This is an automated email from the ASF dual-hosted git repository. solomax pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/openmeetings.git
commit 726e9d32101d4a7a5b3add34f5bde788f699d440 Author: Maxim Solodovnik <[email protected]> AuthorDate: Fri May 5 10:26:25 2023 +0700 7.1.0 Release Candidate 1 --- CHANGELOG.md | 33 ++++++++- README.md | 23 ++++++- openmeetings-core/pom.xml | 2 +- openmeetings-db/pom.xml | 2 +- openmeetings-install/pom.xml | 2 +- openmeetings-mediaserver/pom.xml | 2 +- openmeetings-screenshare/pom.xml | 2 +- openmeetings-server/pom.xml | 4 +- openmeetings-server/src/site/xdoc/NewsArchive.xml | 34 ++++++++++ openmeetings-server/src/site/xdoc/downloads.xml | 30 ++++----- openmeetings-server/src/site/xdoc/index.xml | 33 +++++---- openmeetings-server/src/site/xdoc/security.xml | 81 ++++++++++++++++------- openmeetings-service/pom.xml | 2 +- openmeetings-util/pom.xml | 2 +- openmeetings-web/pom.xml | 2 +- openmeetings-webservice/pom.xml | 2 +- pom.xml | 5 +- 17 files changed, 193 insertions(+), 68 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dbd018995..5e2e5c37f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,11 +3,42 @@ Apache OpenMeetings Change Log Licensed under Apache License 2.0 - http://www.apache.org/licenses/LICENSE-2.0 See https://issues.apache.org/jira/browse/OPENMEETINGS-* (where * is the number of the issue below) -See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-* (where * is the number of CVE below) +See https://www.cve.org/CVERecord?id=CVE-* (where * is the number of CVE below) + + +Release Notes - Openmeetings - Version 7.1.0 +================================================================================================================ + +* Vulnerability + * CVE-2023-28936: Apache OpenMeetings: insufficient check of invitation hash + * CVE-2023-29032: Apache OpenMeetings: allows bypass authentication + * CVE-2023-29246: Apache OpenMeetings: allows null-byte Injection + +* Bug + * [OPENMEETINGS-2760] - Room name overlap on menu in RTL + * [OPENMEETINGS-2763] - Turn server is not being set + * [OPENMEETINGS-2764] - Permissions are incorrectly being set + * [OPENMEETINGS-2765] - Paths should be verified in configuration + * [OPENMEETINGS-2767] - WebRTC connection is not established in FF + * [OPENMEETINGS-2768] - Save button is hidden + * [OPENMEETINGS-2769] - Ask permission confirmation pops out event when it shouldn't + +* Improvement + * [OPENMEETINGS-2761] - Missing German Translations for new OTP-dialogs + * [OPENMEETINGS-2762] - Invitation hash check should be more strict + +* Task + * [OPENMEETINGS-2757] - (7.1.0) Libraries should be updated + * [OPENMEETINGS-2758] - (7.1.0) Sonar issues need to be addressed + * [OPENMEETINGS-2759] - (7.1.0) All translations from PoEditor should be synced + Release Notes - Openmeetings - Version 7.0.0 ================================================================================================================ +* Vulnerability + * CVE-2023-28326: Apache OpenMeetings: allows user impersonation + * Bug * [OPENMEETINGS-2253] - Interruption of a video session when the microphone is turned on / off * 
[OPENMEETINGS-2471] - Invitation email format diff --git a/README.md b/README.md index 8ee345dcc..9dfdeadd0 100644 --- a/README.md +++ b/README.md @@ -56,9 +56,30 @@ Release Notes see [CHANGELOG.md](/CHANGELOG.md) file for detailed log + +7.1.0 +----- +[Release 7.1.0](https://www.apache.org/dyn/closer.lua/openmeetings/7.1.0), provides following improvements: + +IMPORTANT: Java 17 and KMS 6.18.0+ are required + +Security: +* Invitation hash check made strict +* Set of user permissions is fixed +* Paths entered in Admin->Config are being verified +* All dependencies are updated with most recent versions + +Stability: +* TURN server config is passed to the client + +***3 security vulnerabilities were addressed*** + +Some other fixes and improvements, 12 issues were addressed + + 7.0.0 ----- -[Release 7.0.0](https://www.apache.org/dyn/closer.lua/openmeetings/7.0.0), provides following improvements: +[Release 7.0.0](https://archive.apache.org/dist/openmeetings/7.0.0), provides following improvements: IMPORTANT: Java 17 is required diff --git a/openmeetings-core/pom.xml b/openmeetings-core/pom.xml index 2f7f72752..491a9b1ac 100644 --- a/openmeetings-core/pom.xml +++ b/openmeetings-core/pom.xml @@ -22,7 +22,7 @@ <parent> <groupId>org.apache.openmeetings</groupId> <artifactId>openmeetings-parent</artifactId> - <version>7.1.0-SNAPSHOT</version> + <version>7.1.0</version> <relativePath>..</relativePath> </parent> <artifactId>openmeetings-core</artifactId> diff --git a/openmeetings-db/pom.xml b/openmeetings-db/pom.xml index c720b9980..5599c8b15 100644 --- a/openmeetings-db/pom.xml +++ b/openmeetings-db/pom.xml @@ -22,7 +22,7 @@ <parent> <groupId>org.apache.openmeetings</groupId> <artifactId>openmeetings-parent</artifactId> - <version>7.1.0-SNAPSHOT</version> + <version>7.1.0</version> <relativePath>..</relativePath> </parent> <artifactId>openmeetings-db</artifactId> diff --git a/openmeetings-install/pom.xml b/openmeetings-install/pom.xml index a51343515..68d89d45b 100644 
--- a/openmeetings-install/pom.xml
+++ b/openmeetings-install/pom.xml
@@ -22,7 +22,7 @@
 <parent>
 <groupId>org.apache.openmeetings</groupId>
 <artifactId>openmeetings-parent</artifactId>
- <version>7.1.0-SNAPSHOT</version>
+ <version>7.1.0</version>
 <relativePath>..</relativePath>
 </parent>
 <artifactId>openmeetings-install</artifactId>
diff --git a/openmeetings-mediaserver/pom.xml b/openmeetings-mediaserver/pom.xml
index 07acb44ed..7913efbe5 100644
--- a/openmeetings-mediaserver/pom.xml
+++ b/openmeetings-mediaserver/pom.xml
@@ -22,7 +22,7 @@
 <parent>
 <groupId>org.apache.openmeetings</groupId>
 <artifactId>openmeetings-parent</artifactId>
- <version>7.1.0-SNAPSHOT</version>
+ <version>7.1.0</version>
 <relativePath>..</relativePath>
 </parent>
 <artifactId>openmeetings-mediaserver</artifactId>
diff --git a/openmeetings-screenshare/pom.xml b/openmeetings-screenshare/pom.xml
index 88b453f3a..343fa3e23 100644
--- a/openmeetings-screenshare/pom.xml
+++ b/openmeetings-screenshare/pom.xml
@@ -22,7 +22,7 @@
 <parent>
 <groupId>org.apache.openmeetings</groupId>
 <artifactId>openmeetings-parent</artifactId>
- <version>7.1.0-SNAPSHOT</version>
+ <version>7.1.0</version>
 <relativePath>..</relativePath>
 </parent>
 <artifactId>openmeetings-screenshare</artifactId>
diff --git a/openmeetings-server/pom.xml b/openmeetings-server/pom.xml
index 4fb9172c4..966e7cc7f 100644
--- a/openmeetings-server/pom.xml
+++ b/openmeetings-server/pom.xml
@@ -22,7 +22,7 @@
 <parent>
 <groupId>org.apache.openmeetings</groupId>
 <artifactId>openmeetings-parent</artifactId>
- <version>7.1.0-SNAPSHOT</version>
+ <version>7.1.0</version>
 <relativePath>..</relativePath>
 </parent>
 <artifactId>openmeetings-server</artifactId>
@@ -46,7 +46,7 @@ <scm> <connection>scm:git:https://github.com/apache/openmeetings.git</connection> <developerConnection>scm:git:https://github.com/apache/openmeetings.git</developerConnection> - <url>https://github.com/apache/openmeetings.git</url> + <url>https://github.com/apache/openmeetings/tree/7.1.0</url> <tag>HEAD</tag> </scm> <profiles> diff --git a/openmeetings-server/src/site/xdoc/NewsArchive.xml b/openmeetings-server/src/site/xdoc/NewsArchive.xml index cec59e08e..caf242b40 100644 --- a/openmeetings-server/src/site/xdoc/NewsArchive.xml +++ b/openmeetings-server/src/site/xdoc/NewsArchive.xml @@ -20,6 +20,40 @@ </properties> <body> + <section name="Release 7.0.0"> + <div class="bd-callout bd-callout-info"> + <div class="h4">Version 7.0.0 released!</div> + <div>Release 7.0.0, provides following improvements:<br/> + <div class="bd-callout bd-callout-info"> + <br/> + IMPORTANT: Java 17 is required + </div> + + UI and Security: + <ul> + <li>Microphone on/off doesn't interrupt the streaming</li> + <li>Stability fix at Safari</li> + <li>Full screen mode for WB</li> + <li>Redo tool for WB</li> + <li>2-factor authentication</li> + <li>Libraries are updated with most recent versions</li> + </ul> + <br/> + <div class="bd-callout bd-callout-danger">1 security vulnerability was addressed</div> + <br/> + Other fixes and improvements + </div> + <br/> + + <span> + 28 issues are fixed please check <br/> + <a href="https://www.apache.org/dist/openmeetings/7.0.0/CHANGELOG.md">CHANGELOG</a> and + <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12350648">Detailed list</a> + </span> + <span> See <a href="https://archive.apache.org/dist/openmeetings/7.0.0">Archived download</a>.</span> + <span class="date">(2023-02-11)</span> + </div> + </section> <section name="Release 6.3.0"> <div class="bd-callout bd-callout-info"> <div class="h4">Version 6.3.0 released!</div> 
diff --git a/openmeetings-server/src/site/xdoc/downloads.xml b/openmeetings-server/src/site/xdoc/downloads.xml index a0720cce3..e59135276 100644 --- a/openmeetings-server/src/site/xdoc/downloads.xml +++ b/openmeetings-server/src/site/xdoc/downloads.xml @@ -32,21 +32,21 @@ </p> <subsection name="Latest Official WebRTC Release"> <p> - Apache OpenMeetings 7.0.0 + Apache OpenMeetings 7.1.0 </p> <ul> <li> Binaries: <ul> <li> - <a href="https://www.apache.org/dyn/closer.lua/openmeetings/7.0.0/bin/apache-openmeetings-7.0.0.zip">apache-openmeetings-7.0.0.zip</a> - <a href="https://downloads.apache.org/openmeetings/7.0.0/bin/apache-openmeetings-7.0.0.zip.asc">[SIG]</a> - <a href="https://downloads.apache.org/openmeetings/7.0.0/bin/apache-openmeetings-7.0.0.zip.sha512">[SHA512]</a> + <a href="https://www.apache.org/dyn/closer.lua/openmeetings/7.1.0/bin/apache-openmeetings-7.1.0.zip">apache-openmeetings-7.1.0.zip</a> + <a href="https://downloads.apache.org/openmeetings/7.1.0/bin/apache-openmeetings-7.1.0.zip.asc">[SIG]</a> + <a href="https://downloads.apache.org/openmeetings/7.1.0/bin/apache-openmeetings-7.1.0.zip.sha512">[SHA512]</a> </li> <li> - <a href="https://www.apache.org/dyn/closer.lua/openmeetings/7.0.0/bin/apache-openmeetings-7.0.0.tar.gz">apache-openmeetings-7.0.0.tar.gz</a> - <a href="https://downloads.apache.org/openmeetings/7.0.0/bin/apache-openmeetings-7.0.0.tar.gz.asc">[SIG]</a> - <a href="https://downloads.apache.org/openmeetings/7.0.0/bin/apache-openmeetings-7.0.0.tar.gz.sha512">[SHA512]</a> + <a href="https://www.apache.org/dyn/closer.lua/openmeetings/7.1.0/bin/apache-openmeetings-7.1.0.tar.gz">apache-openmeetings-7.1.0.tar.gz</a> + <a href="https://downloads.apache.org/openmeetings/7.1.0/bin/apache-openmeetings-7.1.0.tar.gz.asc">[SIG]</a> + <a href="https://downloads.apache.org/openmeetings/7.1.0/bin/apache-openmeetings-7.1.0.tar.gz.sha512">[SHA512]</a> </li> </ul> </li> 
@@ -54,22 +54,22 @@ Sources: <ul> <li> - <a href="https://www.apache.org/dyn/closer.lua/openmeetings/7.0.0/src/apache-openmeetings-7.0.0-src.zip">apache-openmeetings-7.0.0-src.zip</a> - <a href="https://downloads.apache.org/openmeetings/7.0.0/src/apache-openmeetings-7.0.0-src.zip.asc">[SIG]</a> - <a href="https://downloads.apache.org/openmeetings/7.0.0/src/apache-openmeetings-7.0.0-src.zip.sha512">[SHA512]</a> + <a href="https://www.apache.org/dyn/closer.lua/openmeetings/7.1.0/src/apache-openmeetings-7.1.0-src.zip">apache-openmeetings-7.1.0-src.zip</a> + <a href="https://downloads.apache.org/openmeetings/7.1.0/src/apache-openmeetings-7.1.0-src.zip.asc">[SIG]</a> + <a href="https://downloads.apache.org/openmeetings/7.1.0/src/apache-openmeetings-7.1.0-src.zip.sha512">[SHA512]</a> </li> <li> - <a href="https://www.apache.org/dyn/closer.lua/openmeetings/7.0.0/src/apache-openmeetings-7.0.0-src.tar.gz">apache-openmeetings-7.0.0-src.tar.gz</a> - <a href="https://downloads.apache.org/openmeetings/7.0.0/src/apache-openmeetings-7.0.0-src.tar.gz.asc">[SIG]</a> - <a href="https://downloads.apache.org/openmeetings/7.0.0/src/apache-openmeetings-7.0.0-src.tar.gz.sha512">[SHA512]</a> + <a href="https://www.apache.org/dyn/closer.lua/openmeetings/7.1.0/src/apache-openmeetings-7.1.0-src.tar.gz">apache-openmeetings-7.1.0-src.tar.gz</a> + <a href="https://downloads.apache.org/openmeetings/7.1.0/src/apache-openmeetings-7.1.0-src.tar.gz.asc">[SIG]</a> + <a href="https://downloads.apache.org/openmeetings/7.1.0/src/apache-openmeetings-7.1.0-src.tar.gz.sha512">[SHA512]</a> </li> </ul> </li> <li> - Changes: <a href="https://downloads.apache.org/openmeetings/7.0.0/CHANGELOG.md">CHANGELOG.md</a>. + Changes: <a href="https://downloads.apache.org/openmeetings/7.1.0/CHANGELOG.md">CHANGELOG.md</a>. 
</li> <li> - Docker image: <a href="https://github.com/openmeetings/openmeetings-docker/tree/7.0.0">https://github.com/openmeetings/openmeetings-docker/tree/7.0.0</a> + Docker image: <a href="https://github.com/openmeetings/openmeetings-docker/tree/7.1.0">https://github.com/openmeetings/openmeetings-docker/tree/7.1.0</a> </li> <li> <a href="https://cwiki.apache.org/confluence/display/OPENMEETINGS/Live+iso+OpenMeetings+on+Ubuntu">Live OM iso images by Alvaro</a> diff --git a/openmeetings-server/src/site/xdoc/index.xml b/openmeetings-server/src/site/xdoc/index.xml index 2cbfeca47..8280bb648 100644 --- a/openmeetings-server/src/site/xdoc/index.xml +++ b/openmeetings-server/src/site/xdoc/index.xml 
@@ -69,34 +69,39 @@ </section> <section name="News"> <div class="bd-callout bd-callout-danger"> - <div class="h4">Version 7.0.0 released!</div> - <div>Release 7.0.0, provides following improvements:<br/> + <div class="h4">Version 7.1.0 released!</div> + <div>Release 7.1.0, provides following improvements:<br/> <div class="bd-callout bd-callout-info"> <br/> - IMPORTANT: Java 17 is required + IMPORTANT: Java 17 and KMS 6.18.0+ are required </div> - UI and Security: + Security: <ul> - <li>Microphone on/off doesn't interrupt the streaming</li> - <li>Stability fix at Safari</li> - <li>Full screen mode for WB</li> - <li>Redo tool for WB</li> - <li>2-factor authentication</li> - <li>Libraries are updated with most recent versions</li> + <li>Invitation hash check made strict</li> + <li>Set of user permissions is fixed</li> + <li>Paths entered in Admin->Config are being verified</li> + <li>All dependencies are updated with most recent versions</li> </ul> + + Stability: + <ul> + <li>TURN server config is passed to the client</li> + </ul> + <br/> + <div class="bd-callout bd-callout-danger">3 security vulnerabilities were addressed</div> <br/> Other fixes and improvements </div> <br/> <span> - 28 issues are fixed please check <br/> - <a href="https://www.apache.org/dist/openmeetings/7.0.0/CHANGELOG.md">CHANGELOG</a> and - <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12350648">Detailed list</a> + 12 issues are fixed please check <br/> + <a href="https://www.apache.org/dist/openmeetings/7.1.0/CHANGELOG.md">CHANGELOG</a> and + <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12352896">Detailed list</a> </span> <span> See <a href="downloads.html">Downloads page</a>.</span> - <span class="date">(2023-02-11)</span> + <span class="date">(2023-05-09)</span> </div> <div class="bd-callout bd-callout-info"> <span class="date"><a href="NewsArchive.html">You can find older news here</a></span> 
diff --git a/openmeetings-server/src/site/xdoc/security.xml b/openmeetings-server/src/site/xdoc/security.xml index e210ccf91..db681a657 100644 --- a/openmeetings-server/src/site/xdoc/security.xml +++ b/openmeetings-server/src/site/xdoc/security.xml 
@@ -45,12 +45,45 @@ Please NOTE: only security issues should be reported to this list. </p> </section> + <section name="CVE-2023-28936: Apache OpenMeetings: insufficient check of invitation hash"> + <p>Severity: Critical</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: from 2.0.0 before 7.1.0</p> + <p>Description: Attacker can access arbitrary recording/room<br/> + <a href="https://www.cve.org/CVERecord?id=CVE-2023-28936">CVE-2023-28936</a> + </p> + <p>The issue was fixed in 7.1.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 7.1.0</p> + <p>Credit: This issue was identified by Stefan Schiller</p> + </section> + <section name="CVE-2023-29032: Apache OpenMeetings: allows bypass authentication"> + <p>Severity: Important</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: from 3.1.3 before 7.1.0</p> + <p>Description: An attacker that has gained access to certain private information can use this to act as other user.<br/> + <a href="https://www.cve.org/CVERecord?id=CVE-2023-29032">CVE-2023-29032</a> + </p> + <p>The issue was fixed in 7.1.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 7.1.0</p> + <p>Credit: This issue was identified by Stefan Schiller</p> + </section> + <section name="CVE-2023-29246: Apache OpenMeetings: allows null-byte Injection"> + <p>Severity: Important</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: from 2.0.0 before 7.0.0</p> + <p>Description: An attacker who has gained access to an admin account can perform RCE via null-byte injection<br/> + <a href="https://www.cve.org/CVERecord?id=2023-29246">2023-29246</a> + </p> + <p>The issue was fixed in 7.1.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 7.1.0</p> + <p>Credit: This issue was identified by Stefan Schiller</p> + </section> <section name="CVE-2023-28326: Apache OpenMeetings: allows user impersonation"> <p>Severity: Critical</p> <p>Vendor: The Apache 
Software Foundation</p> <p>Versions Affected: from 2.0.0 before 7.0.0</p> <p>Description: Attacker can elevate their privileges in any room<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28326">CVE-2023-28326</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2023-28326">CVE-2023-28326</a> </p> <p>The issue was fixed in 7.0.0<br/> All users are recommended to upgrade to Apache OpenMeetings 7.0.0</p> @@ -61,7 +94,7 @@ <p>Vendor: The Apache Software Foundation</p> <p>Versions Affected: from 4.0.0 before 6.0.0</p> <p>Description: NetTest web service can be used to overload the bandwidth of the server<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27576">CVE-2021-27576</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2021-27576">CVE-2021-27576</a> </p> <p>The issue was fixed in 6.0.0<br/> All users are recommended to upgrade to Apache OpenMeetings 6.0.0</p> @@ -72,7 +105,7 @@ <p>Vendor: The Apache Software Foundation</p> <p>Versions Affected: from 4.0.0 before 5.0.1</p> <p>Description: NetTest web service can be used to perform Denial of Service attack<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13951">CVE-2020-13951</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2020-13951">CVE-2020-13951</a> </p> <p>The issue was fixed in 5.0.1<br/> All users are recommended to upgrade to Apache OpenMeetings 5.0.1</p> @@ -83,7 +116,7 @@ <p>Vendor: wicket-jquery-ui</p> <p>Versions Affected: <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1</p> <p>Description: JS code created in WYSIWYG editor will be executed on display<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1325">CVE-2018-1325</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2018-1325">CVE-2018-1325</a> </p> <p>The issue was fixed in 6.29.1, 7.10.2, 8.0.0-M9.2<br/> All users are recommended to upgrade to Apache OpenMeetings 4.0.3</p> 
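Review bot: The new CVE-2023-29246 section contradicts itself on the affected range: it states `Versions Affected: from 2.0.0 before 7.0.0` but then `The issue was fixed in 7.1.0`, so an operator running 7.0.0 would read this advisory as not applying to them, even though the CHANGELOG hunk in this same commit lists the CVE under 7.1.0. Presumably the upper bound should be `before 7.1.0`, matching the two sibling 7.1.0 advisories; please reconcile it with the published CVE record rather than leaving the narrower range. In the same section the reference link is also broken: `<a href="https://www.cve.org/CVERecord?id=2023-29246">2023-29246</a>` drops the `CVE-` prefix both in the query parameter and in the anchor text, unlike every other entry on the page, and should read `<a href="https://www.cve.org/CVERecord?id=CVE-2023-29246">CVE-2023-29246</a>`.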
@@ -94,7 +127,7 @@ <p>Vendor: wicket-jquery-ui</p> <p>Versions Affected: <= 6.28.0, <= 7.9.1, <= 8.0.0-M8</p> <p>Description: Attacker can submit arbitrary JS code to WYSIWYG editor<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15719">CVE-2017-15719</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-15719">CVE-2017-15719</a> </p> <p>The issue was fixed in 6.28.1, 7.9.2, 8.0.0-M8.1<br/> All users are recommended to upgrade to Apache OpenMeetings 4.0.2</p> @@ -106,7 +139,7 @@ <p>Versions Affected: from 3.0.0 before 4.0.2</p> <p>Description: CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1286">CVE-2018-1286</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2018-1286">CVE-2018-1286</a> </p> <p>The issue was fixed in 4.0.2<br/> All users are recommended to upgrade to Apache OpenMeetings 4.0.2</p> @@ -117,7 +150,7 @@ <p>Vendor: The Apache Software Foundation</p> <p>Versions Affected: 3.2.0</p> <p>Description: Both global and Room chat are vulnerable to XSS attack<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7663">CVE-2017-7663</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7663">CVE-2017-7663</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> @@ -128,7 +161,7 @@ <p>Vendor: The Apache Software Foundation</p> <p>Versions Affected: from 3.1.0 before 3.3.0</p> <p>Description: Uploaded XML documents were not correctly validated<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7664">CVE-2017-7664</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7664">CVE-2017-7664</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> 
@@ -140,7 +173,7 @@ <p>Versions Affected: from 1.0.0 before 3.3.0</p> <p>Description: Apache Openmeetings is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7666">CVE-2017-7666</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7666">CVE-2017-7666</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> @@ -153,7 +186,7 @@ <p>Description: Apache OpenMeetings uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7673">CVE-2017-7673</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7673">CVE-2017-7673</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> @@ -166,7 +199,7 @@ <p>Description: Apache OpenMeetings has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7680">CVE-2017-7680</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7680">CVE-2017-7680</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> @@ -180,7 +213,7 @@ This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7681">CVE-2017-7681</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7681">CVE-2017-7681</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> 
@@ -192,7 +225,7 @@ <p>Versions Affected: 3.2.0</p> <p>Description: Apache OpenMeetings is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7682">CVE-2017-7682</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7682">CVE-2017-7682</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> @@ -204,7 +237,7 @@ <p>Versions Affected: from 1.0.0 before 3.3.0</p> <p>Description: Apache OpenMeetings displays Tomcat version and detailed error stack trace which is not secure.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7683">CVE-2017-7683</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7683">CVE-2017-7683</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> @@ -217,7 +250,7 @@ <p>Description: Apache OpenMeetings doesn't check contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7684">CVE-2017-7684</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7684">CVE-2017-7684</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> @@ -229,7 +262,7 @@ <p>Versions Affected: from 1.0.0 before 3.3.0</p> <p>Description: Apache OpenMeetingsrespond to the following insecure HTTP Methods: PUT, DELETE, HEAD, and PATCH.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7685">CVE-2017-7685</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7685">CVE-2017-7685</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> 
@@ -240,7 +273,7 @@ <p>Vendor: The Apache Software Foundation</p> <p>Versions Affected: from 1.0.0 before 3.3.0</p> <p>Description: Apache OpenMeetings updates user password in insecure manner.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7688">CVE-2017-7688</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-7688">CVE-2017-7688</a> </p> <p>The issue was fixed in 3.3.0<br/> All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> @@ -253,7 +286,7 @@ <p>Description: The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5878">CVE-2017-5878</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2017-5878">CVE-2017-5878</a> </p> <p>The issue was fixed in 3.1.4<br/> All users are recommended to upgrade to Apache OpenMeetings 3.1.4</p> @@ -264,7 +297,7 @@ <p>Vendor: The Apache Software Foundation</p> <p>Versions Affected: from 3.1.0 before 3.1.2</p> <p>Description: Apache Openmeetings is vulnerable to Remote Code Execution via RMI deserialization attack<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8736">CVE-2016-8736</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2016-8736">CVE-2016-8736</a> </p> <p>The issue was fixed in 3.1.2<br/> All users are recommended to upgrade to Apache OpenMeetings 3.1.3</p> 
@@ -276,7 +309,7 @@ <p>Versions Affected: from 3.1.0 before 3.1.2</p> <p>Description: The value of the URL's "swf" query parameter is interpolated into the JavaScript tag without being escaped, leading to the reflected XSS.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3089">CVE-2016-3089</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2016-3089">CVE-2016-3089</a> </p> <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.2</p> <p>Credit: This issue was identified by Matthew Daley</p> @@ -289,7 +322,7 @@ name and the current system time, and then hashing it using MD5. This is highly predictable and can be cracked in seconds by an attacker with knowledge of the user name of an OpenMeetings user.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0783">CVE-2016-0783</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2016-0783">CVE-2016-0783</a> </p> <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> <p>Credit: This issue was identified by Andreas Lindh</p> @@ -305,7 +338,7 @@ directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd party integrated executable) with a shell script, which would be executed the next time an image file is uploaded and imagemagick is invoked.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0784">CVE-2016-0784</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2016-0784">CVE-2016-0784</a> </p> <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> <p>Credit: This issue was identified by Andreas Lindh</p> 
@@ -319,7 +352,7 @@ possible to create a link like "javascript:alert('xss')", which will execute once the link is clicked. As the link is placed within an <a> tag, the actual link is not visible to the end user which makes it hard to tell if the link is legit or not.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2163">CVE-2016-2163</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2016-2163">CVE-2016-2163</a> </p> <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> <p>Credit: This issue was identified by Andreas Lindh</p> @@ -331,7 +364,7 @@ <p>Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile methods in the FileService, it is possible to read arbitrary files from the system. This is due to that Java's URL class is used without checking what protocol handler is specified in the API call.<br/> - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2164">CVE-2016-2164</a> + <a href="https://www.cve.org/CVERecord?id=CVE-2016-2164">CVE-2016-2164</a> </p> <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> <p>Credit: This issue was identified by Andreas Lindh</p> diff --git a/openmeetings-service/pom.xml b/openmeetings-service/pom.xml index 335bbc1cf..9bbc1dd4c 100644 --- a/openmeetings-service/pom.xml +++ b/openmeetings-service/pom.xml @@ -22,7 +22,7 @@ <parent> <groupId>org.apache.openmeetings</groupId> <artifactId>openmeetings-parent</artifactId> - <version>7.1.0-SNAPSHOT</version> + <version>7.1.0</version> <relativePath>..</relativePath> </parent> <artifactId>openmeetings-service</artifactId> diff --git a/openmeetings-util/pom.xml b/openmeetings-util/pom.xml index e8261877b..18143c2b9 100644 --- a/openmeetings-util/pom.xml +++ b/openmeetings-util/pom.xml 
@@ -22,7 +22,7 @@
 <parent>
 <groupId>org.apache.openmeetings</groupId>
 <artifactId>openmeetings-parent</artifactId>
- <version>7.1.0-SNAPSHOT</version>
+ <version>7.1.0</version>
 <relativePath>..</relativePath>
 </parent>
 <artifactId>openmeetings-util</artifactId>
diff --git a/openmeetings-web/pom.xml b/openmeetings-web/pom.xml
index 963359f8d..dd41f26e6 100644
--- a/openmeetings-web/pom.xml
+++ b/openmeetings-web/pom.xml
@@ -22,7 +22,7 @@
 <parent>
 <groupId>org.apache.openmeetings</groupId>
 <artifactId>openmeetings-parent</artifactId>
- <version>7.1.0-SNAPSHOT</version>
+ <version>7.1.0</version>
 <relativePath>..</relativePath>
 </parent>
 <artifactId>openmeetings-web</artifactId>
diff --git a/openmeetings-webservice/pom.xml b/openmeetings-webservice/pom.xml
index 2f9912f62..e054a0c1a 100644
--- a/openmeetings-webservice/pom.xml
+++ b/openmeetings-webservice/pom.xml
@@ -22,7 +22,7 @@
 <parent>
 <groupId>org.apache.openmeetings</groupId>
 <artifactId>openmeetings-parent</artifactId>
- <version>7.1.0-SNAPSHOT</version>
+ <version>7.1.0</version>
 <relativePath>..</relativePath>
 </parent>
 <artifactId>openmeetings-webservice</artifactId>
diff --git a/pom.xml b/pom.xml
index 1abf56b49..4220f46ae 100644
--- a/pom.xml
+++ b/pom.xml
@@ -26,12 +26,13 @@
 </parent>
 <groupId>org.apache.openmeetings</groupId>
 <artifactId>openmeetings-parent</artifactId>
- <version>7.1.0-SNAPSHOT</version>
+ <version>7.1.0</version>
 <packaging>pom</packaging>
 <name>Openmeetings</name>
 <description>Parent project for all OpenMeetings Maven modules. Required to hold general settings</description>
 <properties>
 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <project.build.outputTimestamp>2023-05-05T03:25:03Z</project.build.outputTimestamp>
 <wicket.configuration>DEPLOYMENT</wicket.configuration>
 <om.quick.build>false</om.quick.build>
 <om.notquick.build>true</om.notquick.build>
@@ -351,7 +352,7 @@
 <scm>
 <connection>scm:git:https://github.com/apache/openmeetings.git</connection>
 <developerConnection>scm:git:https://github.com/apache/openmeetings.git</developerConnection>
- <url>https://github.com/apache/openmeetings.git</url>
+ <url>https://github.com/apache/openmeetings/tree/7.1.0</url>
 <tag>HEAD</tag>
 </scm>
 <mailingLists>
