[ANNOUNCE] Apache Jackrabbit Oak 1.22.5 released
The Apache Jackrabbit community is pleased to announce the release of Apache Jackrabbit Oak 1.22.5. The release is available for download at:

    http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release:

Release Notes -- Apache Jackrabbit Oak -- Version 1.22.5

Introduction
------------

Jackrabbit Oak is a scalable, high-performance hierarchical content repository designed for use as the foundation of modern world-class web sites and other demanding content applications.

Jackrabbit Oak 1.22.5 is a patch release that contains fixes and improvements over Oak 1.22. Jackrabbit Oak 1.22.x releases are considered stable and targeted for production use.

The Oak effort is a part of the Apache Jackrabbit project. Apache Jackrabbit is a project of the Apache Software Foundation.

Changes in Oak 1.22.5
---------------------

Bug

    [OAK-9200] - Oak BlobAccessProvider reference in UserConfigurationImpl fails and leads to performance issue
    [OAK-9218] - Fix OSGi wiring after netty update to 4.1.52.Final
    [OAK-9229] - CountingDocumentStore returns documents with incorrect store reference

Improvement

    [OAK-9184] - Very slow, potential endless loop in LucenePropertyIndex.loadDocs()
    [OAK-9230] - CachingCommitValueResolver with negative cache
    [OAK-9231] - Enable negative cache of commit value resolver for oak-run index command

Task

    [OAK-9205] - Bump htmlunit from 2.35.0 to 2.43.0
    [OAK-9210] - Bump netty dependency from 4.1.17.Final to 4.1.52.Final

In addition to the above-mentioned changes, this release contains all changes included up to the previous Apache Jackrabbit Oak 1.22.x release.

For more detailed information about all the changes in this and other Oak releases, please see the Oak issue tracker at

    https://issues.apache.org/jira/browse/OAK

Release Contents
----------------

This release consists of a single source archive packaged as a zip file. The archive can be unpacked with the jar tool from your JDK installation. See the README.md file for instructions on how to build this release.
The source archive is accompanied by a SHA512 checksum and a PGP signature that you can use to verify the authenticity of your download. The public key used for the PGP signature can be found at https://www.apache.org/dist/jackrabbit/KEYS.

About Apache Jackrabbit Oak
---------------------------

Jackrabbit Oak is a scalable, high-performance hierarchical content repository designed for use as the foundation of modern world-class web sites and other demanding content applications. The Oak effort is a part of the Apache Jackrabbit project. Apache Jackrabbit is a project of the Apache Software Foundation.

For more information, visit http://jackrabbit.apache.org/oak

About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides organizational, legal, and financial support for more than 140 freely-available, collaboratively-developed Open Source projects. The pragmatic Apache License enables individual and commercial users to easily deploy Apache software; the Foundation's intellectual property framework limits the legal exposure of its 3,800+ contributors.

For more information, visit http://www.apache.org/
[CVE-2020-13957] The checks added to unauthenticated configset uploads in Apache Solr can be circumvented
Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
  6.6.0 to 6.6.5
  7.0.0 to 7.7.3
  8.0.0 to 8.6.2

Description:
Solr prevents some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that is uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

Mitigation:
Any of the following is enough to prevent this vulnerability:
 * Disable the UPLOAD command in the ConfigSets API if it is not used, by setting the system property "configset.upload.enabled" to "false" [1]
 * Use Authentication/Authorization and make sure unknown requests aren't allowed [2]
 * Upgrade to Solr 8.6.3 or greater.
 * If upgrading is not an option, consider applying the patch in SOLR-14663 ([3])
 * No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access.

Credit: Tomás Fernández Löbbe, András Salamon

References:
[1] https://lucene.apache.org/solr/guide/8_6/configsets-api.html
[2] https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html
[3] https://issues.apache.org/jira/browse/SOLR-14663
[4] https://issues.apache.org/jira/browse/SOLR-14925
[5] https://wiki.apache.org/solr/SolrSecurity
The Apache Software Foundation Operations Summary: 1 May - 31 July 2020
[this announcement is available online at https://s.apache.org/2mefr ]

FOUNDATION OPERATIONS SUMMARY
First Quarter, Fiscal Year 2021 (May - July 2020)

"This Foundation has survived more than two decades of change in the software industry and is stronger now than ever before."
—Roy Fielding, ASF co-Founder and Chairman

> Conferences and Events
http://apachecon.com/

During the report period, the Conferences team has been working hard on ApacheCon @Home 2020, which will be the 33rd ApacheCon. ApacheCon @Home will feature content from 27 different Apache project communities, including Big Data, Machine Learning, Royale, Pulsar, Tomcat, Geospatial, Community, Camel, and many others. We will also be featuring content in Asia-centric timezones and, for the first time ever, content in the Mandarin, German, and Spanish languages.

ApacheCon @Home 2020 will feature keynotes by Thomas Huang (NASA), Camille Fournier (Author), and Edmon Begoli and Josh Arnold (Oak Ridge National Labs).

This event will be our first 100% online edition of ApacheCon, which makes it available to people in every time zone, many of whom have never been able to travel to ApacheCon before. We expect to have more than 2000 attendees, making it the largest ApacheCon ever.

You can learn more about ApacheCon (and register!) at https://apachecon.com/acah2020

> Community Development
http://community.apache.org/

Throughout this quarter we have been adapting our approach to help mitigate the impact of Covid-19 on our activities. With the changeover of ApacheCon to an online conference (ApacheCon@Home) we have been busy working with the conference team to ensure a good transition. As usual we participated in the ApacheCon@Home CFP, which attracted a lot of submissions. We had enough proposals to plan a 3-day Community track running over two timezones. To help support our global audience, it will also be the first time that we present content in languages other than English.
We are also planning to have an online booth available at the event and are currently deciding on the type of activities that we can do remotely that will still generate the feeling of community.

During this quarter we have also kickstarted our podcast platform Feathercast again as a tool for promoting Apache projects. Our objective is to have a podcast created for every Apache project. An initial request was sent out for people to be interviewed about their project. There has been a lot of interest and feedback has been very positive. Currently 12 interviews have been completed and featured on Feathercast. We hope that this number will continue to increase.

The Apache Local Community (ALC) initiative is still growing and, thanks to Kenneth Paskett from the Central Services team, we now have branding for the ALC chapters that can be customised for each location. The branding helps strengthen the Apache brand locally. ALC Beijing held their first meetup, and ALC Indore have held two webinars and will be presenting a range of talks in Hindi for ApacheCon@Home.

Our GSoC student evaluations were completed on schedule and our mentors continue to work with their selected students.

Our mailing list has seen a decrease in traffic compared to the previous quarter, probably due to the holiday season. We do expect to see increased activity levels as we build up to ApacheCon@Home in September.

> Committers and Contributions
http://apache.org/licenses/contributor-agreements.html

Over the past quarter, 1,252 contributors committed 41,706 changes that amount to 13,946,950 lines of code across Apache projects. The top 5 contributors, in order, were: Andrea Cosentino (1,013 commits), Gary Gregory (817 commits), Jean-Baptiste Onofré (715 commits), Sebb (614 commits), and Xiaoxiang Yu (537 commits).
[image of Committer history available at https://s.apache.org/2mefr ]

All individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. Individuals or corporations donating a body of existing software or documentation to one of the Apache projects need to execute a formal Software Grant Agreement (SGA) with the ASF.

During Q1 FY2021, the ASF Secretary processed 171 ICLAs, 7 CCLAs, and 1 Software Grant. The history of Apache committer growth can be seen at https://projects.apache.org/timelines.html

> Brand Management
http://apache.org/foundation/marks/

Operations —the work of the Brand Management team falls broadly into one of three categories:
 - trademark transfers and registrations
 - granting permission to use our marks
 - addressing potential infringements of our marks

The volume of work has remained steady this quarter. Registrations and transfers are lengthy processes but the tr
Inside Infra: Daniel Gruno --Part II
[this interview is available online at https://s.apache.org/InsideInfra-Daniel2 ]

The "Inside Infra" series with members of the ASF Infrastructure team continues with Part II of the interview with Daniel Gruno, who shares his experience with Sally Khudairi, ASF VP Marketing & Publicity.

- - -

"...it speaks of how tenaciously the Foundation guards its core values, one of which really is provenance, because it's the Apache seal of approval, means this has been thoroughly vetted. We know where every single piece of code comes from. And we know that it works."

- - -

- What about "user demand" --what does it take for you collectively to decide, "OK, we'll support Kubernetes," as you mentioned it earlier, or whatever? Are there strategic technologies that you want to work with or plan to support, or is it all coming from the projects themselves? How does that process work? You're creating projects out of some kind of pain point or some kind of vision. So for you, is it a longer-term thing? Do you have an influence on this? What drives the growth of services delivered?

It's a mix. It's a mix of, first of all, the Infrastructure team is paid by The Apache Software Foundation and it's paid by The Apache Software Foundation to help the projects. So what we do must first and foremost be something that helps the projects and not something that just helps Infra. I mean, of course, we can make tools and have services that will assist us in our work, but the ultimate goal must be supporting the projects.

First and foremost, we listen for projects that come and tell us, "We would really like this or we would really like that." Having said that, we do not always say yes. We have costs to consider. We have maintainability to consider. So as a general rule of thumb we will say, "Okay, project A wants to use service foo. Does anyone else want to use service foo right now?" On occasion, you get, "Nope. No one else wants to use service foo."
And then we go back to project A and say, "It doesn't seem like this is feasible for us economically to maintain if it's just you." But you can also have a situation where 10 projects suddenly say, "Yep, we really, really want to use this." Once you have a trend for something, we are usually not proactive, but reactive to these trends. So a project will come and tell us, "We really want you to use this." We will go out and see if anyone else wants to use this, and they will say, "Yes, please." That's when we'll add that feature or service.

We also have ideas of our own that are, by and large, a result of either existing services not doing what they're supposed to, or they're being... Let's say you have... For example, there is Google and there are mail archives that we had in the olden days. At some point we wondered, "Why don't we combine it so you can search for emails in the archive?" That's how lists.apache.org came to be.

So we have both things that projects come and say, "We really want this," and we also have this crystal ball where we look at problems we're having with existing services, where we look at possible combinations between existing services and other existing services or new services that are emerging in the Web. Or we just have someone say, "Hey, wouldn't it be wonderful if something like this existed?" So it's really a mix of projects asking us and trends emerging and just blue skying, "Wouldn't it be cool if...?"

- Have you guys been in the situation where you found yourselves caught where there was this magical trend that everyone wanted, and it just didn't serve the Foundation, it failed? Were you guys in that situation where you had to back pedal? Or is that not part of your experience?

I would say the most prominent or obvious feature or service would probably be GitHub where we started in 2010 with mirrors of our local Subversion and Git repositories. They would be mirrored to GitHub.
That was actually a bit later, but around that time, they started mirroring stuff to GitHub, but you couldn't write to GitHub. We were adamantly against it. Because provenance, provenance, provenance: that is that thing that if you know Apache, you know that provenance is one of our key features. We like to be able to say, "Oh this came from that. This came from this. This came from that."

We had concerns at Infra that we were not able to have the exact --emphasis on exact-- same provenance as we had on our own servers, and we got a lot of pushback for that. In the end, we figured that maybe we don't need this kind of provenance that we had. Because we had very verbose logging going on for our own service that we couldn't get from GitHub because GitHub is a third party provider. They're not going to fork over sensitive data about their customers to us. So a) we were willing, at some point, to compromise, because it turned out that the data that we had been collecting was maybe not so important after all, and
[SECURITY] CVE-2020-13943 Apache Tomcat HTTP/2 Request mix-up
CVE-2020-13943 Apache Tomcat HTTP/2 Request mix-up

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M7
Apache Tomcat 9.0.0.M5 to 9.0.37
Apache Tomcat 8.5.1 to 8.5.57

Description:
If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M8 or later
- Upgrade to Apache Tomcat 9.0.38 or later
- Upgrade to Apache Tomcat 8.5.58 or later

Credit:
This issue was identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
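As an added example (not code from either advisory or project), the following Python checker tests a reported version against the inclusive affected ranges in the two advisories above, CVE-2020-13957 (Solr) and CVE-2020-13943 (Tomcat), and reports the lowest fixed release the advisory names that is newer than it. It assumes the version is read from the JSON Solr serves at /solr/admin/info/system (the lucene.solr-spec-version field) or from the "Server version:" line printed by Tomcat's version.sh; the JSON payload and banner line below are constructed samples.

```python
"""Affected-version check for CVE-2020-13957 (Solr) and CVE-2020-13943 (Tomcat)."""
import re
from typing import Optional, Tuple

# Inclusive ranges copied from the advisories' "Versions Affected" sections and
# the fixed releases named in their "Mitigation" sections.
ADVISORIES = {
    "CVE-2020-13957": {
        "affected": [("6.6.0", "6.6.5"), ("7.0.0", "7.7.3"), ("8.0.0", "8.6.2")],
        "fixed": ["8.6.3"],
    },
    "CVE-2020-13943": {
        "affected": [("10.0.0-M1", "10.0.0-M7"), ("9.0.0.M5", "9.0.37"), ("8.5.1", "8.5.57")],
        "fixed": ["10.0.0-M8", "9.0.38", "8.5.58"],
    },
}

# Solr uses plain x.y.z; Tomcat milestones appear as 10.0.0-M7 or 9.0.0.M5.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_FINAL = 10**9  # sorts a final release after every milestone of the same x.y.z


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.0.37', '10.0.0-M7' or '9.0.0.M5' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _FINAL)


def is_affected(cve: str, version: str) -> bool:
    """True when `version` lies inside any affected range of `cve` (bounds inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in ADVISORIES[cve]["affected"])


def fixed_release_for(cve: str, version: str) -> Optional[str]:
    """Lowest release the advisory names as fixed that is newer than `version`."""
    v = parse_version(version)
    newer = [f for f in ADVISORIES[cve]["fixed"] if parse_version(f) > v]
    return min(newer, key=parse_version) if newer else None


def solr_version_from_system_info(info: dict) -> str:
    """Version string from the JSON Solr returns at /solr/admin/info/system."""
    return info["lucene"]["solr-spec-version"]


def tomcat_version_from_banner(banner: str) -> str:
    """Version string from the 'Server version:' line printed by Tomcat's version.sh."""
    m = re.search(r"Apache Tomcat/(\S+)", banner)
    if not m:
        raise ValueError("no Tomcat version in banner")
    return m.group(1)


def assess(cve: str, version: str) -> dict:
    """Summarise one host's exposure to one advisory."""
    affected = is_affected(cve, version)
    return {"cve": cve, "version": version, "affected": affected,
            "upgrade_to": fixed_release_for(cve, version) if affected else None}


# Constructed sample inputs (not captured from a real host).
SAMPLE_SOLR_SYSTEM_INFO = {"lucene": {"solr-spec-version": "8.6.2",
                                       "solr-impl-version": "8.6.2 (constructed)"}}
SAMPLE_TOMCAT_BANNER = "Server version: Apache Tomcat/9.0.37"

if __name__ == "__main__":
    print(assess("CVE-2020-13957", solr_version_from_system_info(SAMPLE_SOLR_SYSTEM_INFO)))
    print(assess("CVE-2020-13943", tomcat_version_from_banner(SAMPLE_TOMCAT_BANNER)))
```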
[ANNOUNCE] Apache Wicket 9.1.0 released
The Apache Wicket PMC is proud to announce Apache Wicket 9.1.0!

Apache Wicket is an open source Java component oriented web application framework that powers thousands of web applications and web sites for governments, stores, universities, cities, banks, email providers, and more. You can find more about Apache Wicket at https://wicket.apache.org

This release marks another minor release of Wicket 9. We use semantic versioning for the development of Wicket, and as such no API breaks are present in this release compared to 9.0.0.

Using this release
------------------

With Apache Maven update your dependency to (and don't forget to update any other dependencies on Wicket projects to the same version):

    <dependency>
        <groupId>org.apache.wicket</groupId>
        <artifactId>wicket-core</artifactId>
        <version>9.1.0</version>
    </dependency>

Or download and build the distribution yourself, or use our convenience binary package you can find here:

 * Download: http://wicket.apache.org/start/wicket-9.x.html#manually

Upgrading from earlier versions
-------------------------------

If you upgrade from 9.y.z this release is a drop in replacement. If you come from a version prior to 9.0.0, please read our Wicket 9 migration guide found at

 * http://s.apache.org/wicket9migrate

Have fun!
— The Wicket team

The signatures for the source release artefacts:

Signature for apache-wicket-9.1.0.zip:

Signature for apache-wicket-9.1.0.tar.gz:

CHANGELOG for 9.1.0:

** Bug

 * [WICKET-6702] - AsynchronousPageStore with NotDetachedModelChecker - "Not detached model found" exception on several fast sequential Ajax calls
 * [WICKET-6802] - FilePageStore writing to
   UserDefinedFileAttributeView might be null
 * [WICKET-6803] - wicket-objectsizeof-agent has no valid automatic module name
 * [WICKET-6806] - CSP header response decorator breaks JavaScriptFilteredIntoFooterHeaderResponse
 * [WICKET-6808] - Cannot add page to AjaxRequestTarget
 * [WICKET-6810] - Asynchronous+encrypted pagestore leads to WicketRuntimeException
 * [WICKET-6813] - Setting child-src does not update frame-src after initial assignment
 * [WICKET-6818] - NPE in WicketEndpoint onClose
 * [WICKET-6822] - AsynchronousPageStore Potential Memory Leak
 * [WICKET-6825] - wicket-ioc 9.0.0 throws IAE with JDK14, still includes outdated ASM 7.1.0 in cglib-nodep
 * [WICKET-6837] - Jupiter engine transitively included in war file

** New Feature

 * [WICKET-6805] - Add Cross-Origin Opener Policy and Cross-Origin Embedder Policy support

** Improvement

 * [WICKET-6786] - CsrfPreventionRequestCycleListener should support Fetch Metadata Request Headers
 * [WICKET-6807] - Fake Submitting Button
 * [WICKET-6821] - Completely disable CSP support
 * [WICKET-6824] - Use concatenation instead of String.format for frequently called methods
 * [WICKET-6826] - Improve performance and reduce allocations for Behaviors
 * [WICKET-6827] - Improve performance of Strings.join and Strings.replaceAll
 * [WICKET-6828] - Wrong tree branch icon with hidden children
 * [WICKET-6829] - Use String.isEmpty() instead of "".equals(...)
 * [WICKET-6830] - Convert Behaviors into a
[ANNOUNCEMENT] Apache SkyWalking CLI 0.4.0 Released
Hi SkyWalking Community,

On behalf of the SkyWalking CLI Team, I'm glad to announce that SkyWalking CLI 0.4.0 is now released.

SkyWalking CLI: A command line interface for SkyWalking.

SkyWalking: APM (application performance monitor) tool for distributed systems, especially designed for microservices, cloud native and container-based (Docker, Kubernetes, Mesos) architectures.

Vote Thread: https://lists.apache.org/thread.html/rbb2b94613f31738f34e2ba494d57ff7f7ae7db167eb6b749dc75fe93%40%3Cdev.skywalking.apache.org%3E

Download Links: http://skywalking.apache.org/downloads/

Release Notes: https://github.com/apache/skywalking-cli/blob/0.4.0/CHANGES.md

Website: http://skywalking.apache.org/

SkyWalking CLI Resources:
- Issue: https://github.com/apache/skywalking/issues
- Mailing list: d...@skywalking.apache.org
- Documents: https://github.com/apache/skywalking-cli/blob/0.4.0/README.md

The Apache SkyWalking Team
[ANN] Apache Tomcat 10.0.0-M9 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.0-M9.

Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process.

Apache Tomcat 10.0.0-M9 is a milestone release of the 10.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 10.0.x so that they may provide feedback. The notable changes compared to 10.0.0-M8 include:

- Refactor the handling of closed HTTP/2 streams to reduce the heap usage associated with used streams and to retain information for more streams in the priority tree.

- Allow using the utility executor for annotation scanning. Patch provided by Jatin Kamnani.

- Add a bloom filter to speed up archive lookup and improve deployment speed of applications with a large number of JARs. Patch provided by Jatin Kamnani.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 9.0.39 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.39.

Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 9.0.39 is a bugfix and feature release. The notable changes compared to 9.0.38 include:

- Refactor the handling of closed HTTP/2 streams to reduce the heap usage associated with used streams and to retain information for more streams in the priority tree.

- Allow using the utility executor for annotation scanning. Patch provided by Jatin Kamnani.

- Add a bloom filter to speed up archive lookup and improve deployment speed of applications with a large number of JARs. Patch provided by Jatin Kamnani.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 8.5.59 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.59.

Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers technologies.

Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from the 9.0.x branch. The notable changes since 8.5.58 include:

- Refactor the handling of closed HTTP/2 streams to reduce the heap usage associated with used streams and to retain information for more streams in the priority tree.

- Deprecate the JDBCRealm.

- Ensure that none of the methods on a ServletContext instance always fail when running under a SecurityManager. Pull request provided by Kyle Stiemann.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team