Sally, I completely agree with you. It demonstrates that we prioritize security issues and that the project is actively maintained. I see no downside to broadcasting this announcement far and wide.

Thanks,
-John

john.burw...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London VA WC2N 4HS UK
@shapeblue

On Oct 29, 2016, at 11:01 AM, Sally Khudairi <s...@apache.org> wrote:

Thanks, Rohit. To play devil's advocate in terms of communication -- from the ASF perspective, we'd rather see over-sharing than not, in alignment with our culture of transparency. We have nothing to hide. Vulnerabilities occur in virtually all software. Better to state what we know rather than give nay-sayers/haters a reason to poke us in the eye.

Cheers,
Sally

= = = = =
vox +1 617 921 8656
gvox +1 646 598 4616
skype sallykhudairi

________________________________
From: Rohit Yadav <bhais...@apache.org>
To: Sally Khudairi <s...@apache.org>
Cc: "marketing@cloudstack.apache.org" <marketing@cloudstack.apache.org>
Sent: Saturday, October 29, 2016 6:06 AM
Subject: Re: [ANNOUNCE] Apache CloudStack Security Releases 4.8.1.1, 4.9.0.1

Thanks Sally and John. Since the disclosure has been announced, an explicit release announcement may not be necessary on announce@. We'll make sure to send announcements on announce@ in future.

Regards.

On Sat, Oct 29, 2016 at 1:30 AM, Sally Khudairi <s...@apache.org> wrote:

Thank you, John. I just moderated the message through. This should appear in the apache.org archives within the next hour.

Kind regards,
Sally

= = = = =
vox +1 617 921 8656
gvox +1 646 598 4616
skype sallykhudairi

________________________________
From: John Kinsella <jlkin...@gmail.com>
To: Sally Khudairi <s...@apache.org>
Cc: "<marketing@cloudstack.apache.org>" <marketing@cloudstack.apache.org>; Rohit Yadav <bhais...@apache.org>
Sent: Friday, October 28, 2016 3:44 PM
Subject: Re: [ANNOUNCE] Apache CloudStack Security Releases 4.8.1.1, 4.9.0.1

My bad, didn’t realize that. I’ll send the advisory message to announce@, and update our security release guidelines to follow that in the future.

On Oct 28, 2016, at 12:38 PM, Sally Khudairi <s...@apache.org> wrote:

Thanks, John. However the Project wishes to announce is fine, however, the annou...@apache.org channel is where projects commonly list CVE notices, which is why I mentioned it. Examples are at [1], [2], and [3]. Do let me know should you reconsider.

Kind regards,
Sally

[1] http://mail-archives.apache.org/mod_mbox/www-announce/201607.mbox/browser
[2] http://mail-archives.apache.org/mod_mbox/www-announce/201606.mbox/browser
[3] http://mail-archives.apache.org/mod_mbox/www-announce/201610.mbox/browser -- both pages 1 and 2 (= 6 notices from Apache Tomcat)

= = = = =
vox +1 617 921 8656
gvox +1 646 598 4616
skype sallykhudairi

________________________________
From: John Kinsella <jlkin...@gmail.com>
To: "<marketing@cloudstack.apache.org>" <marketing@cloudstack.apache.org>; Sally Khudairi <s...@apache.org>
Cc: Rohit Yadav <bhais...@apache.org>
Sent: Friday, October 28, 2016 2:13 PM
Subject: Re: [ANNOUNCE] Apache CloudStack Security Releases 4.8.1.1, 4.9.0.1

Seems like it’d be better to use that channel for upcoming releases that have new functionality, not “just” a security fix?
On Oct 28, 2016, at 11:09 AM, Sally Khudairi <s...@apache.org> wrote:

Thanks, Rohit. If you'd like to send this to annou...@apache.org (Foundation-wide announcements; will be included in the weekly Apache News Round-Up), I will be happy to moderate it through.

Kind regards,
Sally

= = = = =
vox +1 617 921 8656
gvox +1 646 598 4616
skype sallykhudairi

________________________________
From: Rohit Yadav <bhais...@apache.org>
To: annou...@cloudstack.apache.org; "d...@cloudstack.apache.org" <d...@cloudstack.apache.org>; "us...@cloudstack.apache.org" <us...@cloudstack.apache.org>; "marketing@cloudstack.apache.org" <marketing@cloudstack.apache.org>
Sent: Thursday, October 27, 2016 12:07 AM
Subject: [ANNOUNCE] Apache CloudStack Security Releases 4.8.1.1, 4.9.0.1

# Apache CloudStack Security Releases 4.8.1.1, 4.9.0.1

The Apache CloudStack project announces security releases 4.8.1.1, 4.9.0.1 that fix the bug causing a vulnerability in the previously released minor versions 4.8.1 and 4.9.0 respectively. As a security release, no new features are included; it only includes the fix for CVE-2016-6813.

Apache CloudStack is an integrated Infrastructure-as-a-Service (IaaS) software platform that allows users to build feature-rich public and private cloud environments. CloudStack includes an intuitive user interface and rich API for managing the compute, networking, software, and storage resources. The project became an Apache top-level project in March 2013.
More information about Apache CloudStack can be found at:
http://cloudstack.apache.org/

## Upgrade Notes

Affected users are only required to upgrade their management server(s) to a suitable security release version. The upgrade does not require any database or systemvm-template related change.

## Downloads

The official source code release can be downloaded from:
http://cloudstack.apache.org/downloads.html

In addition to the official source code release, individual contributors have also made convenience binaries available on the Apache CloudStack download page, and as follows:

http://www.shapeblue.com/packages/
http://cloudstack.apt-get.eu/ubuntu/dists/ (packages to be published soon)
http://cloudstack.apt-get.eu/centos/6/ (packages to be published soon)
http://cloudstack.apt-get.eu/centos/7/ (packages to be published soon)

###

Regards,
Rohit Yadav