Hi Alan,

Thanks a lot for your suggestions and these examples. I have updated the contents to make the announcements clearer and more detailed.
--
Zhang Yonglun
Apache ShenYu (Incubating)
Apache ShardingSphere

Alan Coopersmith <[email protected]> wrote on Wed, Jan 26, 2022 at 06:27:
>
> On 1/25/22 03:39, Zhang Yonglun wrote:
> > Description:
> >
> > User can access /plugin api without authentication. This issue
> > affected Apache ShenYu 2.4.0 and 2.4.1.
>
> Thanks for informing oss-security of these issues, but good security
> announcements have a little more detail, like what actions users or
> distributors need to take (upgrade to a new version? what version?)
> and information on where to find more details, like a bug id in your
> bug tracker. If you look at the announcements from other Apache
> projects, you'll see they often include those.
>
> Some good examples:
> https://www.openwall.com/lists/oss-security/2021/12/18/2
> https://www.openwall.com/lists/oss-security/2022/01/05/4
> https://www.openwall.com/lists/oss-security/2022/01/06/2
>
> --
> -Alan Coopersmith- [email protected]
> Oracle Solaris Engineering - https://blogs.oracle.com/solaris
