db-derby-dev mailing list archives

From Knut Anders Hatlen <knut.hat...@oracle.com>
Subject Re: [jira] [Closed] (DERBY-6270) Run Java API Documentation Updater Tool on the published javadocs
Date Fri, 21 Jun 2013 12:10:02 GMT
Rick Hillegas <rick.hillegas@oracle.com> writes:

> On 6/20/13 11:38 AM, Myrna van Lunteren wrote:
>> Thanks, Knut, for your quick action.
>>
>> I wonder, do we need to do anything regarding this in javadoc in
>> past releases? Add a comment to the download page
>> (http://db.apache.org/derby/derby_downloads.html), alert the user
>> list?
>> I prefer not to create new releases for older branches because it's
>> such a hassle to create a release.
> I think that the old releases contain other, more serious security
> vulnerabilities which have been addressed in later distributions. We
> don't generally regenerate older releases just because we discover and
> fix a vulnerability later on. We don't annotate the download page to
> call attention to vulnerabilities in old releases. I don't think that
> this defect requires a special response.
>
> We could consider sending a brief note to derby-user, now that we have
> fixed our own exposure to this bug.
>
> We have handled other vulnerabilities by including extra instructions
> in the release notes for a later release. I think it would be adequate
> to write a release note for DERBY-6270 and mark that issue as fixed in
> 10.10.1.3 and 10.11.0.0 so that users will be alerted when they read
> the release notes for our next couple of releases.

I've uploaded a release note to DERBY-6270 and added 10.11.0.0 to the
fix versions (it was already marked as fixed in 10.10.1.3).

I've also added verifying that the javadocs don't suffer from this
vulnerability as a separate item in the release vetting checklist
template on the wiki, and in the checklists for the not yet released
10.9.2, 10.10.2 and 10.11.1 versions.

Finally, I've just sent a mail to derby-user suggesting that users read
the security advisory and take the appropriate steps.

Hopefully, that should cover it.


Thanks,

-- 
Knut Anders
