Re: Re: [LANG] Support single quotes in DurationFormatUtils methods' formats

2024-05-29 Thread Mike Drob
On Wed, May 29, 2024 at 8:17 AM Gary Gregory wrote: > (Sorry for the top post, phone) > > A case I can imagine an empty '' occurring is when the format string itself > is built programmatically for example a '%s' or using string concatenate of > a variable that holds a string where that string

Re: Security model for Commons Imaging, Compress, Codec and IO: RCE and DOS?

2023-12-14 Thread Mike Drob
On Thu, Dec 14, 2023 at 8:31 AM Arnout Engelen wrote: > On Thu, Dec 14, 2023 at 2:00 PM Elliotte Rusty Harold > wrote: > > > On Thu, Dec 14, 2023 at 6:09 AM Arnout Engelen > wrote: > > > * I'd say parsing/decompression/decoding should never allow malicious > > input > > > to trigger arbitrary

Re: [ALL] Change to GitHub Workflow message subjects

2023-10-05 Thread Mike Drob
But often [VOTE] and [RESULT] are sent with the same otherwise subject (and sometimes even [DISCUSS] before the vote, on other projects) On Thu, Oct 5, 2023 at 11:43 AM sebb wrote: > On Thu, 5 Oct 2023 at 17:25, Gary Gregory wrote: > > > > Should we use (VOTE) instead of [VOTE]? > > I doubt

Re: [EMAIL] Fluent interface

2023-09-29 Thread Mike Drob
I think the natural next question is whether we can have a major version change? Mike On Fri, Sep 29, 2023 at 6:24 AM sebb wrote: > On Fri, 29 Sept 2023 at 12:13, Filip Strajnar > wrote: > > > > Greetings, > > > > > > I've noticed that some methods on the org.apache.commons.mail.Email > >

[security] finding known issues for commons projects

2023-08-28 Thread Mike Drob
Hello commons-dev! I found the very lovely https://commons.apache.org/security.html page and I very much appreciate the links out to individual projects' security pages. However, it looks like a little under half (9/21) have security pages linked. Does this mean that the other 12 projects have

Re: Move NO algorithms from ANY projects to math libraries

2023-07-17 Thread Mike Drob
Can we move implementations, have old definitions be thin proxies to the new locations, mark existing methods as deprecated, and document that future development happens somewhere else? On Mon, Jul 17, 2023 at 9:55 AM sebb wrote: > On Mon, 17 Jul 2023 at 14:31, Elliotte Rusty Harold > wrote: >

Re: [jxpath] reported CVE and path forward

2022-10-11 Thread Mike Drob
Thanks for this outline, Mark. Some questions in line. Mike On Tue, Oct 11, 2022 at 6:13 AM Mark Thomas wrote: > Roman - don't do anything yet. > > Commons folk, I suggest the following which is based on how we have > oss-fuzz setup on Tomcat. > > 1. Create a Google account for

[jxpath] reported CVE and path forward

2022-10-10 Thread Mike Drob
Howdy folks, I recently saw that there was a reported CVE[1] for Apache JXPath that became public due to no response to the reporter over 90 days. I am uncertain if the reporter had tried reaching out to the appropriate security lists beforehand and was ignored, or failed to follow our