Done!
Please guys, review the content if you can, as it is very likely I have made some mistakes.

Regarding the hen-and-egg problem, I agree with René, I think we should observe the non-disclosure agreement.

Maurizio Cucchiara

On 9 September 2011 04:47, Rene Gielen <rene.gie...@googlemail.com> wrote:
> One more thing ... :)
>
> Could you (or someone else) also write a short security bulletin?
> https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
>
> I've updated the Creating and Signing page to refer to creating security
> bulletin announcements as an optional release step.
>
> I've placed it under the "wait for rsync" section. While this has the
> disadvantage that the docs exported with the release will not cover the
> security announcement for the fixes of this particular release, it will
> help to keep the security issue undisclosed until the fix is assured to
> be available. It's a hen-and-egg problem, but for me so far an
> acceptable trade off - if you guys would prefer to add security
> bulletins _before_ exporting the wiki docs, to have them included
> up2date in the distribution docs, please speak up!
>
> - René
>
> On 06.09.11 16:47, Maurizio Cucchiara wrote:
>> The Struts 2.2.3.1 test build is now available. It includes the latest
>> security patch which fixes a vulnerability that allows to evaluate the
>> user input as an OGNL expression when there's a conversion error.
>>
>> Release notes:
>> * [https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.2.3.1]
>>
>> Distribution:
>> * [http://people.apache.org/builds/struts/2.2.3.1/]
>>
>> Maven 2 staging repository:
>> * [https://repository.apache.org/content/repositories/orgapachestruts-031/]
>>
>> Once you have had a chance to review the test build, please respond
>> with a vote on its quality:
>>
>> [ ] Leave at test build
>> [ ] Alpha
>> [ ] Beta
>> [ ] General Availability (GA)
>>
>> Everyone who has tested the build is invited to vote. Votes by PMC
>> members are considered binding. A vote passes if there are at least
>> three binding +1s and more +1s than -1s.
>>
>> The vote will remain open for at least 72 hours, longer upon request.
>> A vote can be amended at any time to upgrade or downgrade the quality
>> of the release based on future experience. If an initial vote
>> designates the build as "Beta", the release will be submitted for
>> mirroring and announced to the user list. Once released as a public
>> beta, subsequent quality votes on a build may be held on the user
>> list.
>>
>> As always, the act of voting carries certain obligations. A binding
>> vote not only states an opinion, but means that the voter is agreeing
>> to help do the work.
>>
>> Thanks in advance
>>
>> Maurizio Cucchiara
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>> For additional commands, e-mail: dev-h...@struts.apache.org