This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/jena-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new d561f610b Updated site from main
(5e0ccf2e4f402ecc0e7e38c43e66ebe1a3e9efd2)
d561f610b is described below
commit d561f610b1d51c1f3b35a213037971aa9cccad05
Author: jenkins <[email protected]>
AuthorDate: Thu Apr 27 08:56:42 2023 +0000
Updated site from main (5e0ccf2e4f402ecc0e7e38c43e66ebe1a3e9efd2)
---
content/about_jena/security-advisories.html | 26 ++++++++++++++++------
.../documentation/query/javascript-functions.html | 3 +++
content/index.json | 2 +-
content/sitemap.xml | 8 +++----
4 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/content/about_jena/security-advisories.html
b/content/about_jena/security-advisories.html
index 977053521..00da06cd1 100644
--- a/content/about_jena/security-advisories.html
+++ b/content/about_jena/security-advisories.html
@@ -183,6 +183,7 @@
</ul>
<ul>
+ <li><a
href="#cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665
- Exposure of arbitrary execution in script engine expressions.</a></li>
<li><a
href="#cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 -
JDBC Serialisation in Apache Jena SDB</a></li>
<li><a href="#cve-2022-28890---processing-external-dtds">CVE-2022-28890 -
Processing External DTDs</a></li>
<li><a
href="#cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 -
XML External Entity (XXE) Vulnerability</a></li>
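Review bot: the new list entry's link text ends with a trailing period ("...script engine expressions.") while every other CVE entry in this list has none; drop the period here, in the matching `<h2>` anchor text, and in the second copy of this list later in the patch so the generated `id` and the visible text stay consistent across all three places.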
@@ -225,23 +226,33 @@ appropriate to the severity of the issue.</p>
<p>The following CVEs specifically relate to the Jena codebase itself and have
been addressed by the project. Per our
policy above we advise users to always utilise the latest Jena release
available.</p>
<p>Please refer to the individual CVE links for further details and
mitigations.</p>
+<h2
id="cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665
- Exposure of arbitrary execution in script engine expressions.</h2>
+<p><a href="https://www.cve.org/CVERecord?id=CVE-2023-22665">CVE-2023</a>
affects Jena 3.7.0 through 4.7.0 and relates to the
+<a
href="https://jena.apache.org/documentation/query/javascript-functions.html">Javascript
SPARQL Functions</a> feature of our ARQ
+SPARQL engine.</p>
+<p>From Jena 4.8.0 onwards this feature <strong>MUST</strong> be explicitly
enabled by end users, and on newer JVMs (Java 17 onwards) a
+JavaScript script engine <strong>MUST</strong> be explicitly added to the
environment.</p>
+<p>However, when enabled this feature does expose the majority of the
underlying scripting engine directly to SPARQL
+queries so may provide a vector for arbitrary code execution. Therefore, it
is recommended that this feature remain
+disabled for any publicly accessible deployment that utilises the ARQ query
engine.</p>
+<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a>
available.</p>
<h2 id="cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136
- JDBC Serialisation in Apache Jena SDB</h2>
-<p><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45136">CVE-2022-45136</a>
affects all versions of <a href="../documentation/archive/sdb/">Jena
+<p><a
href="https://www.cve.org/CVERecord?id=CVE-2022-45136">CVE-2022-45136</a>
affects all versions of <a href="../documentation/archive/sdb/">Jena
SDB</a> up to and including the final <code>3.17.0</code> release.</p>
<p>Apache Jena SDB has been EOL since December 2020 and we recommend any
remaining users migrate to <a href="../documentation/tdb2/">Jena TDB
2</a> or other 3rd party vendor alternatives.</p>
<p>Apache Jena would like to thank Crilwa & LaNyer640 for reporting this
issue</p>
<h2 id="cve-2022-28890---processing-external-dtds">CVE-2022-28890 - Processing
External DTDs</h2>
-<p><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28890">CVE-2022-28890</a>
affects the RDF/XML parser in Jena 4.4.0
+<p><a
href="https://www.cve.org/CVERecord?id=CVE-2022-28890">CVE-2022-28890</a>
affects the RDF/XML parser in Jena 4.4.0
only.</p>
<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a>
available.</p>
<p>Apache Jena would like to thank Feras Daragma, Avishag Shapira & Amit
Laish (GE Digital, Cyber Security Lab) for their
report.</p>
<h2 id="cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239
- XML External Entity (XXE) Vulnerability</h2>
-<p><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39239">CVE-2021-39239</a>
affects XML parsing up to and including the Jena <code>4.1.0</code>
release.</p>
+<p><a
href="https://www.cve.org/CVERecord?id=CVE-2021-39239">CVE-2021-39239</a>
affects XML parsing up to and including the Jena <code>4.1.0</code> release.</p>
<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a>
available.</p>
<h2
id="cve-2021-33192---display-information-ui-xss-in-apache-jena-fuseki">CVE-2021-33192
- Display information UI XSS in Apache Jena Fuseki</h2>
-<p><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33192">CVE-2021-33192</a>
affected
+<p><a
href="https://www.cve.org/CVERecord?id=CVE-2021-33192">CVE-2021-33192</a>
affected
<a href="../documentation/fuseki2/">Fuseki</a> versions <code>2.0.0</code>
through <code>4.0.0</code>.</p>
<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a>
available.</p>
<h1 id="cves-in-jena-dependencies">CVEs in Jena Dependencies</h1>
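Review bot: the link text for the new CVE-2023-22665 entry is truncated to "CVE-2023" (`<a href="https://www.cve.org/CVERecord?id=CVE-2023-22665">CVE-2023</a>`) while the href and every other advisory on the page use the full identifier; it should read CVE-2023-22665. The paragraph also only implies the fixed release through the affected range "3.7.0 through 4.7.0" and the separate statement that from 4.8.0 the feature must be explicitly enabled; saying outright that 4.8.0 is the first release in which the feature is off by default would make the upgrade advice ("Users should upgrade to latest Jena 4.x") actionable for readers checking a pinned version.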
@@ -249,9 +260,9 @@ report.</p>
standard <a href="#security-issue-policy">Security Issue Policy</a> applies
and any necessary dependency updates, dependency API
and/or configuration changes have been adopted and released as soon as
appropriate.</p>
<h2 id="log4shell">log4shell</h2>
-<p><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046">CVE-2021-45105</a>,
-<a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105">CVE-2021-45105</a>
and
-<a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832">CVE-2021-44832</a>,
collectively known as
+<p><a
href="https://www.cve.org/CVERecord?id=CVE-2021-45046">CVE-2021-45105</a>,
+<a href="https://www.cve.org/CVERecord?id=CVE-2021-45105">CVE-2021-45105</a>
and
+<a href="https://www.cve.org/CVERecord?id=CVE-2021-44832">CVE-2021-44832</a>,
collectively known as
<a href="https://en.wikipedia.org/wiki/Log4Shell">log4shell</a> were several
vulnerabilities identified in the <a
href="https://logging.apache.org/log4j/2.x/index.html">Apache
Log4j</a> project that Jena uses as the concrete logging implementation
for <a href="../documentation/fuseki2/">Fuseki</a> and our command line
tools.</p>
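Review bot: the first log4shell link still shows the wrong identifier: its text reads CVE-2021-45105 while its href points at CVE-2021-45046 (`<a href="https://www.cve.org/CVERecord?id=CVE-2021-45046">CVE-2021-45105</a>`), so CVE-2021-45105 is listed twice and CVE-2021-45046 never appears in the visible text. The mismatch pre-dates this change, but since the hunk rewrites the line anyway, correct the text to CVE-2021-45046 here.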
@@ -272,6 +283,7 @@ for <a href="../documentation/fuseki2/">Fuseki</a> and our
command line tools.</
</ul>
<ul>
+ <li><a
href="#cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665
- Exposure of arbitrary execution in script engine expressions.</a></li>
<li><a
href="#cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 -
JDBC Serialisation in Apache Jena SDB</a></li>
<li><a href="#cve-2022-28890---processing-external-dtds">CVE-2022-28890 -
Processing External DTDs</a></li>
<li><a
href="#cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 -
XML External Entity (XXE) Vulnerability</a></li>
diff --git a/content/documentation/query/javascript-functions.html
b/content/documentation/query/javascript-functions.html
index 4d3116eb0..bce078be2 100644
--- a/content/documentation/query/javascript-functions.html
+++ b/content/documentation/query/javascript-functions.html
@@ -241,6 +241,9 @@ sparql --set arq:js-library=SomeFile.js --data ... --query
...
“SomeFile.js” available.</p>
<p>JavaScript functions can also be set from a string directly from within
Java using constant
<code>ARQ.symJavaScriptFunctions</code> (“<a
href="http://jena.apache.org/ARQ#js-functions%22)">http://jena.apache.org/ARQ#js-functions")</a>.</p>
+<p><strong>WARNING:</strong> Enabling this feature exposes the majority of the
underlying scripting engine directly to SPARQL queries so
+may provide a vector for arbitrary code execution. Therefore it is
recommended that this feature remain disabled for
+any publicly accessible deployment that utilises the ARQ query engine.</p>
<h2 id="using-javascript-functions">Using JavaScript functions</h2>
<p>SPARQL functions implemented in JavaScript are automatically called when a
URI starting “<a
href="http://jena.apache.org/ARQ/jsFunction#%22">http://jena.apache.org/ARQ/jsFunction#"</a>
used.</p>
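Review bot: the WARNING tells operators to keep the feature disabled but gives no way to check whether it is enabled; the surrounding text only describes `arq:js-library` and `ARQ.symJavaScriptFunctions`, which supply the script library, not the explicit enable switch that the security-advisories page in this same commit says 4.8.0 introduced. Name that switch next to the warning, or at least link to the CVE-2023-22665 entry on the advisories page, so a deployment can be audited against it. While in this file, the context line `href="http://jena.apache.org/ARQ#js-functions%22)"` carries a stray encoded quote and parenthesis inside the URL, so the rendered link does not match the symbol URI it is meant to show.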
diff --git a/content/index.json b/content/index.json
index f2aa11fda..390bde4dd 100644
--- a/content/index.json
+++ b/content/index.json
@@ -1 +1 @@
-[{"categories":null,"contents":"This page is historical \u0026ldquo;for
information only\u0026rdquo; - there is no Apache release of Eyeball and the
code has not been updated for Jena3.\nThe original source code is available. So
you\u0026rsquo;ve got Eyeball installed and you\u0026rsquo;ve run it on one of
your files, and Eyeball doesn\u0026rsquo;t like it. You\u0026rsquo;re not sure
why, or what to do about it. Here\u0026rsquo;s what\u0026rsquo;s going
on.\nEyeball inspects your model a [...]
\ No newline at end of file
+[{"categories":null,"contents":"This page is historical \u0026ldquo;for
information only\u0026rdquo; - there is no Apache release of Eyeball and the
code has not been updated for Jena3.\nThe original source code is available. So
you\u0026rsquo;ve got Eyeball installed and you\u0026rsquo;ve run it on one of
your files, and Eyeball doesn\u0026rsquo;t like it. You\u0026rsquo;re not sure
why, or what to do about it. Here\u0026rsquo;s what\u0026rsquo;s going
on.\nEyeball inspects your model a [...]
\ No newline at end of file
diff --git a/content/sitemap.xml b/content/sitemap.xml
index 68f9ae619..ba6cac99e 100644
--- a/content/sitemap.xml
+++ b/content/sitemap.xml
@@ -6,7 +6,7 @@
<lastmod>2020-06-28T16:59:07+01:00</lastmod>
</url><url>
<loc>https://jena.apache.org/about_jena.html</loc>
- <lastmod>2023-04-10T10:11:44+01:00</lastmod>
+ <lastmod>2023-04-26T11:32:32+01:00</lastmod>
</url><url>
<loc>https://jena.apache.org/documentation/permissions/example.html</loc>
<lastmod>2022-01-12T17:24:53+00:00</lastmod>
@@ -114,7 +114,7 @@
<lastmod>2021-11-05T08:11:46+00:00</lastmod>
</url><url>
<loc>https://jena.apache.org/documentation/query/javascript-functions.html</loc>
- <lastmod>2023-02-19T09:28:48+00:00</lastmod>
+ <lastmod>2023-04-26T11:23:47+01:00</lastmod>
</url><url>
<loc>https://jena.apache.org/documentation/query/lateral-join.html</loc>
<lastmod>2023-02-26T22:14:57+01:00</lastmod>
@@ -201,7 +201,7 @@
<lastmod>2023-04-09T15:11:22+02:00</lastmod>
</url><url>
<loc>https://jena.apache.org/documentation.html</loc>
- <lastmod>2023-04-10T12:49:33+02:00</lastmod>
+ <lastmod>2023-04-26T11:23:47+01:00</lastmod>
</url><url>
<loc>https://jena.apache.org/download.html</loc>
<lastmod>2023-04-16T17:26:15+01:00</lastmod>
@@ -375,7 +375,7 @@
<lastmod>2020-05-01T11:11:56+12:00</lastmod>
</url><url>
<loc>https://jena.apache.org/about_jena/security-advisories.html</loc>
- <lastmod>2022-11-21T09:42:05+00:00</lastmod>
+ <lastmod>2023-04-26T11:32:32+01:00</lastmod>
</url><url>
<loc>https://jena.apache.org/documentation/txn/</loc>
<lastmod>2020-02-28T13:09:12+01:00</lastmod>