On 2024/01/11 16:27:22 "Cantor, Scott" wrote:
> > With respect to the advisory, since the original one[0] claims the issue was
> > fixed in 3.2.3, we're not allowed to 'widen' the version range, we'll have to
> > allocate a new one[1]. I can take care of that on your behalf if you prefer?
>
> I updated the existing advisory [1] when I did the release, so if something
> else needs to happen that would need to be handled by others.

Gotcha! I have populated https://cveprocess.apache.org/cve5/CVE-2024-23807 and unless there are any objections I'll publish it in a few days.

> > Also, I noticed the download page still seems to be referring to 3.2.0 - it
> > might be nice to update that as well :).
>
> The page I control is inside the generated site [2], I don't know what the
> other pages might be or how they're managed.
>
> My suggestion would be to get rid of that (or at least the sections
> pertaining to Xerces-C). Duplication isn't ideal for this sort of thing, I
> can't maintain the information in multiple places. But I don’t know who would
> be able to excise that material.

Sounds good to me! I think the change could look something like https://paste.apache.org/3cuav , but I don't have the authorizations to push that to https://svn.apache.org/viewvc/xerces/site/trunk/production/ .

Kind regards,

Arnout

> [1] https://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt
> [2] https://xerces.apache.org/xerces-c/download.cgi