[SECURITY] CVE-2018-11759 Apache Tomcat JK (mod_jk) Connector path traversal

2018-10-31 Thread Mark Thomas

CVE-2018-11759 Apache Tomcat JK (mod_jk) Connector path traversal

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat JK mod_jk Connector 1.2.0 to 1.2.44

Description:
The Apache Web Server (httpd) specific code that normalised the 
requested path before matching it to the URI-worker map did not handle 
some edge cases correctly. If only a sub-set of the URLs supported by 
Tomcat were exposed via httpd, then it was possible for a specially 
constructed request to expose application functionality through the 
reverse proxy that was not intended for clients accessing the 
application via the reverse proxy. It was also possible in some 
configurations for a specially constructed request to bypass the access 
controls configured in httpd.
While there is some overlap between this issue and CVE-2018-1323, they 
are not identical.


Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat JK ISAPI Connector 1.2.46 or later.
- Use alternative measures (e.g. the remote address filter) to restrict
  access to trusted users.

Credit:
This issue was first discovered by Alphan YAVAS from Biznet Bilisim A.S. 
and reported responsibly to the Apache Tomcat Security Team. Additional 
attack vectors were identified by Raphaël Arrouas (Xel) and Jean Lejeune 
(Nitrax) from immunIT.



References:
[1] http://tomcat.apache.org/security-jk.html
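As an added illustration of the defect class the advisory describes (this is not mod_jk's code; the URI-worker map, worker name and deny prefix are constructed), the matcher below normalises the request path first and only then consults the map and the access rules, while `naive_route` stands in for a matcher that compares the raw path and so can be steered to a mount it was never meant to expose.

```python
"""Canonicalise a request path before matching it against a JkMount-style
URI-worker map, so every spelling of a resource yields the same decision.
Added example, not mod_jk code; all mounts and names are constructed."""
from urllib.parse import unquote

# Constructed URI-worker map in JkMount style: pattern -> worker name.
# Only /app/public/* is intended to be reachable through the reverse proxy.
URI_WORKER_MAP = {"/app/public/*": "ajp13"}
# Constructed prefix that httpd is meant to keep off-limits (cf. a <Location> block).
DENIED_PREFIXES = ("/app/admin",)


def canonical_path(raw: str) -> str:
    """Strip query/fragment, percent-decode once, unify separators, and
    collapse empty, '.' and '..' segments (RFC 3986 section 5.2.4).
    A trailing slash is dropped; matching below is prefix-based anyway."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path).replace("\\", "/")   # single decode, no re-decoding
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def _matches(pattern: str, path: str) -> bool:
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def route(raw: str):
    """Return (worker or None, canonical path); every decision uses the canonical form."""
    path = canonical_path(raw)
    if any(path == p or path.startswith(p + "/") for p in DENIED_PREFIXES):
        return None, path
    for pattern, worker in URI_WORKER_MAP.items():
        if _matches(pattern, path):
            return worker, path
    return None, path


def naive_route(raw: str):
    """Constructed stand-in for the bug class: prefix-match the raw path."""
    for pattern, worker in URI_WORKER_MAP.items():
        if raw.startswith(pattern[:-2]):
            return worker
    return None
```

Running `route` and `naive_route` over the same traversal-style path shows the difference: the canonical matcher refuses it because the normalised path falls under the denied prefix, while the raw prefix match forwards it to the worker.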


The Apache Software Foundation Announces Apache® Subversion® v1.11.0

2018-10-31 Thread Sally Khudairi
[this announcement is available online at https://s.apache.org/N3fL ]

Popular Open Source version control system used by millions across an array of 
applications worldwide.

Wakefield, MA —31 October 2018— The Apache Software Foundation (ASF), the 
all-volunteer developers, stewards, and incubators of more than 350 Open Source 
projects and initiatives, announced today Apache® Subversion® v1.11.0, the 
latest version of the popular centralized software version control system.

Apache Subversion is characterized by its reliability as a safe haven for 
valuable data; the simplicity of its model and usage; and its ability to 
support the needs of a wide variety of users and projects, from individuals to 
large-scale enterprise operations.

"Subversion 1.11 is the first release which follows our new six-month release 
cycle," said Stefan Sperling, Vice President of Apache Subversion. "Subversion 
1.11 provides iterative improvements of features released in Subversion 1.10, 
and will be supported for six months."

Apache Subversion v1.11.0 highlights include:

 - More robust shelving of changes in the working copy;
 - Interactive conflict resolution supports more conflict situations involving 
moved files and directories; and
 - New command to write out a view specification describing the current working 
copy shape.

Based on the new release cycle, Apache Subversion 1.10 is now considered a 
long-term support (LTS) release, with a planned support period of four years. 
The next LTS release will be Subversion 1.14, which is anticipated 18 months 
from now.

"Our new release plan gives users who value stability plenty of time to 
schedule upgrades between LTS releases, while users who prefer quick access to 
new features will be able to get updated approximately every 6 months," added 
Sperling. "Several new client-side features are marked ‘experimental’ in this 
1.11 release. We encourage all our users to test these features and provide 
feedback."

Availability and Oversight
Apache Subversion software is released under the Apache License v2.0 and is 
overseen by a self-selected team of active contributors to the project. A 
Project Management Committee (PMC) guides the Project's day-to-day operations, 
including community development and product releases. For downloads, 
documentation, and ways to become involved with Apache Subversion, visit 
http://subversion.apache.org/

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350 
leading Open Source projects, including Apache HTTP Server --the world's most 
popular Web server software. Through the ASF's meritocratic process known as 
"The Apache Way," more than 730 individual Members and 6,800 Committers across 
six continents successfully collaborate to develop freely available 
enterprise-grade software, benefiting millions of users worldwide: thousands of 
software solutions are distributed under the Apache License; and the community 
actively participates in ASF mailing lists, mentoring initiatives, and 
ApacheCon, the Foundation's official user conference, trainings, and expo. The 
ASF is a US 501(c)(3) charitable organization, funded by individual donations 
and corporate sponsors including Aetna, Anonymous, ARM, Bloomberg, Budget 
Direct, Capital One, Cerner, Cloudera, Comcast, Facebook, Google, Handshake, 
Hortonworks, Huawei, IBM, Indeed, Inspur, LeaseWeb, Microsoft, Oath, ODPi, 
Pineapple Fund, Pivotal, Private Internet Access, Red Hat, Target, and Union 
Investment. For more information, visit http://apache.org/ and 
https://twitter.com/TheASF

© The Apache Software Foundation. "Apache", "Subversion", "Apache Subversion", 
and "ApacheCon" are registered trademarks or trademarks of the Apache Software 
Foundation in the United States and/or other countries. All other brands and 
trademarks are the property of their respective owners.



[ANNOUNCE] Apache Allura 1.10.0 released

2018-10-31 Thread Dave Brondsema
The Apache Allura team is pleased to announce the release of Apache Allura 
1.10.0

Allura is an open source implementation of a software forge, a web site that
manages source code repositories, bug reports, discussions, wiki pages, blogs,
and more for any number of individual projects.

The 1.10.0 release includes the following new features:

* interactive checkmark lists * [x] done!
* emoji shortcode support :rocket: 
* attachment support for blog posts, and new forum topics

This release also includes a critical security fix, so upgrading is strongly
encouraged.

There are many smaller improvements and fixes as well. To see all the details
and upgrade instructions, check out the release changelog at
https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES

Download and installation instructions are available at 
https://allura.apache.org/