Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Roman Wagner
Hi Bruno, hi Eric, I think we've just missed the discussion that you want to get notifications about Bug reports for all apache-commons projects integrated in oss-fuzz. For that reason, we have tried to reach to the projects maintainers via public issues for every new project during the

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Eric Bresie
https://www.apache.org/security/ Get Outlook for iOS From: Roman Wagner Sent: Monday, October 10, 2022 4:44:58 PM To: dev@commons.apache.org Subject: RE: Re: [jxpath] reported CVE and path forward Hi all, I am working for Code

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Bruno Kinoshita
Hi Matt, I don't think this fuzz project should be making any of these issues > public unless they plan to donate some developers to fix the issues, > too. This is an ASF project, not some Google-sponsored OSS project > staffed with Google employees. > I agree. This was the reason for the

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Matt Sicker
I don't think this fuzz project should be making any of these issues public unless they plan to donate some developers to fix the issues, too. This is an ASF project, not some Google-sponsored OSS project staffed with Google employees. On Mon, Oct 10, 2022 at 4:41 PM Bruno Kinoshita wrote: > >

RE: Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Roman Wagner
Hi all, I am working for Code Intelligence and we did our best to find a maintainer for the oss-fuzz project. Unfortunately, we have failed and got no feedback until now, but it seems to be an unmaintained project except for some typo fixes for some years. I am not sure yet to which mailing

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Bruno Kinoshita
The JIRA issue linked appears to be one of those reported based on the existing CVE's that were generated for jxpath. I opened the CVE, and the link is to an oss-fuzz bug indeed: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133 If you look at the left side bar, there is a list of

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Bruno Kinoshita
Hi Eric, As far as I know, there is no integration between issues found in OSS Fuzz and our JIRA. Issues reported in OSS Fuzz exist only there. And security issues shouldn't go to JIRA if possible (according to ASF's security policies, I believe?). Here's the workflow I have been using for

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Eric Bresie
Or is that this https://issues.apache.org/jira/projects/JXPATH/issues/JXPATH-200?filter=allopenissues Get Outlook for iOS From: Eric Bresie Sent: Monday, October 10, 2022 4:22:42 PM To: Commons Developers List Subject: Re: [jxpath]

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Eric Bresie
So then discussed here (1) (which I assume is what's being done here) and bugs raised here (2)? Has (2) been done yet? 1. https://commons.apache.org/proper/commons-jxpath/mail-lists.html 2. https://commons.apache.org/proper/commons-jxpath/issue-tracking.html Get Outlook for

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Bruno Kinoshita
Hi Eric, For my understanding, is oss-fuzz an open source project that is maintained > and managed by Google (and is not an Apache project) but is for “fuzz > testing” with portion focused on Apache common products? > That's my understanding too, although I am not sure if it is maintained and

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Eric Bresie
For my understanding, is oss-fuzz an open source project that is maintained and managed by Google (and is not an Apache project) but is for "fuzz testing" with a portion focused on Apache Commons products? So am I correct in saying run oss-fuzz against Apache Commons, which may find problems in

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Bruno Kinoshita
Hi, I commented in another thread about oss-fuzz and new components, maybe that could be part of the issue here. See that thread in the archives, or TL;DR: someone is adding more Commons Components to oss-fuzz, directly as components instead of using the shared apache-commons project. This

Re: Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Bruno Kinoshita
Hi Matt, I am also subscribed to oss-fuzz for Imaging. Looks like someone added jxpath to oss-fuzz here: https://github.com/google/oss-fuzz/pull/7582 The initial oss-fuzz for ASF was, if I recall correctly, all put under a single project:

Re: [VOTE][RC1] Release Commons RNG 1.5

2022-10-10 Thread Bruno Kinoshita
(I mean, to customize RNG's CONTRIBUTING.md to add that info, not the templated file from the parent or release-plugin) On Tue, 11 Oct 2022 at 09:37, Bruno Kinoshita wrote: > Hi Alex, > > The updated changes report looks great! > > The Unit Tests [2] looks really useful to new contributors. I

Re: [VOTE][RC1] Release Commons RNG 1.5

2022-10-10 Thread Bruno Kinoshita
Hi Alex, The updated changes report looks great! The Unit Tests [2] look really useful to new contributors. I think our CONTRIBUTING.md files are generated automatically, but perhaps there's a way to add a link there to the developers.html page some day? Cheers Bruno On Tue, 11 Oct 2022 at

Re: Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Matt Sicker
I get emails about some of the Commons fuzzing things, but I was only aware of it being enabled for compress and imaging. On Mon, Oct 10, 2022 at 1:37 PM Roman Wagner wrote: > > Hi all, > > I am working for Code Intelligence we did our best to find a maintainer for > the oss-fuzz project.

RE: Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Roman Wagner
Hi all, I am working for Code Intelligence and we did our best to find a maintainer for the oss-fuzz project. Unfortunately we've got no feedback until now, but it seems to be an unmaintained project except for some typo fixes for some years. I am not sure yet to which mailing list the bug report

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Mark Thomas
Hmm. There are various red flags here that suggest to me that this issue is likely not valid. 1. The source is oss-fuzz. I have been dealing with oss-fuzz issues for Apache Tomcat and so far out of the 30+ issues raised (the majority marked as security relevant) not one of the issues was a

[jxpath] reported CVE and path forward

2022-10-10 Thread Mike Drob
Howdy folks, I recently saw that there was a reported CVE[1] for Apache JXPath that became public due to no response to the reporter over 90 days. I am uncertain if the reporter had tried reaching out to the appropriate security lists beforehand and was ignored, or failed to follow our

[ANNOUNCEMENT] Commons Daemon 1.3.2 Released

2022-10-10 Thread Mark Thomas
The Apache Commons Team is pleased to announce the availability of Apache Commons Daemon 1.3.2. The Apache Commons Daemon software library provides a generic Daemon (unix) or Service (Windows) wrapper for Java code. Version 1.3.2 is a bugfix release. A full list of changes can be found at

Re: [VOTE][RC1] Release Commons RNG 1.5

2022-10-10 Thread Alex Herbert
On Mon, 10 Oct 2022 at 09:22, Alex Herbert wrote: > > > On Mon, 10 Oct 2022 at 08:26, Bruno Kinoshita wrote: >> >> >> Changes report >> look OK too, confirmed the Java version in the description. The text could >> be probably trimmed a little (see the changes-report.html in the parent >> site),

[VOTE][RESULT] Release Apache Commons Daemon 1.3.2 based on RC1

2022-10-10 Thread Mark Thomas
The following votes were cast: Binding: +1: markt, linow, ggregory No other votes were cast. The vote therefore passes. Thanks to everyone who contributed to this release. Mark On 05/10/2022 15:36, Mark Thomas wrote: We have fixed a few bugs since Apache Commons Daemon 1.3.1 was released,

[VOTE][RESULT] Release Commons RNG 1.5 based on RC1

2022-10-10 Thread Alex Herbert
This vote passes with the following votes: +1: Gilles Sadowski (binding) +1: Bruno Kinoshita (binding) +1: Alex Herbert (binding) Thank you to the reviewers. I will proceed with the release promotion. Alex

Re: [VOTE][RC1] Release Commons RNG 1.5

2022-10-10 Thread Alex Herbert
On Mon, 10 Oct 2022 at 08:26, Bruno Kinoshita wrote: > > Changes report > look OK too, confirmed the Java version in the description. The text could > be probably trimmed a little (see the changes-report.html in the parent > site), but not a blocker. > > Thanks Bruno. For the description there

Re: [VOTE][RC1] Release Commons RNG 1.5

2022-10-10 Thread Bruno Kinoshita
[x] +1 Release these artifacts Built from tag successfully running `mvn clean install site` on Apache Maven 3.8.5 (3599d3414f046de2324203b78ddcf9b5e4388aa0) Maven home: /opt/apache-maven-3.8.5 Java version: 17.0.4, vendor: Private Build, runtime: /usr/lib/jvm/java-17-openjdk-amd64 Default

Re: [VOTE][RC1] Release Commons RNG 1.5

2022-10-10 Thread Bruno Kinoshita
I have 20 mins before a quick dinner and meeting. Cloning the repository now. On Mon, 10 Oct 2022 at 19:38, Alex Herbert wrote: > Can I get another PMC vote for this please? > > Thanks, > > Alex > > On Wed, 5 Oct 2022 at 11:25, Alex Herbert wrote: > > > We have fixed quite a few bugs and added

Re: [VOTE][RC1] Release Commons RNG 1.5

2022-10-10 Thread Alex Herbert
My +1 Alex On Wed, 5 Oct 2022 at 11:25, Alex Herbert wrote: > We have fixed quite a few bugs and added some significant enhancements > since Apache Commons RNG 1.4 was released, so I would like to release > Apache Commons RNG 1.5. > > Apache Commons RNG 1.5 RC1 is available for review here: >

Re: [VOTE][RC1] Release Commons RNG 1.5

2022-10-10 Thread Alex Herbert
Can I get another PMC vote for this please? Thanks, Alex On Wed, 5 Oct 2022 at 11:25, Alex Herbert wrote: > We have fixed quite a few bugs and added some significant enhancements > since Apache Commons RNG 1.4 was released, so I would like to release > Apache Commons RNG 1.5. > > Apache