I’m ok with that for the release announcement.
From: Mukul Gandhi [mailto:muk...@apache.org] Sent: Wednesday, May 2, 2018 3:33 AM To: j-...@xerces.apache.org Cc: priv...@xerces.apache.org; j-users@xerces.apache.org Subject: Re: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release Hi David, On Mon, Apr 30, 2018 at 8:32 PM, David Dillard <david.dill...@veritas.com<mailto:david.dill...@veritas.com>> wrote: I asked before about getting a CVE for the issue I raised that was fixed, and about a security advisory. I don’t recall seeing a response. Can that please be done as well? I don’t know what the internal Apache process is for getting CVEs, but there’s got to be one. Looking at the 2.12.0 release notes in JIRA, and the CVE which you pointed that we fixed, I propose to have following written within our 2.12.0 release announcement, <text> The following security issues, raised by users were fixed: CVE-2012-0881 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881 CVE-2013-4002 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002 CVE-2018-2799 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2799 </text> Please let us know your opinion about this. Anyone else could also comment. -- Regards, Mukul Gandhi