This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push: new b5580d13d6 [DOC] CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (#1378) b5580d13d6 is described below commit b5580d13d6c74ecbf647127eff1a3ac1086f5493 Author: Benoit TELLIER <btell...@linagora.com> AuthorDate: Mon Jan 9 10:01:17 2023 +0700 [DOC] CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (#1378) --- CHANGELOG.md | 3 +-- .../docs/modules/ROOT/pages/operate/security.adoc | 11 ++++++++++- src/homepage/_posts/2022-12-30-james-3.7.3.markdown | 2 ++ src/site/xdoc/server/feature-security.xml | 7 +++++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5caea63b68..1d4d43361f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -235,8 +235,7 @@ Multiple performance enhancements for Distributed server mailbox, IMAP, SMTP and ### Security -Upcoming security announcements. - + - CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES - [UPGRADE] commons-text 1.9 -> 1.10 (#1291) - JAMES-3832 RemoteDelivery will do TLS host name verification when contacting remote mail servers - JAMES-3860 Rely on Files.createTempFile (#1325) diff --git a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc index 0b5e7060c3..bdc765ef2a 100644 --- a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc +++ b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc 
@@ -104,6 +104,15 @@ outdated dependencies. We follow the standard procedures within the ASF regarding link:https://apache.org/security/committers.html#vulnerability-handling[vulnerability handling] +=== CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES + +Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure. + +*Severity*: Moderate + +*Mitigation*: We recommend to upgrade to Apache James 3.7.3 or higher, which fixes this vulnerability. + + === CVE-2021-44228: STARTTLS command injection in Apache JAMES Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. @@ -112,7 +121,7 @@ Fix of CVE-2021-38542, which solved similar problem from Apache James 3.6.1, is *Severity*: Moderate -*Mitigation<*: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability. +*Mitigation*: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability. === CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3) diff --git a/src/homepage/_posts/2022-12-30-james-3.7.3.markdown b/src/homepage/_posts/2022-12-30-james-3.7.3.markdown index 95332f486d..5ced48c9b8 100644 --- a/src/homepage/_posts/2022-12-30-james-3.7.3.markdown +++ b/src/homepage/_posts/2022-12-30-james-3.7.3.markdown @@ -13,6 +13,8 @@ The Apache James PMC would like to thanks all contributors who made this release ## Announcement +This release fixes CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES. + This release proposes stability related bug fixes and updates some dependencies for security reasons. ## Release changelog diff --git a/src/site/xdoc/server/feature-security.xml b/src/site/xdoc/server/feature-security.xml index 07cbc9ddf9..8d0340f8ea 100644 --- a/src/site/xdoc/server/feature-security.xml +++ b/src/site/xdoc/server/feature-security.xml 
@@ -53,6 +53,13 @@ We follow the standard procedures within the ASF regarding <a href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability handling</a>. </subsection> + <subsection name="CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES"> + <p>Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure.</p> + + <p><b>Severity</b>: Moderate</p> + + <p><b>Mitigation</b>: We recommend to upgrade to Apache James 3.7.3 or higher, which fixes this vulnerability.</p> + </subsection> <subsection name="CVE-2021-44228: STARTTLS command injection in Apache JAMES"> <p>Apache James distribution prior to release 3.7.3 is vulnerable to a buffering attack relying on the use of the STARTTLS command.</p> --------------------------------------------------------------------- To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org For additional commands, e-mail: notifications-h...@james.apache.org
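Review bot: in the CHANGELOG.md hunk, the new entry `- CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES` carries no issue or PR reference, unlike the neighbouring entries (`#1291`, `#1325`). If `JAMES-3860 Rely on Files.createTempFile (#1325)`, which sits in the same Security list, is the fix for this CVE, say so on the CVE line (or on the JAMES-3860 line) so a reader can connect the advisory to the change that resolves it.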
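Review bot: in the first security.adoc hunk, the advisory text "is vulnerable to a temporary File Information Disclosure" names neither the affected component nor what an attacker needs (for example, local access to the directory where the temporary files are written) nor what data those files may contain, so an operator cannot judge exposure from this page alone; the other entries in the same file at least name the protocol and the attack class. Suggest adding one sentence with the affected functionality and the precondition, and fixing the odd capitalisation ("temporary File Information Disclosure"). The hunk also leaves two blank lines (`+` `+`) before `=== CVE-2021-44228`, where the surrounding sections use one.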
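Review bot: in the 2022-12-30-james-3.7.3.markdown hunk, the announcement sentence names the CVE but does not link to the security page where severity and mitigation are documented; consider adding a link so readers of the release post can reach the advisory directly.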
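Review bot: in the feature-security.xml hunk, the unchanged context line directly below the new subsection reads "Apache James distribution prior to release 3.7.3 is vulnerable to a buffering attack relying on the use of the STARTTLS command" under CVE-2021-44228, while security.adoc in this same commit gives "prior to release 3.7.1" for that CVE. Since this hunk touches the adjacent lines, align the version here (3.7.1, if the adoc is the correct one). The new subsection is otherwise a verbatim copy of the adoc text, so the same missing detail (affected component and precondition) applies here and the two pages should be kept in sync.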