This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/jena-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new b89d64892 Updated site from main 
(2f8aa5d1320a6403139dbdd69098ff2329b58697)
b89d64892 is described below

commit b89d648928f98e05b874bc4633c58364370f055b
Author: jenkins <[email protected]>
AuthorDate: Tue Jul 11 19:58:04 2023 +0000

    Updated site from main (2f8aa5d1320a6403139dbdd69098ff2329b58697)
---
 content/about_jena/index.xml                |   2 +-
 content/about_jena/security-advisories.html | 170 ++++++++++++++++++----------
 content/index.json                          |   2 +-
 content/index.xml                           |   2 +-
 content/sitemap.xml                         |   4 +-
 5 files changed, 114 insertions(+), 66 deletions(-)

diff --git a/content/about_jena/index.xml b/content/about_jena/index.xml
index 23fec876c..24982bb30 100644
--- a/content/about_jena/index.xml
+++ b/content/about_jena/index.xml
@@ -52,7 +52,7 @@ Pull requests, patches and other contributions 
welcome!</description>
       <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
       
       <guid>https://jena.apache.org/about_jena/security-advisories.html</guid>
-      <description>The Jena project has issued a number of security advisories 
during the lifetime of the project. On this page you&amp;rsquo;ll find details 
of our security issue process, as well as a listing of our past CVEs as well as 
relevant Dependency CVEs.
+      <description>The Jena project has issued a number of security advisories 
during the lifetime of the project. On this page you&amp;rsquo;ll find details 
of our security issue process, as a listing of our past CVEs and relevant 
Dependency CVEs.
 Process Jena follows the standard ASF Security for Committers policy for 
reporting and addressing security issues.
 If you think you have identified a Security issue in our project please refer 
to that policy for how to report it, and the process that the Jena Project 
Management Committee (PMC) will follow in addressing the issue.</description>
     </item>
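Review bot: the rewritten `<description>` in this hunk drops a word: "find details of our security issue process, as a listing of our past CVEs and relevant Dependency CVEs" should read "as well as a listing of our past CVEs and relevant Dependency CVEs". This file is generated from the site source, so the fix belongs in the source page's description rather than in this generated XML; the same sentence is also emitted into content/index.xml later in this push.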
diff --git a/content/about_jena/security-advisories.html 
b/content/about_jena/security-advisories.html
index 00da06cd1..bbf074325 100644
--- a/content/about_jena/security-advisories.html
+++ b/content/about_jena/security-advisories.html
@@ -175,91 +175,125 @@
     <h2 class="h6 sticky-top m-0 p-2 bg-body-tertiary">On this page</h2>
     <nav id="TableOfContents">
   <ul>
-    <li><a href="#process">Process</a></li>
-    <li><a href="#single-supported-version">Single Supported Version</a></li>
-    <li><a href="#standard-mitigation-advice">Standard Mitigation 
Advice</a></li>
-    <li><a href="#end-of-life-eol-components">End of Life (EOL) 
Components</a></li>
-    <li><a href="#security-issues-in-dependencies">Security Issues in 
Dependencies</a></li>
-  </ul>
-
-  <ul>
-    <li><a 
href="#cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665
 - Exposure of arbitrary execution in script engine expressions.</a></li>
-    <li><a 
href="#cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 - 
JDBC Serialisation in Apache Jena SDB</a></li>
-    <li><a href="#cve-2022-28890---processing-external-dtds">CVE-2022-28890 - 
Processing External DTDs</a></li>
-    <li><a 
href="#cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 - 
XML External Entity (XXE) Vulnerability</a></li>
-    <li><a 
href="#cve-2021-33192---display-information-ui-xss-in-apache-jena-fuseki">CVE-2021-33192
 - Display information UI XSS in Apache Jena Fuseki</a></li>
-  </ul>
-
-  <ul>
-    <li><a href="#log4shell">log4shell</a></li>
+    <li><a href="#process">Process</a>
+      <ul>
+        <li><a href="#single-supported-version">Single Supported 
Version</a></li>
+        <li><a href="#standard-mitigation-advice">Standard Mitigation 
Advice</a></li>
+        <li><a href="#end-of-life-eol-components">End of Life (EOL) 
Components</a></li>
+        <li><a href="#security-issues-in-dependencies">Security Issues in 
Dependencies</a></li>
+      </ul>
+    </li>
+    <li><a href="#jena-cves">Jena CVEs</a>
+      <ul>
+        <li>
+          <ul>
+            <li><a 
href="#cve-2023-32200---exposure-of-execution-in-script-engine-expressions">CVE-2023-32200
 - Exposure of execution in script engine expressions.</a></li>
+            <li><a 
href="#cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665
 - Exposure of arbitrary execution in script engine expressions.</a></li>
+            <li><a 
href="#cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 - 
JDBC Serialisation in Apache Jena SDB</a></li>
+            <li><a 
href="#cve-2022-28890---processing-external-dtds">CVE-2022-28890 - Processing 
External DTDs</a></li>
+            <li><a 
href="#cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 - 
XML External Entity (XXE) Vulnerability</a></li>
+            <li><a 
href="#cve-2021-33192---display-information-ui-xss-in-apache-jena-fuseki">CVE-2021-33192
 - Display information UI XSS in Apache Jena Fuseki</a></li>
+          </ul>
+        </li>
+      </ul>
+    </li>
+    <li><a href="#cves-in-jena-dependencies">CVEs in Jena Dependencies</a>
+      <ul>
+        <li>
+          <ul>
+            <li><a href="#log4shell">log4shell</a></li>
+          </ul>
+        </li>
+      </ul>
+    </li>
   </ul>
 </nav>
   </aside>
   <article class="flex-column me-lg-4">
-    <p>The Jena project has issued a number of security advisories during the 
lifetime of the project.  On this page you&rsquo;ll
-find details of our <a href="#process">security issue process</a>, as well as 
a listing of our past <a href="#jena-cves">CVEs</a> as well as relevant <a 
href="#cves-in-jena-dependencies">Dependency CVEs</a>.</p>
+    <p>The Jena project has issued a number of security advisories during the 
lifetime of the
+project. On this page you&rsquo;ll find details of our <a 
href="#process">security issue
+process</a>, as a listing of our past <a href="#jena-cves">CVEs</a> and
+relevant <a href="#cves-in-jena-dependencies">Dependency CVEs</a>.</p>
 <h2 id="process">Process</h2>
 <p>Jena follows the standard <a 
href="https://www.apache.org/security/committers.html";>ASF Security for 
Committers</a> policy for
 reporting and addressing security issues.</p>
 <p>If you think you have identified a Security issue in our project please 
refer to that policy for how to report it, and
 the process that the Jena Project Management Committee (PMC) will follow in 
addressing the issue.</p>
-<h2 id="single-supported-version">Single Supported Version</h2>
+<h3 id="single-supported-version">Single Supported Version</h3>
 <p>As a project, Apache Jena only has the resources to maintain a single 
release
-version.  Any accepted security issue will be fixed in a future release in a 
timeframe appropriate to the severity of the issue.</p>
-<h2 id="standard-mitigation-advice">Standard Mitigation Advice</h2>
-<p>Note that as a project our guidance to users is <strong>always</strong> to 
use the newest Jena version available to ensure you have
-any security fixes we have made available.</p>
-<p>Where more specific mitigations are available these will be denoted in the 
individual CVEs.</p>
-<h2 id="end-of-life-eol-components">End of Life (EOL) Components</h2>
+version.  Any accepted security issue will be fixed in a future release in a
+timeframe appropriate to the severity of the issue.</p>
+<h3 id="standard-mitigation-advice">Standard Mitigation Advice</h3>
+<p>Note that as a project our guidance to users is <em>always</em> to use the 
newest
+Jena version available to ensure you have any security fixes we have made
+available.</p>
+<p>Where more specific mitigations are available, these will be denoted in the 
individual CVEs.</p>
+<h3 id="end-of-life-eol-components">End of Life (EOL) Components</h3>
 <p>Where a security advisory is issued for a component that is already EOL 
(sometimes referred to as archived or retired
 within our documentation) then we will not fix the issue but instead reiterate 
our previous recommendations that users
 cease using the EOL component and migrate to actively supported components.</p>
 <p>Such issues will follow the <a 
href="https://cve.mitre.org/cve/cna/CVE_Program_End_of_Life_EOL_Assignment_Process.html";>CVE
 EOL Assignment
 Process</a> and will be clearly denoted
 by the <strong>UNSUPPORTED WHEN ASSIGNED</strong> text at the start of the 
description.</p>
-<h2 id="security-issues-in-dependencies">Security Issues in Dependencies</h2>
-<p>For our dependencies the project relies primarily upon GitHub Dependabot 
Alerts to be made aware of available dependency
+<h3 id="security-issues-in-dependencies">Security Issues in Dependencies</h3>
+<p>For our dependencies, the project relies primarily upon GitHub Dependabot 
Alerts to be made aware of available dependency
 updates, whether security related or otherwise.  When a security related 
update is released and our analysis shows that
 Jena users may be affected we endeavour to take the dependency upgrade ASAP 
and make a new release in timeframe
 appropriate to the severity of the issue.</p>
-<h1 id="jena-cves">Jena CVEs</h1>
+<h2 id="jena-cves">Jena CVEs</h2>
 <p>The following CVEs specifically relate to the Jena codebase itself and have 
been addressed by the project. Per our
 policy above we advise users to always utilise the latest Jena release 
available.</p>
 <p>Please refer to the individual CVE links for further details and 
mitigations.</p>
-<h2 
id="cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665
 - Exposure of arbitrary execution in script engine expressions.</h2>
-<p><a href="https://www.cve.org/CVERecord?id=CVE-2023-22665";>CVE-2023</a> 
affects Jena 3.7.0 through 4.7.0 and relates to the
-<a 
href="https://jena.apache.org/documentation/query/javascript-functions.html";>Javascript
 SPARQL Functions</a> feature of our ARQ
-SPARQL engine.</p>
-<p>From Jena 4.8.0 onwards this feature <strong>MUST</strong> be explicitly 
enabled by end users, and on newer JVMs (Java 17 onwards) a
-JavaScript script engine <strong>MUST</strong> be explicitly added to the 
environment.</p>
-<p>However, when enabled this feature does expose the majority of the 
underlying scripting engine directly to SPARQL
-queries so may provide a vector for arbitrary code execution.  Therefore, it 
is recommended that this feature remain
-disabled for any publicly accessible deployment that utilises the ARQ query 
engine.</p>
+<h4 
id="cve-2023-32200---exposure-of-execution-in-script-engine-expressions">CVE-2023-32200
 - Exposure of execution in script engine expressions.</h4>
+<p><a 
href="https://www.cve.org/CVERecord?id=CVE-2023-32200";>CVE-2023-32200</a> 
affects Jena 3.7.0
+through Jena 4.8.0 and relates to the
+<a 
href="https://jena.apache.org/documentation/query/javascript-functions.html";>Javascript
 SPARQL Functions</a>
+feature of our ARQ SPARQL engine.</p>
+<p>There is insufficient restrictions of called script functions in Apache Jena
+versions 4.8.0 and earlier, when invoking custom scripts. It allows a remote
+user to execute javascript via a SPARQL query.</p>
+<p>From Jena 4.9.0, script functions <strong>MUST</strong> be added to an 
explicit &ldquo;allow&rdquo; list
+for them to be called from the SPARQL query engine. This is in addition to the
+script enabling controls of Jena 4.8.0 which <strong>MUST</strong> also be 
applied.</p>
+<p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> 
available.</p>
+<h4 
id="cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665
 - Exposure of arbitrary execution in script engine expressions.</h4>
+<p><a 
href="https://www.cve.org/CVERecord?id=CVE-2023-22665";>CVE-2023-22665</a> 
affects Jena
+3.7.0 through 4.7.0 and relates to the
+<a 
href="https://jena.apache.org/documentation/query/javascript-functions.html";>Javascript
 SPARQL Functions</a>
+feature of our ARQ SPARQL engine.</p>
+<p>From Jena 4.8.0 onwards this feature <strong>MUST</strong> be explicitly 
enabled by end
+users, and on newer JVMs (Java 17 onwards) a JavaScript script engine 
<strong>MUST</strong>
+be explicitly added to the environment.</p>
+<p>However, when enabled this feature does expose the majority of the 
underlying
+scripting engine directly to SPARQL queries so may provide a vector for
+arbitrary code execution.  Therefore, it is recommended that this feature 
remain
+disabled for any publicly accessible deployment that utilises the ARQ query
+engine.</p>
 <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> 
available.</p>
-<h2 id="cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 
- JDBC Serialisation in Apache Jena SDB</h2>
+<h4 id="cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 
- JDBC Serialisation in Apache Jena SDB</h4>
 <p><a 
href="https://www.cve.org/CVERecord?id=CVE-2022-45136";>CVE-2022-45136</a> 
affects all versions of <a href="../documentation/archive/sdb/">Jena
 SDB</a> up to and including the final <code>3.17.0</code> release.</p>
 <p>Apache Jena SDB has been EOL since December 2020 and we recommend any 
remaining users migrate to <a href="../documentation/tdb2/">Jena TDB
 2</a> or other 3rd party vendor alternatives.</p>
 <p>Apache Jena would like to thank Crilwa &amp; LaNyer640 for reporting this 
issue</p>
-<h2 id="cve-2022-28890---processing-external-dtds">CVE-2022-28890 - Processing 
External DTDs</h2>
+<h4 id="cve-2022-28890---processing-external-dtds">CVE-2022-28890 - Processing 
External DTDs</h4>
 <p><a 
href="https://www.cve.org/CVERecord?id=CVE-2022-28890";>CVE-2022-28890</a> 
affects the RDF/XML parser in Jena 4.4.0
 only.</p>
 <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> 
available.</p>
 <p>Apache Jena would like to thank Feras Daragma, Avishag Shapira &amp; Amit 
Laish (GE Digital, Cyber Security Lab) for their
 report.</p>
-<h2 id="cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 
- XML External Entity (XXE) Vulnerability</h2>
+<h4 id="cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 
- XML External Entity (XXE) Vulnerability</h4>
 <p><a 
href="https://www.cve.org/CVERecord?id=CVE-2021-39239";>CVE-2021-39239</a> 
affects XML parsing up to and including the Jena <code>4.1.0</code> release.</p>
 <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> 
available.</p>
-<h2 
id="cve-2021-33192---display-information-ui-xss-in-apache-jena-fuseki">CVE-2021-33192
 - Display information UI XSS in Apache Jena Fuseki</h2>
+<h4 
id="cve-2021-33192---display-information-ui-xss-in-apache-jena-fuseki">CVE-2021-33192
 - Display information UI XSS in Apache Jena Fuseki</h4>
 <p><a 
href="https://www.cve.org/CVERecord?id=CVE-2021-33192";>CVE-2021-33192</a> 
affected
 <a href="../documentation/fuseki2/">Fuseki</a> versions <code>2.0.0</code> 
through <code>4.0.0</code>.</p>
 <p>Users should upgrade to latest Jena 4.x <a href="../download/">release</a> 
available.</p>
-<h1 id="cves-in-jena-dependencies">CVEs in Jena Dependencies</h1>
+<h2 id="cves-in-jena-dependencies">CVEs in Jena Dependencies</h2>
 <p>The following advisories are CVEs in Jena&rsquo;s dependencies that may 
affect users of Jena, as with Jena specific CVEs our
 standard <a href="#security-issue-policy">Security Issue Policy</a> applies 
and any necessary dependency updates, dependency API
 and/or configuration changes have been adopted and released as soon as 
appropriate.</p>
-<h2 id="log4shell">log4shell</h2>
+<h4 id="log4shell">log4shell</h4>
 <p><a 
href="https://www.cve.org/CVERecord?id=CVE-2021-45046";>CVE-2021-45105</a>,
 <a href="https://www.cve.org/CVERecord?id=CVE-2021-45105";>CVE-2021-45105</a> 
and
 <a href="https://www.cve.org/CVERecord?id=CVE-2021-44832";>CVE-2021-44832</a>, 
collectively known as
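Review bot: the new heading hierarchy skips a level, which is what produces the odd TableOfContents markup at the top of this hunk: "Jena CVEs" and "CVEs in Jena Dependencies" become `<h2>`, but every CVE entry (and `log4shell`) becomes `<h4>`, so the TOC generator wraps them in an anchorless `<li>` / `<ul>` pair under each section. Using `<h3>` for the CVE entries would make the TOC nest cleanly and read as Process > Single Supported Version etc. alongside Jena CVEs > CVE-2023-32200 etc. Two wording points in the added text: the new CVE-2023-32200 paragraph "There is insufficient restrictions of called script functions ... It allows a remote user to execute javascript via a SPARQL query" should read "There are insufficient restrictions on called script functions" and "JavaScript"; and the rewritten intro paragraph "as a listing of our past CVEs and relevant Dependency CVEs" is missing "well as" (it should be "as well as a listing of ..."). Two pre-existing defects in the unchanged context are worth fixing while this page is being touched: in the log4shell paragraph the first link has `href="https://www.cve.org/CVERecord?id=CVE-2021-45046"` but its anchor text reads `CVE-2021-45105`, duplicating the text of the next link, so the visible text should be CVE-2021-45046; and `<a href="#security-issue-policy">Security Issue Policy</a>` points at an id that does not exist on this page (the policy section is `id="process"`), so the link is dead.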
@@ -275,23 +309,37 @@ for <a href="../documentation/fuseki2/">Fuseki</a> and 
our command line tools.</
     <h2 class="h6 sticky-top m-0 p-2 bg-body-tertiary">On this page</h2>
     <nav id="TableOfContents">
   <ul>
-    <li><a href="#process">Process</a></li>
-    <li><a href="#single-supported-version">Single Supported Version</a></li>
-    <li><a href="#standard-mitigation-advice">Standard Mitigation 
Advice</a></li>
-    <li><a href="#end-of-life-eol-components">End of Life (EOL) 
Components</a></li>
-    <li><a href="#security-issues-in-dependencies">Security Issues in 
Dependencies</a></li>
-  </ul>
-
-  <ul>
-    <li><a 
href="#cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665
 - Exposure of arbitrary execution in script engine expressions.</a></li>
-    <li><a 
href="#cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 - 
JDBC Serialisation in Apache Jena SDB</a></li>
-    <li><a href="#cve-2022-28890---processing-external-dtds">CVE-2022-28890 - 
Processing External DTDs</a></li>
-    <li><a 
href="#cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 - 
XML External Entity (XXE) Vulnerability</a></li>
-    <li><a 
href="#cve-2021-33192---display-information-ui-xss-in-apache-jena-fuseki">CVE-2021-33192
 - Display information UI XSS in Apache Jena Fuseki</a></li>
-  </ul>
-
-  <ul>
-    <li><a href="#log4shell">log4shell</a></li>
+    <li><a href="#process">Process</a>
+      <ul>
+        <li><a href="#single-supported-version">Single Supported 
Version</a></li>
+        <li><a href="#standard-mitigation-advice">Standard Mitigation 
Advice</a></li>
+        <li><a href="#end-of-life-eol-components">End of Life (EOL) 
Components</a></li>
+        <li><a href="#security-issues-in-dependencies">Security Issues in 
Dependencies</a></li>
+      </ul>
+    </li>
+    <li><a href="#jena-cves">Jena CVEs</a>
+      <ul>
+        <li>
+          <ul>
+            <li><a 
href="#cve-2023-32200---exposure-of-execution-in-script-engine-expressions">CVE-2023-32200
 - Exposure of execution in script engine expressions.</a></li>
+            <li><a 
href="#cve-2023-22665---exposure-of-arbitrary-execution-in-script-engine-expressions">CVE-2023-22665
 - Exposure of arbitrary execution in script engine expressions.</a></li>
+            <li><a 
href="#cve-2022-45136---jdbc-serialisation-in-apache-jena-sdb">CVE-2022-45136 - 
JDBC Serialisation in Apache Jena SDB</a></li>
+            <li><a 
href="#cve-2022-28890---processing-external-dtds">CVE-2022-28890 - Processing 
External DTDs</a></li>
+            <li><a 
href="#cve-2021-39239---xml-external-entity-xxe-vulnerability">CVE-2021-39239 - 
XML External Entity (XXE) Vulnerability</a></li>
+            <li><a 
href="#cve-2021-33192---display-information-ui-xss-in-apache-jena-fuseki">CVE-2021-33192
 - Display information UI XSS in Apache Jena Fuseki</a></li>
+          </ul>
+        </li>
+      </ul>
+    </li>
+    <li><a href="#cves-in-jena-dependencies">CVEs in Jena Dependencies</a>
+      <ul>
+        <li>
+          <ul>
+            <li><a href="#log4shell">log4shell</a></li>
+          </ul>
+        </li>
+      </ul>
+    </li>
   </ul>
 </nav>
   </aside>
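Review bot: this second copy of the nav repeats the same anchorless `<li>` / `<ul>` wrappers under "Jena CVEs" and "CVEs in Jena Dependencies" as the first copy, for the same reason (CVE entries rendered as `<h4>` directly under an `<h2>`). Both copies are generated from the page's heading levels, so changing the CVE headings to `<h3>` in the source fixes both at once; do not patch the generated HTML by hand.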
diff --git a/content/index.json b/content/index.json
index f0ae6506f..29cbb7af8 100644
--- a/content/index.json
+++ b/content/index.json
@@ -1 +1 @@
-[{"categories":null,"contents":"This page is historical \u0026ldquo;for 
information only\u0026rdquo; - there is no Apache release of Eyeball and the 
code has not been updated for Jena3.\nThe original source code is available. So 
you\u0026rsquo;ve got Eyeball installed and you\u0026rsquo;ve run it on one of 
your files, and Eyeball doesn\u0026rsquo;t like it. You\u0026rsquo;re not sure 
why, or what to do about it. Here\u0026rsquo;s what\u0026rsquo;s going 
on.\nEyeball inspects your model a [...]
\ No newline at end of file
+[{"categories":null,"contents":"This page is historical \u0026ldquo;for 
information only\u0026rdquo; - there is no Apache release of Eyeball and the 
code has not been updated for Jena3.\nThe original source code is available. So 
you\u0026rsquo;ve got Eyeball installed and you\u0026rsquo;ve run it on one of 
your files, and Eyeball doesn\u0026rsquo;t like it. You\u0026rsquo;re not sure 
why, or what to do about it. Here\u0026rsquo;s what\u0026rsquo;s going 
on.\nEyeball inspects your model a [...]
\ No newline at end of file
diff --git a/content/index.xml b/content/index.xml
index 77226d382..899ae73a3 100644
--- a/content/index.xml
+++ b/content/index.xml
@@ -1287,7 +1287,7 @@ Schemagen is typically invoked from the command line or 
from a built script (suc
       <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
       
       <guid>https://jena.apache.org/about_jena/security-advisories.html</guid>
-      <description>The Jena project has issued a number of security advisories 
during the lifetime of the project. On this page you&amp;rsquo;ll find details 
of our security issue process, as well as a listing of our past CVEs as well as 
relevant Dependency CVEs.
+      <description>The Jena project has issued a number of security advisories 
during the lifetime of the project. On this page you&amp;rsquo;ll find details 
of our security issue process, as a listing of our past CVEs and relevant 
Dependency CVEs.
 Process Jena follows the standard ASF Security for Committers policy for 
reporting and addressing security issues.
 If you think you have identified a Security issue in our project please refer 
to that policy for how to report it, and the process that the Jena Project 
Management Committee (PMC) will follow in addressing the issue.</description>
     </item>
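Review bot: same dropped word as in content/about_jena/index.xml: "as a listing of our past CVEs and relevant Dependency CVEs" should read "as well as a listing of our past CVEs and relevant Dependency CVEs". Both feed entries are rendered from one source description, so a single fix in the source page corrects both.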
diff --git a/content/sitemap.xml b/content/sitemap.xml
index 5a37ffdf6..d789c1150 100644
--- a/content/sitemap.xml
+++ b/content/sitemap.xml
@@ -6,7 +6,7 @@
     <lastmod>2020-06-28T16:59:07+01:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/about_jena.html</loc>
-    <lastmod>2023-04-26T11:32:32+01:00</lastmod>
+    <lastmod>2023-07-11T20:47:52+01:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/documentation/permissions/example.html</loc>
     <lastmod>2022-01-12T17:24:53+00:00</lastmod>
@@ -375,7 +375,7 @@
     <lastmod>2020-05-01T11:11:56+12:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/about_jena/security-advisories.html</loc>
-    <lastmod>2023-04-26T11:32:32+01:00</lastmod>
+    <lastmod>2023-07-11T20:47:52+01:00</lastmod>
   </url><url>
     <loc>https://jena.apache.org/documentation/txn/</loc>
     <lastmod>2020-02-28T13:09:12+01:00</lastmod>
