I have no objection to this but it obviously has to be done on the private list.

I happen to disagree with your assessment of 44832. As far as I am concerned any uncontrolled use of JNDI requires a CVE. People don’t seem to understand just how bad it is. Any design that lets you download code from a random web server that then runs in your JVM is a disaster, and that is exactly the way JNDI/LDAP works.

Ralph

> On Dec 30, 2021, at 2:02 AM, Volkan Yazıcı <[email protected]> wrote:
> 
> Hello,
> 
> The recent CVE-2021-44832 has been subject to quite some debate whether it
> was CVE-worthy or not. I think that one had far-fetched assumptions and
> could very well be addressed in a patch release, just like we did, but
> without a CVE associated with it. The created CVE caused yet another wave
> of FUD surrounding the project. I can imagine millions of deployments all
> around the world were marked as flagged by monitoring tools and people
> rushed to upgrade in panic, most likely, for no reason. I put aside the
> damage CVEs cause on the reputation of the project.
> 
> I am told by [email protected] that what is CVE-worthy is up to the PMC. *I
> propose creating a VOTE thread for the CVE creation from now on.* I would
> appreciate it if others can share their thoughts on this. If the overall
> reception is positive, I will send a VOTE email to make this official.
> 
> Kind regards.
