This is an automated email from the ASF dual-hosted git repository.

rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/flume-site.git


The following commit(s) were added to refs/heads/asf-staging by this push:
     new 3ec99f9c Release 1.10.1
3ec99f9c is described below

commit 3ec99f9ca4d6de91921a9ee0a3efe78ac27b139f
Author: Ralph Goers <[email protected]>
AuthorDate: Sat Aug 20 14:27:59 2022 -0700

    Release 1.10.1
---
 content/.doctrees/environment.pickle      | Bin 197347 -> 197434 bytes
 content/.doctrees/releases/1.10.1.doctree | Bin 17007 -> 17177 bytes
 content/.doctrees/security.doctree        | Bin 19591 -> 31749 bytes
 content/_sources/releases/1.10.1.txt      |   2 +-
 content/_sources/security.txt             |  33 ++++++++++++++++++++++++++++++
 content/releases/1.10.1.html              |   2 +-
 content/searchindex.js                    |   2 +-
 content/security.html                     |  33 ++++++++++++++++++++++++++++++
 source/sphinx/releases/1.10.1.rst         |   2 +-
 source/sphinx/security.rst                |  33 ++++++++++++++++++++++++++++++
 10 files changed, 103 insertions(+), 4 deletions(-)

diff --git a/content/.doctrees/environment.pickle 
b/content/.doctrees/environment.pickle
index 699bc75c..7a9d5a8f 100644
Binary files a/content/.doctrees/environment.pickle and 
b/content/.doctrees/environment.pickle differ
diff --git a/content/.doctrees/releases/1.10.1.doctree 
b/content/.doctrees/releases/1.10.1.doctree
index a830a211..f8bbd202 100644
Binary files a/content/.doctrees/releases/1.10.1.doctree and 
b/content/.doctrees/releases/1.10.1.doctree differ
diff --git a/content/.doctrees/security.doctree 
b/content/.doctrees/security.doctree
index 76aef37c..30c13470 100644
Binary files a/content/.doctrees/security.doctree and 
b/content/.doctrees/security.doctree differ
diff --git a/content/_sources/releases/1.10.1.txt 
b/content/_sources/releases/1.10.1.txt
index 4d323179..248cf761 100644
--- a/content/_sources/releases/1.10.1.txt
+++ b/content/_sources/releases/1.10.1.txt
@@ -18,7 +18,7 @@ Apache Flume 1.10.1 is the next release of Flume as an Apache 
top-level project
 Release Notes - Flume - Version v1.10.1
 
 ** Bug
-    * [`FLUME-3428 <https://issues.apache.org/jira/browse/FLUME-3428>`__] - 
Need better parameter validation
+    * [`FLUME-3428 <https://issues.apache.org/jira/browse/FLUME-3428>`__] - 
Fix for CVE-2022-34916, improper use of JNDI in JMSMessageConsumer
     * [`FLUME-3434 <https://issues.apache.org/jira/browse/FLUME-3434>`__] - 
TwitterSource exceptions on serialization
 
 ** Improvement
diff --git a/content/_sources/security.txt b/content/_sources/security.txt
index eef07a2e..ee4ca840 100644
--- a/content/_sources/security.txt
+++ b/content/_sources/security.txt
@@ -10,6 +10,39 @@ If you need help on building or configuring Flume or other 
help on following the
 
 If you have encountered an unlisted security vulnerability or other unexpected 
behaviour that has security impact, or if the descriptions here are incomplete, 
please report them privately to the `Flume SecurityTeam 
<mailto:[email protected]>`__. Thank you!
 
+.. rubric:: Fixed in Flume 1.10.1
+
+`CVE-2022-34916 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__: Apache 
Flume vulnerable to a JNDI RCE in JMSMessageConsumer.
+
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| `CVE-2022-25167 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__ | 
Deserialization of Untrusted Data                                        |
++====================================================================================+==========================================================================+
+| Severity                                                                     
      | Moderate                                                                
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Base CVSS SCore                                                              
      | 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)                               
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Versions Affected                                                            
      | Flume 1.4.0 through 1.10.0                                              
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+
+.. rubric:: Description
+
+Flume's JMSMessageConsumer class can be configured with a destination name. A 
JNDI lookup is performed on this name without performing an validation. This 
could result in untrusted data being deserialized.
+
+.. rubric:: Mitigation
+
+Upgrade to Flume 1.10.1.
+
+In releases 1.4.0 through 1.10.0 the JMSSource should not be used as it uses 
JMSMessageConsumer.
+
+.. rubric:: Release Details
+
+In release 1.10.1, if a protocol is specified in the destination name 
parameter only the java protocol will be allowed. If no protocol is specified 
it will also be allowed.
+
+.. rubric:: Credit
+
+This issue was found by Frentzen Amaral.
+
+
 .. rubric:: Fixed in Flume 1.10.0
 
 `CVE-2022-25167 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167>`__: Apache 
Flume vulnerable to a JNDI RCE in JMSSource.
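Review bot: the header row of the new table reads `CVE-2022-25167` while its link target and the introductory sentence both name CVE-2022-34916, so the advisory for 1.10.1 is labelled with the 1.10.0 CVE; it should read `CVE-2022-34916 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`. Also in this block: "Base CVSS SCore" should be "Base CVSS Score" and "without performing an validation" should be "without performing any validation". This file is the Sphinx copy of source/sphinx/security.rst, so the fix belongs there and this copy should be regenerated rather than edited by hand.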
diff --git a/content/releases/1.10.1.html b/content/releases/1.10.1.html
index 7607ddc7..17daafdb 100644
--- a/content/releases/1.10.1.html
+++ b/content/releases/1.10.1.html
@@ -76,7 +76,7 @@
 <dl class="docutils">
 <dt>** Bug</dt>
 <dd><ul class="first last simple">
-<li>[<a class="reference external" 
href="https://issues.apache.org/jira/browse/FLUME-3428";>FLUME-3428</a>] - Need 
better parameter validation</li>
+<li>[<a class="reference external" 
href="https://issues.apache.org/jira/browse/FLUME-3428";>FLUME-3428</a>] - Fix 
for CVE-2022-34916, improper use of JNDI in JMSMessageConsumer</li>
 <li>[<a class="reference external" 
href="https://issues.apache.org/jira/browse/FLUME-3434";>FLUME-3434</a>] - 
TwitterSource exceptions on serialization</li>
 </ul>
 </dd>
diff --git a/content/searchindex.js b/content/searchindex.js
index 1ff778b3..1d6d8731 100644
--- a/content/searchindex.js
+++ b/content/searchindex.js
@@ -1 +1 @@
-Search.setIndex({objtypes:{},objects:{},titles:["Version 1.0.0 - 
Incubating","Version 1.10.0","Version 1.1.0 - Incubating","Version 
1.10.1","Version 1.3.1","Version 1.4.0","Version 1.5.0","Version 
1.2.0","Version 1.3.0","Flume 1.10.1 Developer Guide","Version 1.8.0","Version 
1.9.0","Version 1.5.0.1","Version 1.6.0","Version 1.7.0","Version 
1.5.2","Source Repository","Apache Flume Security 
Vulnerabilities","Download","Mailing lists","Flume 1.10.1 User 
Guide","Testing","Documentation","Wel [...]
\ No newline at end of file
+Search.setIndex({objtypes:{},objects:{},titles:["Version 1.0.0 - 
Incubating","Version 1.10.0","Version 1.1.0 - Incubating","Version 
1.10.1","Version 1.3.1","Version 1.4.0","Version 1.5.0","Version 
1.2.0","Version 1.3.0","Flume 1.10.1 Developer Guide","Version 1.8.0","Version 
1.9.0","Version 1.5.0.1","Version 1.6.0","Version 1.7.0","Version 
1.5.2","Source Repository","Apache Flume Security 
Vulnerabilities","Download","Mailing lists","Flume 1.10.1 User 
Guide","Testing","Documentation","Wel [...]
\ No newline at end of file
diff --git a/content/security.html b/content/security.html
index 9e373b3a..fc1e5339 100644
--- a/content/security.html
+++ b/content/security.html
@@ -65,6 +65,39 @@
 <p>Binary patches are never provided. If you need to apply a source code 
patch, use the building instructions for the Apache Flume version that you are 
using.</p>
 <p>If you need help on building or configuring Flume or other help on 
following the instructions to mitigate the known vulnerabilities listed here, 
please subscribe to, and send your questions to the public Flume Users mailing 
list.</p>
 <p>If you have encountered an unlisted security vulnerability or other 
unexpected behaviour that has security impact, or if the descriptions here are 
incomplete, please report them privately to the <a class="reference external" 
href="mailto:private&#37;&#52;&#48;flume&#46;apche&#46;org";>Flume 
SecurityTeam</a>. Thank you!</p>
+<p class="rubric">Fixed in Flume 1.10.1</p>
+<p><a class="reference external" 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916";>CVE-2022-34916</a>:
 Apache Flume vulnerable to a JNDI RCE in JMSMessageConsumer.</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="53%" />
+<col width="47%" />
+</colgroup>
+<thead valign="bottom">
+<tr class="row-odd"><th class="head"><a class="reference external" 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916";>CVE-2022-25167</a></th>
+<th class="head">Deserialization of Untrusted Data</th>
+</tr>
+</thead>
+<tbody valign="top">
+<tr class="row-even"><td>Severity</td>
+<td>Moderate</td>
+</tr>
+<tr class="row-odd"><td>Base CVSS SCore</td>
+<td>6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</td>
+</tr>
+<tr class="row-even"><td>Versions Affected</td>
+<td>Flume 1.4.0 through 1.10.0</td>
+</tr>
+</tbody>
+</table>
+<p class="rubric">Description</p>
+<p>Flume&#8217;s JMSMessageConsumer class can be configured with a destination 
name. A JNDI lookup is performed on this name without performing an validation. 
This could result in untrusted data being deserialized.</p>
+<p class="rubric">Mitigation</p>
+<p>Upgrade to Flume 1.10.1.</p>
+<p>In releases 1.4.0 through 1.10.0 the JMSSource should not be used as it 
uses JMSMessageConsumer.</p>
+<p class="rubric">Release Details</p>
+<p>In release 1.10.1, if a protocol is specified in the destination name 
parameter only the java protocol will be allowed. If no protocol is specified 
it will also be allowed.</p>
+<p class="rubric">Credit</p>
+<p>This issue was found by Frentzen Amaral.</p>
 <p class="rubric">Fixed in Flume 1.10.0</p>
 <p><a class="reference external" 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167";>CVE-2022-25167</a>:
 Apache Flume vulnerable to a JNDI RCE in JMSSource.</p>
 <table border="1" class="docutils">
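Review bot: the generated HTML carries the same mislabelled header as the source, `<th class="head">...CVE-2022-25167</th>` inside the "Fixed in Flume 1.10.1" table whose link points at CVE-2022-34916, plus the "SCore" and "an validation" typos; regenerate after correcting source/sphinx/security.rst. Separately, in the unchanged context just above the new block, the Security Team contact decodes to `private@flume.apche.org` (`flume&#46;apche&#46;org`), a misspelling of apache.org in the address readers are told to use for private vulnerability reports; worth fixing in the source in the same pass.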
diff --git a/source/sphinx/releases/1.10.1.rst 
b/source/sphinx/releases/1.10.1.rst
index 4d323179..248cf761 100644
--- a/source/sphinx/releases/1.10.1.rst
+++ b/source/sphinx/releases/1.10.1.rst
@@ -18,7 +18,7 @@ Apache Flume 1.10.1 is the next release of Flume as an Apache 
top-level project
 Release Notes - Flume - Version v1.10.1
 
 ** Bug
-    * [`FLUME-3428 <https://issues.apache.org/jira/browse/FLUME-3428>`__] - 
Need better parameter validation
+    * [`FLUME-3428 <https://issues.apache.org/jira/browse/FLUME-3428>`__] - 
Fix for CVE-2022-34916, improper use of JNDI in JMSMessageConsumer
     * [`FLUME-3434 <https://issues.apache.org/jira/browse/FLUME-3434>`__] - 
TwitterSource exceptions on serialization
 
 ** Improvement
diff --git a/source/sphinx/security.rst b/source/sphinx/security.rst
index eef07a2e..ee4ca840 100644
--- a/source/sphinx/security.rst
+++ b/source/sphinx/security.rst
@@ -10,6 +10,39 @@ If you need help on building or configuring Flume or other 
help on following the
 
 If you have encountered an unlisted security vulnerability or other unexpected 
behaviour that has security impact, or if the descriptions here are incomplete, 
please report them privately to the `Flume SecurityTeam 
<mailto:[email protected]>`__. Thank you!
 
+.. rubric:: Fixed in Flume 1.10.1
+
+`CVE-2022-34916 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__: Apache 
Flume vulnerable to a JNDI RCE in JMSMessageConsumer.
+
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| `CVE-2022-25167 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__ | 
Deserialization of Untrusted Data                                        |
++====================================================================================+==========================================================================+
+| Severity                                                                     
      | Moderate                                                                
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Base CVSS SCore                                                              
      | 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)                               
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Versions Affected                                                            
      | Flume 1.4.0 through 1.10.0                                              
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+
+.. rubric:: Description
+
+Flume's JMSMessageConsumer class can be configured with a destination name. A 
JNDI lookup is performed on this name without performing an validation. This 
could result in untrusted data being deserialized.
+
+.. rubric:: Mitigation
+
+Upgrade to Flume 1.10.1.
+
+In releases 1.4.0 through 1.10.0 the JMSSource should not be used as it uses 
JMSMessageConsumer.
+
+.. rubric:: Release Details
+
+In release 1.10.1, if a protocol is specified in the destination name 
parameter only the java protocol will be allowed. If no protocol is specified 
it will also be allowed.
+
+.. rubric:: Credit
+
+This issue was found by Frentzen Amaral.
+
+
 .. rubric:: Fixed in Flume 1.10.0
 
 `CVE-2022-25167 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167>`__: Apache 
Flume vulnerable to a JNDI RCE in JMSSource.
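Review bot: the table header in the new "Fixed in Flume 1.10.1" section is wrong: it shows `CVE-2022-25167` (the identifier of the 1.10.0 issue in the section below) while the link target `cvename.cgi?name=CVE-2022-34916` and the paragraph above refer to CVE-2022-34916; the visible text should be `CVE-2022-34916`. Two smaller fixes in the same block: "Base CVSS SCore" to "Base CVSS Score" and "without performing an validation" to "without performing any validation". Since this .rst is the source for content/_sources/security.txt and content/security.html, correcting it here and rebuilding fixes all three copies in this commit.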
