How can a link be more important than an announcement for a fix of an *unauthenticated* remote DoS ?
Same for the KEYS file??? Don't you think that's way out of proportion? Erik. On Wed, Feb 10, 2021 at 4:50 PM Private List Moderation <mod-priv...@gsuite.cloud.apache.org> wrote: > > I don't see how the missing links can be regarded as trivial. > This obviously needs to be fixed before the announce can be accepted. > > At the same time, I asked for the KEYS file link to be standardised. > There is already a KEYS file at the standard location - why not link to that > instead? > > > On Wed, 10 Feb 2021 at 15:35, Stefan Sperling <s...@apache.org> wrote: >> >> Sebb, blocking our release announcements over trivialities like this >> really is not a nice thing to do. Last time it happened in May 2020. >> It was already discussed back then and raised with the announce@ >> moderation team. >> >> The Subversion PMC came to the conclusion that our handling of >> the KEYS files is adequate for our purposes: >> https://svn.haxx.se/dev/archive-2020-05/0156.shtml >> >> Please raise the issue on our dev@subversion.a.o list if it bothers you. >> The moderation mechanism is supposed to prevent spam. Using it to enforce >> release workflow policies amounts to misuse of your moderation privileges. >> >> Regards, >> Stefan >> >> On Wed, Feb 10, 2021 at 03:20:41PM -0000, announce-ow...@apache.org wrote: >> > >> > Hi! This is the ezmlm program. I'm managing the >> > annou...@apache.org mailing list. >> > >> > I'm working for my owner, who can be reached >> > at announce-ow...@apache.org. >> > >> > I'm sorry, your message (enclosed) was not accepted by the moderator. >> > If the moderator has made any comments, they are shown below. >> > >> > >>>>> -------------------- >>>>> >> > Sorry, but the announce cannot be accepted. >> > The linked download page does not contain links for the version in the >> > email. >> > >> > Also, the standard name for the KEYS file is KEYS - no prefix, no suffix. >> > Please correct the download page, check it, and submit a corrected announce >> > mail. >> > >> > Thanks, >> > Sebb. >> > <<<<< -------------------- <<<<< >> > >> >> > Date: Wed, 10 Feb 2021 14:37:00 +0100 >> > From: Stefan Sperling <s...@apache.org> >> > To: annou...@subversion.apache.org, us...@subversion.apache.org, >> > dev@subversion.apache.org, annou...@apache.org >> > Cc: secur...@apache.org, oss-secur...@lists.openwall.com, >> > bugt...@securityfocus.com >> > Subject: [SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released >> > Message-ID: <ycphfdancjgpy...@byrne.stsp.name> >> > Reply-To: us...@subversion.apache.org >> > Content-Type: text/plain; charset=utf-8 >> > >> > I'm happy to announce the release of Apache Subversion 1.10.7. >> > Please choose the mirror closest to you by visiting: >> > >> > https://subversion.apache.org/download.cgi#supported-releases >> > >> > This is a stable bugfix and security release of the Apache Subversion >> > open source version control system. >> > >> > THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX: >> > >> > CVE-2020-17525 >> > "Remote unauthenticated denial-of-service in Subversion mod_authz_svn" >> > >> > The full security advisory for CVE-2020-17525 is available at: >> > https://subversion.apache.org/security/CVE-2020-17525-advisory.txt >> > >> > A brief summary of this advisory follows: >> > >> > Subversion's mod_authz_svn module will crash if the server is using >> > in-repository authz rules with the AuthzSVNReposRelativeAccessFile >> > option and a client sends a request for a non-existing repository URL. >> > >> > This can lead to disruption for users of the service. >> > >> > We recommend all users to upgrade to the 1.10.7 or 1.14.1 release >> > of the Subversion mod_dav_svn server. >> > >> > As a workaround, the use of in-repository authz rules files with >> > the AuthzSVNReposRelativeAccessFile can be avoided by switching >> > to an alternative configuration which fetches an authz rules file >> > from the server's filesystem, rather than from an SVN repository. >> > >> > This issue was reported by Thomas Åkesson. >> > >> > SHA-512 checksums are available at: >> > >> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.sha512 >> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.sha512 >> > https://www.apache.org/dist/subversion/subversion-1.10.7.zip.sha512 >> > >> > PGP Signatures are available at: >> > >> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.asc >> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.asc >> > https://www.apache.org/dist/subversion/subversion-1.10.7.zip.asc >> > >> > For this release, the following people have provided PGP signatures: >> > >> > Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint: >> > 8BC4 DAE0 C5A4 D65F 4044 0107 4F7D BAA9 9A59 B973 >> > Branko Čibej [4096R/1BCA6586A347943F] with fingerprint: >> > BA3C 15B1 337C F0FB 222B D41A 1BCA 6586 A347 943F >> > Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint: >> > 8AA2 C10E EAAD 44F9 6972 7AEA B59C E6D6 010C 8AAD >> > >> > These public keys are available at: >> > >> > https://www.apache.org/dist/subversion/subversion-1.10.7.KEYS >> > >> > Release notes for the 1.10.x release series may be found at: >> > >> > https://subversion.apache.org/docs/release-notes/1.10.html >> > >> > You can find the list of changes between 1.10.7 and earlier versions at: >> > >> > https://svn.apache.org/repos/asf/subversion/tags/1.10.7/CHANGES >> > >> > Questions, comments, and bug reports to us...@subversion.apache.org. >> > >> > Thanks, >> > - The Subversion Team >> > >> > -- >> > To unsubscribe, please see: >> > >> > https://subversion.apache.org/mailing-lists.html#unsubscribing >> > >> -- Bye, Erik. http://efficito.com -- Hosted accounting and ERP. Robust and Flexible. No vendor lock-in.
