Rick Hillegas <[email protected]> writes:

> On 6/20/13 11:38 AM, Myrna van Lunteren wrote:
>> Thanks Knut, for your quick action.
>>
>> I wonder, do we need to do anything regarding this in javadoc in
>> past releases? Add a comment to the download page
>> (http://db.apache.org/derby/derby_downloads.html), alert the user
>> list?
>> I prefer not to create new releases for older branches because it's
>> such a hassle to create a release.
>
> I think that the old releases contain other, more serious security
> vulnerabilities which have been addressed in later distributions. We
> don't generally regenerate older releases just because we discover and
> fix a vulnerability later on. We don't annotate the download page to
> call attention to vulnerabilities in old releases. I don't think that
> this defect requires a special response.
>
> We could consider sending a brief note to derby-user, now that we have
> fixed our own exposure to this bug.
>
> We have handled other vulnerabilities by including extra instructions
> in the release notes for a later release. I think it would be adequate
> to write a release note for DERBY-6270 and mark that issue as fixed in
> 10.10.1.3 and 10.11.0.0 so that users will be alerted when they read
> the release notes for our next couple of releases.
I've uploaded a release note to DERBY-6270 and added 10.11.0.0 to the
fix versions (it was already marked as fixed in 10.10.1.3).

I've also added verifying that the javadocs don't suffer from this
vulnerability as a separate item in the release vetting checklist
template on the wiki, and in the checklists for the not yet released
10.9.2, 10.10.2 and 10.11.1 versions.

Finally, I've just sent a mail to derby-user suggesting that users read
the security advisory and take the appropriate steps.

Hopefully, that should cover it.

Thanks,

--
Knut Anders
