This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push:
new 0f33615907 [ANNOUNCE] CVE-2024-37358 + CVE-2024-45626 (#2627)
0f33615907 is described below
commit 0f33615907e4866c350acd8f554389b13450fd5f
Author: Benoit TELLIER <[email protected]>
AuthorDate: Wed Feb 5 17:59:51 2025 +0100
[ANNOUNCE] CVE-2024-37358 + CVE-2024-45626 (#2627)
---
CHANGELOG.md | 18 +++++++++++++++---
docs/modules/servers/partials/operate/security.adoc | 19 +++++++++++++++++++
src/homepage/_posts/2025-01-29-james-3.7.6.markdown | 9 +++++++++
src/homepage/_posts/2025-01-29-james-3.8.2.markdown | 9 +++++++++
src/site/xdoc/server/feature-security.xml | 18 ++++++++++++++++++
5 files changed, 70 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71e6c77e13..916234aba8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -285,10 +285,16 @@ No changes yet.
## [3.8.2] - 2025-02-05
-### Bug fixes
+### Security
+
+- **CVE-2024-37358**: Denial of service through the use of IMAP literals
+- **CVE-2024-45626**: Denial of service through JMAP HTML to text conversion
- [FIX] Prevent HtmlTextExtractor to generate asymmetric outputs
- [IMPROVEMENT] Better manage IMAP literals (3.8.x) (#2281)
+
+### Bug fixes
+
- JAMES-4036 JMS mailQueue should silent interuptedExceptions upon shutdown
- JAMES-4041 Fix OOM upon IMAP COPY
- JAMES-4037 Resolve MailboxTyper for Spring (#2255)
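Review bot: in the new 3.8.2 "### Security" section the two CVE bullets and the two existing fix bullets sit side by side with nothing linking them, so a reader cannot tell which fix closes which advisory; append the CVE id to each fix line (the HtmlTextExtractor fix presumably maps to CVE-2024-45626 and the IMAP literals improvement to CVE-2024-37358), or fold the fix references into the CVE bullets. Minor: "Prevent HtmlTextExtractor to generate asymmetric outputs" should read "from generating".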
@@ -617,11 +623,17 @@ No changes yet.
## [3.7.6] - 2025-02-05
+### Security
+
+- **CVE-2024-37358**: Denial of service through the use of IMAP literals
+- **CVE-2024-45626**: Denial of service through JMAP HTML to text conversion
+
+- [FIX] Prevent HtmlTextExtractor to generate asymmetric outputs
+- [IMPROVEMENT] Better manage IMAP literals (3.8.x) (#2281)
+
### Bug fixes
- [BUILD] Fully drop glowroot
- - [FIX] Prevent HtmlTextExtractor to generate asymmetric outputs
- - [IMPROVEMENT] Better manage IMAP literals (3.7.x) (#2282)
- [FIX] Solve weave/rest-smtp-sink: Docker image manifest v2 schema 1
deprecation issue (#2152)
- JAMES-3955 Increase consumer timeout for TaskManagerWorkQueue
- JAMES-3955 WARNING logs upon closing channels
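Review bot: the IMPROVEMENT bullet added under 3.7.6 reads "(3.8.x) (#2281)", but the line it replaces a few lines below read "(3.7.x) (#2282)"; the 3.7.6 entry should keep the 3.7.x backport reference (#2282), otherwise this branch's changelog points readers at the wrong pull request. The blank line inserted between the CVE bullets and the fix bullets also splits what is meant to be one list; drop it or, as for 3.8.2, tie each fix to its CVE.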
diff --git a/docs/modules/servers/partials/operate/security.adoc
b/docs/modules/servers/partials/operate/security.adoc
index 7f84aeb5de..16758d5aee 100644
--- a/docs/modules/servers/partials/operate/security.adoc
+++ b/docs/modules/servers/partials/operate/security.adoc
@@ -109,6 +109,25 @@ outdated dependencies.
We follow the standard procedures within the ASF regarding
link:https://apache.org/security/committers.html#vulnerability-handling[vulnerability
handling]
+=== CVE-2024-37358: Denial of service through the use of IMAP literals
+
+Apache James prior to versions 3.8.2 or 3.7.6 allows an attacker
+to trigger a denial of service by exploiting IMAP literals.
+
+*Severity*: Moderate
+
+*Mitigation*: Update to Apache James 3.8.2 or 3.7.6 onward.
+
+=== CVE-2024-45626: Denial of service through JMAP HTML to text conversion
+
+Apache James prior to versions 3.8.2 or 3.7.6 allows logged in attacker
+to trigger a denial of service by exploiting html to text conversion.
+
+*Severity*: Moderate
+
+*Mitigation*: Update to Apache James 3.8.2 or 3.7.6 onward.
+
+
=== CVE-2024-21742: Mime4J DOM header injection
Apache JAMES MIME4J prior to version 0.8.10 allow attackers able to specify
the value of a header field to craft other header fields.
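Review bot: the CVE-2024-45626 paragraph reads "allows logged in attacker ... exploiting html to text conversion"; make it "allows a logged-in attacker" and "HTML to text conversion" to match the section heading. The two blank lines added before "=== CVE-2024-21742" are one more than the surrounding sections use. Consider stating the affected component for each advisory (the Mime4J entry below does, naming MIME4J 0.8.10), since as written an operator cannot tell whether CVE-2024-37358 matters only when the IMAP server is exposed.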
diff --git a/src/homepage/_posts/2025-01-29-james-3.7.6.markdown
b/src/homepage/_posts/2025-01-29-james-3.7.6.markdown
index f37a0d912f..95cb78fbc1 100644
--- a/src/homepage/_posts/2025-01-29-james-3.7.6.markdown
+++ b/src/homepage/_posts/2025-01-29-james-3.7.6.markdown
@@ -11,6 +11,15 @@ Early adopters can [download it][download], any issue can be
reported on our iss
The Apache James PMC would like to thanks all contributors who made this
release possible!
+## Announcement
+
+This release comprise minor bug fixes enhancing Apache James stability.
+
+This release fixes the following security issues:
+
+- **CVE-2024-37358**: Denial of service through the use of IMAP literals
+- **CVE-2024-45626**: Denial of service through JMAP HTML to text conversion
+
## Release changelog
The full changes included in this release can be seen in the
[CHANGELOG][CHANGELOG].
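Review bot: "This release comprise minor bug fixes" should be "This release comprises minor bug fixes"; and since the same announcement fixes two CVEs, lead with the security fixes rather than with the stability sentence. Separately, this post's file name dates it 2025-01-29 while the CHANGELOG touched in this same commit dates 3.7.6 as 2025-02-05; one of the two should be aligned.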
diff --git a/src/homepage/_posts/2025-01-29-james-3.8.2.markdown
b/src/homepage/_posts/2025-01-29-james-3.8.2.markdown
index ca1cd65eba..67b237779e 100644
--- a/src/homepage/_posts/2025-01-29-james-3.8.2.markdown
+++ b/src/homepage/_posts/2025-01-29-james-3.8.2.markdown
@@ -11,6 +11,15 @@ Early adopters can [download it][download], any issue can be
reported on our iss
The Apache James PMC would like to thank all contributors who made this
release possible!
+## Announcement
+
+This release comprise minor bug fixes enhancing Apache James stability.
+
+This release fixes the following security issues:
+
+- **CVE-2024-37358**: Denial of service through the use of IMAP literals
+- **CVE-2024-45626**: Denial of service through JMAP HTML to text conversion
+
## Release changelog
The full changes included in this release can be seen in the
[CHANGELOG][CHANGELOG].
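Review bot: same grammar issue as the 3.7.6 post, "This release comprise" should be "This release comprises", and the same date mismatch applies (post named 2025-01-29, CHANGELOG entry for 3.8.2 dated 2025-02-05). The announcement text is duplicated verbatim between the two posts; if that is intentional, at least make the "3.8.2 or 3.7.6" upgrade guidance explicit here so readers of this post know both lines are fixed.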
diff --git a/src/site/xdoc/server/feature-security.xml
b/src/site/xdoc/server/feature-security.xml
index e69ec93365..cebf614e5c 100644
--- a/src/site/xdoc/server/feature-security.xml
+++ b/src/site/xdoc/server/feature-security.xml
@@ -61,6 +61,24 @@
<a
href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability
handling</a>.
</subsection>
+ <subsection name="CVE-2024-37358: Denial of service through the use of
IMAP literals">
+ <p> Apache James prior to versions 3.8.2 or 3.7.6 allows an
attacker
+ to trigger a denial of service by exploiting IMAP literals.</p>
+
+ <p><b>Severity</b>: Moderate</p>
+
+ <p><b>Mitigation</b>: Update to Apache James 3.8.2 or 3.7.6
onward.</p>
+ </subsection>
+
+ <subsection name="CVE-2024-45626: Denial of service through JMAP HTML
to text conversion">
+ <p> Apache James prior to versions 3.8.2 or 3.7.6 allows logged
in attacker
+ to trigger a denial of service by exploiting html to text
conversion.</p>
+
+ <p><b>Severity</b>: Moderate</p>
+
+ <p><b>Mitigation</b>: Update to Apache James 3.8.2 or 3.7.6
onward.</p>
+ </subsection>
+
<subsection name="CVE-2024-21742: Mime4J DOM header injection">
<p> Apache JAMES MIME4J prior to version 0.8.10 allow attackers
able to specify the value of a header field to craft other header fields.</p>
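Review bot: same wording defects as the adoc copy: "allows logged in attacker" needs the article and hyphen ("allows a logged-in attacker"), and "html to text" should be "HTML to text" as in the subsection name. This is the third copy of the identical advisory text in one commit (CHANGELOG, security.adoc, feature-security.xml); generating the xdoc and adoc sections from a single source, or at least cross-checking them before release, would keep the three from drifting, as the 3.7.x/3.8.x PR reference already did in the CHANGELOG.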