Wow, the email issue with the .invalid email address is on the Apache side (DMARC).
Gary

On Mon, Oct 24, 2022, 14:54 Gary Gregory <garydgreg...@gmail.com> wrote:

> The problem is that you sent your message from what I assume is a bogus email reply address: p...@wolfgang-jung.net.invalid
>
> To reply to this email I had to hand edit the reply-to and am guessing that maybe p...@wolfgang-jung.net will reach you, but, who knows... I usually don't bother fiddling with this type of email address hassle.
>
> WRT the CVE, the issue was originally reported in Commons Configuration where the code is basically the same (in a different package obviously). It was decided that Commons Configuration warranted a CVE and we pushed a release out. Since Text and Configuration are pretty much the same in this area, it seemed consistent to issue a CVE and a new version for Text as well.
>
> Gary
>
> On Mon, Oct 24, 2022, 11:45 Wolfgang Jung <p...@wolfgang-jung.net.invalid> wrote:
>
>> Dear Gary,
>>
>> I've sent this exact problem on Dec. 11 2021 to the mail address mentioned on the above changed security page: secur...@commons.apache.org, but never received a response. Therefore my question: Is this mail address still correct?
>>
>> Best regards (and glad that the default behaviour will be changed as suggested),
>> Wolfgang Jung
>>
>> On 2022/10/19 21:28:59 Gary Gregory wrote:
>> > Fixed! The Apache Commons Configuration Security page is now live:
>> > https://commons.apache.org/proper/commons-configuration/security.html
>> >
>> > Gary
>> >
>> > On Wed, Oct 19, 2022 at 4:45 PM Gary Gregory <ga...@gmail.com> wrote:
>> > >
>> > > Thank you for the brilliant detective work Bruno!
>> > >
>> > > Gary
>> > >
>> > > On Wed, Oct 19, 2022, 16:16 Bruno Kinoshita <ki...@apache.org> wrote:
>> > >>
>> > >> I had a look at the browser network tab, and saw an HTTP 302 location redirect from Varnish. These redirects normally need to be configured in Varnish with some sort of rule.
>> > >>
>> > >> I went back to your email, grabbed the SVN URL, stepped up a few directories and saw an .htaccess at a parent level that has a redirect rule for some commons components (it has one for [configuration], not for [text]). I think we just need to remove the configuration entry.
>> > >>
>> > >> https://svn.apache.org/repos/infra/websites/production/commons/content/.htaccess
>> > >>
>> > >> HTH,
>> > >> Bruno
>> > >>
>> > >> On Thu, 20 Oct 2022 at 08:22, Gary Gregory <ga...@gmail.com> wrote:
>> > >>
>> > >> > Well, I published the Configuration site to the usual svn:
>> > >> >
>> > >> > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/commons-configuration/
>> > >> >
>> > >> > which should end up at:
>> > >> >
>> > >> > https://commons.apache.org/proper/commons-configuration/index.html
>> > >> >
>> > >> > but for me clicking on the "Security" (in the top left menu) does not take me to https://commons.apache.org/proper/commons-configuration/security.html, instead it redirects magically to https://commons.apache.org/security.html
>> > >> >
>> > >> > Commons Text is fine in this area. What gives?
>> > >> >
>> > >> > Gary
>> > >> >
>> > >> > On Wed, Oct 19, 2022 at 12:48 PM Gary Gregory <ga...@gmail.com> wrote:
>> > >> > >
>> > >> > > TY and merged. I'll publish later today.
>> > >> > >
>> > >> > > Gary
>> > >> > >
>> > >> > > On Wed, Oct 19, 2022 at 11:13 AM Arnout Engelen <en...@apache.org> wrote:
>> > >> > > >
>> > >> > > > On Wed, Oct 19, 2022 at 12:23 PM Gary Gregory <ga...@gmail.com> wrote:
>> > >> > > >>
>> > >> > > >> Would you be available to update the Commons Configuration page https://github.com/apache/commons-configuration/blob/master/src/site/xdoc/security.xml in the same way you did for Commons Text? The CVE is basically the same: https://nvd.nist.gov/vuln/detail/CVE-2022-33980
>> > >> > > >
>> > >> > > > Happy to! Proposed https://github.com/apache/commons-configuration/pull/230
>> > >> > > >
>> > >> > > > Kind regards,
>> > >> > > >
>> > >> > > > Arnout
>> > >> > > >
>> > >> > > >> On Tue, Oct 18, 2022 at 11:20 PM Gary Gregory <ga...@gmail.com> wrote:
>> > >> > > >> >
>> > >> > > >> > FYI: I updated the security page https://commons.apache.org/proper/commons-text/security.html
>> > >> > > >> >
>> > >> > > >> > Gary
>> > >> > > >> >
>> > >> > > >> > On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory <garydgreg...@gmail.com> wrote:
>> > >> > > >> > >
>> > >> > > >> > > I have an unpublished security page in the repo already. Let's not duplicate information like this PR does please. Publishing a non-snapshot site is a pain and I don't want to do more than I have to. There is no need to buy in and promote the FUD on the front page IMO. This component will soon publish a security page and you can PR that page (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) if you want to update the details.
>> > >> > > >> > >
>> > >> > > >> > > TY!
>> > >> > > >> > >
>> > >> > > >> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen <en...@apache.org> wrote:
>> > >> > > >> > >>
>> > >> > > >> > >> Hello Commons,
>> > >> > > >> > >>
>> > >> > > >> > >> As you might know Commons Text recently published a CVE. It seems there is a fair bit of confusion about its severity online, so it seems like a good idea to publish a statement around that on the website.
>> > >> > > >> > >>
>> > >> > > >> > >> I've proposed one at https://github.com/apache/commons-text/pull/374 and I'd like to ask for your review & help publishing. Given the issue is getting some attention it might be nice to publish something soon and maybe refine it later ;). I'll also publish it at https://blogs.apache.org/security .
>> > >> > > >> > >>
>> > >> > > >> > >> I think what would need to happen is:
>> > >> > > >> > >> * review and merge https://github.com/apache/commons-text/pull/374
>> > >> > > >> > >> * check out the commit before the merge commit (since that one still has 1.10.0 as the version in the pom.xml)
>> > >> > > >> > >> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
>> > >> > > >> > >> * push the tag
>> > >> > > >> > >> * do a 'mvn site:deploy'
>> > >> > > >> > >>
>> > >> > > >> > >> Much appreciated!
>> > >> > > >> > >>
>> > >> > > >> > >> Kind regards,
>> > >> > > >> > >>
>> > >> > > >> > >> Arnout
>> > >> >
>> > >> > ---------------------------------------------------------------------
>> > >> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> > >> > For additional commands, e-mail: dev-h...@commons.apache.org
>>
>> Wolfgang Jung
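The thread above refers to CVE-2022-33980 and to the change in Commons Text's default interpolation behaviour (in 1.10.0 the script, dns and url lookups were dropped from the defaults). The following is an added example, not code from the Apache Commons project or from any participant in this thread: it shows how an application can stop depending on the library's defaults altogether by building a StringSubstitutor with an explicit allow-list of lookup prefixes. It assumes commons-text (1.3 or later, for the three-argument interpolatorStringLookup) on the classpath; the class name and the chosen allow-list are this example's own.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Builds a StringSubstitutor whose "${prefix:key}" interpolation only
 * consults an explicit allow-list of prefixes. Any other prefix (including
 * "script:", "dns:" and "url:") is passed to the plain map lookup as an
 * ordinary key, is not found there, and the placeholder is left untouched.
 *
 * Example class, not part of Commons Text.
 */
public final class AllowListedInterpolator {

    private AllowListedInterpolator() {
    }

    /** Creates a substitutor that resolves ${name} from values plus the allow-listed prefixes. */
    public static StringSubstitutor create(Map<String, String> values) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;

        // Allow-list chosen for this example: only these prefixes are ever consulted.
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("date", factory.dateStringLookup());
        allowed.put("env", factory.environmentVariableStringLookup());

        // Third argument false: do NOT merge in the factory's default lookups,
        // so the set of recognised prefixes is exactly the map above,
        // whatever version of the library (and its defaults) is on the classpath.
        StringLookup interpolator = factory.interpolatorStringLookup(
                allowed, factory.mapStringLookup(values), false);

        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Map<String, String> values = new HashMap<>();
        values.put("name", "commons");

        StringSubstitutor sub = create(values);

        // Resolved through the map lookup: prints "Hello commons".
        System.out.println(sub.replace("Hello ${name}"));

        // Not an allowed prefix and not a key in the map: the placeholder
        // is echoed back unchanged instead of being evaluated.
        System.out.println(sub.replace("Value: ${script:javascript:1+1}"));
    }
}
```

The second println is the regression check a consuming project would keep: if the placeholder ever comes back evaluated rather than verbatim, something reintroduced the default lookups.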