Hi Andrew,

On Fri, Apr 6, 2012 at 10:02 AM, Andrew Purtell <[email protected]> wrote:

> This is not a helpful disclosure.

It's certainly helpful for users of 0.20.20x and 1.0.x, who can immediately upgrade to 1.0.2, which was released yesterday. I agree it's not very helpful for users of 0.23.x, but the assumption is that there are far fewer of those than users of 0.20.20x and 1.0.x.

> Now we know our "secure" deployment is vulnerable, but have no idea how to
> mitigate. Claiming an upgrade to a nonexistent version with an, apparently,
> uncommitted fix as a mitigation is not viable. Where is the JIRA for this?

Per the Apache security guidelines (http://www.apache.org/security/committers.html), there is no up-stream JIRA. I trust you understand the sensitivity of this issue, and the need to balance a desire to disclose the issue fully to all users with a desire to not publish exploits of the issue.

--
Aaron T. Myers
Software Engineer, Cloudera
