[ANNOUNCE] Apache Qpid Proton-J 0.34.0 released

2022-09-02 Thread Robbie Gemmell
The Apache Qpid (https://qpid.apache.org) community is pleased to announce the immediate availability of Apache Qpid Proton-J 0.34.0. Apache Qpid Proton-J is a messaging library for the Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, https://www.amqp.org). It can be used in a wide

Apache OFBiz - Unauth Stored XSS (CVE-2022-25370)

2022-09-02 Thread Jacques Le Roux
Severity: High Vendor: The Apache Software Foundation Versions Affected: OFBiz versions prior to 18.12.06 Description: The Birt viewer version 4.5.0 has a security issue that allows this exploit. We waited long for https://github.com/eclipse/birt/issues/625 to resolve but eventually decided to

Apache OFBiz - Unauth Path Traversal with file corruption (CVE-2022-25371)

2022-09-02 Thread Jacques Le Roux
Severity: High Vendor: The Apache Software Foundation Versions Affected: OFBiz versions prior to 18.12.06 Description: The Birt viewer version 4.5.0 has a security issue that allows this exploit. We waited long for https://github.com/eclipse/birt/issues/625 to resolve but eventually decided to

Apache OFBiz - Java Deserialization via RMI Connection (CVE-2022-29063)

2022-09-02 Thread Jacques Le Roux
Severity: Low (only on shared servers) Vendor: The Apache Software Foundation Versions Affected: OFBiz versions prior to 18.12.06 Description: The OFBiz Solr plugin is configured by default to automatically make an RMI request on localhost, port 1099. By hosting a malicious RMI server on

Subject: Apache OFBiz - Server-Side Template Injection (CVE-2022-25813)

2022-09-02 Thread Jacques Le Roux
Severity: High (SSTI then possible RCE) Vendor: The Apache Software Foundation Versions Affected: OFBiz versions prior to 18.12.06 Description: As an ecommerce anonymous client, an external attacker can insert malicious content in a message "Subject" field from the "Contact us" page. Then a

[ANNOUNCE] Apache OFBiz 18.12 End-Of-Life (EOL) announcement

2022-09-02 Thread Jacques Le Roux
The Apache OFBiz Project Team would like to inform you that OFBiz 18.12.06 is the last release of the 18.12 branch, which has reached its end of life and will no longer be officially supported. https://ofbiz.apache.org/release-notes-18.12.06.html This announcement takes place on 2022-09-02 and

CVE-2022-38170: Apache Airflow: Overly permissive umask for daemons

2022-09-02 Thread Jedidiah Cunningham
Description: In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag, which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary

CVE-2022-38054: Apache Airflow: Session Fixation

2022-09-02 Thread Jedidiah Cunningham
Description: In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. Credit: The Apache Airflow PMC would like to thank Kai Zhao for reporting this issue.

The Apache Weekly News Round-up: week ending 2 September 2022

2022-09-02 Thread Swapnil M Mane
Welcome, September -- we're opening the month with another great week. Here's what the Apache community has been up to: ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998. - Registrations are open for ApacheCon North America, 2022