[ANN] Apache Syncope 2.1.6
The Apache Syncope team is pleased to announce the release of Syncope 2.1.6.

Apache Syncope is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope216

Upgrading from 2.1.5? There are some notes about this process:
https://s.apache.org/5esvf

We welcome your help and feedback. For more information on how to report problems, and to get involved, visit the project website at
http://syncope.apache.org/

The Apache Syncope Team
[ANN] Apache Syncope 2.0.15
The Apache Syncope team is pleased to announce the release of Syncope 2.0.15.

Apache Syncope is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope2015

Upgrading from 2.0.14? There are some notes about this process:
https://s.apache.org/fra2f

We welcome your help and feedback. For more information on how to report problems, and to get involved, visit the project website at
http://syncope.apache.org/

The Apache Syncope Team
[CVE-2020-1959] Multiple Remote Code Execution Vulnerabilities
Description:
A Server-Side Template Injection was identified in Syncope enabling attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability.
Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able to run arbitrary Java code.

Severity: Important

Vendor: The Apache Software Foundation

Affects: 2.1.X releases prior to 2.1.6

Solution: Upgrade to 2.1.6

Credit: This issue was discovered by GitHub Security Labs team member Alvaro Muñoz - https://github.com/pwntester.

References: https://syncope.apache.org/security
[ANNOUNCE] Apache ZooKeeper 3.6.1
The Apache ZooKeeper team is proud to announce Apache ZooKeeper version 3.6.1.

ZooKeeper is a high-performance coordination service for distributed applications. It exposes common services - such as naming, configuration management, synchronization, and group services - in a simple interface so you don't have to write them from scratch. You can use it off-the-shelf to implement consensus, group management, leader election, and presence protocols. And you can build on it for your own, specific needs.

For ZooKeeper release details and downloads, visit:
https://zookeeper.apache.org/releases.html

ZooKeeper 3.6.1 Release Notes are at:
https://zookeeper.apache.org/doc/r3.6.1/releasenotes.html

We would like to thank the contributors that made the release possible.

Regards,
The ZooKeeper Team