On 15/10/2022 17:12, Mark Thomas wrote:
On 11/10/2022 16:25, Mike Drob wrote:
Thanks for this outline, Mark. Some questions in line.
Mike
On Tue, Oct 11, 2022 at 6:13 AM Mark Thomas wrote:
Roman - don't do anything yet.
Commons folk, I suggest the following which is based on how we have
os
> > > >>>>> Here's the workflow I have been using for Commons Imaging:
> > > > >>>>>
> > > > >>>>>
> > > > >>>>> 1. View issues
> > > > >>>>>1. Log in to oss-fuzz.com wi
On 11/10/2022 16:25, Mike Drob wrote:
Thanks for this outline, Mark. Some questions in line.
Mike
On Tue, Oct 11, 2022 at 6:13 AM Mark Thomas wrote:
Roman - don't do anything yet.
Commons folk, I suggest the following which is based on how we have
oss-fuzz setup on Tomcat.
1. Create a Goog
> > > >>>>> for the apache-commons project, so it shows the
> “Testcases”
> > > >> with
> > > >>> crashes
> > > >>>>> for the fuzzer. OR
> > > >>>>>2. Get the direct link to a Testca
ad the Unminimized Testcase - this is the payload
used
> > >> for
> > >>>>> testing, in the case of Imaging this is normally a PNG, GIF,
etc.
> > >>> image
> > >>>>> file that was automatically generated by the fuzzer
>
the project,
> >>> identifying
> >>>>> issues I or other maintainers wouldn't have picked otherwise. We
> >>> follow the
> >>>>> Commons and ASF security process as best as we can as volunteers
> >> (i.e.
> >>>>> with
JXPATH/issues/JXPATH-200?filter=allopenissues
Get Outlook for iOS<https://aka.ms/o0ukef>
From: Eric Bresie
Sent: Monday, October 10, 2022 4:22:42 PM
To: Commons Developers List
Subject: Re: [jxpath] reported CVE and path forward
So then discussed here (1) (which assu
s as best as we can as volunteers
> (i.e.
> > > > within a time frame we can allocate to work on this issue) to fix the
> > issue
> > > > and prepare a CVE if needed, cutting a new release.
> > > >
> > > > This is the complete process that I
https://www.apache.org/security/
From: Roman Wagner
Sent: Monday, October 10, 2022 4:44:58 PM
To: dev@commons.apache.org
Subject: RE: Re: [jxpath] reported CVE and path forward
Hi all,
I am working fo
someone from ASF would receive notifications (by being CC'ed in
> > >> oss-fuzz notifications). We decided against using the dev-list, so
> only
> > >> those that volunteered at the time receive emails.
> > >>
> > >> I checked the Git
delines and processes.
> >
> > -Bruno
> >
> >
> > On Tue, 11 Oct 2022 at 10:25, Eric Bresie wrote:
> >
> >> Or is that this
> >> https://issues.apache.org/jira/projects/JXPATH/issues/JXPATH-200?filter=allopenissues
> >>
> >
Hi all,
I am working for Code Intelligence and we did our best to find a maintainer
for the oss-fuzz project. Unfortunately, we have failed and got no
feedback until now, but it seems to be an unmaintained project except for
some typo fixes since some years. I am not sure yet to which mailing li
lines and processes.
>
> -Bruno
>
>
> On Tue, 11 Oct 2022 at 10:25, Eric Bresie wrote:
>
>> Or is that this
>> https://issues.apache.org/jira/projects/JXPATH/issues/JXPATH-200?filter=allopenissues
>>
>>
tober 10, 2022 4:22:42 PM
> To: Commons Developers List
> Subject: Re: [jxpath] reported CVE and path forward
>
> So then discussed here (1) (which I assume is what's being done here) and
> bugs raised here (2)? Has (2) been done yet?
>
> 1. https://commons.apache.org/proper/
From: Bruno Kinoshita
Sent: Monday, October 10, 2022 4:15:03 PM
To: Commons Developers List
Subject: Re: [jxpath] reported CVE and path forward
Hi Eric,
For my understanding, is oss-fuzz an open source pro
From: Bruno Kinoshita
Sent: Monday, October 10, 2022 4:15:03 PM
To: Commons Developers List
Subject: Re: [jxpath] reported CVE and path forward
Hi Eric,
For my understanding, is oss-fuzz an open source project that is maintained
> and m
ed as a bug and
> fix as applicable?
>
>
>
> From: Bruno Kinoshita
> Sent: Monday, October 10, 2022 3:51:30 PM
> To: Commons Developers List
> Subject: Re: Re: [jxpath] reported CVE
commons. So any findings would be identified as a bug and fix as
applicable?
From: Bruno Kinoshita
Sent: Monday, October 10, 2022 3:51:30 PM
To: Commons Developers List
Subject: Re: Re: [jxpath] reported CVE an
Hi,
I commented in another thread about oss-fuzz and new components, maybe that
could be part of the issue here.
See that thread in the archives, or TL;DR: someone is adding more Commons
Components to oss-fuzz, directly as components instead of using the shared
apache-commons project. This latter
Hi Matt,
I am also subscribed to oss-fuzz for Imaging.
Looks like someone added jxpath to oss-fuzz here:
https://github.com/google/oss-fuzz/pull/7582
The initial oss-fuzz for ASF was, if I recall correctly, all put under a
single project:
https://github.com/google/oss-fuzz/tree/master/projects/a
I get emails about some of the Commons fuzzing things, but I was only
aware of it being enabled for compress and imaging.
On Mon, Oct 10, 2022 at 1:37 PM Roman Wagner
wrote:
>
> Hi all,
>
> I am working for Code Intelligence; we did our best to find a maintainer for
> the oss-fuzz project. Unfortu
Hi all,
I am working for Code Intelligence; we did our best to find a maintainer for
the oss-fuzz project. Unfortunately we've got no feedback until now, but it
seems to be an unmaintained project except for some typo fixes since some
years. I am not sure yet to which mailing list the bug report wa
Hmm.
There are various red flags here that suggest to me that this issue is
likely not valid.
1. The source is oss-fuzz. I have been dealing with oss-fuzz issues for
Apache Tomcat and so far out of the 30+ issues raised (the majority
marked as security relevant) not one of the issues was a v