Ok, thanks for that. Hopefully there won't be a next time, but if there is, we'll be sure to get the right reviews done first.
mike

On Wed, Jul 7, 2010 at 11:16 AM, Kevan Miller <[email protected]> wrote:
>
> On Jul 6, 2010, at 12:46 PM, Mike Rheinheimer wrote:
>
>> The Wink team recently discovered a security issue that may allow an
>> attacker to carry out denial of service attacks and to read arbitrary
>> files on the file system of the node where Wink runs. Details of the
>> vulnerability are described in the following advisory:
>>
>> https://svn.apache.org/repos/asf/incubator/wink/trunk/security/CVE-2010-2245.docx
>>
>> This vulnerability may potentially be exploited on any Wink
>> installation that receives XML messages from untrusted sources. We
>> strongly recommend to all users who manage this type of installation
>> to follow the instructions in the above advisory in order to mitigate
>> the security risk caused by this vulnerability.
>>
>> -- The Wink team
>
> Hi Mike,
> Thanks!
>
> One minor point -- the general practice at Apache projects is to review an
> advisory, like this, on either the project's private mailing list or a
> security mailing list (if the project has one). This gives the PMC (PPMC) a
> chance to review the advisory, make editorial updates, change document format
> types, etc.
>
> --kevan
