Folks - I just sent out 2 security advisories that should have been sent out several months ago - luckily the ASF security team was aware of them and prodded the ACS security team as to what was up. Earlier today I realized the announcements hadn’t gone out, so they were just sent.
I just put up a blog post[1] explaining how this happened and what we’re going to do in the future to minimize the chance of it happening again. If folks have further questions about the advisories or the mixup in posting them, I’m happy to discuss privately or on-list. With apologies... John 1: https://blogs.apache.org/cloudstack/entry/two_late_announced_security_advisories
