[ANNOUNCE] Apache Buildr 1.4.19 released

2014-07-07 Thread Peter Donald

Apache Buildr is a build system for Java-based applications, including support
for Scala, Groovy and a growing number of JVM languages and tools.  We wanted
something that's simple and intuitive to use, so we only need to tell it what
to do, and it takes care of the rest.  But also something we can easily extend
for those one-off tasks, with a language that's a joy to use.


New in this release:

  * Fixed:  BUILDR-700 - Ensure SNAPSHOT artifacts, constructed using the
    download(artifact('group:artifact:jar:1-SNAPSHOT') =>
    'http://example.com/...') construct will correctly download the
    artifacts from configured URL.
  * Fixed:  BUILDR-700 - Fix bug where buildr was truncating SNAPSHOT files
    that had not changed since last update check and HTTP was returning
    "HTTP Not Modified" status.
  * Fixed:  Fix bug introduced in 1.4.18 version of custom_pom addon where
    poms are created for artifacts that have a classifier.


To learn more about Buildr and get started:
http://buildr.apache.org/

Thanks!
The Apache Buildr Team


[SECURITY] CVE-2014-3503 Apache Syncope

2014-07-07 Thread Francesco Chicchiriccò


CVE-2014-3503: Insecure Random implementations used to generate passwords in
Apache Syncope

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache Syncope 1.1.x prior to 
1.1.8 'Ad libitum'. The 1.0.x releases are not affected.

Description:

A password is generated for a user in Apache Syncope under certain
circumstances, when no existing password is found. However, the password
generation code is relying on insecure Random implementations, which means that
an attacker could attempt to guess a generated password.

This has been fixed in revision:

http://svn.apache.org/viewvc?view=revision&revision=1596537

Migration:

Syncope 1.0.x users are not affected by this issue.
Syncope 1.1.x users should upgrade to 1.1.8 'Ad libitum' as soon as possible.

References: http://syncope.apache.org/security.html

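
The weakness class named in the advisory above, shown as an added example that is not Syncope's code and not part of the original message. It assumes the insecure generator is java.util.Random (the advisory does not name the class); the class name PasswordGenDemo, the alphabet and the seed are constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

public class PasswordGenDemo {
    // Constructed alphabet for this example; not Syncope's password policy.
    private static final String ALPHABET =
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";

    // Draws `length` characters from ALPHABET using the supplied generator.
    // SecureRandom extends Random, so the same routine serves both cases.
    static String generate(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed seed: 2014-07-07T00:00:00Z in milliseconds.
        long seed = 1404691200000L;

        // Weak: java.util.Random is a 48-bit linear congruential generator.
        // Its whole output stream is a function of the seed, so a password
        // built from it is only as unpredictable as that seed.
        String first = generate(new Random(seed), 12);
        String replay = generate(new Random(seed), 12);
        System.out.println("java.util.Random: " + first + " / " + replay
            + " identical=" + first.equals(replay));

        // Hardened: SecureRandom draws from the platform CSPRNG and has no
        // caller-visible seed that reproduces the stream.
        SecureRandom csprng = new SecureRandom();
        String a = generate(csprng, 12);
        String b = generate(csprng, 12);
        System.out.println("SecureRandom    : " + a + " / " + b
            + " identical=" + a.equals(b));
    }
}
```

When reviewing a code base for this issue, the check is whether every Random instance that feeds a password, token or key generator is a SecureRandom.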


[ANN] Apache Syncope 1.1.8 released

2014-07-07 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 1.1.8.

Apache Syncope is an Open Source system for managing digital identities
in enterprise environments, implemented in JEE technology.

The release will be available within 24h from:
http://syncope.apache.org/downloads.html

The full change log is available here:
http://s.apache.org/syncope118

We welcome your help and feedback. For more information on how to report
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team