announce

Messages by Thread

CVE-2026-25917: Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) Rahul Vats
CVE-2026-32228: Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to Rahul Vats
CVE-2026-30898: Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf Rahul Vats
CVE-2026-32690: Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 Rahul Vats
[ANN] Apache Maven 3.9.15 released Slawomir Jaranowski
[ANNOUNCE] Apache Pulsar Client Python 3.11.0 released Yunze Xu
CVE-2026-30912: Apache Airflow: Exposing stack trace in case of constraint error Rahul Vats
CVE-2025-66335: Apache Doris MCP Server: MCP SQL inject Mingyu Chen
CVE-2026-33558: Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output Luke Chen
CVE-2026-33557: Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication Luke Chen
CVE-2026-31987: Apache Airflow: JWT token appearing in logs Rahul Vats
[ANNOUNCE] Apache Camel 4.19.0 Released Gregor Zurowski
[ANNOUNCE] Apache Grails 7.1.0 James Daugherty
[ANNOUNCE] Apache Pinot 1.5.0 Released Yash Mayya
[ANNOUNCE] Apache Pulsar C# Client DotPulsar 5.3.0 released David Jensen
[ANNOUNCE] Apache Pulsar Go Client 0.19.0 released Zike Yang
CVE-2026-25219: Apache Airlfow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access Jarek Potiuk
[ANNOUNCE] Apache Cloudberry (Incubating) 2.1.0 released Dianjin Wang
CVE-2026-30778: Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. Kai Wan
CVE-2025-54550: Apache Airflow: RCE by race condition in example_xcom dag Jarek Potiuk
[ANNOUNCE] Apache APISIX 3.16.0 has been released Abhishek Choudhary
[ANNOUNCE] Apache IoTDB 2.0.8 released Haonan Hou
[ANNOUNCE] Apache Airflow Providers prepared on 2026-04-12 are released Jarek Potiuk
CVE-2026-31908: Apache APISIX: forward auth plugin allows header injection Abhishek Choudhary
CVE-2026-31924: Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP Abhishek Choudhary
CVE-2026-33929: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code Tilman Hausherr
CVE-2026-31923: Apache APISIX: Openid-connect `tls_verify` field is disabled by default Abhishek Choudhary
CVE-2026-39816: Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService David Handermann
CVE-2026-33858: Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API Rahul Vats
CVE-2025-66236: Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI Rahul Vats
CVE-2026-34884: Apache SkyWalking MCP: SSRF via set_skywalking_url Tool and GraphQL Expression Injection in MCP Server Qiuxia Fan
CVE-2026-34476: Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server Qiuxia Fan
[ANNOUNCE] Apache Airflow Providers prepared on 2026-04-08 are released Jarek Potiuk
[ANNOUNCE] Apache Storm 2.8.6 Released Richard Zowalla
CVE-2026-35565: Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI Richard Zowalla
CVE-2026-35337: Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling Richard Zowalla
[ANNOUNCE] Apache SkyWalking MCP 0.2.0 Released xue fan
[ANNOUNCE] Apache Pulsar Node.js client 1.17.0 released Baodi Shi
[ANN] Apache Ant 1.10.17 Released Stefan Bodewig
[ANNOUNCE] Apache NiFi 2.9.0 Released Pierre Villard
CVE-2026-40023: Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters Piotr Karwasz
CVE-2026-34481: Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout Piotr Karwasz
CVE-2026-34480: Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters Piotr Karwasz
CVE-2026-40021: Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters Piotr Karwasz
CVE-2026-34479: Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters Piotr Karwasz
CVE-2026-34478: Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility Piotr Karwasz
CVE-2026-34477: Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass Piotr Karwasz
[ANNOUNCE] Apache Jackrabbit 2.23.4-beta released Julian Reschke
[SECURITY] CVE-2026-34500 Apache Tomcat - OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled Mark Thomas
[SECURITY] CVE-2026-32990 Apache Tomcat - The fix for CVE-2025-66614 is incomplete Mark Thomas
[SECURITY] CVE-2026-34483 Apache Tomcat - Incomplete escaping of JSON access logs Mark Thomas
[SECURITY] CVE-2026-34487 Apache Tomcat - Cloud membership for clustering component exposed the Kubernetes bearer token Mark Thomas
[SECURITY] CVE-2026-34486 Apache Tomcat - Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor Mark Thomas
[SECURITY] CVE-2026-29145 Apache Tomcat and Tomcat Native - OCSP checks sometimes soft-fail even when soft-fail is disabled Mark Thomas
[SECURITY] CVE-2026-29146 Apache Tomcat - EncryptInterceptor vulnerable to padding oracle attack by default Mark Thomas
[SECURITY] CVE-2026-25854 Apache Tomcat - Occasionally open redirect Mark Thomas
[SECURITY] CVE-2026-29129 Apache Tomcat - Configured TLS cipher preference order not preserved Mark Thomas
[SECURITY] CVE-2026-24880 Apache Tomcat - Request smuggling via invalid chunk extension Mark Thomas
The Apache Software Foundation Welcomes 45 New Members Brian Proffitt
CVE-2026-34020: Apache OpenMeetings: Login Credentials Passed via GET Query Parameters Maxim Solodovnik
CVE-2026-33266: Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt Maxim Solodovnik
CVE-2026-33005: Apache OpenMeetings: Insufficient checks in FileWebService Maxim Solodovnik
[ANNOUNCE] Apache ActiveMQ 6.2.4 has been released! Christopher Shannon
[ANNOUNCE] Apache ActiveMQ 5.19.5 has been released! Christopher Shannon
CVE-2026-40046: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated Christopher L. Shannon
CVE-2026-39304: Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM Christopher L. Shannon
[ANNOUNCE] Apache OpenMeetings 9.0.0 is released Maxim Solodovnik
[ANNOUNCE] Apache Arrow ADBC 23 Released David Li
CVE-2025-57735: Apache Airflow: Airflow Logout Not Invalidating JWT Rahul Vats
CVE-2026-34538: Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure) Rahul Vats
[ANNOUNCE] Apache Commons Configuration 2.14.0 Gary Gregory
[ANNOUNCE] Release Apache Fluss (fluss-rust) 0.1.0-incubating yunhong Zheng
[ANNOUNCE] Apache Xalan Java xslt 3.0 alpha1 released Mukul Gandhi
[ANNOUNCE] Apache Airflow 3.2.0 Released Rahul Vats
CASSANDRA-21202: CVE-2026-32588: Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing Michael Semb Wever
CVE-2026-27315: Apache Cassandra: cqlsh history sensitive information leak Michael Semb Wever
CVE-2026-27314: Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass Michael Semb Wever
CVE-2026-35554: Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition Manikumar
[ANNOUNCE] Apache MINA SSHD 3.0.0-M3 released Thomas Wolf
CVE-2026-34197: Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans Christopher L. Shannon
CVE-2026-33227: Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ Web: Improper Limitation of a Pathname to a Restricted Directory Christopher L. Shannon
[ANNOUNCE] Apache Ratis 3.2.2 Release Xinyu Tan
[ANNOUNCE] Apache Pekko (Core) 1.5.0 released PJ Fanning
[ANNOUNCE] Apache Grails 7.0.10 James Daugherty
[ANN] Apache Tomcat 11.0.21 Available Mark Thomas
[ANNOUNCE] Apache Grails 7.1.0-RC1 James Daugherty
[ANNOUNCE] Apache log4cxx 1.7.0 released Stephen Webb
[ANNOUNCE] Apache SkyWalking 10.4.0 released Sheng Wu
[ANN] Apache Syncope 4.0.5 Francesco Chicchiriccò
[ANN] Apache Syncope 4.1.0 Francesco Chicchiriccò
[ANN] Apache Tomcat 9.0.117 available Rémy Maucherat
[ANN] Apache Tomcat 10.1.54 Available Christopher Schultz
[ANN] End Of Support for Tomcat Native 1.x Christopher Schultz
[ANNOUNCE] Apache Traffic Server 10.1.2 Release Chris McFarlen
[ANNOUNCE] Apache Pulsar Client C++ 4.1.0 released Yunze Xu
[ANNOUNCE] Apache Accumulo Access 1.0.0-beta2 Christopher
[ANNOUNCE] Apache ActiveMQ 5.19.4 has been released! Jean-Baptiste Onofré
[ANN] Apache Ant 1.10.16 Released Stefan Bodewig
[ANNOUNCE] Apache Pulsar 4.2.0 released Lari Hotari
Apache Beam 2.72.0 Released! Vitalii Terentev
[ANNOUNCE] Apache ActiveMQ 6.2.3 has been released! Jean-Baptiste Onofré
CVE-2026-32794: Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange Jens Scheffler
[ANNOUNCE] Release Apache SkyWalking Client JS version 1.1.0 xue fan
[ANNOUNCE] Apache Groovy 5.0.5 Released Paul King
[ANNOUNCE] Apache Groovy 4.0.31 Released Paul King
[ANNOUNCE] Apache Airflow Providers prepared on 2026-03-24 are released Jens Scheffler
[ANNOUNCE] Apache Log4j `2.25.4` released Piotr P. Karwasz
[ANNOUNCE] Apache Camel 4.18.1 (LTS) Released Gregor Zurowski
[ANNOUNCE] Apache Kyuubi v1.11.1 is available Cheng Pan
[ANNOUNCEMENT] HttpComponents Core 5.5-alpha1 released Oleg Kalnichevski
[ANNOUNCE] Apache SkyWalking MCP 0.1.0 Released xue fan
[ANNOUNCE] Apache TsFile 2.2.1 released Haonan Hou
[ANNOUNCE] Apache Storm 2.8.5 Released Rui Abreu
[ANNOUNCE] Apache ActiveMQ 6.2.2 has been released! Jean-Baptiste Onofré
[ANNOUNCE] Apache ActiveMQ 5.19.3 has been released! Jean-Baptiste Onofré
[ANNOUNCE] Apache Tika 3.3.0 released Tim Allison
[ANN] Apache Tomcat 10.1.53 Available Christopher Schultz
[ANNOUNCE] Apache Airflow Helm Chart version 1.20.0 Released Jens Scheffler
CVE-2026-32642: Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission Justin Bertram
[ANNOUNCE] Apache Creadur RAT 0.18 P. Ottlinger
[ANN] Apache Tomcat 9.0.116 available Rémy Maucherat
[ANN] Apache Maven Daemon 1.0.5 released Tamás Cservenák
[ANN] Apache Tomcat 11.0.20 Available Mark Thomas
[ANNOUNCE] Apache Airflow CTl 0.1.3 from 0.1.3rc2 released Bugra Ozturk
[ANNOUNCE] Apache Commons Net 3.13.0 Gary Gregory
[ANNOUNCE] Apache Fory 0.16.0 released Shawn Yang
[ANNOUNCE] Apache Kafka 4.1.2 Andrew Schofield
Fwd: [ANNOUNCE] Apache Arrow Java 19.0.0 released Jean-Baptiste Onofré
[ANNOUNCE] Apache Seatunnel 2.3.13 released lidongdai
[ANNOUNCE] Apache Grails 7.0.9 James Daugherty
CVE-2026-28563: Apache Airflow: DAG authorization bypass Rahul Vats
CVE-2026-26929: Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata Rahul Vats
CVE-2026-28779: Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications Rahul Vats
CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization Rahul Vats
[ANNOUNCE] Apache Pekko Connectors 1.3.0 released PJ Fanning
[ANN] Apache Maven Daemon 1.0.4 released Tamás Cservenák
[ANNOUNCE] Apache PDFBox 2.0.36 released Andreas Lehmkühler
[ANNOUNCE] Apache Airflow 2.11.2 Released Jarek Potiuk
[ANNOUNCE] Apache Airflow Providers prepared on 2026-03-09 are released Vincent Beck
CVE-2025-54920: Apache Spark: Spark History Server Code Execution Vulnerability Holden Karau
CVE-2025-60012: Apache Livy: Restrict file access György Gál
CVE-2025-66249: Apache Livy: Unauthorized directory access György Gál
[ANN] Apache Maven 3.9.14 released Tamás Cservenák
[ANNOUNCE] Apache Airflow 3.1.8 Released Rahul Vats
[ANNOUNCE] Apache Gluten 1.6.0 released Hongze Zhang
[ANNOUNCE] Apache Pekko Management 1.2.1 released PJ Fanning
[ANN] Apache Tomcat Native 2.0.14 released Mark Thomas
[ANN] Apache Tomcat Native 1.3.7 released Mark Thomas
CVE-2026-23907: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code Tilman Hausherr
[ANNOUNCE] Apache PDFBox 3.0.7 released Andreas Lehmkühler
[ANN] Apache Sling 14 Released Stefan Seifert
CVE-2026-25604: Apache Airflow AWS Auth Manager - Host Header Injection Leading to SAML Authentication Bypass Jarek Potiuk
CVE-2026-24015: Apache IoTDB: Insecure Default Configuration Vulnerability Haonan Hou
CVE-2026-24713: Apache IoTDB: JEXL Expression Injection Vulnerability Haonan Hou
CVE-2025-64152: Apache IoTDB: Path Traversal Vulnerability Haonan Hou
CVE-2025-55017: Apache IoTDB: Path Traversal Vulnerability Haonan Hou
CVE-2025-69219: Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator Jarek Potiuk
[ANNOUNCE] Apache Grails 7.0.8 James Fredley
[ANNOUNCE] Apache Commons Logging 1.3.6 Gary Gregory
[ANNOUNCE] Apache Storm 2.8.4 Released Rui Abreu
[ANNOUNCE] Release Apache DolphinScheduler 3.4.1 wenjun
CVE-2026-24308: Apache ZooKeeper: Sensitive information disclosure in client configuration handling Andor Molnar
CVE-2026-24281: Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager Andor Molnar
[ANNOUNCEMENT] HttpComponents Core 5.4.2 GA released Oleg Kalnichevski
[ANN] Apache Maven 3.9.13 released Tamás Cservenák
[ANNOUNCE] Apache Pulsar C# Client DotPulsar 5.2.2 released David Jensen
[ANNOUNCE] Apache Iceberg Go Release v0.5.0 Matt Topol
[ANNOUNCE] Apache Accumulo ClassLoader Extras 1.0.0 Christopher
[ANNOUNCE] Apache IoTDB 1.3.7 released Haonan Hou
[ANNOUNCE] Apache IoTDB 2.0.7 released Haonan Hou
[ANNOUNCE] Apache Airflow Providers prepared on 2026-03-03 are released Jarek Potiuk
[ANNOUNCE] Apache Solr 10.0.0 released Anshum Gupta
[ANNOUNCE] Apache Jackrabbit Oak 1.92.0 Julian Reschke
CVE-2025-66168: Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated Christopher L. Shannon
CVE-2026-27446: Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation Justin Bertram
Apache Airflow Providers prepared on 2026-02-26 are released Jarek Potiuk
CVE-2025-59059: Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator Velmurugan Periasamy
CVE-2025-59060: Apache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClient Velmurugan Periasamy
[ANNOUNCE] Apache Artemis 2.52.0 Released Justin Bertram
[ANNOUNCE] Apache Fluss 0.9.0-incubating released yuxia luo
[ANNOUNCE] Apache Ranger 2.8.0 released Madhan Neethiraj
[ANNOUNCE] Apache ShardingSphere 5.5.3 available Longtao Jiang
[ANNOUNCE] Release Apache Kvrocks 2.15.0 hulk
[ANNOUNCE] Apache Pulsar C# Client DotPulsar 5.2.1 released David Jensen
[ANNOUNCE] Apache NiFi NAR Maven Plugin 2.3.0 Released Pierre Villard
[ANNOUNCE] Apache Arrow nanoarrow 0.8.0 Released Dewey Dunnington
[ANNOUNCE] Apache Wayang 1.1.1 released Mads Sejer
[ANNOUNCE] OpenNLP 3.0.0-M1 released Richard Zowalla
[ANNOUNCE] Apache NetBeans 29 Released Eric Barboni
CVE-2026-23984: Apache Superset: SQLLab Read-Only Bypass on PostgreSQL Daniel Gaspar
CVE-2026-23983: Apache Superset: Sensitive Data Exposure via REST API (disabled by default) Daniel Gaspar
CVE-2026-23982: Apache Superset: Improper Authorization in Dataset Creation Allows Access Control Bypass Daniel Gaspar
CVE-2026-23980: Apache Superset: Improper Neutralization of Special Elements used in a SQL Command Daniel Gaspar
CVE-2026-23969: Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering Daniel Gaspar
CVE-2024-56373: Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information Jarek Potiuk
CVE-2025-27555: Apache Airflow: Connection Secrets not masked in UI when Connection are added via Airflow cli Jarek Potiuk
[ANNOUNCE] Apache Pulsar Helm Chart version 4.5.0 Released Lari Hotari
[ANN] Apache Syncope 4.1.0-M0 Francesco Chicchiriccò
[ANNOUNCE] Apache Airflow 2.11.1 and Fab provider 1.5.4 Released Jarek Potiuk
[ANNOUNCE] Apache Pulsar 4.1.3 released Lari Hotari

Earlier messages