cocoon-dev mailing list archives

From Joerg Heinicke
Subject Re: Release 2.1.3? (Was: Re: [FYI] Apache Cocoon Directory Traversal Vulnerability)
Date Fri, 24 Oct 2003 19:28:22 GMT
On 24.10.2003 21:09, Tony Collen wrote:

> In this case, do we have any procedure for fixing something "bad" like 
> the directory traversal bug, and getting a fix out to users in a timely 
> fashion?
> One possible solution:  Fix the problem in CVS HEAD, and then backport 
> it to the last released version (in this case 2.1.2), and make a small 
> security update release -- maybe as 2.1.3 or 2.1.2pl1 or something.
> Even though the problem isn't that bad since it's in a sample, something 
> may come down the road later where we have to fix something of a more 
> serious nature, and get a new version out.  Waiting for a freeze/release 
> cycle might be too long if the problem is urgent enough.
> Thoughts?

IMO Cocoon core is so stable that we can do a release at any time.

Even an immediate fix is possible:

cvs co cocoon-2.1 -r 2.1.2

Fix it on the local checkout and release it as you suggested. A freeze 
period is not necessary then of course.

