> With respect to the advisory, since the original one[0] claims the issue was
> fixed in 3.2.3, we're not allowed to 'widen' the version range, we'll have to
> allocate a new one[1]. I can take care of that on your behalf if you prefer?

I updated the existing advisory [1] when I did the release, so if something else needs to happen that would need to be handled by others.

> Also, I noticed the download page still seems to be referring to 3.2.0 - it
> might be nice to update that as well :).

The page I control is inside the generated site [2], I don't know what the other pages might be or how they're managed.

My suggestion would be to get rid of that (or at least the sections pertaining to Xerces-C). Duplication isn't ideal for this sort of thing, I can't maintain the information in multiple places. But I don’t know who would be able to excise that material.

-- Scott

[1] https://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt
[2] https://xerces.apache.org/xerces-c/download.cgi