Hi,

Can someone please get a CVE for the readObject issue? I don’t know what the internal ASF process is for that, but ASF is its own CNA so it seems there must be one.

Also, it’d be good to issue a security advisory concurrent with the release announcement.

Regards,
David

From: Mukul Gandhi [mailto:[email protected]]
Sent: Saturday, April 21, 2018 1:05 AM
To: [email protected]
Cc: [email protected]; [email protected]
Subject: [EXTERNAL] Re: [VOTE]: Xerces-J 2.12.0 Release

Hi Michael & all,

I've fixed all the below mentioned issues that were found in previous RC, within the revised RC for 2.12.0 release. I'll shortly be writing a separate mail, for the Vote for new RC.

On Fri, Apr 20, 2018 at 2:29 AM, Michael Glavassevich <[email protected]> wrote:

Should fix the copyright years in the docs too. It currently has: 1999-2014 in the footer of all the pages.

Michael Glavassevich <[email protected]> wrote on 04/19/2018 04:40:16 PM:

> Hi Mukul,
>
> I noticed that the copyright year in the NOTICE file still says
> 2015. I'm pretty sure that this needs to be updated.
>
> There's also the discussion on the list about CVE-2018-2799 that we
> have an opportunity to address.
>
> I think we should stop the vote on this release candidate and respin
> with fixes for these issues.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: [email protected]
> E-mail: [email protected]

--
Regards,
Mukul Gandhi
