This is an automated email from the ASF dual-hosted git repository.

ppkarwasz pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/logging-flume.git

commit 16b22263fb4481417891adb8653bf56ca35c967b
Author: Ralph Goers <[email protected]>
AuthorDate: Mon Jun 13 13:05:04 2022 -0700

    Update site for 1.10.0
---
 source/sphinx/FlumeUserGuide.rst | 20 +++++++++----------
 source/sphinx/index.rst          |  6 +++++-
 source/sphinx/security.rst       | 43 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 12 deletions(-)

diff --git a/source/sphinx/FlumeUserGuide.rst b/source/sphinx/FlumeUserGuide.rst
index 7d7b3fde..dc5b2b78 100644
--- a/source/sphinx/FlumeUserGuide.rst
+++ b/source/sphinx/FlumeUserGuide.rst
@@ -197,11 +197,10 @@ several named agents; when a given Flume process is 
launched a flag is passed te
 
 Given this configuration file, we can start Flume as follows::
 
-  $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 
-Dflume.root.logger=INFO,console
+  $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1
 
 Note that in a full deployment we would typically include one more option: 
``--conf=<conf-dir>``.
-The ``<conf-dir>`` directory would include a shell script *flume-env.sh* and 
potentially a log4j properties file.
-In this example, we pass a Java option to force Flume to log to the console 
and we go without a custom environment script.
+The ``<conf-dir>`` directory would include a shell script *flume-env.sh* and 
potentially a log4j configuration file.
 
 From a separate terminal, we can then telnet port 44444 and send Flume an 
event:
 
@@ -249,7 +248,7 @@ configurations will be processed before any of the 
--conf-file configurations ar
 
 For example, a configuration of::
 
-  $ bin/flume-ng agent --conf conf --conf-file example.conf --conf-uri 
http://localhost:80/flume.conf --conf-uri http://localhost:80/override.conf 
--name a1 -Dflume.root.logger=INFO,console
+  $ bin/flume-ng agent --conf conf --conf-file example.conf --conf-uri 
http://localhost:80/flume.conf --conf-uri http://localhost:80/override.conf 
--name a1
 
 will cause flume.conf to be read first, override.conf to be merged with it and 
finally example.conf would be
 merged last. If it is desirec to have example.conf be the base configuration 
it should be specified using the
@@ -278,7 +277,7 @@ class using the default set of Lookups along with a lookup 
that uses the configu
 source for replacement values.
 
 For example::
-  $ NC_PORT=44444 bin/flume-ng agent --conf conf --conf-file example.conf 
--name a1 -Dflume.root.logger=INFO,console
+  $ NC_PORT=44444 bin/flume-ng agent --conf conf --conf-file example.conf 
--name a1
 
 Note the above is just an example, environment variables can be configured in 
other ways, including being set in `conf/flume-env.sh`.
 
@@ -292,7 +291,7 @@ As noted, system properties are also supported, so the 
configuration::
 
 could be used and the startup command could be::
 
-  $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 
-Dflume.root.logger=INFO,console -DNC_PORT=44444
+  $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 
-DNC_PORT=44444
 
 Furthermore, because multiple configuration files are allowed the first file 
could contain::
 
@@ -308,7 +307,7 @@ and the override file could contain::
 
 In this case the startup command could be::
 
-  $ bin/flume-ng agent --conf conf --conf-file example.conf --conf-file 
override.conf --name a1 -Dflume.root.logger=INFO,console
+  $ bin/flume-ng agent --conf conf --conf-file example.conf --conf-file 
override.conf --name a1
 
 Note that the method for specifying environment variables as was done in prior 
versions will stil work
 but has been deprecated in favor of using ${env:varName}.
@@ -348,10 +347,9 @@ To enable data logging, set the Java system property 
``-Dorg.apache.flume.log.ra
 in the same way described above. For most components, the log4j logging level 
must also be set to
 DEBUG or TRACE to make event-specific logging appear in the Flume logs.
 
-Here is an example of enabling both configuration logging and raw data logging 
while also
-setting the Log4j loglevel to DEBUG for console output::
+Here is an example of enabling both configuration logging and raw data 
logging::
 
-  $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 
-Dflume.root.logger=DEBUG,console -Dorg.apache.flume.log.printconfig=true 
-Dorg.apache.flume.log.rawdata=true
+  $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 
-Dorg.apache.flume.log.printconfig=true -Dorg.apache.flume.log.rawdata=true
 
 
 Zookeeper based Configuration
@@ -369,7 +367,7 @@ Following is how the Zookeeper Node tree would look like 
for agents a1 and a2
 
 Once the configuration file is uploaded, start the agent with following options
 
-  $ bin/flume-ng agent --conf conf -z zkhost:2181,zkhost1:2181 -p /flume 
--name a1 -Dflume.root.logger=INFO,console
+  $ bin/flume-ng agent --conf conf -z zkhost:2181,zkhost1:2181 -p /flume 
--name a1
 
 ==================   ================  
=========================================================================
 Argument Name        Default           Description
diff --git a/source/sphinx/index.rst b/source/sphinx/index.rst
index a7507343..b5a92b77 100644
--- a/source/sphinx/index.rst
+++ b/source/sphinx/index.rst
@@ -33,7 +33,7 @@ application.
 
 .. raw:: html
 
-   <h3>June 5, 2022 - Apache Flume 1.10.0 Released</h3>
+   <h3>June 13, 2022 - Apache Flume 1.10.0 Released</h3>
 
 The Apache Flume team is pleased to announce the release of Flume 1.10.0.
 
@@ -43,6 +43,9 @@ collecting, aggregating, and moving large amounts of 
streaming event data.
 Flume 1.10.0 is stable, production-ready software, and is backwards-compatible 
with
 previous versions of the Flume 1.x codeline.
 
+Flume 1.10.0 contains a fix for `CVE-2022-25167 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167>`__.
+See the `Flume Security <./security.html>`__ page for more details.
+
 This version of Flume upgrades many dependencies, resolving the CVEs 
associated with them.
 Enhancements included in this release include the addition of a 
LoadBalancingChannelSelector,
 the ability to retrieve the Flume configuration from a remote source such as a 
Spring
@@ -575,6 +578,7 @@ Feel free to post to the User's mailing list with any 
questions.
 
    getinvolved
    download
+   security
    documentation
    releases/index
    mailinglists
diff --git a/source/sphinx/security.rst b/source/sphinx/security.rst
new file mode 100644
index 00000000..eef07a2e
--- /dev/null
+++ b/source/sphinx/security.rst
@@ -0,0 +1,43 @@
+=====================================
+Apache Flume Security Vulnerabilities
+=====================================
+
+This page lists all the security vulnerabilities fixed in released versions of 
Apache Flume. Each vulnerability is given a security impact rating by the 
Apache Flume security team. Note that this rating may vary from platform to 
platform. We also list the versions of Apache Flume the flaw is known to 
affect, and where a flaw has not been verified list the version with a question 
mark.
+
+Binary patches are never provided. If you need to apply a source code patch, 
use the building instructions for the Apache Flume version that you are using.
+
+If you need help on building or configuring Flume or other help on following 
the instructions to mitigate the known vulnerabilities listed here, please 
subscribe to, and send your questions to the public Flume Users mailing list.
+
+If you have encountered an unlisted security vulnerability or other unexpected 
behaviour that has security impact, or if the descriptions here are incomplete, 
please report them privately to the `Flume SecurityTeam 
<mailto:[email protected]>`__. Thank you!
+
+.. rubric:: Fixed in Flume 1.10.0
+
+`CVE-2022-25167 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167>`__: Apache 
Flume vulnerable to a JNDI RCE in JMSSource.
+
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| `CVE-2022-25167 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167>`__ | 
Deserialization of Untrusted Data                                        |
++====================================================================================+==========================================================================+
+| Severity                                                                     
      | Moderate                                                                
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Base CVSS SCore                                                              
      | 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)                               
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Versions Affected                                                            
      | Flume 1.4.0 through 1.9.0                                               
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+
+.. rubric:: Description
+
+Flume's JMSSource class can be configured with a connection factory name. A 
JNDI lookup is performed on this name without performing an validation. This 
could result in untrusted data being deserialized.
+
+.. rubric:: Mitigation
+
+Upgrade to Flume 1.10.0.
+
+In releases 1.4.0 through 1.9.0 the JMSSource should not be used.
+
+.. rubric:: Release Details
+
+In release 1.10.0, if a protocol is specified in the connection factory 
parameter only the java protocol will be allowed. If no protocol is specified 
it will also be allowed.
+
+.. rubric:: Credit
+
+This issue was found by the Flume development team.

Reply via email to