RE: Re: Publish statement on Commons Text CVE
Dear Gary, I’ve sent this exact problem on Dec. 11 2021 to the mail-address mentioned on the above change security page: secur...@commons.apache.org But never received a response… Therefore my question: Is this mail-address still correct? Best regards (and glad, that the default behaviour will be changed as suggested), Wolfgang Jung On 2022/10/19 21:28:59 Gary Gregory wrote: > Fixed! The Apache Commons Configuration Security page is now live: > https://commons.apache.org/proper/commons-configuration/security.html > > Gary > > On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory wrote: > > > > Thank you for the brilliant detective work Bruno! > > > > Gary > > > > On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita wrote: > >> > >> I had a look at the browser network tab, and saw an HTTP 302 location > >> redirect from Varnish. These redirects normally need to be configured in > >> Varnish with some sort of rule. > >> > >> I went back to your email, grabbed the SVN URL, stepped up a few > >> directories and saw an .htaccess at a parent level, that has a redirect > >> rule for some commons components (it has for [configuration], not for > >> [text]). I think we just need to remove the configuration entry. > >> > >> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess > >> > >> HTH, > >> Bruno > >> > >> On Thu, 20 Oct 2022 at 08:22, Gary Gregory wrote: > >> > >> > Well, I published the Configuration site to the usual svn: > >> > > >> > > >> > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ > >> > > >> > which should be end up at: > >> > > >> > https://commons.apache.org/proper/commons-configuration/index.html > >> > > >> > but for me clicking on the "Security" (in the top left menu) does not > >> > take me to > >> > https://commons.apache.org/proper/commons-configuration/security.html, > >> > instead it redirects magically to > >> > https://commons.apache.org/security.html > >> > > >> > Commons Text is fine in this area. What gives? > >> > > >> > Gary > >> > > >> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory > >> > wrote: > >> > > > >> > > TY and merged. I'll publish later today. > >> > > > >> > > Gary > >> > > > >> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen > >> > wrote: > >> > > > > >> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory > >> > wrote: > >> > > >> > >> > > >> Would you be available to update the Commons Configuration page > >> > > >> > >> > https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml > >> > > >> in the same way you did for Commons Text? The CVE is basically the > >> > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 > >> > > > > >> > > > > >> > > > Happy to! Proposed > >> > https://github.com/apache/commons-configuration/pull/230 > >> > > > > >> > > > > >> > > > Kind regards, > >> > > > > >> > > > Arnout > >> > > > > >> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory > >> > wrote: > >> > > >> > > >> > > >> > FYI: I updated the security page > >> > > >> > https://commons.apache.org/proper/commons-text/security.html > >> > > >> > > >> > > >> > Gary > >> > > >> > > >> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory < > >> > garydgreg...@gmail.com> wrote: > >> > > >> > > > >> > > >> > > I have an unpublished security page in the repo already. Let's > >> > not duplicate information like this PR does please. Publishing a > >> > non-snapshot site is a pain and I don't want to do more than I have to. > >> > There is no need to buy in and promote the FUD on the front page IMO. > >> > This > >> > component will soon publish a security page and you can PR that page ( > >> > https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) > >> > if you want to update the details. > >> > > >> > > > >> > > >> > > TY! > >> > > >> > > > >> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen > >> > wrote: > >> > > >> > >> > >> > > >> > >> Hello Commons, > >> > > >> > >> > >> > > >> > >> As you might know Commons Text recently published a CVE. It > >> > seems there is > >> > > >> > >> a fair bit of confusion about its severity online, so it seems > >> > like a good > >> > > >> > >> idea to publish a statement around that on the website. > >> > > >> > >> > >> > > >> > >> I've proposed one at > >> > https://github.com/apache/commons-text/pull/374 and > >> > > >> > >> I'd like to ask for your review & help publishing. Given the > >> > issue is > >> > > >> > >> getting some attention it might be nice to publish something > >> > soon and maybe > >> > > >> > >> refine it later ;). I'll also publish it at > >> > > >> > >> https://blogs.apache.org/security . > >> > > >> > >> > >> > > >> > >> I think what would need to happen is: > >> > > >> > >> * review and merge > >> > https://github.com/apache/commons-text/pull/374 > >> > > >> > >> * check out the commit before the merge commit (since that one > >> > still has > >> > > >> > >> 1.10.0 as the versi
Re: Re: Publish statement on Commons Text CVE
Wow, the email issue with the .invalid email address is on the Apache side (DMARC). Gary On Mon, Oct 24, 2022, 14:54 Gary Gregory wrote: > The problem is that you sent your message from what I assume is a bogus > email reply address: p...@wolfgang-jung.net.invalid > > To reply to this email I had to hand edit the reply to and am guessing > that maybe p...@wolfgang-jung.net will reach you, but, who knows... I > usually don't bother fiddling with this type of email address hassle. > > WRT to the CVE, the issue was originally reported in Commons Configuration > where the code is basically the same (in a different package obviously). It > was decided that Commons Configuration warranted a CVE and we pushed a > release out. Since Text and Configuration are pretty much the same in this > area, it seemed consistent to issue a CVE and a new version for Text as > well. > > Gary > > On Mon, Oct 24, 2022, 11:45 Wolfgang Jung > wrote: > >> Dear Gary, >> >> I’ve sent this exact problem on Dec. 11 2021 to the mail-address >> mentioned on the above changed security page: secur...@commons.apache.org >> But never received a response… Therefore my question: Is this >> mail-address still correct? >> >> Best regards (and glad, that the default behaviour will be changed as >> suggested), >> Wolfgang Jung >> >> On 2022/10/19 21:28:59 Gary Gregory wrote: >> > Fixed! The Apache Commons Configuration Security page is now live: >> > https://commons.apache.org/proper/commons-configuration/security.html >> > >> > Gary >> > >> > On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory wrote: >> > > >> > > Thank you for the brilliant detective work Bruno! >> > > >> > > Gary >> > > >> > > On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita wrote: >> > >> >> > >> I had a look at the browser network tab, and saw an HTTP 302 location >> > >> redirect from Varnish. These redirects normally need to be >> configured in >> > >> Varnish with some sort of rule. >> > >> >> > >> I went back to your email, grabbed the SVN URL, stepped up a few >> > >> directories and saw an .htaccess at a parent level, that has a >> redirect >> > >> rule for some commons components (it has for [configuration], not for >> > >> [text]). I think we just need to remove the configuration entry. >> > >> >> > >> >> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess >> > >> >> > >> HTH, >> > >> Bruno >> > >> >> > >> On Thu, 20 Oct 2022 at 08:22, Gary Gregory wrote: >> > >> >> > >> > Well, I published the Configuration site to the usual svn: >> > >> > >> > >> > >> > >> > >> https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ >> > >> > >> > >> > which should be end up at: >> > >> > >> > >> > https://commons.apache.org/proper/commons-configuration/index.html >> > >> > >> > >> > but for me clicking on the "Security" (in the top left menu) does >> not >> > >> > take me to >> > >> > >> https://commons.apache.org/proper/commons-configuration/security.html, >> > >> > instead it redirects magically to >> > >> > https://commons.apache.org/security.html >> > >> > >> > >> > Commons Text is fine in this area. What gives? >> > >> > >> > >> > Gary >> > >> > >> > >> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory >> > >> > wrote: >> > >> > > >> > >> > > TY and merged. I'll publish later today. >> > >> > > >> > >> > > Gary >> > >> > > >> > >> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen < >> en...@apache.org> >> > >> > wrote: >> > >> > > > >> > >> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory > > >> > >> > wrote: >> > >> > > >> >> > >> > > >> Would you be available to update the Commons Configuration >> page >> > >> > > >> >> > >> > >> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml >> > >> > > >> in the same way you did for Commons Text? The CVE is >> basically the >> > >> > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 >> > >> > > > >> > >> > > > >> > >> > > > Happy to! Proposed >> > >> > https://github.com/apache/commons-configuration/pull/230 >> > >> > > > >> > >> > > > >> > >> > > > Kind regards, >> > >> > > > >> > >> > > > Arnout >> > >> > > > >> > >> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory < >> ga...@gmail.com> >> > >> > wrote: >> > >> > > >> > >> > >> > > >> > FYI: I updated the security page >> > >> > > >> > >> https://commons.apache.org/proper/commons-text/security.html >> > >> > > >> > >> > >> > > >> > Gary >> > >> > > >> > >> > >> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory < >> > >> > garydgreg...@gmail.com> wrote: >> > >> > > >> > > >> > >> > > >> > > I have an unpublished security page in the repo already. >> Let's >> > >> > not duplicate information like this PR does please. Publishing a >> > >> > non-snapshot site is a pain and I don't want to do more than I >> have to. >> > >> > There is no need to buy in and promote the FUD on the front page >> IMO. This >> > >> > component will soon publish a security page and you c
Re: Publish statement on Commons Text CVE
Wow, I had no idea we did this, sure is painful to deal with :-( Gary On Mon, Oct 24, 2022, 15:10 Mark Thomas wrote: > On 24/10/2022 19:54, Gary Gregory wrote: > > The problem is that you sent your message from what I assume is a bogus > > email reply address: p...@wolfgang-jung.net.invalid > > No, the ".invalid" was added by the ASF mail servers. > > See: https://blogs.apache.org/infra/entry/dmarc_filtering_on_lists_that > > We can ask infra to change this behaviour but it requires disbaling all > forms of message munging. For Commons, I think this is limited to the > help message added as a footer. > > > To reply to this email I had to hand edit the reply to and am guessing > that > > maybe p...@wolfgang-jung.net will reach you, but, who knows... I usually > > don't bother fiddling with this type of email address hassle. > > That is the price we (the ASF) have to pay for avoiding DMARC issues. Or > we change the list configuration. > > Mark > > > > WRT to the CVE, the issue was originally reported in Commons > Configuration > > where the code is basically the same (in a different package obviously). > It > > was decided that Commons Configuration warranted a CVE and we pushed a > > release out. Since Text and Configuration are pretty much the same in > this > > area, it seemed consistent to issue a CVE and a new version for Text as > > well. > > > > Gary > > > > On Mon, Oct 24, 2022, 11:45 Wolfgang Jung .invalid> > > wrote: > > > >> Dear Gary, > >> > >> I’ve sent this exact problem on Dec. 11 2021 to the mail-address > mentioned > >> on the above changed security page: secur...@commons.apache.org > >> But never received a response… Therefore my question: Is this > mail-address > >> still correct? > >> > >> Best regards (and glad, that the default behaviour will be changed as > >> suggested), > >> Wolfgang Jung > >> > >> On 2022/10/19 21:28:59 Gary Gregory wrote: > >>> Fixed! The Apache Commons Configuration Security page is now live: > >>> https://commons.apache.org/proper/commons-configuration/security.html > >>> > >>> Gary > >>> > >>> On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory wrote: > > Thank you for the brilliant detective work Bruno! > > Gary > > On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita wrote: > > > > I had a look at the browser network tab, and saw an HTTP 302 location > > redirect from Varnish. These redirects normally need to be configured > >> in > > Varnish with some sort of rule. > > > > I went back to your email, grabbed the SVN URL, stepped up a few > > directories and saw an .htaccess at a parent level, that has a > >> redirect > > rule for some commons components (it has for [configuration], not for > > [text]). I think we just need to remove the configuration entry. > > > > > >> > https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess > > > > HTH, > > Bruno > > > > On Thu, 20 Oct 2022 at 08:22, Gary Gregory wrote: > > > >> Well, I published the Configuration site to the usual svn: > >> > >> > >> > >> > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ > >> > >> which should be end up at: > >> > >> https://commons.apache.org/proper/commons-configuration/index.html > >> > >> but for me clicking on the "Security" (in the top left menu) does > >> not > >> take me to > >> > >> https://commons.apache.org/proper/commons-configuration/security.html, > >> instead it redirects magically to > >> https://commons.apache.org/security.html > >> > >> Commons Text is fine in this area. What gives? > >> > >> Gary > >> > >> On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory > >> wrote: > >>> > >>> TY and merged. I'll publish later today. > >>> > >>> Gary > >>> > >>> On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen >>> > >> wrote: > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory > >> wrote: > > > > Would you be available to update the Commons Configuration page > > > >> > >> > https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml > > in the same way you did for Commons Text? The CVE is basically > >> the > > same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 > > > Happy to! Proposed > >> https://github.com/apache/commons-configuration/pull/230 > > > Kind regards, > > Arnout > > > On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory >>> > >> wrote: > >> > >> FYI: I updated the security page > >> https://commons.apache.org/proper/commons-text/security.html > >> > >> Gary > >> > >> On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory < > >> garydgreg...@gmail.com> wrote: > >>>
Re: Publish statement on Commons Text CVE
On 24/10/2022 19:54, Gary Gregory wrote: The problem is that you sent your message from what I assume is a bogus email reply address: p...@wolfgang-jung.net.invalid No, the ".invalid" was added by the ASF mail servers. See: https://blogs.apache.org/infra/entry/dmarc_filtering_on_lists_that We can ask infra to change this behaviour but it requires disbaling all forms of message munging. For Commons, I think this is limited to the help message added as a footer. To reply to this email I had to hand edit the reply to and am guessing that maybe p...@wolfgang-jung.net will reach you, but, who knows... I usually don't bother fiddling with this type of email address hassle. That is the price we (the ASF) have to pay for avoiding DMARC issues. Or we change the list configuration. Mark WRT to the CVE, the issue was originally reported in Commons Configuration where the code is basically the same (in a different package obviously). It was decided that Commons Configuration warranted a CVE and we pushed a release out. Since Text and Configuration are pretty much the same in this area, it seemed consistent to issue a CVE and a new version for Text as well. Gary On Mon, Oct 24, 2022, 11:45 Wolfgang Jung wrote: Dear Gary, I’ve sent this exact problem on Dec. 11 2021 to the mail-address mentioned on the above changed security page: secur...@commons.apache.org But never received a response… Therefore my question: Is this mail-address still correct? Best regards (and glad, that the default behaviour will be changed as suggested), Wolfgang Jung On 2022/10/19 21:28:59 Gary Gregory wrote: Fixed! The Apache Commons Configuration Security page is now live: https://commons.apache.org/proper/commons-configuration/security.html Gary On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory wrote: Thank you for the brilliant detective work Bruno! Gary On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita wrote: I had a look at the browser network tab, and saw an HTTP 302 location redirect from Varnish. These redirects normally need to be configured in Varnish with some sort of rule. I went back to your email, grabbed the SVN URL, stepped up a few directories and saw an .htaccess at a parent level, that has a redirect rule for some commons components (it has for [configuration], not for [text]). I think we just need to remove the configuration entry. https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess HTH, Bruno On Thu, 20 Oct 2022 at 08:22, Gary Gregory wrote: Well, I published the Configuration site to the usual svn: https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ which should be end up at: https://commons.apache.org/proper/commons-configuration/index.html but for me clicking on the "Security" (in the top left menu) does not take me to https://commons.apache.org/proper/commons-configuration/security.html, instead it redirects magically to https://commons.apache.org/security.html Commons Text is fine in this area. What gives? Gary On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory wrote: TY and merged. I'll publish later today. Gary On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen wrote: On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory wrote: Would you be available to update the Commons Configuration page https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml in the same way you did for Commons Text? The CVE is basically the same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 Happy to! Proposed https://github.com/apache/commons-configuration/pull/230 Kind regards, Arnout On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory wrote: FYI: I updated the security page https://commons.apache.org/proper/commons-text/security.html Gary On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory < garydgreg...@gmail.com> wrote: I have an unpublished security page in the repo already. Let's not duplicate information like this PR does please. Publishing a non-snapshot site is a pain and I don't want to do more than I have to. There is no need to buy in and promote the FUD on the front page IMO. This component will soon publish a security page and you can PR that page ( https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml ) if you want to update the details. TY! On Tue, Oct 18, 2022, 09:52 Arnout Engelen < en...@apache.org> wrote: Hello Commons, As you might know Commons Text recently published a CVE. It seems there is a fair bit of confusion about its severity online, so it seems like a good idea to publish a statement around that on the website. I've proposed one at https://github.com/apache/commons-text/pull/374 and I'd like to ask for your review & help publishing. Given the issue is getting some attention it might be nice to publish something soon and maybe refine it later ;). I'll also publish it at https://blo
Re: Re: Publish statement on Commons Text CVE
The problem is that you sent your message from what I assume is a bogus email reply address: p...@wolfgang-jung.net.invalid To reply to this email I had to hand edit the reply to and am guessing that maybe p...@wolfgang-jung.net will reach you, but, who knows... I usually don't bother fiddling with this type of email address hassle. WRT to the CVE, the issue was originally reported in Commons Configuration where the code is basically the same (in a different package obviously). It was decided that Commons Configuration warranted a CVE and we pushed a release out. Since Text and Configuration are pretty much the same in this area, it seemed consistent to issue a CVE and a new version for Text as well. Gary On Mon, Oct 24, 2022, 11:45 Wolfgang Jung wrote: > Dear Gary, > > I’ve sent this exact problem on Dec. 11 2021 to the mail-address mentioned > on the above changed security page: secur...@commons.apache.org > But never received a response… Therefore my question: Is this mail-address > still correct? > > Best regards (and glad, that the default behaviour will be changed as > suggested), > Wolfgang Jung > > On 2022/10/19 21:28:59 Gary Gregory wrote: > > Fixed! The Apache Commons Configuration Security page is now live: > > https://commons.apache.org/proper/commons-configuration/security.html > > > > Gary > > > > On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory wrote: > > > > > > Thank you for the brilliant detective work Bruno! > > > > > > Gary > > > > > > On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita wrote: > > >> > > >> I had a look at the browser network tab, and saw an HTTP 302 location > > >> redirect from Varnish. These redirects normally need to be configured > in > > >> Varnish with some sort of rule. > > >> > > >> I went back to your email, grabbed the SVN URL, stepped up a few > > >> directories and saw an .htaccess at a parent level, that has a > redirect > > >> rule for some commons components (it has for [configuration], not for > > >> [text]). I think we just need to remove the configuration entry. > > >> > > >> > https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess > > >> > > >> HTH, > > >> Bruno > > >> > > >> On Thu, 20 Oct 2022 at 08:22, Gary Gregory wrote: > > >> > > >> > Well, I published the Configuration site to the usual svn: > > >> > > > >> > > > >> > > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ > > >> > > > >> > which should be end up at: > > >> > > > >> > https://commons.apache.org/proper/commons-configuration/index.html > > >> > > > >> > but for me clicking on the "Security" (in the top left menu) does > not > > >> > take me to > > >> > > https://commons.apache.org/proper/commons-configuration/security.html, > > >> > instead it redirects magically to > > >> > https://commons.apache.org/security.html > > >> > > > >> > Commons Text is fine in this area. What gives? > > >> > > > >> > Gary > > >> > > > >> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory > > >> > wrote: > > >> > > > > >> > > TY and merged. I'll publish later today. > > >> > > > > >> > > Gary > > >> > > > > >> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen > > > >> > wrote: > > >> > > > > > >> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory > > >> > wrote: > > >> > > >> > > >> > > >> Would you be available to update the Commons Configuration page > > >> > > >> > > >> > > https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml > > >> > > >> in the same way you did for Commons Text? The CVE is basically > the > > >> > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 > > >> > > > > > >> > > > > > >> > > > Happy to! Proposed > > >> > https://github.com/apache/commons-configuration/pull/230 > > >> > > > > > >> > > > > > >> > > > Kind regards, > > >> > > > > > >> > > > Arnout > > >> > > > > > >> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory > > > >> > wrote: > > >> > > >> > > > >> > > >> > FYI: I updated the security page > > >> > > >> > https://commons.apache.org/proper/commons-text/security.html > > >> > > >> > > > >> > > >> > Gary > > >> > > >> > > > >> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory < > > >> > garydgreg...@gmail.com> wrote: > > >> > > >> > > > > >> > > >> > > I have an unpublished security page in the repo already. > Let's > > >> > not duplicate information like this PR does please. Publishing a > > >> > non-snapshot site is a pain and I don't want to do more than I have > to. > > >> > There is no need to buy in and promote the FUD on the front page > IMO. This > > >> > component will soon publish a security page and you can PR that > page ( > > >> > > https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml > ) > > >> > if you want to update the details. > > >> > > >> > > > > >> > > >> > > TY! > > >> > > >> > > > > >> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen < > en...@apache.org> > > >> > wrote: > > >> > > >> > >> > >
RE: Re: Publish statement on Commons Text CVE
Dear Gary, I’ve sent this exact problem on Dec. 11 2021 to the mail-address mentioned on the above changed security page: secur...@commons.apache.org But never received a response… Therefore my question: Is this mail-address still correct? Best regards (and glad, that the default behaviour will be changed as suggested), Wolfgang Jung On 2022/10/19 21:28:59 Gary Gregory wrote: > Fixed! The Apache Commons Configuration Security page is now live: > https://commons.apache.org/proper/commons-configuration/security.html > > Gary > > On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory wrote: > > > > Thank you for the brilliant detective work Bruno! > > > > Gary > > > > On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita wrote: > >> > >> I had a look at the browser network tab, and saw an HTTP 302 location > >> redirect from Varnish. These redirects normally need to be configured in > >> Varnish with some sort of rule. > >> > >> I went back to your email, grabbed the SVN URL, stepped up a few > >> directories and saw an .htaccess at a parent level, that has a redirect > >> rule for some commons components (it has for [configuration], not for > >> [text]). I think we just need to remove the configuration entry. > >> > >> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess > >> > >> HTH, > >> Bruno > >> > >> On Thu, 20 Oct 2022 at 08:22, Gary Gregory wrote: > >> > >> > Well, I published the Configuration site to the usual svn: > >> > > >> > > >> > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ > >> > > >> > which should be end up at: > >> > > >> > https://commons.apache.org/proper/commons-configuration/index.html > >> > > >> > but for me clicking on the "Security" (in the top left menu) does not > >> > take me to > >> > https://commons.apache.org/proper/commons-configuration/security.html, > >> > instead it redirects magically to > >> > https://commons.apache.org/security.html > >> > > >> > Commons Text is fine in this area. What gives? > >> > > >> > Gary > >> > > >> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory > >> > wrote: > >> > > > >> > > TY and merged. I'll publish later today. > >> > > > >> > > Gary > >> > > > >> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen > >> > wrote: > >> > > > > >> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory > >> > wrote: > >> > > >> > >> > > >> Would you be available to update the Commons Configuration page > >> > > >> > >> > https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml > >> > > >> in the same way you did for Commons Text? The CVE is basically the > >> > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 > >> > > > > >> > > > > >> > > > Happy to! Proposed > >> > https://github.com/apache/commons-configuration/pull/230 > >> > > > > >> > > > > >> > > > Kind regards, > >> > > > > >> > > > Arnout > >> > > > > >> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory > >> > wrote: > >> > > >> > > >> > > >> > FYI: I updated the security page > >> > > >> > https://commons.apache.org/proper/commons-text/security.html > >> > > >> > > >> > > >> > Gary > >> > > >> > > >> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory < > >> > garydgreg...@gmail.com> wrote: > >> > > >> > > > >> > > >> > > I have an unpublished security page in the repo already. Let's > >> > not duplicate information like this PR does please. Publishing a > >> > non-snapshot site is a pain and I don't want to do more than I have to. > >> > There is no need to buy in and promote the FUD on the front page IMO. > >> > This > >> > component will soon publish a security page and you can PR that page ( > >> > https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) > >> > if you want to update the details. > >> > > >> > > > >> > > >> > > TY! > >> > > >> > > > >> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen > >> > wrote: > >> > > >> > >> > >> > > >> > >> Hello Commons, > >> > > >> > >> > >> > > >> > >> As you might know Commons Text recently published a CVE. It > >> > seems there is > >> > > >> > >> a fair bit of confusion about its severity online, so it seems > >> > like a good > >> > > >> > >> idea to publish a statement around that on the website. > >> > > >> > >> > >> > > >> > >> I've proposed one at > >> > https://github.com/apache/commons-text/pull/374 and > >> > > >> > >> I'd like to ask for your review & help publishing. Given the > >> > issue is > >> > > >> > >> getting some attention it might be nice to publish something > >> > soon and maybe > >> > > >> > >> refine it later ;). I'll also publish it at > >> > > >> > >> https://blogs.apache.org/security . > >> > > >> > >> > >> > > >> > >> I think what would need to happen is: > >> > > >> > >> * review and merge > >> > https://github.com/apache/commons-text/pull/374 > >> > > >> > >> * check out the commit before the merge commit (since that one > >> > still has > >> > > >> > >> 1.10.0 as the versi
Re: Publish statement on Commons Text CVE
Not a problem, and thank **you** for the many releases and for working on CVE, site updates, commons reports, PR reviews :) Fixed! The Apache Commons Configuration Security page is now live: > https://commons.apache.org/proper/commons-configuration/security.html > It's working fine for me too! CHeers Bruno On Thu, 20 Oct 2022 at 10:29, Gary Gregory wrote: > Fixed! The Apache Commons Configuration Security page is now live: > https://commons.apache.org/proper/commons-configuration/security.html > > Gary > > On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory > wrote: > > > > Thank you for the brilliant detective work Bruno! > > > > Gary > > > > On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita wrote: > >> > >> I had a look at the browser network tab, and saw an HTTP 302 location > >> redirect from Varnish. These redirects normally need to be configured in > >> Varnish with some sort of rule. > >> > >> I went back to your email, grabbed the SVN URL, stepped up a few > >> directories and saw an .htaccess at a parent level, that has a redirect > >> rule for some commons components (it has for [configuration], not for > >> [text]). I think we just need to remove the configuration entry. > >> > >> > https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess > >> > >> HTH, > >> Bruno > >> > >> On Thu, 20 Oct 2022 at 08:22, Gary Gregory > wrote: > >> > >> > Well, I published the Configuration site to the usual svn: > >> > > >> > > >> > > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ > >> > > >> > which should be end up at: > >> > > >> > https://commons.apache.org/proper/commons-configuration/index.html > >> > > >> > but for me clicking on the "Security" (in the top left menu) does not > >> > take me to > >> > https://commons.apache.org/proper/commons-configuration/security.html > , > >> > instead it redirects magically to > >> > https://commons.apache.org/security.html > >> > > >> > Commons Text is fine in this area. What gives? > >> > > >> > Gary > >> > > >> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory > > >> > wrote: > >> > > > >> > > TY and merged. I'll publish later today. > >> > > > >> > > Gary > >> > > > >> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen > > >> > wrote: > >> > > > > >> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory < > garydgreg...@gmail.com> > >> > wrote: > >> > > >> > >> > > >> Would you be available to update the Commons Configuration page > >> > > >> > >> > > https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml > >> > > >> in the same way you did for Commons Text? The CVE is basically > the > >> > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 > >> > > > > >> > > > > >> > > > Happy to! Proposed > >> > https://github.com/apache/commons-configuration/pull/230 > >> > > > > >> > > > > >> > > > Kind regards, > >> > > > > >> > > > Arnout > >> > > > > >> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory < > garydgreg...@gmail.com> > >> > wrote: > >> > > >> > > >> > > >> > FYI: I updated the security page > >> > > >> > https://commons.apache.org/proper/commons-text/security.html > >> > > >> > > >> > > >> > Gary > >> > > >> > > >> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory < > >> > garydgreg...@gmail.com> wrote: > >> > > >> > > > >> > > >> > > I have an unpublished security page in the repo already. > Let's > >> > not duplicate information like this PR does please. Publishing a > >> > non-snapshot site is a pain and I don't want to do more than I have > to. > >> > There is no need to buy in and promote the FUD on the front page IMO. > This > >> > component will soon publish a security page and you can PR that page ( > >> > > https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml > ) > >> > if you want to update the details. > >> > > >> > > > >> > > >> > > TY! > >> > > >> > > > >> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen < > enge...@apache.org> > >> > wrote: > >> > > >> > >> > >> > > >> > >> Hello Commons, > >> > > >> > >> > >> > > >> > >> As you might know Commons Text recently published a CVE. It > >> > seems there is > >> > > >> > >> a fair bit of confusion about its severity online, so it > seems > >> > like a good > >> > > >> > >> idea to publish a statement around that on the website. > >> > > >> > >> > >> > > >> > >> I've proposed one at > >> > https://github.com/apache/commons-text/pull/374 and > >> > > >> > >> I'd like to ask for your review & help publishing. Given the > >> > issue is > >> > > >> > >> getting some attention it might be nice to publish something > >> > soon and maybe > >> > > >> > >> refine it later ;). I'll also publish it at > >> > > >> > >> https://blogs.apache.org/security . > >> > > >> > >> > >> > > >> > >> I think what would need to happen is: > >> > > >> > >> * review and merge > >> > https://github.com/apache/commons-text/pull/374 > >> > > >> > >> * check out the commit before the me
Re: Publish statement on Commons Text CVE
Fixed! The Apache Commons Configuration Security page is now live: https://commons.apache.org/proper/commons-configuration/security.html Gary On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory wrote: > > Thank you for the brilliant detective work Bruno! > > Gary > > On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita wrote: >> >> I had a look at the browser network tab, and saw an HTTP 302 location >> redirect from Varnish. These redirects normally need to be configured in >> Varnish with some sort of rule. >> >> I went back to your email, grabbed the SVN URL, stepped up a few >> directories and saw an .htaccess at a parent level, that has a redirect >> rule for some commons components (it has for [configuration], not for >> [text]). I think we just need to remove the configuration entry. >> >> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess >> >> HTH, >> Bruno >> >> On Thu, 20 Oct 2022 at 08:22, Gary Gregory wrote: >> >> > Well, I published the Configuration site to the usual svn: >> > >> > >> > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ >> > >> > which should be end up at: >> > >> > https://commons.apache.org/proper/commons-configuration/index.html >> > >> > but for me clicking on the "Security" (in the top left menu) does not >> > take me to >> > https://commons.apache.org/proper/commons-configuration/security.html, >> > instead it redirects magically to >> > https://commons.apache.org/security.html >> > >> > Commons Text is fine in this area. What gives? >> > >> > Gary >> > >> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory >> > wrote: >> > > >> > > TY and merged. I'll publish later today. >> > > >> > > Gary >> > > >> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen >> > wrote: >> > > > >> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory >> > wrote: >> > > >> >> > > >> Would you be available to update the Commons Configuration page >> > > >> >> > https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml >> > > >> in the same way you did for Commons Text? The CVE is basically the >> > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 >> > > > >> > > > >> > > > Happy to! Proposed >> > https://github.com/apache/commons-configuration/pull/230 >> > > > >> > > > >> > > > Kind regards, >> > > > >> > > > Arnout >> > > > >> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory >> > wrote: >> > > >> > >> > > >> > FYI: I updated the security page >> > > >> > https://commons.apache.org/proper/commons-text/security.html >> > > >> > >> > > >> > Gary >> > > >> > >> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory < >> > garydgreg...@gmail.com> wrote: >> > > >> > > >> > > >> > > I have an unpublished security page in the repo already. Let's >> > not duplicate information like this PR does please. Publishing a >> > non-snapshot site is a pain and I don't want to do more than I have to. >> > There is no need to buy in and promote the FUD on the front page IMO. This >> > component will soon publish a security page and you can PR that page ( >> > https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) >> > if you want to update the details. >> > > >> > > >> > > >> > > TY! >> > > >> > > >> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen >> > wrote: >> > > >> > >> >> > > >> > >> Hello Commons, >> > > >> > >> >> > > >> > >> As you might know Commons Text recently published a CVE. It >> > seems there is >> > > >> > >> a fair bit of confusion about its severity online, so it seems >> > like a good >> > > >> > >> idea to publish a statement around that on the website. >> > > >> > >> >> > > >> > >> I've proposed one at >> > https://github.com/apache/commons-text/pull/374 and >> > > >> > >> I'd like to ask for your review & help publishing. Given the >> > issue is >> > > >> > >> getting some attention it might be nice to publish something >> > soon and maybe >> > > >> > >> refine it later ;). I'll also publish it at >> > > >> > >> https://blogs.apache.org/security . >> > > >> > >> >> > > >> > >> I think what would need to happen is: >> > > >> > >> * review and merge >> > https://github.com/apache/commons-text/pull/374 >> > > >> > >> * check out the commit before the merge commit (since that one >> > still has >> > > >> > >> 1.10.0 as the version in the pom.xml) >> > > >> > >> * tag it with something clear, like >> > "commons-text-1.10.0-docs-update"(?) >> > > >> > >> * push the tag >> > > >> > >> * do a 'mvn site:deploy' >> > > >> > >> >> > > >> > >> Much appreciated! >> > > >> > >> >> > > >> > >> >> > > >> > >> Kind regards, >> > > >> > >> >> > > >> > >> Arnout >> > >> > - >> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >> > For additional commands, e-mail: dev-h...@commons.apache.org >> > >> > - To unsubscribe, e-mai
Re: Publish statement on Commons Text CVE
Thank you for the brilliant detective work Bruno! Gary On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita wrote: > I had a look at the browser network tab, and saw an HTTP 302 location > redirect from Varnish. These redirects normally need to be configured in > Varnish with some sort of rule. > > I went back to your email, grabbed the SVN URL, stepped up a few > directories and saw an .htaccess at a parent level, that has a redirect > rule for some commons components (it has for [configuration], not for > [text]). I think we just need to remove the configuration entry. > > > https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess > > HTH, > Bruno > > On Thu, 20 Oct 2022 at 08:22, Gary Gregory wrote: > > > Well, I published the Configuration site to the usual svn: > > > > > > > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ > > > > which should be end up at: > > > > https://commons.apache.org/proper/commons-configuration/index.html > > > > but for me clicking on the "Security" (in the top left menu) does not > > take me to > > https://commons.apache.org/proper/commons-configuration/security.html, > > instead it redirects magically to > > https://commons.apache.org/security.html > > > > Commons Text is fine in this area. What gives? > > > > Gary > > > > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory > > wrote: > > > > > > TY and merged. I'll publish later today. > > > > > > Gary > > > > > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen > > wrote: > > > > > > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory < > garydgreg...@gmail.com> > > wrote: > > > >> > > > >> Would you be available to update the Commons Configuration page > > > >> > > > https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml > > > >> in the same way you did for Commons Text? The CVE is basically the > > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 > > > > > > > > > > > > Happy to! Proposed > > https://github.com/apache/commons-configuration/pull/230 > > > > > > > > > > > > Kind regards, > > > > > > > > Arnout > > > > > > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory < > garydgreg...@gmail.com> > > wrote: > > > >> > > > > >> > FYI: I updated the security page > > > >> > https://commons.apache.org/proper/commons-text/security.html > > > >> > > > > >> > Gary > > > >> > > > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory < > > garydgreg...@gmail.com> wrote: > > > >> > > > > > >> > > I have an unpublished security page in the repo already. Let's > > not duplicate information like this PR does please. Publishing a > > non-snapshot site is a pain and I don't want to do more than I have to. > > There is no need to buy in and promote the FUD on the front page IMO. > This > > component will soon publish a security page and you can PR that page ( > > > https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml > ) > > if you want to update the details. > > > >> > > > > > >> > > TY! > > > >> > > > > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen > > wrote: > > > >> > >> > > > >> > >> Hello Commons, > > > >> > >> > > > >> > >> As you might know Commons Text recently published a CVE. It > > seems there is > > > >> > >> a fair bit of confusion about its severity online, so it seems > > like a good > > > >> > >> idea to publish a statement around that on the website. > > > >> > >> > > > >> > >> I've proposed one at > > https://github.com/apache/commons-text/pull/374 and > > > >> > >> I'd like to ask for your review & help publishing. Given the > > issue is > > > >> > >> getting some attention it might be nice to publish something > > soon and maybe > > > >> > >> refine it later ;). I'll also publish it at > > > >> > >> https://blogs.apache.org/security . > > > >> > >> > > > >> > >> I think what would need to happen is: > > > >> > >> * review and merge > > https://github.com/apache/commons-text/pull/374 > > > >> > >> * check out the commit before the merge commit (since that one > > still has > > > >> > >> 1.10.0 as the version in the pom.xml) > > > >> > >> * tag it with something clear, like > > "commons-text-1.10.0-docs-update"(?) > > > >> > >> * push the tag > > > >> > >> * do a 'mvn site:deploy' > > > >> > >> > > > >> > >> Much appreciated! > > > >> > >> > > > >> > >> > > > >> > >> Kind regards, > > > >> > >> > > > >> > >> Arnout > > > > - > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > >
Re: Publish statement on Commons Text CVE
I had a look at the browser network tab, and saw an HTTP 302 location redirect from Varnish. These redirects normally need to be configured in Varnish with some sort of rule. I went back to your email, grabbed the SVN URL, stepped up a few directories and saw an .htaccess at a parent level, that has a redirect rule for some commons components (it has for [configuration], not for [text]). I think we just need to remove the configuration entry. https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess HTH, Bruno On Thu, 20 Oct 2022 at 08:22, Gary Gregory wrote: > Well, I published the Configuration site to the usual svn: > > > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ > > which should be end up at: > > https://commons.apache.org/proper/commons-configuration/index.html > > but for me clicking on the "Security" (in the top left menu) does not > take me to > https://commons.apache.org/proper/commons-configuration/security.html, > instead it redirects magically to > https://commons.apache.org/security.html > > Commons Text is fine in this area. What gives? > > Gary > > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory > wrote: > > > > TY and merged. I'll publish later today. > > > > Gary > > > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen > wrote: > > > > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory > wrote: > > >> > > >> Would you be available to update the Commons Configuration page > > >> > https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml > > >> in the same way you did for Commons Text? The CVE is basically the > > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 > > > > > > > > > Happy to! Proposed > https://github.com/apache/commons-configuration/pull/230 > > > > > > > > > Kind regards, > > > > > > Arnout > > > > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory > wrote: > > >> > > > >> > FYI: I updated the security page > > >> > https://commons.apache.org/proper/commons-text/security.html > > >> > > > >> > Gary > > >> > > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory < > garydgreg...@gmail.com> wrote: > > >> > > > > >> > > I have an unpublished security page in the repo already. Let's > not duplicate information like this PR does please. Publishing a > non-snapshot site is a pain and I don't want to do more than I have to. > There is no need to buy in and promote the FUD on the front page IMO. This > component will soon publish a security page and you can PR that page ( > https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) > if you want to update the details. > > >> > > > > >> > > TY! > > >> > > > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen > wrote: > > >> > >> > > >> > >> Hello Commons, > > >> > >> > > >> > >> As you might know Commons Text recently published a CVE. It > seems there is > > >> > >> a fair bit of confusion about its severity online, so it seems > like a good > > >> > >> idea to publish a statement around that on the website. > > >> > >> > > >> > >> I've proposed one at > https://github.com/apache/commons-text/pull/374 and > > >> > >> I'd like to ask for your review & help publishing. Given the > issue is > > >> > >> getting some attention it might be nice to publish something > soon and maybe > > >> > >> refine it later ;). I'll also publish it at > > >> > >> https://blogs.apache.org/security . > > >> > >> > > >> > >> I think what would need to happen is: > > >> > >> * review and merge > https://github.com/apache/commons-text/pull/374 > > >> > >> * check out the commit before the merge commit (since that one > still has > > >> > >> 1.10.0 as the version in the pom.xml) > > >> > >> * tag it with something clear, like > "commons-text-1.10.0-docs-update"(?) > > >> > >> * push the tag > > >> > >> * do a 'mvn site:deploy' > > >> > >> > > >> > >> Much appreciated! > > >> > >> > > >> > >> > > >> > >> Kind regards, > > >> > >> > > >> > >> Arnout > > - > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org > >
Re: Publish statement on Commons Text CVE
Well, I published the Configuration site to the usual svn: https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/ which should be end up at: https://commons.apache.org/proper/commons-configuration/index.html but for me clicking on the "Security" (in the top left menu) does not take me to https://commons.apache.org/proper/commons-configuration/security.html, instead it redirects magically to https://commons.apache.org/security.html Commons Text is fine in this area. What gives? Gary On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory wrote: > > TY and merged. I'll publish later today. > > Gary > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen wrote: > > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory > > wrote: > >> > >> Would you be available to update the Commons Configuration page > >> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml > >> in the same way you did for Commons Text? The CVE is basically the > >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 > > > > > > Happy to! Proposed https://github.com/apache/commons-configuration/pull/230 > > > > > > Kind regards, > > > > Arnout > > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory > >> wrote: > >> > > >> > FYI: I updated the security page > >> > https://commons.apache.org/proper/commons-text/security.html > >> > > >> > Gary > >> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory > >> > wrote: > >> > > > >> > > I have an unpublished security page in the repo already. Let's not > >> > > duplicate information like this PR does please. Publishing a > >> > > non-snapshot site is a pain and I don't want to do more than I have > >> > > to. There is no need to buy in and promote the FUD on the front page > >> > > IMO. This component will soon publish a security page and you can PR > >> > > that page > >> > > (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) > >> > > if you want to update the details. > >> > > > >> > > TY! > >> > > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen wrote: > >> > >> > >> > >> Hello Commons, > >> > >> > >> > >> As you might know Commons Text recently published a CVE. It seems > >> > >> there is > >> > >> a fair bit of confusion about its severity online, so it seems like a > >> > >> good > >> > >> idea to publish a statement around that on the website. > >> > >> > >> > >> I've proposed one at https://github.com/apache/commons-text/pull/374 > >> > >> and > >> > >> I'd like to ask for your review & help publishing. Given the issue is > >> > >> getting some attention it might be nice to publish something soon and > >> > >> maybe > >> > >> refine it later ;). I'll also publish it at > >> > >> https://blogs.apache.org/security . > >> > >> > >> > >> I think what would need to happen is: > >> > >> * review and merge https://github.com/apache/commons-text/pull/374 > >> > >> * check out the commit before the merge commit (since that one still > >> > >> has > >> > >> 1.10.0 as the version in the pom.xml) > >> > >> * tag it with something clear, like > >> > >> "commons-text-1.10.0-docs-update"(?) > >> > >> * push the tag > >> > >> * do a 'mvn site:deploy' > >> > >> > >> > >> Much appreciated! > >> > >> > >> > >> > >> > >> Kind regards, > >> > >> > >> > >> Arnout - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Publish statement on Commons Text CVE
TY and merged. I'll publish later today. Gary On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen wrote: > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory wrote: >> >> Would you be available to update the Commons Configuration page >> https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml >> in the same way you did for Commons Text? The CVE is basically the >> same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 > > > Happy to! Proposed https://github.com/apache/commons-configuration/pull/230 > > > Kind regards, > > Arnout > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory wrote: >> > >> > FYI: I updated the security page >> > https://commons.apache.org/proper/commons-text/security.html >> > >> > Gary >> > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory >> > wrote: >> > > >> > > I have an unpublished security page in the repo already. Let's not >> > > duplicate information like this PR does please. Publishing a >> > > non-snapshot site is a pain and I don't want to do more than I have to. >> > > There is no need to buy in and promote the FUD on the front page IMO. >> > > This component will soon publish a security page and you can PR that >> > > page >> > > (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) >> > > if you want to update the details. >> > > >> > > TY! >> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen wrote: >> > >> >> > >> Hello Commons, >> > >> >> > >> As you might know Commons Text recently published a CVE. It seems there >> > >> is >> > >> a fair bit of confusion about its severity online, so it seems like a >> > >> good >> > >> idea to publish a statement around that on the website. >> > >> >> > >> I've proposed one at https://github.com/apache/commons-text/pull/374 and >> > >> I'd like to ask for your review & help publishing. Given the issue is >> > >> getting some attention it might be nice to publish something soon and >> > >> maybe >> > >> refine it later ;). I'll also publish it at >> > >> https://blogs.apache.org/security . >> > >> >> > >> I think what would need to happen is: >> > >> * review and merge https://github.com/apache/commons-text/pull/374 >> > >> * check out the commit before the merge commit (since that one still has >> > >> 1.10.0 as the version in the pom.xml) >> > >> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?) >> > >> * push the tag >> > >> * do a 'mvn site:deploy' >> > >> >> > >> Much appreciated! >> > >> >> > >> >> > >> Kind regards, >> > >> >> > >> Arnout - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Publish statement on Commons Text CVE
On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory wrote: > Would you be available to update the Commons Configuration page > > https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml > in the same way you did for Commons Text? The CVE is basically the > same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 > Happy to! Proposed https://github.com/apache/commons-configuration/pull/230 Kind regards, Arnout On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory > wrote: > > > > FYI: I updated the security page > > https://commons.apache.org/proper/commons-text/security.html > > > > Gary > > > > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory > wrote: > > > > > > I have an unpublished security page in the repo already. Let's not > duplicate information like this PR does please. Publishing a non-snapshot > site is a pain and I don't want to do more than I have to. There is no need > to buy in and promote the FUD on the front page IMO. This component will > soon publish a security page and you can PR that page ( > https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) > if you want to update the details. > > > > > > TY! > > > > > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen wrote: > > >> > > >> Hello Commons, > > >> > > >> As you might know Commons Text recently published a CVE. It seems > there is > > >> a fair bit of confusion about its severity online, so it seems like a > good > > >> idea to publish a statement around that on the website. > > >> > > >> I've proposed one at https://github.com/apache/commons-text/pull/374 > and > > >> I'd like to ask for your review & help publishing. Given the issue is > > >> getting some attention it might be nice to publish something soon and > maybe > > >> refine it later ;). I'll also publish it at > > >> https://blogs.apache.org/security . > > >> > > >> I think what would need to happen is: > > >> * review and merge https://github.com/apache/commons-text/pull/374 > > >> * check out the commit before the merge commit (since that one still > has > > >> 1.10.0 as the version in the pom.xml) > > >> * tag it with something clear, like > "commons-text-1.10.0-docs-update"(?) > > >> * push the tag > > >> * do a 'mvn site:deploy' > > >> > > >> Much appreciated! > > >> > > >> > > >> Kind regards, > > >> > > >> Arnout >
Re: Publish statement on Commons Text CVE
Hi Arnout, Would you be available to update the Commons Configuration page https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml in the same way you did for Commons Text? The CVE is basically the same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 Gary On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory wrote: > > FYI: I updated the security page > https://commons.apache.org/proper/commons-text/security.html > > Gary > > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory wrote: > > > > I have an unpublished security page in the repo already. Let's not > > duplicate information like this PR does please. Publishing a non-snapshot > > site is a pain and I don't want to do more than I have to. There is no need > > to buy in and promote the FUD on the front page IMO. This component will > > soon publish a security page and you can PR that page > > (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) > > if you want to update the details. > > > > TY! > > > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen wrote: > >> > >> Hello Commons, > >> > >> As you might know Commons Text recently published a CVE. It seems there is > >> a fair bit of confusion about its severity online, so it seems like a good > >> idea to publish a statement around that on the website. > >> > >> I've proposed one at https://github.com/apache/commons-text/pull/374 and > >> I'd like to ask for your review & help publishing. Given the issue is > >> getting some attention it might be nice to publish something soon and maybe > >> refine it later ;). I'll also publish it at > >> https://blogs.apache.org/security . > >> > >> I think what would need to happen is: > >> * review and merge https://github.com/apache/commons-text/pull/374 > >> * check out the commit before the merge commit (since that one still has > >> 1.10.0 as the version in the pom.xml) > >> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?) > >> * push the tag > >> * do a 'mvn site:deploy' > >> > >> Much appreciated! > >> > >> > >> Kind regards, > >> > >> Arnout - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Publish statement on Commons Text CVE
FYI: I updated the security page https://commons.apache.org/proper/commons-text/security.html Gary On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory wrote: > > I have an unpublished security page in the repo already. Let's not duplicate > information like this PR does please. Publishing a non-snapshot site is a > pain and I don't want to do more than I have to. There is no need to buy in > and promote the FUD on the front page IMO. This component will soon publish a > security page and you can PR that page > (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) > if you want to update the details. > > TY! > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen wrote: >> >> Hello Commons, >> >> As you might know Commons Text recently published a CVE. It seems there is >> a fair bit of confusion about its severity online, so it seems like a good >> idea to publish a statement around that on the website. >> >> I've proposed one at https://github.com/apache/commons-text/pull/374 and >> I'd like to ask for your review & help publishing. Given the issue is >> getting some attention it might be nice to publish something soon and maybe >> refine it later ;). I'll also publish it at >> https://blogs.apache.org/security . >> >> I think what would need to happen is: >> * review and merge https://github.com/apache/commons-text/pull/374 >> * check out the commit before the merge commit (since that one still has >> 1.10.0 as the version in the pom.xml) >> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?) >> * push the tag >> * do a 'mvn site:deploy' >> >> Much appreciated! >> >> >> Kind regards, >> >> Arnout - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Publish statement on Commons Text CVE
I have an unpublished security page in the repo already. Let's not duplicate information like this PR does please. Publishing a non-snapshot site is a pain and I don't want to do more than I have to. There is no need to buy in and promote the FUD on the front page IMO. This component will soon publish a security page and you can PR that page ( https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) if you want to update the details. TY! On Tue, Oct 18, 2022, 09:52 Arnout Engelen wrote: > Hello Commons, > > As you might know Commons Text recently published a CVE. It seems there is > a fair bit of confusion about its severity online, so it seems like a good > idea to publish a statement around that on the website. > > I've proposed one at https://github.com/apache/commons-text/pull/374 and > I'd like to ask for your review & help publishing. Given the issue is > getting some attention it might be nice to publish something soon and maybe > refine it later ;). I'll also publish it at > https://blogs.apache.org/security . > > I think what would need to happen is: > * review and merge https://github.com/apache/commons-text/pull/374 > * check out the commit before the merge commit (since that one still has > 1.10.0 as the version in the pom.xml) > * tag it with something clear, like "commons-text-1.10.0-docs-update"(?) > * push the tag > * do a 'mvn site:deploy' > > Much appreciated! > > > Kind regards, > > Arnout >
Publish statement on Commons Text CVE
Hello Commons, As you might know Commons Text recently published a CVE. It seems there is a fair bit of confusion about its severity online, so it seems like a good idea to publish a statement around that on the website. I've proposed one at https://github.com/apache/commons-text/pull/374 and I'd like to ask for your review & help publishing. Given the issue is getting some attention it might be nice to publish something soon and maybe refine it later ;). I'll also publish it at https://blogs.apache.org/security . I think what would need to happen is: * review and merge https://github.com/apache/commons-text/pull/374 * check out the commit before the merge commit (since that one still has 1.10.0 as the version in the pom.xml) * tag it with something clear, like "commons-text-1.10.0-docs-update"(?) * push the tag * do a 'mvn site:deploy' Much appreciated! Kind regards, Arnout
