In the past week, a few people have called me to task about referencing the dotProject vulnerability in the Project Importer Release and Risk Management Module update without giving details or even proof.  Since the release of the fix (dotProject 2.1.2), I finally feel that it is appropriate to discuss this in detail.

First of all, congrats to the dotProject team on the latest release.  Rolling a release is always a painful thing and coordinating the pieces it takes for a successful Open Source project - and more importantly - and solid community is difficult by all measures.