I think this is a good idea. I clarified the CVE details yesterday to note the specific JNDI and LDAP issue, but the FUD is already out there.
— Matt Sicker > On Dec 30, 2021, at 03:02, Volkan Yazıcı <[email protected]> wrote: > > Hello, > > The recent CVE-2021-44832 has been subject to quite some debate whether it > was CVE-worthy or not. I think that one had far fetched assumptions and > could very well be addressed in a patch release, just like we did, but > without a CVE associated with it. The created CVE caused yet another wave > of FUD surrounding the project. I can imagine millions of deployments all > around the world were marked as flagged by monitoring tools and people > rushed to upgrade in panic, most likely, for no reason. I put aside the > damage CVEs cause on the reputation of the project. > > I am told by [email protected] that what is CVE-worthy is up to the PMC. *I > propose creating a VOTE thread for the CVE creation from now on.* I would > appreciate it if others can share their thoughts on this. If the overall > reception is positive, I will send a VOTE email to make this official. > > Kind regards.
