[ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior
The Apache Struts Team recommends that you immediately upgrade your Struts 2.3.36 based projects to use the latest released version of the Commons FileUpload library, which is currently 1.3.3. This is necessary to prevent your publicly accessible web site from being exposed to possible Remote Code Execution attacks (see [1] [2]).

This affects Struts 2.3.36 and prior. Struts versions from 2.5.12 are already using the latest commons-fileupload version [3]. Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to the use of commons-fileupload.

The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar. For Maven based Struts 2 projects, the following dependency needs to be added:

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.3</version>
    </dependency>

More details can be found here:

[1] https://issues.apache.org/jira/browse/FILEUPLOAD-279
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-131
[3] https://issues.apache.org/jira/browse/WW-4812

All developers are strongly advised to perform this action.

on behalf of the Apache Struts Team

Kind regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
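As an added check that is not part of the announcement (example code written here, not by the Struts team): a POSIX shell script that scans a deployed webapp's WEB-INF/lib for commons-fileupload jars older than 1.3.3, so an operator can confirm that the drop-in replacement described above actually landed. It assumes the jar follows the usual commons-fileupload-<version>.jar naming, ignores version suffixes such as -SNAPSHOT when comparing, and the sample directory it builds for the stand-alone run at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the Struts announcement: check a deployed Struts 2
# webapp's WEB-INF/lib for commons-fileupload jars older than the fixed 1.3.3.

FIXED_VERSION="1.3.3"

# numeric value of dotted component $2 of version $1; any non-numeric
# suffix such as "-SNAPSHOT" is stripped and a missing component counts as 0
ver_part() {
    part=$(printf '%s' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//')
    printf '%s' "${part:-0}"
}

# returns 0 (true) when version $1 is strictly older than version $2,
# comparing major.minor.patch numerically
version_older_than() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(ver_part "$1" "$i")
        b=$(ver_part "$2" "$i")
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# version embedded in a jar file name: .../commons-fileupload-1.3.2.jar -> 1.3.2
jar_version() {
    name=${1##*/}
    name=${name#commons-fileupload-}
    printf '%s' "${name%.jar}"
}

# prints every commons-fileupload jar found in directory $1 (a WEB-INF/lib)
# and returns 1 when at least one needs replacing, 0 when the directory is clean
scan_lib_dir() {
    affected=0
    for jar in "$1"/commons-fileupload-*.jar; do
        [ -e "$jar" ] || continue   # glob matched nothing
        v=$(jar_version "$jar")
        if version_older_than "$v" "$FIXED_VERSION"; then
            echo "AFFECTED: $jar (version $v < $FIXED_VERSION)"
            affected=1
        else
            echo "ok: $jar (version $v)"
        fi
    done
    return "$affected"
}

# constructed sample webapp layout for a stand-alone run (empty files stand
# in for real jars; only the file names matter to this check)
demo=$(mktemp -d)
mkdir -p "$demo/WEB-INF/lib"
: > "$demo/WEB-INF/lib/commons-fileupload-1.3.2.jar"
: > "$demo/WEB-INF/lib/commons-io-2.4.jar"
if scan_lib_dir "$demo/WEB-INF/lib"; then
    echo "no action needed"
else
    echo "replace the jar above with commons-fileupload-$FIXED_VERSION.jar"
fi
rm -rf "$demo"
```

Point scan_lib_dir at the real WEB-INF/lib of each deployed application; a non-zero exit means at least one jar still predates 1.3.3. The check only looks at file names, so a jar that was renamed or shaded into another artifact would need inspection of its META-INF/MANIFEST.MF instead.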
[ANNOUNCE] Apache Jackrabbit 2.12.10 released
The Apache Jackrabbit community is pleased to announce the release of Apache Jackrabbit 2.12.10. The release is available for download at:

    http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release:

Release Notes -- Apache Jackrabbit -- Version 2.12.10

Introduction
------------

This is Apache Jackrabbit(TM) 2.12.10, a fully compliant implementation of the Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as specified in the Java Specification Request 283 (JSR 283).

Apache Jackrabbit 2.12.10 is a patch release that contains fixes and improvements over Jackrabbit 2.12. Jackrabbit 2.12.x releases are considered stable and targeted for production use.

Changes in Jackrabbit 2.12.10
-----------------------------

Bug

    [JCR-3632] - ConnectionFactoryTest failed under Java 8
    [JCR-4006] - TestCachingFDS.testDeleteRecord() fails occasionally
    [JCR-4008] - Restore TestCachingFDS.testDeleteRecord() to fix it with disabling AsyncUpload in unit tests
    [JCR-4093] - IndexRule are meant to be applied based on both primaryType and mixin type based inheritance. Currently it appears that only primaryType based inheritance is working
    [JCR-4291] - FileInputStream for workspace.xml not closed in RepositoryConfig.loadWorkspaceConfig(File)
    [JCR-4324] - NPE on Version.getLinearPredecessor() implementation

Improvement

    [JCR-4253] - RepositoryConfig: add some handling for mkdir failure
    [JCR-4292] - davex: preserve cause in exceptions and log affected URI

Task

    [JCR-4231] - Upgrade aws-java-sdk-s3 dependency to 1.11.241
    [JCR-4233] - Update H2DB test dependency
    [JCR-4254] - Update Logback version to >= 1.2.0, SLF4J accordingly
    [JCR-4256] - create announcement mail template for releases
    [JCR-4261] - webapp: align jsons-simple dependencies internally and with oak
    [JCR-4262] - jcr-server: align org.apache.felix.scr.annotations with oak
    [JCR-4263] - jcr-server, jackrabbit-bundle: align org.osgi dependencies with oak
    [JCR-4264] - jackrabbit-standalone: align commons-cli dependency with oak
    [JCR-4272] - Upgrade surefire and failsafe plugins to 2.21.0
    [JCR-4293] - jackrabbit-core: observation tests should not rely on mix:lockable mixin type
    [JCR-4294] - TCK tests should pass on repositories without locking support
    [JCR-4302] - BTreeManager: fix Eclipse compiler error
    [JCR-4307] - Update animal-sniffer-maven-plugin to 1.16
    [JCR-4318] - Update failsafe and surefire plugin versions to 2.22.0
    [JCR-4320] - Update spotbugs plugin to 3.1.5
    [JCR-4321] - Update maven plugins from org.apache.maven.plugins
    [JCR-4322] - Consistent use of log4j versions
    [JCR-4326] - Update aws java sdk version to 1.11.330 (consistent with Oak)
    [JCR-4328] - Update 7.0.* Tomcat dependencies once 7.0.90 is released
    [JCR-4333] - Update javax.transaction dependency to 1.3

Sub-task

    [JCR-4190] - maven-assembly-plugin:2.6:single failing with Java 9
    [JCR-4196] - update surefire and failsafe plugins for use with java 9
    [JCR-4200] - javax.transaction.UserTransaction hidden by surefire plugin in with Java 9
    [JCR-4280] - code coverage checks fail on Java 10
    [JCR-4306] - switch to findbugs replacement that is still maintained (spotbugs)
    [JCR-4338] - avoid use of javax.rmi.PortableRemoteObject (removed in Java 11)

Release Contents
----------------

This release consists of a single source archive packaged as a zip file. The archive can be unpacked with the jar tool from your JDK installation. See the README.txt file for instructions on how to build this release.

The source archive is accompanied by SHA1 and SHA512 checksums and a PGP signature that you can use to verify the authenticity of your download. The public key used for the PGP signature can be found at https://www.apache.org/dist/jackrabbit/KEYS.

About Apache Jackrabbit
-----------------------

Apache Jackrabbit is a fully conforming implementation of the Content Repository for Java Technology API (JCR). A content repository is a hierarchical content store with support for structured and unstructured content, full text search, versioning, transactions, observation, and more.

For more information, visit http://jackrabbit.apache.org/

About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides organizational, legal, and financial support for more than 140 freely-available, collaboratively-developed Open Source projects. The pragmatic Apache License enables individual and commercial users to easily deploy Apache software; the Foundation's intellectual property framework limits the legal exposure of its 3,800+ contributors.

For more information, visit http://www.apache.org/

Trademarks
----------

Apache Jackrabbit, Jackrabbit, Apache, the Apache feather logo, and the Apache Jackrabbit project logo are trademar
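The release notes above say the source archive ships with SHA1 and SHA512 checksums and a PGP signature. As an added example that is not part of the announcement or of the Jackrabbit project, the POSIX shell script below verifies a downloaded archive against its checksum file and, where gpg is installed, against its .asc signature using the KEYS file from https://www.apache.org/dist/jackrabbit/KEYS imported into a throw-away keyring. The archive and signature file names are placeholders; the two checksum-file layouts it accepts (plain "HEX  name" and the name-first grouped hex that some Apache distributions publish) are an assumption; and the stand-alone run at the bottom checks a constructed stand-in file rather than a real download.

```shell
#!/bin/sh
# Added example, not from the Jackrabbit release announcement: verify a
# release archive against its published checksum file and PGP signature.
# Real inputs are the archive, its .sha1/.sha512 and .asc files from the
# download page, and the project's KEYS file; names here are placeholders.

# hex digest of file $1 using SHA-$2 (1 or 512), via coreutils or shasum
digest() {
    if command -v "sha$2sum" >/dev/null 2>&1; then
        "sha$2sum" "$1" | cut -d' ' -f1
    else
        shasum -a "$2" "$1" | cut -d' ' -f1
    fi
}

# expected digest from checksum file $1 for archive name $2: the archive
# name, whitespace and any colon are removed and the hex lower-cased, so
# both "HEX  name" and "name: HEX HEX ..." layouts (assumed) are accepted
expected_digest() {
    sed "s|$2||g" "$1" | tr -d ' \t\n:' | tr 'A-F' 'a-f'
}

# returns 0 when the SHA-$3 digest of archive $1 matches checksum file $2
verify_checksum() {
    actual=$(digest "$1" "$3")
    expected=$(expected_digest "$2" "${1##*/}")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# returns 0 when signature $2 over archive $1 verifies against the keys in
# KEYS file $3; the keys go into a temporary GnuPG home so the user's own
# keyring is not touched (requires gpg on PATH)
verify_signature() {
    home=$(mktemp -d)
    gpg --homedir "$home" --quiet --import "$3" 2>/dev/null
    gpg --homedir "$home" --verify "$2" "$1" 2>/dev/null
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# constructed stand-alone demonstration: a stand-in archive plus a checksum
# file in the plain "HEX  name" layout
demo=$(mktemp -d)
printf 'stand-in for the release archive\n' > "$demo/release.zip"
printf '%s  release.zip\n' "$(digest "$demo/release.zip" 512)" > "$demo/release.zip.sha512"
if verify_checksum "$demo/release.zip" "$demo/release.zip.sha512" 512; then
    echo "sha512 ok"
else
    echo "sha512 MISMATCH: do not unpack this archive"
fi
# with a real download the signature check follows, e.g.
#   verify_signature ARCHIVE.zip ARCHIVE.zip.asc KEYS   (placeholder names)
rm -rf "$demo"
```

A matching checksum only proves the file arrived intact; the PGP check against KEYS is what ties the archive to the release manager, so treat a failure of either as a reason not to unpack the download.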
Success at Apache: Wearing Small Hats
[this announcement is available online at https://s.apache.org/TGuO ]

by Rich Bowen

Within The Apache Software Foundation, many of us have different roles. I am a committer on the Apache httpd project, and also a PMC member on that project. I am the Vice President, Conferences. I am a board member. And I’m a member of the Foundation.

I'm also an employee of Red Hat, and may, at times, be perceived to be speaking for my employer.

I am a father, husband, brother, son, employee, and so on. How I interact with my daughter is very different from how I interact with my manager. I use different language, wield different authority, and expect different results.

Ten years ago at ApacheCon in Oakland, Bertrand Delacretaz gave a talk about hats [photo at https://blogs.apache.org/foundation/entry/success-at-apache-wearing-small ]. We all laughed a lot. But he was making a serious point. At the Apache Software Foundation –indeed, in life– we all wear many different hats.

However, whereas it's pretty clear, in real life, whether I’m addressing my daughter or my manager, on Apache mailing lists it's seldom, if ever, clear which hat I'm wearing in any given situation.

I like to operate on the following principle when communicating in the Apache community:

Wear the smallest hat possible for the situation, but assume that everyone is seeing the biggest hat possible.

So, what does that mean?

In the list above of my Apache hats (Committer, PMC Member, Foundation Member, V.P. Conferences, Director), there are various levels of authority. As a project committer, I can make code changes, but as a PMC member, I can reject other people’s changes. As a Foundation Member, I can express an opinion, but as a Director, I can state the official position of the Foundation.

The difficulty comes when, on a mailing list, I say something, intending it to be my personal opinion (i.e., Foundation Member hat) and someone reads it as the official position of the Foundation (i.e., Foundation Director hat).

Thus, in any given situation, I have an obligation to wield the smallest stick I possibly can, appropriate to the situation. Also, to clearly communicate how I am speaking, if there’s any chance of confusion, by saying things like "speaking as a member, and expressing my private opinion …", or "It is the opinion of the Board of Directors that …"

And, since there’s always a chance of confusion, due to many factors, it’s worthwhile to make this clarification almost every time, if you’re in a position where you do, in fact, wear multiple hats.

By wearing the smallest hat possible –i.e., speaking with the voice with the least authority– you allow other people to be free to express their own dissenting opinions without feeling that they have already been overruled. This is in line with our culture of providing a level playing field, where all voices are equal, and all opinions are weighed the same.

Rich Bowen has been doing open source-y stuff since about 1995, and has been a member of the Apache Software Foundation since 2002. He currently serves on the ASF Board of Directors. By day, he's the CentOS Community Manager, working for Red Hat.

= = =

"Success at Apache" is a monthly blog series that focuses on the processes behind why the ASF "just works" https://blogs.apache.org/foundation/category/SuccessAtApache

NOTE: you are receiving this message because you are subscribed to the announce@apache.org distribution list. To unsubscribe, send email from the recipient account to announce-unsubscr...@apache.org with the word "Unsubscribe" in the subject line.