5128a650a4d69c75
> > >
> > > I have tested this with 'mvn -V -Duser.name=$my_apache_id -Prelease
> > > -Ptest-deploy -P jacoco -P japicmp clean package site deploy' using:
> > >
> > > Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
> > > Maven home: /usr/local/Cellar/maven/3.8.6/libexec
> > > Java version: 1.8.0_352, vendor: Homebrew, runtime:
> > > /usr/local/Cellar/openjdk@8
> > > /1.8.0+352/libexec/openjdk.jdk/Contents/Home/jre
> > > Default locale: en_US, platform encoding: UTF-8
> > > OS name: "mac os x", version: "13.0.1", arch: "x86_64", family: "mac"
> > > Darwin  22.1.0 Darwin Kernel Version 22.1.0: Sun Oct  9 20:14:54
> > > PDT 2022; root:xnu-8792.41.9~2/RELEASE_X86_64 x86_64
> > >
> > > Details of changes since 6.6.1 are in the release notes:
> > >
> > > https://dist.apache.org/repos/dist/dev/commons/bcel/6.7.0-RC1/RELEASE-NOTES.txt
> > >
> > > https://dist.apache.org/repos/dist/dev/commons/bcel/6.7.0-RC1/site/changes-report.html
> > >
> > > Site:
> > >
> > > https://dist.apache.org/repos/dist/dev/commons/bcel/6.7.0-RC1/site/index.html
> > > (note some *relative* links are broken and the 6.7.0 directories
> > > are not yet created - these will be OK once the site is deployed.)
> > >
> > > JApiCmp Report (compared to 6.6.1):
> > >
> > > https://dist.apache.org/repos/dist/dev/commons/bcel/6.7.0-RC1/s
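What a reviewer does with the hash list above before voting, as an added example (not Apache Commons code and not part of the thread): it assumes the listing format the vote mail pastes, Java .properties style with `filename=hexdigest` entries, `#` comment lines, `\ ` for a space inside a file name, and a trailing `\` where a mail client wrapped an entry. The sample files, digests and the `demo` function are constructed for the example; a matching digest ties the download to this listing and says nothing about who produced the artifacts.

```python
"""Check downloaded release artifacts against a SHA-512 listing in the form pasted
in the vote mail: Java .properties style, one 'filename=hexdigest' per logical line,
'#' comment lines, '\\ ' for a space inside a file name, and a trailing '\\' continuing
a line that a mail client has wrapped.  Added example, not Apache Commons code."""
import hashlib
import os
import tempfile


def _split_key_value(logical):
    """Split at the first unescaped '=' or ':', unescaping '\\x' to 'x' in the key."""
    key = []
    i = 0
    while i < len(logical):
        c = logical[i]
        if c == "\\" and i + 1 < len(logical):
            key.append(logical[i + 1])
            i += 2
        elif c in "=:":
            return "".join(key).strip(), logical[i + 1:].strip()
        else:
            key.append(c)
            i += 1
    return "".join(key).strip(), ""


def parse_sha512_listing(text):
    """Return {artifact name: expected hex digest (lower case)} from the listing."""
    expected = {}
    pending = ""        # text of a logical line that is still being continued
    continuing = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue    # blank lines between entries, or injected by mail wrapping
        if not continuing and line.startswith("#"):
            continue    # comment, e.g. '#Release SHA-512s'
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]    # trailing backslash: entry continues on next line
            continuing = True
            continue
        name, digest = _split_key_value(pending + line)
        pending, continuing = "", False
        if name and digest:
            expected[name] = digest.lower()
    return expected


def sha512_file(path):
    """Stream the file through SHA-512; release artifacts can be large."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(listing_text, directory):
    """Return {name: 'ok' | 'MISMATCH' | 'missing'} for every listed artifact.
    'missing' is reported too: an artifact the mail lists but the download lacks."""
    results = {}
    for name, digest in parse_sha512_listing(listing_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha512_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample (no real Commons artifacts): three small files stand in
    for the artifacts; one is altered after the listing is written, one listed name
    is never downloaded, and one entry is wrapped the way the mail wraps it."""
    files = {
        "Apache Commons BCEL-6.7.0.spdx.rdf.xml": b"<rdf/>\n",
        "bcel-6.7.0-bin.tar.gz": b"pretend tarball\n",
        "bcel-6.7.0-src.zip": b"pretend zip\n",
    }

    def digest(name):
        return hashlib.sha512(files[name]).hexdigest()

    listing = "\n".join([
        "#Release SHA-512s",
        "Apache\\ Commons\\ BCEL-6.7.0.spdx.rdf.xml=" + digest("Apache Commons BCEL-6.7.0.spdx.rdf.xml"),
        "bcel-6.7.0-bin.tar.gz=" + digest("bcel-6.7.0-bin.tar.gz"),
        "bcel-6.7.0-\\",          # wrapped by the mail client; continues below
        "",
        "src.zip=" + digest("bcel-6.7.0-src.zip"),
        "bcel-6.7.0-javadoc.jar=" + "0" * 128,   # listed, but not in the download
    ])
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        with open(os.path.join(d, "bcel-6.7.0-bin.tar.gz"), "ab") as f:
            f.write(b"tampered after hashing")
        return verify_artifacts(listing, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

Running it prints one line per listed artifact; anything other than `ok` across the board is a reason to vote -1 or to ask for the download to be re-checked. Point `verify_artifacts` at the directory holding the RC download and at the hash block copied out of the mail.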

CVE-2021-37533: Apache Commons Net's FTP client trusts the host from PASV response by default

2022-12-03 Thread Gary D. Gregory
Severity: low

Description:

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV 
response by default. A malicious server can redirect the Commons Net code to 
use a different host, but the user has to connect to the malicious server in 
the first place. This may lead to leakage of information about services running 
on the private network of the client.
The default in version 3.9.0 is now false to ignore such hosts, as cURL does. 
See https://issues.apache.org/jira/browse/NET-711.


This issue is being tracked as NET-711

Credit:

Apache Commons would like to thank ZeddYu Lu for reporting this issue.

