This webpage attempts to capture the experience of announcing the fix for CVE-2022-46337 after Derby 10.17.1.0 was published.
By the time you have finished publishing a CVE-fix-bearing release, you will have completed most of the steps listed in the Committer's Security Guide. The remaining steps are:
1) Agree on the announcement text. I used the recommended Tomcat announcement of CVE-2008-2370 as my template. Ask the PMC, the bug reporter, and the Apache Security Team to review your draft announcement. Your announcement will have the following sections. They are derived from fields in the EDITOR tab of the security portal for your CVE. The EDITOR tab is the read/write source for the read-only mail messages in the "OSS/ASF Emails" tab:
a) Announcement recipients. These will be derby-dev@db.apache.org, derby-user@db.apache.org, general@db.apache.org. Don't add announce@apache.org; the security portal will automatically add this address.
b) Package collection URL. This is supposed to be the URL of the public Maven repository to which you published the release artifacts. This EDITOR field requires a single well-formed URL, so you cannot list both of our public Maven repositories. I put https://repo1.maven.org/maven2 into this field. I put org.apache.derby as the package name.
c) Affected versions. You will have already added these to the Versions field of your CVE's EDITOR tab as part of describing the bug (before you fixed it).
d) CVE description. You will have filled in this EDITOR field already too. However, you may want to revise your description.
e) Mitigation. There may be a Mitigation field in the EDITOR tab by the time you read this. If not, add a Mitigation section to your description. The Mitigation text tells users how to apply your fix.
f) Credit. You may have filled in this EDITOR field also, but your ongoing interaction with the bug reporter may prompt you to update this field.
2) Send the announcement text. After you have SAVED your EDITOR fields, they will appear as read-only sections in the security portal's "OSS/ASF Emails" tab. Hit the "Send these emails" button. For me, an error window flashed too fast for me to read, followed by a page which said that the mail messages were sent successfully. Apparently they were.
3) Reference the CVE announcement email. Wait for the message to turn up in the archive for apache announcements. Add the link to the message to the References field in the EDITOR tab of your CVE's security portal. Put "vendor-advisory" in the corresponding tag field.
4) Add the CVE id to the commit text for the Subversion commit which applied your fix. In a shell window whose working directory is the top of your Subversion working copy of the development trunk, issue the following command (quote both variables, since the new commit message contains spaces):
svn propset -r "$subversionCommitNumber" --revprop svn:log "$newCommitMessage"
For instance, this was the command I issued for CVE-2022-46337:
svn propset -r 1905550 --revprop svn:log "DERBY-7147: Fix an LDAP injection bug; commit derby-7147-02-ab-escapeLDAPsearchFilter.diff; this fixes CVE-2022-46337."
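The following script is an added example, not part of this wiki page or of the Derby project: it reads the existing svn:log message of the fix commit, appends the "this fixes CVE-..." reference only if the message does not already carry it, and writes it back. It assumes an svn client on PATH for apply_cve_log_message only; compose_cve_log_message and is_cve_id are pure shell and run stand-alone.

```shell
#!/bin/sh
# Added example (not from the Derby wiki): record a CVE id on the svn:log
# of the commit that fixed it, without clobbering or duplicating the
# original message. Only apply_cve_log_message needs the svn client.

# Accept only well-formed CVE ids (CVE-YYYY-NNNN, four or more digits).
is_cve_id() {
    printf '%s' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# Append "; this fixes CVE-..." to an existing log message. If the message
# already mentions that CVE it is returned unchanged, so re-running is safe.
compose_cve_log_message() {
    old_msg=$1
    cve=$2
    is_cve_id "$cve" || { echo "bad CVE id: $cve" >&2; return 1; }
    case "$old_msg" in
        *"$cve"*) printf '%s' "$old_msg" ;;
        *)        printf '%s; this fixes %s.' "${old_msg%.}" "$cve" ;;
    esac
}

# Fetch the current log message for a revision, rewrite it, and set it.
# Revision properties are unversioned: the server only accepts the change
# if the repository's pre-revprop-change hook permits it, otherwise
# svn propset is rejected and the old message stays in place.
apply_cve_log_message() {
    rev=$1
    cve=$2
    old_msg=$(svn propget -r "$rev" --revprop svn:log) || return 1
    new_msg=$(compose_cve_log_message "$old_msg" "$cve") || return 1
    svn propset -r "$rev" --revprop svn:log "$new_msg"
}
```

Calling apply_cve_log_message 1905550 CVE-2022-46337 from the trunk working copy produces the same log message as the manual command above, and a second run leaves it untouched.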