[ANNOUNCE] Apache Wicket 7.9.0 released
The Apache Wicket PMC is proud to announce Apache Wicket 7.9.0!

Apache Wicket is an open source Java component oriented web application framework that powers thousands of web applications and web sites for governments, stores, universities, cities, banks, email providers, and more. You can find more about Apache Wicket at https://wicket.apache.org

This release marks another minor release of Wicket 7. We use semantic versioning for the development of Wicket, and as such no API breaks are present in this release compared to 7.0.0.

New and noteworthy
------------------

This release fixes WICKET-6457 and WICKET-6465 which caused the page store not to be cleared when session ends.

Using this release
------------------

With Apache Maven update your dependency to (and don't forget to update any other dependencies on Wicket projects to the same version):

    <dependency>
        <groupId>org.apache.wicket</groupId>
        <artifactId>wicket-core</artifactId>
        <version>7.9.0</version>
    </dependency>

Or download and build the distribution yourself, or use our convenience binary package

 * Source: http://www.apache.org/dyn/closer.cgi/wicket/7.9.0
 * Binary: http://www.apache.org/dyn/closer.cgi/wicket/7.9.0/binaries

Upgrading from earlier versions
-------------------------------

If you upgrade from 7.y.z this release is a drop in replacement. If you come from a version prior to 7.0.0, please read our Wicket 7 migration guide found at

 * http://s.apache.org/wicket7migrate

Have fun!
— The Wicket team

The signatures for the source release artefacts:

CHANGELOG for 7.9.0:

** Bug

    * [WICKET-6429] - AbstractRequestLogger should not create new Sessions
    * [WICKET-6455] - AjaxFormSubmitBehavior doesn't submit inner forms
    * [WICKET-6457] - PageStore not cleared at session end
    * [WICKET-6459] - Ajax re-renders of enclosures do not render their children's header contributions
    * [WICKET-6462] - When an Ajax Button is submitted, AjaxFormSubmitBehavior # onSubmit is called twice
    * [WICKET-6465] - PageStore not cleared at session end

** Improvement

    * [WICKET-6454] - WicketApplication behind a proxy with restrictive internet access can not initialized
    * [WICKET-6463] - Please add additional constructor to Roles
[ANNOUNCE] Apache Arrow 0.7.0 released
The Apache Arrow community is pleased to announce the 0.7.0 release. It includes 133 resolved issues ([1]) since the 0.6.0 release.

The release is available now from our website and [2]:
http://arrow.apache.org/install/

Read about what's new in the release
http://arrow.apache.org/blog/2017/09/19/0.7.0-release/

Changelog
http://arrow.apache.org/release/0.7.0.html

What is Apache Arrow?
---------------------

Apache Arrow is a columnar in-memory analytics layer designed to accelerate big data. It houses a set of canonical in-memory representations of flat and hierarchical data along with multiple language-bindings for structure manipulation. It also provides low-overhead streaming and batch messaging, zero-copy interprocess communication (IPC), and vectorized in-memory analytics libraries.

Please report any feedback to the mailing lists ([3])

Regards,
The Apache Arrow community

[1]: https://issues.apache.org/jira/issues/?jql=project%20%3D%20ARROW%20AND%20fixVersion%20%3D%200.7.0%20ORDER%20BY%20priority%20DESC
[2]: https://www.apache.org/dyn/closer.cgi/arrow/arrow-0.7.0/
[3]: https://lists.apache.org/list.html?d...@arrow.apache.org
[CORRECTION][SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure
The body of the original advisory referred to CVE-2017-7674. This was incorrect. It was a copy and paste error from a previous Tomcat advisory.

The correct CVE reference is CVE-2017-12616, as per the subject line.

On 19/09/17 11:58, Mark Thomas wrote:
> CVE-2017-7674 Apache Tomcat Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 7.0.0 to 7.0.80
>
> Description:
> When using a VirtualDirContext it was possible to bypass security
> constraints and/or view the source code of JSPs for resources served by
> the VirtualDirContext using a specially crafted request.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 7.0.81
>
> Credit:
> This issue was identified by the Tomcat Security Team while
> investigating CVE-2017-12615.
>
> History:
> 2017-09-19 Original advisory
>
> References:
> [1] http://tomcat.apache.org/security-7.html
>
[CORRECTION][SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload
The body of the original advisory referred to CVE-2017-7674. This was incorrect. It was a copy and paste error from a previous Tomcat advisory.

The correct CVE reference is CVE-2017-12615, as per the subject line.

On 19/09/17 11:58, Mark Thomas wrote:
> CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP Upload
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 7.0.0 to 7.0.79
>
> Description:
> When running on Windows with HTTP PUTs enabled (e.g. via setting the
> readonly initialisation parameter of the Default to false) it was
> possible to upload a JSP file to the server via a specially crafted
> request. This JSP could then be requested and any code it contained
> would be executed by the server.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)
>
> Credit:
> This issue was reported responsibly to the Apache Tomcat Security Team
> by iswin from 360-sg-lab (360观星实验室)
>
> History:
> 2017-09-19 Original advisory
>
> References:
> [1] http://tomcat.apache.org/security-7.html
>
[SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload
CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79

Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team by iswin from 360-sg-lab (360观星实验室)

History:
2017-09-19 Original advisory

References:
[1] http://tomcat.apache.org/security-7.html
[SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure
CVE-2017-7674 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.80

Description:
When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 7.0.81

Credit:
This issue was identified by the Tomcat Security Team while investigating CVE-2017-12615.

History:
2017-09-19 Original advisory

References:
[1] http://tomcat.apache.org/security-7.html
[ANNOUNCE] Apache Commons BCEL 6.1 released!
Hello,

the Apache Commons Community is happy to announce the release of Apache Commons BCEL 6.1.

The Byte Code Engineering Library (Apache Commons BCEL) is intended to give users a convenient way to analyze, create, and manipulate (binary) Java class files (those ending with .class). Classes are represented by objects which contain all the symbolic information of the given class: methods, fields and byte code instructions, in particular.

Source and binary distributions are available for download from the Apache Commons download site:

http://commons.apache.org/proper/commons-bcel/download_bcel.cgi

When downloading, please verify signatures using the KEYS file available at the above location.

Alternatively the release can be pulled via maven:

    <dependency>
        <groupId>org.apache.bcel</groupId>
        <artifactId>bcel</artifactId>
        <version>6.1</version>
    </dependency>

The release notes can be viewed at:

http://www.apache.org/dist/commons/bcel/RELEASE-NOTES.txt

For complete information on Commons BCEL, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Commons BCEL website:

http://commons.apache.org/proper/commons-bcel/

Best regards,
Benedikt Ritter
on behalf of the Apache Commons community