Posted to dev@commons.apache.org by Arnout Engelen <en...@apache.org> on 2022/10/18 13:51:46 UTC

Publish statement on Commons Text CVE

Hello Commons,

As you might know Commons Text recently published a CVE. It seems there is
a fair bit of confusion about its severity online, so it seems like a good
idea to publish a statement around that on the website.

I've proposed one at https://github.com/apache/commons-text/pull/374 and
I'd like to ask for your review & help publishing. Given the issue is
getting some attention it might be nice to publish something soon and maybe
refine it later ;). I'll also publish it at
https://blogs.apache.org/security .

I think what would need to happen is:
* review and merge https://github.com/apache/commons-text/pull/374
* check out the commit before the merge commit (since that one still has
1.10.0 as the version in the pom.xml)
* tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
* push the tag
* do a 'mvn site:deploy'

Much appreciated!


Kind regards,

Arnout

Re: Publish statement on Commons Text CVE

Posted by Bruno Kinoshita <ki...@apache.org>.
Not a problem, and thank **you** for the many releases and for working on
CVE, site updates, commons reports, PR reviews :)

> Fixed! The Apache Commons Configuration Security page is now live:
> https://commons.apache.org/proper/commons-configuration/security.html
>

It's working fine for me too!

Cheers

Bruno

On Thu, 20 Oct 2022 at 10:29, Gary Gregory <ga...@gmail.com> wrote:

> Fixed! The Apache Commons Configuration Security page is now live:
> https://commons.apache.org/proper/commons-configuration/security.html
>
> Gary
>

Re: Publish statement on Commons Text CVE

Posted by Gary Gregory <ga...@gmail.com>.
Fixed! The Apache Commons Configuration Security page is now live:
https://commons.apache.org/proper/commons-configuration/security.html

Gary

On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory <ga...@gmail.com> wrote:
>
> Thank you for the brilliant detective work Bruno!
>
> Gary
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Re: Publish statement on Commons Text CVE

Posted by Gary Gregory <ga...@gmail.com>.
Thank you for the brilliant detective work Bruno!

Gary

On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita <ki...@apache.org> wrote:

> I had a look at the browser network tab, and saw an HTTP 302 location
> redirect from Varnish. These redirects normally need to be configured in
> Varnish with some sort of rule.
>
> I went back to your email, grabbed the SVN URL, stepped up a few
> directories and saw an .htaccess at a parent level, that has a redirect
> rule for some commons components (it has for [configuration], not for
> [text]). I think we just need to remove the configuration entry.
>
>
> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess
>
> HTH,
> Bruno
>

Re: Publish statement on Commons Text CVE

Posted by Bruno Kinoshita <ki...@apache.org>.
I had a look at the browser network tab, and saw an HTTP 302 location
redirect from Varnish. These redirects normally need to be configured in
Varnish with some sort of rule.

I went back to your email, grabbed the SVN URL, stepped up a few
directories and saw an .htaccess at a parent level, that has a redirect
rule for some commons components (it has for [configuration], not for
[text]). I think we just need to remove the configuration entry.

https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess

HTH,
Bruno

On Thu, 20 Oct 2022 at 08:22, Gary Gregory <ga...@gmail.com> wrote:

> Well, I published the Configuration site to the usual svn:
>
>
> https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/
>
> which should end up at:
>
> https://commons.apache.org/proper/commons-configuration/index.html
>
> but for me clicking on the "Security" (in the top left menu) does not
> take me to
> https://commons.apache.org/proper/commons-configuration/security.html,
> instead it redirects magically to
> https://commons.apache.org/security.html
>
> Commons Text is fine in this area. What gives?
>
> Gary
>

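As an added example (my code, not from this thread and not the contents of Apache's real .htaccess), here is a small model of the mechanism Bruno found: mod_alias `Redirect` rules match a URL path prefix at a segment boundary and default to status 302, while `RedirectMatch` rules are regular expressions with `$N` back-references. The rule lines, the `commons-old-` pattern and the component list below are constructed assumptions; the script parses them and reports, per component, whether the security page is served or redirected away, which is the check worth running before pointing people at an advisory URL.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, hypothetical rules standing in for the real file the thread links.
# They reproduce the symptom described: a rule for [configuration], none for [text].
SAMPLE_HTACCESS = """
# hypothetical rules for illustration only
Redirect /proper/commons-configuration/security.html https://commons.apache.org/security.html
RedirectMatch 301 ^/proper/commons-old-(.*)/(.*)$ https://commons.apache.org/proper/commons-$1/$2
"""

Rule = Tuple[str, int, str, str]  # (directive, status, pattern, target)

# Symbolic status words mod_alias accepts in place of a numeric code
_STATUS_WORDS = {"permanent": 301, "temp": 302, "seeother": 303, "gone": 410}


def parse_htaccess(text: str) -> List[Rule]:
    """Collect Redirect / RedirectMatch directives; comments and other lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0]
        if directive not in ("Redirect", "RedirectMatch"):
            continue
        args = parts[1:]
        status = 302  # mod_alias default when no status is given
        if args and (args[0].isdigit() or args[0].lower() in _STATUS_WORDS):
            status = int(args[0]) if args[0].isdigit() else _STATUS_WORDS[args[0].lower()]
            args = args[1:]
        if len(args) != 2:
            continue  # e.g. "Redirect gone /path" has no target; not modelled here
        rules.append((directive, status, args[0], args[1]))
    return rules


def match_rule(rule: Rule, path: str) -> Optional[Tuple[int, str]]:
    """Return (status, location) if the rule applies to the request path."""
    directive, status, pattern, target = rule
    if directive == "Redirect":
        # Prefix match that must end at a path-segment boundary; the unmatched
        # remainder of the request path is appended to the target.
        if path == pattern or path.startswith(pattern.rstrip("/") + "/"):
            return status, target + path[len(pattern):]
        return None
    m = re.match(pattern, path)
    if m is None:
        return None
    # RedirectMatch expands $1..$9 from the regex capture groups
    location = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", target)
    return status, location


def resolve(rules: List[Rule], path: str) -> Optional[Tuple[int, str]]:
    """First matching rule wins, mirroring configuration order."""
    for rule in rules:
        hit = match_rule(rule, path)
        if hit is not None:
            return hit
    return None


def check_component_security_pages(rules: List[Rule], components: List[str]) -> Dict[str, str]:
    """Per component: 'ok' if /proper/commons-<name>/security.html is served directly."""
    report: Dict[str, str] = {}
    for name in components:
        hit = resolve(rules, f"/proper/commons-{name}/security.html")
        report[name] = "ok" if hit is None else f"redirected ({hit[0]}) to {hit[1]}"
    return report


if __name__ == "__main__":
    parsed = parse_htaccess(SAMPLE_HTACCESS)
    for component, outcome in check_component_security_pages(parsed, ["text", "configuration"]).items():
        print(f"{component}: {outcome}")
```

Fed the real file instead of the constructed sample, the report would show at a glance which component pages are silently sent to the umbrella https://commons.apache.org/security.html before that link goes into an announcement.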
Re: Publish statement on Commons Text CVE

Posted by Gary Gregory <ga...@gmail.com>.
Well, I published the Configuration site to the usual svn:

https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/

which should end up at:

https://commons.apache.org/proper/commons-configuration/index.html

but for me clicking on the "Security" (in the top left menu) does not
take me to https://commons.apache.org/proper/commons-configuration/security.html,
instead it redirects magically to
https://commons.apache.org/security.html

Commons Text is fine in this area. What gives?

Gary

On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory <ga...@gmail.com> wrote:
>
> TY and merged. I'll publish later today.
>
> Gary
>



Re: Publish statement on Commons Text CVE

Posted by Gary Gregory <ga...@gmail.com>.
TY and merged. I'll publish later today.

Gary

On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen <en...@apache.org> wrote:
>
> On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory <ga...@gmail.com> wrote:
>>
>> Would you be available to update the Commons Configuration page
>> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
>> in the same way you did for Commons Text? The CVE is basically the
>> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
>
>
> Happy to! Proposed https://github.com/apache/commons-configuration/pull/230
>
>
> Kind regards,
>
> Arnout
>



Re: Publish statement on Commons Text CVE

Posted by Arnout Engelen <en...@apache.org>.
On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory <ga...@gmail.com>
wrote:

> Would you be available to update the Commons Configuration page
>
> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
> in the same way you did for Commons Text? The CVE is basically the
> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
>

Happy to! Proposed https://github.com/apache/commons-configuration/pull/230


Kind regards,

Arnout


Re: Publish statement on Commons Text CVE

Posted by Gary Gregory <ga...@gmail.com>.
Hi Arnout,

Would you be available to update the Commons Configuration page
https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml
in the same way you did for Commons Text? The CVE is basically the
same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980

Gary

On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory <ga...@gmail.com> wrote:
>
> FYI: I updated the security page
> https://commons.apache.org/proper/commons-text/security.html
>
> Gary
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Re: Publish statement on Commons Text CVE

Posted by Gary Gregory <ga...@gmail.com>.
FYI: I updated the security page
https://commons.apache.org/proper/commons-text/security.html

Gary

On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <ga...@gmail.com> wrote:
>
> I have an unpublished security page in the repo already. Let's not duplicate information like this PR does please. Publishing a non-snapshot site is a pain and I don't want to do more than I have to. There is no need to buy in and promote the FUD on the front page IMO. This component will soon publish a security page and you can PR that page (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) if you want to update the details.
>
> TY!
>
> On Tue, Oct 18, 2022, 09:52 Arnout Engelen <en...@apache.org> wrote:
>>
>> Hello Commons,
>>
>> As you might know Commons Text recently published a CVE. It seems there is
>> a fair bit of confusion about its severity online, so it seems like a good
>> idea to publish a statement around that on the website.
>>
>> I've proposed one at https://github.com/apache/commons-text/pull/374 and
>> I'd like to ask for your review & help publishing. Given the issue is
>> getting some attention it might be nice to publish something soon and maybe
>> refine it later ;). I'll also publish it at
>> https://blogs.apache.org/security .
>>
>> I think what would need to happen is:
>> * review and merge https://github.com/apache/commons-text/pull/374
>> * check out the commit before the merge commit (since that one still has
>> 1.10.0 as the version in the pom.xml)
>> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
>> * push the tag
>> * do a 'mvn site:deploy'
>>
>> Much appreciated!
>>
>>
>> Kind regards,
>>
>> Arnout


Re: Publish statement on Commons Text CVE

Posted by Gary Gregory <ga...@gmail.com>.
I have an unpublished security page in the repo already. Let's not
duplicate information like this PR does please. Publishing a non-snapshot
site is a pain and I don't want to do more than I have to. There is no need
to buy in and promote the FUD on the front page IMO. This component will
soon publish a security page and you can PR that page
(https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml)
if you want to update the details.

TY!

On Tue, Oct 18, 2022, 09:52 Arnout Engelen <en...@apache.org> wrote:

> Hello Commons,
>
> As you might know Commons Text recently published a CVE. It seems there is
> a fair bit of confusion about its severity online, so it seems like a good
> idea to publish a statement around that on the website.
>
> I've proposed one at https://github.com/apache/commons-text/pull/374 and
> I'd like to ask for your review & help publishing. Given the issue is
> getting some attention it might be nice to publish something soon and maybe
> refine it later ;). I'll also publish it at
> https://blogs.apache.org/security .
>
> I think what would need to happen is:
> * review and merge https://github.com/apache/commons-text/pull/374
> * check out the commit before the merge commit (since that one still has
> 1.10.0 as the version in the pom.xml)
> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
> * push the tag
> * do a 'mvn site:deploy'
>
> Much appreciated!
>
>
> Kind regards,
>
> Arnout
>