JAMES-2197 Add blog post about JAMES-3.0.1 release
Project: http://git-wip-us.apache.org/repos/asf/james-project/repo
Commit: http://git-wip-us.apache.org/repos/asf/james-project/commit/524da5a9
Tree: http://git-wip-us.apache.org/repos/asf/james-project/tree/524da5a9
Diff: http://git-wip-us.apache.org/repos/asf/james-project/diff/524da5a9

Branch: refs/heads/master
Commit: 524da5a98cc4b7b91ba442949043b448ebdadcf2
Parents: c5cccba
Author: benwa <btell...@linagora.com>
Authored: Fri Oct 20 10:35:57 2017 +0700
Committer: Matthieu Baechler <matth...@apache.org>
Committed: Fri Oct 20 15:11:27 2017 +0200

----------------------------------------------------------------------
 .../_posts/2017-10-20-james-3.0.1.markdown | 28 ++++++++++++++++++++
 1 file changed, 28 insertions(+)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/james-project/blob/524da5a9/src/homepage/_posts/2017-10-20-james-3.0.1.markdown
----------------------------------------------------------------------
diff --git a/src/homepage/_posts/2017-10-20-james-3.0.1.markdown b/src/homepage/_posts/2017-10-20-james-3.0.1.markdown
new file mode 100644
index 0000000..aa56c2a
--- /dev/null
+++ b/src/homepage/_posts/2017-10-20-james-3.0.1.markdown
@@ -0,0 +1,28 @@ +--- +layout: post +title: "Security release: Apache James server 3.0.1" +date: 2017-10-20 00:00:22 +0200 +categories: james update +--- + +The Apache James PMCs are glad to announce you the release +version 3.0.1 of Apache James server. + +It fixes vulnerability described in CVE-2017-12628. The JMX server, also +used by the command line client is exposed to a java de-serialization +issue, and thus can be used to execute arbitrary commands. As James +exposes JMX socket by default only on local-host, this vulnerability can +only be used for privilege escalation. + +Release 3.0.1 upgrades the incriminated library. + +Note that you can take additional defensive steps in order to mitigate this vulnerability: + + - Ensure that you restrict the access to JMX only on local-host + - Ensure that you are using a recent Java Run-time Environment. For instance OpenJDK 8 u111 is vulnerable but OpenJDK 8 u 141 is not. + - You can additionally run James in a container to limit damages of potential exploits + - And of course upgrade to the newest 3.0.1 version. + +Read more about Java deserialization [issues]. + +[issues]: https://www.sourceclear.com/blog/Commons-Collections-Deserialization-Vulnerability-Research-Findings/ \ No newline at end of file --------------------------------------------------------------------- To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org For additional commands, e-mail: server-dev-h...@james.apache.org
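Review bot: the line "Release 3.0.1 upgrades the incriminated library." never says which library or which versions are involved, so an operator reading this advisory cannot check their own classpath or a repackaged build; the only hint is the trailing link, whose title is about Commons Collections. Please name the artifact and the before/after versions on that line (for example "upgrades <artifact> from <old> to <new>"), since that is the one fact a reader needs from a security post. Two further points in the same text: the sentence "this vulnerability can only be used for privilege escalation" is true only under the default loopback binding that the first mitigation bullet asks people to verify, so the two should be tied together and the text should say plainly that anyone who has rebound JMX to a non-loopback address should treat this as unauthenticated remote code execution until upgraded; and the JRE bullet should say why the run-time matters (what changed between 8u111 and 8u141 for deserialization over JMX/RMI) or link to it, otherwise it reads as an unexplained version pair. Minor wording: "The Apache James PMCs are glad to announce you the release version 3.0.1" should read "The Apache James PMC is glad to announce the release of version 3.0.1", "It fixes vulnerability described in" needs "the vulnerability", "OpenJDK 8 u 141" should match the earlier "8u111" form, and the file is missing its trailing newline.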