Hello, I was trying to come up with a Victims-cve-db entry for CVE-2016-3092 and I noticed a few odd things (https://github.com/victims/victims-cve-db/pull/47 ):
a) the original mail from Jochen did contain a link to a security page but Commons FileUpload does not have one: http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3c45a20804-abff-4fed-a297-69ac95ab9...@apache.org%3E -> https://commons.apache.org/proper/commons-fileupload/security.html b) the change for the release notes is only in trunk, not published to the site or the archives. This makes it hard to link to a definitive source. Gruss Bernd