Author: bodewig Date: Tue Aug 1 18:33:48 2017 New Revision: 1803679 URL: http://svn.apache.org/viewvc?rev=1803679&view=rev Log: prepare for next iteration
Added: commons/proper/email/trunk/README.md - copied unchanged from r1803511, commons/proper/email/tags/EMAIL_1_5_RC1/README.md commons/proper/email/trunk/src/site/xdoc/security-reports.xml (with props) Modified: commons/proper/email/trunk/ (props changed) commons/proper/email/trunk/RELEASE-NOTES.txt commons/proper/email/trunk/pom.xml commons/proper/email/trunk/src/changes/changes.xml commons/proper/email/trunk/src/site/site.xml Propchange: commons/proper/email/trunk/ ------------------------------------------------------------------------------ svn:mergeinfo = /commons/proper/email/tags/EMAIL_1_5_RC1:1803366-1803511 Modified: commons/proper/email/trunk/RELEASE-NOTES.txt URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/RELEASE-NOTES.txt?rev=1803679&r1=1803678&r2=1803679&view=diff ============================================================================== --- commons/proper/email/trunk/RELEASE-NOTES.txt (original) +++ commons/proper/email/trunk/RELEASE-NOTES.txt Tue Aug 1 18:33:48 2017 @@ -1,4 +1,4 @@ - Commons Email Package + Apache Commons Email Version 1.5 Release Notes @@ -15,8 +15,12 @@ downloads, reports, and bug status: http://commons.apache.org/email/ -This is a major release which adds some new features and fixes several bugs -present in the 1.4.0 release. All current users are encouraged to upgrade. +This is a major and security bugfix release which adds some new +features and fixes several bugs present in the 1.4 release. All +current users are encouraged to upgrade. + +For the security bugfix see +https://commons.apache.org/proper/commons-email/security-reports.html#Fixed_in_Apache_Commons_Email_1.5 CHANGES FROM 1.4: ----------------- 
@@ -55,6 +59,9 @@ Issue: EMAIL-154. Thanks to Ken Geis, Ba * DataSourceClassPathResolver doesn't close InputStream when resolving resources Issue: EMAIL-167. Thanks to Lucian Burja. +* CVE-2017-9801 - stripped all line-breaks from subjects in order to + prevent SMTP header injection. + CHANGES FROM 1.3.3: ----------------- @@ -315,4 +322,4 @@ Java 2 Enterprise Edition 1.4 users must JavaMail and JAF indicated above are available to their applications; the J2EE 1.4 specification only requires earlier versions. -Earlier versions of J2EE are not supported. \ No newline at end of file +Earlier versions of J2EE are not supported. Modified: commons/proper/email/trunk/pom.xml URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/pom.xml?rev=1803679&r1=1803678&r2=1803679&view=diff ============================================================================== --- commons/proper/email/trunk/pom.xml (original) +++ commons/proper/email/trunk/pom.xml Tue Aug 1 18:33:48 2017 @@ -24,7 +24,7 @@ <modelVersion>4.0.0</modelVersion> <groupId>org.apache.commons</groupId> <artifactId>commons-email</artifactId> - <version>1.5-SNAPSHOT</version> + <version>1.6-SNAPSHOT</version> <name>Apache Commons Email</name> <inceptionYear>2001</inceptionYear> 
@@ -41,9 +41,9 @@ </issueManagement> <scm> - <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/email/trunk</connection> + <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/email/tags/EMAIL_1_5</connection> <developerConnection>scm:svn:https://svn.apache.org/repos/asf/commons/proper/email/trunk</developerConnection> - <url>http://svn.apache.org/viewvc/commons/proper/email/trunk</url> + <url>http://svn.apache.org/viewvc/commons/proper/email/tags/EMAIL_1_5</url> </scm> <developers> Modified: commons/proper/email/trunk/src/changes/changes.xml URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/changes/changes.xml?rev=1803679&r1=1803678&r2=1803679&view=diff ============================================================================== --- commons/proper/email/trunk/src/changes/changes.xml (original) +++ commons/proper/email/trunk/src/changes/changes.xml Tue Aug 1 18:33:48 2017 @@ -22,7 +22,9 @@ </properties> <body> - <release version="1.5" date="2017-MM-DD"> + <release version="1.6" date="2017-MM-DD"> + </release> + <release version="1.5" date="2017-08-01"> <!-- N.B. AFAICT the date attribute is not used anywhere so no point in adding it --> <action dev="kinow" type="fix" issue="EMAIL-172" due-to="Thomas Grainger"> Grammar error in comment 
@@ -45,6 +47,10 @@ <action dev="ggregory" type="add" issue="EMAIL-154" date="2015-07-26" due-to="Ken Geis, Balachandran Sivakumar"> Add Email#getHeader(String) and Email#getHeaders() methods. </action> + <action dev="ggregory" type="fix"> + CVE-2017-9801 - stripped all line-breaks from subjects in + order to prevent SMTP header injection. + </action> </release> <release version="1.4" date="2015-05-23"> <action dev="tn" type="fix" issue="EMAIL-149" date="2015-03-10" due-to="Richard DiCroce"> Modified: commons/proper/email/trunk/src/site/site.xml URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/site/site.xml?rev=1803679&r1=1803678&r2=1803679&view=diff ============================================================================== --- commons/proper/email/trunk/src/site/site.xml (original) +++ commons/proper/email/trunk/src/site/site.xml Tue Aug 1 18:33:48 2017 @@ -27,6 +27,7 @@ <item name="Overview" href="/index.html"/> <item name="Download" href="http://commons.apache.org/email/download_email.cgi"/> <item name="User guide" href="/userguide.html"/> + <item name="Security Reports" href="/security-reports.html"/> <item name="Latest API docs (development)" href="/apidocs/index.html"/> <item name="Javadoc (1.5 release)" href="/javadocs/api-release/index.html"/> <item name="Javadoc (1.4 release)" href="/javadocs/api-1.4/index.html"/> Added: commons/proper/email/trunk/src/site/xdoc/security-reports.xml URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/site/xdoc/security-reports.xml?rev=1803679&view=auto ============================================================================== --- commons/proper/email/trunk/src/site/xdoc/security-reports.xml (added) +++ commons/proper/email/trunk/src/site/xdoc/security-reports.xml Tue Aug 1 18:33:48 2017 
@@ -0,0 +1,82 @@ +<?xml version="1.0"?> +<!-- + + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<document> + <properties> + <title>Commons Email Security Reports</title> + <author email="d...@commons.apache.org">Commons Documentation Team</author> + </properties> + <body> + <section name="General Information"> + <p>For information about reporting or asking questions about + security problems, please see the <a + href="http://commons.apache.org/security.html">security page + of the Commons project</a>.</p> + </section> + + <section name="Apache Commons Email Security Vulnerabilities"> + <p>This page lists all security vulnerabilities fixed in + released versions of Apache Commons Email. Each + vulnerability is given a security impact rating by the + development team - please note that this rating may vary from + platform to platform. We also list the versions of Commons + Email the flaw is known to affect, and where a flaw has not + been verified list the version with a question mark.</p> + + <p>Please note that binary patches are never provided. 
If you + need to apply a source code patch, use the building + instructions for the Commons Email version that you are + using.</p> + + <p>If you need help on building Commons Email or other help + on following the instructions to mitigate the known + vulnerabilities listed here, please send your questions to the + public <a href="mail-lists.html">Commons Users mailing + list</a>.</p> + + <p>If you have encountered an unlisted security vulnerability + or other unexpected behaviour that has security impact, or if + the descriptions here are incomplete, please report them + privately to the Apache Security Team. Thank you.</p> + + <subsection name="Fixed in Apache Commons Email 1.5"> + <p><b>Low: SMTP header injection vulnerabilty</b> <a + href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9801">CVE-2017-9801</a></p> + + <p>When passing text that contains line-breaks as the + subject of an email arbitrary SMTP headers can be added.</p> + + <p>This was fixed in revisions + <a href="https://svn.apache.org/viewvc?view=revision&revision=1801385">1801385</a> + <a href="https://svn.apache.org/viewvc?view=revision&revision=1801388">1801388</a> and + <a href="https://svn.apache.org/viewvc?view=revision&revision=1801389">1801389</a>.</p> + + <p>This was first reported to the Security Team on 27 June + 2017 and made public on 1 August 2017.</p> + + <p>Affects: 1.0 - 1.4</p> + + </subsection> + </section> + + <section name="Errors and Ommissions"> + <p>Please report any errors or omissions to <a + href="mail-lists.html">the dev mailing list</a>.</p> + </section> + </body> +</document> Propchange: commons/proper/email/trunk/src/site/xdoc/security-reports.xml ------------------------------------------------------------------------------ svn:eol-style = native
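Review bot: the new CVE-2017-9801 entry in the RELEASE-NOTES.txt `@@ -55,6 +59,9 @@` hunk has no `Issue:` line, unlike the EMAIL-167 entry directly above it. If no JIRA issue exists for the fix, pointing the entry at the same security-reports URL already added in the header hunk (`https://commons.apache.org/proper/commons-email/security-reports.html#Fixed_in_Apache_Commons_Email_1.5`) would let readers reach the advisory from the change list.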
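Review bot: in the pom.xml `@@ -41,9 +41,9 @@` hunk, `<connection>` and `<url>` now point at `tags/EMAIL_1_5` while `<developerConnection>` still points at `trunk`, and the same commit bumps `<version>` to `1.6-SNAPSHOT`. This is the trunk POM, so the three SCM URLs should agree; restore `<connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/email/trunk</connection>` and `<url>http://svn.apache.org/viewvc/commons/proper/email/trunk</url>` so the development POM does not describe the 1.5 release tag.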
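Review bot: the new `<action dev="ggregory" type="fix">` for CVE-2017-9801 in the changes.xml `@@ -45,6 +47,10 @@` hunk carries no `issue`, `date` or `due-to` attribute, whereas the neighbouring EMAIL-154 action has all three. If there is no JIRA issue to reference, a `date` attribute matching the fix revisions would at least keep the entry consistent with the rest of the 1.5 release block and make the fix date visible in the generated changes report.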
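Review bot: the added security-reports.xml contains two spelling errors and two punctuation slips. `<b>Low: SMTP header injection vulnerabilty</b>` should read `vulnerability`, and the section name `Errors and Ommissions` should read `Errors and Omissions`. The sentence `When passing text that contains line-breaks as the subject of an email arbitrary SMTP headers can be added.` needs a comma after `email`, and the revision list `1801385 1801388 and 1801389` is missing a comma between the first two links.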