Open source projects, ASF or otherwise, have varying procedures for commits
of fixes to vulnerabilities.  One important aspect of these procedures is
whether or not fixes to vulnerabilities can be committed to a repository
with commit logs and possibly CHANGES entries which purposefully obscure
the vulnerability and omit any available vulnerability tracking information.

(The vulnerabilities I refer to are those which are not already announced
or otherwise generally known to the user community, and where the would-be
committer knows that a vulnerability is fixed by the code change possibly
being committed.  Often it will have been discussed previously with fellow
httpd developers in a private forum.)

[ ] It is an accepted practice (but not required) to obscure or omit the
vulnerability impact in CHANGES or commit log information when committing
fixes for vulnerabilities to any branch.

[ ] It is mandatory to provide best available description and any available
tracking information when committing fixes for vulnerabilities to any
branch, delaying committing of the fix if the information shouldn't be
provided yet.

[ ] _______________ (fill in the blank)

---/---

Obscuring details about a code change (the first choice above) presumably
wouldn't be done for a very obvious and high severity vulnerability.  I
think that the possible justification for following the first choice for a
particular fix is that the committer feels that the vulnerability isn't
severe enough to completely hide it but it is severe enough that the
vulnerability impact shouldn't be publicized until there is a proposed
release with the fix which is being tested.
