Posted to cvs@httpd.apache.org by mj...@apache.org on 2018/06/25 09:41:43 UTC
svn commit: r1834288 - /httpd/site/trunk/content/dev/release.mdtext
Author: mjc
Date: Mon Jun 25 09:41:42 2018
New Revision: 1834288
URL: http://svn.apache.org/viewvc?rev=1834288&view=rev
Log:
Add details of the extra step needed for security releases, updating vulnerabilities-httpd.xml. This
got missed in the past and Eric reminded me to add some details about this here.
Modified:
httpd/site/trunk/content/dev/release.mdtext
Modified: httpd/site/trunk/content/dev/release.mdtext
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/dev/release.mdtext?rev=1834288&r1=1834287&r2=1834288&view=diff
==============================================================================
--- httpd/site/trunk/content/dev/release.mdtext (original)
+++ httpd/site/trunk/content/dev/release.mdtext Mon Jun 25 09:41:42 2018
@@ -328,9 +328,18 @@ also has the RM's name and key ID for ve
are published by CMS. More information can be found
[here](https://svn.apache.org/repos/asf/httpd/site/trunk/README).
-Immediately after the announcement, if the release contained any CVE fixes,
-some additional work is required to perform notifications. See the final stages of
-https://www.apache.org/security/committers.html for details.
+# What extra steps for releases containing security fixes?
+
+If a release contains a fix for any security issues then you need to ensure that the
+extra steps [here](https://www.apache.org/security/committers.html) are followed.
+
+Additionally you need to update the ( `httpd/site/trunk/content/security/vulnerabilities-httpd.xml` ) file
+with details of all the security fixes. Once committed this will automatically generate the relevant
+security pages. This information can also be used to help generate the annoucement emails. Make sure
+to use CMS to publish these page updates.
+
+You may wish to stage the xml file in the private SECURITY repo prior to the release to allow
+issues to be spotted.
# Should the announcement wait for binaries? #
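Review bot: The new section no longer says when this work happens. The removed lines placed the notifications "Immediately after the announcement", while the added paragraph about `vulnerabilities-httpd.xml` gives no point in the release sequence for the commit and CMS publish. Since the text says a commit automatically generates the security pages, and the file lives in the public site tree, it would help to state explicitly that the commit and publish happen at or after the announcement, with only the private SECURITY repo staging happening before the release. Smaller points in the same hunk: "annoucement" should be "announcement"; the new heading lacks the closing `#` used by the following heading `# Should the announcement wait for binaries? #`; there is no blank line between "issues to be spotted." and that heading; and the link text "here" could name its target (for example "ASF security committers guide") so the sentence still reads if the link is lost.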