I'm not reporting an unpublished vulnerability... I'd like to know if certain published vulnerabilities in XML processing have been addressed. The 'vulnerabilities' are overcome by configuration (features)... which may or may not be set by this project in order to do that.
Even though they are published, the fact that a particular project might expose one or more may not be publicly known. I don't want to break etiquette or otherwise ruin anything by spilling beans, as it were. It's up to the project.

On Sun, Jan 13, 2013 at 11:07 PM, Yegor Kozlov <[email protected]> wrote:
> Are you going to report a vulnerability or discuss whether POI is
> secure in terms of processing XML?
>
> The Apache Software Foundation strongly encourages people to report
> security vulnerabilities to the private security mailing list first,
> before disclosing them in a public forum. See
> http://www.apache.org/security/
>
> Yegor
>
> On Mon, Jan 14, 2013 at 8:46 AM, Jon Gorrono <[email protected]> wrote:
>> Hello.
>>
>> Who can I interact with WRT mitigation of possible XML processing
>> vulnerabilities in POI?
>>
>> I don't know that it is appropriate to be too specific on this list.
>>
>> The topic might be more appropriate for the dev list or ?
>>
>> Regards.
>> --
>> Jon Gorrono
>> PGP Key: 0x5434509D -
>> http{pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index}
>> http{middleware.ucdavis.edu}

--
Jon Gorrono
PGP Key: 0x5434509D - http{pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index}
http{middleware.ucdavis.edu}

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
