[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [io] Black Duck apparently sees vulnerability in 2.5

I believe all security related issues and vulnerabilities need to be
handled privately by the PMC for the project.
Has this issue gone through he PMC?

On May 16, 2018 at 10:50:21, Gilles (gilles@xxxxxxxxxxxxxxxxxxxxx) wrote:

On Wed, 16 May 2018 07:33:54 -0700, Otto Fowler wrote:
> Is there a PMC for IO?

There is a PMC for all of "Commons".
Components are unequal wrt the number of contributors (and
attention they get from the PMC).


> On May 16, 2018 at 02:24:44, Stefan Bodewig (bodewig@xxxxxxxxxx)
> wrote:
> Hi all
> https://issues.apache.org/jira/browse/IO-559 says BlackDuck would
> call
> IO 2.5 vulnerable because of this issue - so far I've not been able
> to
> verify this claim. I guess it is because of IO-556 that has been
> closed
> as a duplicate of IO-559.
> There is a PR (by me) to fix the bug
> https://github.com/apache/commons-io/pull/52 - as this is my first
> contribution to IO I'd appreciate if anybody else could spare some
> time
> and verify it. I'll rebase it onto master soon.
> Also, would there be any reason to not cut a new release from master?
> I
> mean is there any work in progress that needs to be finished?
> Stefan

To unsubscribe, e-mail: dev-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, e-mail: dev-help@xxxxxxxxxxxxxxxxxx