> Am 09.06.2021 um 22:10 schrieb Christophe JAILLET
> <christophe.jail...@wanadoo.fr>:
>
> Le 08/06/2021 à 13:42, m...@apache.org a écrit :
>> Author: mjc
>> Date: Tue Jun 8 11:42:36 2021
>> New Revision: 1890598
>> URL: http://svn.apache.org/viewvc?rev=1890598&view=rev
>> Log:
>> Fix the release date and version
>> Modified:
>> httpd/site/trunk/content/security/json/CVE-2019-17567.json
>> httpd/site/trunk/content/security/json/CVE-2020-13938.json
>> httpd/site/trunk/content/security/json/CVE-2020-13950.json
>> httpd/site/trunk/content/security/json/CVE-2020-35452.json
>> httpd/site/trunk/content/security/json/CVE-2021-26690.json
>> httpd/site/trunk/content/security/json/CVE-2021-26691.json
>> httpd/site/trunk/content/security/json/CVE-2021-30641.json
>> httpd/site/trunk/content/security/json/CVE-2021-31618.json
>> Modified: httpd/site/trunk/content/security/json/CVE-2019-17567.json
>> URL:
>> http://svn.apache.org/viewvc/httpd/site/trunk/content/security/json/CVE-2019-17567.json?rev=1890598&r1=1890597&r2=1890598&view=diff
>> ==============================================================================
>> --- httpd/site/trunk/content/security/json/CVE-2019-17567.json (original)
>> +++ httpd/site/trunk/content/security/json/CVE-2019-17567.json Tue Jun 8
>> 11:42:36 2021
>> @@ -13,14 +13,14 @@
>> "value": "reported"
>> },
>> {
>> - "time": "--",
>> + "time": "2021-06-01",
>> "lang": "eng",
>> "value": "public"
>> },
>> {
>> - "time": "--",
>> + "time": "2021-06-01",
>> "lang": "eng",
>> - "value": "2.4.47 released"
>> + "value": "2.4.48 released"
>> }
>> ],
>> "CNA_private": {
>> @@ -30,7 +30,7 @@
>> "ASSIGNER": "secur...@apache.org",
>> "AKA": "",
>> "STATE": "PUBLIC",
>> - "DATE_PUBLIC": "--",
>> + "DATE_PUBLIC": "2021-06-01",
>> "ID": "CVE-2019-17567",
>> "TITLE": "mod_proxy_wstunnel tunneling of non Upgraded connections"
>> },
>> @@ -210,4 +210,4 @@
>> ]
>> }
>> }
>> -}
>> \ No newline at end of file
>> +}
>
> Not a big issue from my point of view, but now cvetool, CHANGES and
> CHANGES_2.48 are not in line anymore with vulnerabilities_xx.html
>
> My own preference is for keeping 2.4.47 because it was really fixed in this
> version, even if not announced.
>
> I guess that it is mostly a matter of taste and that both point of view are
> acceptable.
>
> CJ
From users's point of view, it seems more usable when CVE announcements point
to releases they can actually get from us, I guess.
The fact that one has to explain the httpd release numbering to everyone
outside the project, says that we are outside the main stream. It seems for no
other reason than history. All fair enough.
Stefan