Author: shuber
Date: Fri Nov 13 18:48:19 2020
New Revision: 1883398
URL: http://svn.apache.org/viewvc?rev=1883398&view=rev
Log:
[scm-publish] Updating Unomi website
Added:
unomi/website/security/cve-2020-13942.txt
Modified:
unomi/website/contribute-release-guide.html
unomi/website/documentation.html
unomi/website/download.html
unomi/website/index.html
Modified: unomi/website/contribute-release-guide.html
URL:
http://svn.apache.org/viewvc/unomi/website/contribute-release-guide.html?rev=1883398&r1=1883397&r2=1883398&view=diff
==============================================================================
--- unomi/website/contribute-release-guide.html (original)
+++ unomi/website/contribute-release-guide.html Fri Nov 13 18:48:19 2020
@@ -267,7 +267,7 @@ mvn clean install</code></pre>
<li>If something fails, make sure you first drop the staging
repository created here: <a
href="https://repository.apache.org/#stagingRepositories"
target="_blank">https://repository.apache.org/#stagingRepositories</a>.<br>
If you need to relaunch the <code>release:perform</code> and don???t have a
release.properties, create a <code>release.properties</code> file with the
following contents:
<pre class="alert
alert-primary"><code>scm.url=scm:git:https://gitbox.apache.org/repos/asf?p=unomi.git
-scm.tag=unomi-root-1.5.1
+scm.tag=unomi-root-1.5.2
and run mvn release:perform</code></pre>
</li>
<li>Make sure you uploaded your public PGP key using:
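Review bot: The sentence "and run mvn release:perform" sits inside the same code block as the release.properties contents, directly after the scm.tag line, so copying the block as the file contents adds an invalid line to the properties file. Close the block after scm.tag and put the mvn release:perform instruction in prose or in its own block. While this item is being touched, the context line "don???t" shows a broken apostrophe encoding in the HTML source that should be fixed as well.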
@@ -275,7 +275,7 @@ and run mvn release:perform</code></pre>
</li>
<li>Connect to <a
href="https://repository.apache.org/#stagingRepositories"
target="_blank">https://repository.apache
.org/#stagingRepositories</a> and look for the open staging
repositories, you should have two (one for everything and the other for
KAR/features) for releases <= 1.2 and just one for versions >= 1.3.0
(because of changes in the Karaf plugins). Close the repositories and given a
meaningful comment when closing such as:<br>
- <strong>Apache Unomi 1.5.1 Release Candidate 1</strong>
+ <strong>Apache Unomi 1.5.2 Release Candidate 1</strong>
</li>
</ol>
@@ -286,48 +286,48 @@ and run mvn release:perform</code></pre>
</li>
<li>
<pre class="alert alert-primary"><code>cd unomi-dev
-mkdir 1.5.1</code></pre>
+mkdir 1.5.2</code></pre>
</li>
<li>
Copy all the Zip and Tarbars including ASC (but do not copy
the SHA1 or MD5 sum) files from:
- <a
href="https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi/1.5.1/"
target="_blank">https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi/1.5.1/</a>
+ <a
href="https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi/1.5.2/"
target="_blank">https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi/1.5.2/</a>
and
- <a
href="https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi-root/1.5.1/"
target="_blank">https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi-root/1.5.1/</a>
+ <a
href="https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi-root/1.5.2/"
target="_blank">https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi-root/1.5.2/</a>
</li>
<li>
Rename the source and binary files to something shorter and
consistent with previous releases and generate
the SHA 512 checksum manually:
<pre class="alert alert-primary"><code>
-mv unomi-root-1.5.1-source-release.zip unomi-1.5.1-src.zip
-mv unomi-root-1.5.1-source-release.zip.asc unomi-1.5.1-src.zip.asc
-shasum -a 512 unomi-1.5.1-src.zip > unomi-1.5.1-src.zip.sha512
-
-mv unomi-1.5.1.zip unomi-1.5.1-bin.zip
-mv unomi-1.5.1.zip.asc unomi-1.5.1-bin.zip.asc
-shasum -a 512 unomi-1.5.1-bin.zip > unomi-1.5.1-bin.zip.sha512
-
-mv unomi-1.5.1.tar.gz unomi-1.5.1-bin.tar.gz
-mv unomi-1.5.1.tar.gz.asc unomi-1.5.1-bin.tar.gz.asc
-shasum -a 512 unomi-1.5.1-bin.tar.gz > unomi-1.5.1-bin.tar.gz.sha512
+mv unomi-root-1.5.2-source-release.zip unomi-1.5.2-src.zip
+mv unomi-root-1.5.2-source-release.zip.asc unomi-1.5.2-src.zip.asc
+shasum -a 512 unomi-1.5.2-src.zip > unomi-1.5.2-src.zip.sha512
+
+mv unomi-1.5.2.zip unomi-1.5.2-bin.zip
+mv unomi-1.5.2.zip.asc unomi-1.5.2-bin.zip.asc
+shasum -a 512 unomi-1.5.2-bin.zip > unomi-1.5.2-bin.zip.sha512
+
+mv unomi-1.5.2.tar.gz unomi-1.5.2-bin.tar.gz
+mv unomi-1.5.2.tar.gz.asc unomi-1.5.2-bin.tar.gz.asc
+shasum -a 512 unomi-1.5.2-bin.tar.gz > unomi-1.5.2-bin.tar.gz.sha512
</code></pre>
</li>
<li>
<pre class="alert alert-primary"><code>cd ..
-svn add 1.5.1</code></pre>
+svn add 1.5.2</code></pre>
</li>
<li>
If needed, update the KEYS file (that is in the svn checkout
<code>https://dist.apache.org/repos/dist/release/unomi</code>)
</li>
<li>
- <pre class="alert alert-primary"><code>svn commit -m "Apache
1.5.1 Release (for PMC voting)"</code></pre>
+ <pre class="alert alert-primary"><code>svn commit -m "Apache
1.5.2 Release (for PMC voting)"</code></pre>
</li>
<li>Send out to the Unomi mailing list a mail to start the
voting process, see <a href="#mail-1">[1]</a></li>
<li>If the vote is refused or cancelled, peform the following
steps to restart the release process:
<ol>
<li>Drop the release in <a
href="https://repository.apache.org/#stagingRepositories"
target="_blank">Nexus</a></li>
<li>Remove the tag in Git:
- <pre class="alert alert-primary"><code>git push
--delete origin unomi-root-1.5.1
-git tag -d unomi-root-1.5.1</code></pre>
+ <pre class="alert alert-primary"><code>git push
--delete origin unomi-root-1.5.2
+git tag -d unomi-root-1.5.2</code></pre>
</li>
<li>Correct any problems in the source, make sure to
do them in master and cherry-pick them to the relevant branches</li>
<li>Reset all versions with the following command:
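Review bot: The two updated links in the copy step now end in 1.5.2 but still sit under the staging repository orgapacheunomi-1014, the same id the 1.5.1 links used, while the vote mail template later in this file uses orgapacheunomi-1021. A staging repository id is allocated per release candidate, so a 1.5.2 path under a reused id is unlikely to resolve; replace the id (and ideally the version) with an explicit placeholder so the release manager cannot pull artifacts from the wrong staging repository. The same step tells the reader not to copy the SHA1 or MD5 files and then regenerates SHA-512 by hand, which is fine, but it should also say to check each .asc against the renamed file before the svn commit, because the rename is the point where a signature and its artifact can get mismatched.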
@@ -350,9 +350,9 @@ git tag -d unomi-root-1.5.1</code></pre>
<ol>
<li>
Move the files uploaded to the unomi-dev repository to the
unomi-release repository by doing the following:
- <pre class="alert alert-primary"><code>svn mv
https://dist.apache.org/repos/dist/dev/unomi/1.5.1
-https://dist.apache.org/repos/dist/release/unomi/1.5.1
--m "Apache Unomi 1.5.1 Release"</code></pre>
+ <pre class="alert alert-primary"><code>svn mv
https://dist.apache.org/repos/dist/dev/unomi/1.5.2
+https://dist.apache.org/repos/dist/release/unomi/1.5.2
+-m "Apache Unomi 1.5.2 Release"</code></pre>
</li>
<li>
Update Jenkins
@@ -382,8 +382,8 @@ https://dist.apache.org/repos/dist/relea
<h3 id="rollback">Rollback</h3>
<ol>
<li>Delete the tag:
- <pre class="alert alert-primary"><code>git push --delete
origin unomi-root-1.5.1
-git tag --delete unomi-root-1.5.1</code></pre>
+ <pre class="alert alert-primary"><code>git push --delete
origin unomi-root-1.5.2
+git tag --delete unomi-root-1.5.2</code></pre>
</li>
<li>Reset to the previous commit before the release preparation:
<pre class="alert alert-primary"><code>git reset --hard
c65f9897ec5f31d9d22ad639738c7db9d109aa77
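Review bot: In the Rollback section the tag name is bumped to unomi-root-1.5.2 but the next step still resets to the fixed commit c65f9897ec5f31d9d22ad639738c7db9d109aa77, which cannot be the commit before release preparation for every version. A git reset --hard to a stale hash followed by the forced push in the following line would discard unrelated history, so replace the hash with a placeholder and a sentence on how to find the right commit. The restart steps earlier in the file use git tag -d while this section uses git tag --delete; pick one spelling.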
@@ -426,11 +426,11 @@ git push origin -f</code></pre>
<h6 id="mail-1" class="pt-3">[1] Mail template for the Unomi PMC
vote:</h6>
<pre class="alert alert-primary"><code>
-Subject: [VOTE] Apache Unomi 1.5.1 release [TAKE2]
+Subject: [VOTE] Apache Unomi 1.5.2 release [TAKE2]
Body:
Hi all,
-I submit Apache Unomi 1.5.1 release [TAKE2] to your vote.
+I submit Apache Unomi 1.5.2 release [TAKE2] to your vote.
The following corrections were done since TAKE 1:
NOTICE year (2016) has been updated to 2018
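Review bot: The vote template still carries release-specific leftovers around the changed lines: the subject and body keep "[TAKE2]" and the body keeps "NOTICE year (2016) has been updated to 2018", neither of which applies to a first 1.5.2 vote. Since only the version number is being substituted, mark these as optional text for a re-vote so they are not sent out unchanged.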
@@ -444,18 +444,18 @@ Staging Repository:
You can find the sources here :
*https://repository.apache.org/content/repositories/orgapacheunomi-1021/org/apache/
-unomi/unomi-root/1.5.1/unomi-root-1.5.1-source-release.zip
+unomi/unomi-root/1.5.2/unomi-root-1.5.2-source-release.zip
<https://repository.apache.org/content/repositories/orgapacheunomi-1021/org/apache/
-unomi/unomi-root/1.5.1/unomi-root-1.5.1-source-release.zip>*
+unomi/unomi-root/1.5.2/unomi-root-1.5.2-source-release.zip>*
Convenience binaries are also available here:
*https://repository.apache.org/content/repositories/orgapacheunomi-1021/org/apache/
-unomi/unomi/1.5.1/
+unomi/unomi/1.5.2/
<https://repository.apache.org/content/repositories/orgapacheunomi-1021/org/apache/
-unomi/unomi/1.5.1/>*
+unomi/unomi/1.5.2/>*
Git tag:
-unomi-root-1.5.1
+unomi-root-1.5.2
Release Notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12319220&
@@ -477,7 +477,7 @@ Regards
<h6 id="mail-2" class="pt-3">[2] Mail template for the results of
the Unomi PMC vote:</h6>
<pre class="alert alert-primary"><code>
-Subject: [RESULT][VOTE] Apache Unomi 1.5.1 release [TAKE2]
+Subject: [RESULT][VOTE] Apache Unomi 1.5.2 release [TAKE2]
Body:
Hi,
@@ -497,7 +497,7 @@ John Doe 5
No 0 or -1.
-The proposal to release Unomi 1.5.1 is approved by the team.
+The proposal to release Unomi 1.5.2 is approved by the team.
Thanks,
John Doe 1
@@ -505,10 +505,10 @@ John Doe 1
<h6 id="mail-3" class="pt-3">[3] Announce mailing list
template:</h6>
<pre class="alert alert-primary"><code>
-Subject : [ANNOUNCE] Apache Unomi 1.5.1 Release
+Subject : [ANNOUNCE] Apache Unomi 1.5.2 Release
Body:
The Apache Unomi team would like to announce the release of Apache
-Unomi 1.5.1.
+Unomi 1.5.2.
Release notes are here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12319220&
@@ -522,10 +522,10 @@ More details regarding Apache Unomi can
http://unomi.apache.org/
The release artifacts can be downloaded here:
-https://dist.apache.org/repos/dist/release/incubator/unomi/1.5.1/
+https://dist.apache.org/repos/dist/release/incubator/unomi/1.5.2/
All JIRAs completed for this release are tagged with 'FixVersion =
-1.5.1'; the JIRA release notes can be found here:
+1.5.2'; the JIRA release notes can be found here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12319220&
version=12338361
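Review bot: The announce template's download URL is updated to https://dist.apache.org/repos/dist/release/incubator/unomi/1.5.2/, but the publish step earlier in this guide moves the files to https://dist.apache.org/repos/dist/release/unomi/1.5.2, without the incubator segment. The announced link would therefore not match where the artifacts are actually placed; drop "incubator/" here. The release notes link in the context lines also still ends in version=12338361, whereas download.html in this same commit uses version=12348274 for 1.5.2.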
Modified: unomi/website/documentation.html
URL:
http://svn.apache.org/viewvc/unomi/website/documentation.html?rev=1883398&r1=1883397&r2=1883398&view=diff
==============================================================================
--- unomi/website/documentation.html (original)
+++ unomi/website/documentation.html Fri Nov 13 18:48:19 2020
@@ -89,8 +89,8 @@
<div class="card flex-md-row mb-4 box-shadow h-md-250">
<div class="card-body d-flex flex-column align-items-start">
<strong class="d-inline-block mb-2 text-success"><i class="fas
fa-circle"></i> Stable</strong>
- <h3 class="mb-0 text-dark">Unomi <span
class="text-muted">1.5.1</span></h3>
- <div class="mb-1 text-muted">Last update: May 14th, 2020</div>
+ <h3 class="mb-0 text-dark">Unomi <span
class="text-muted">1.5.2</span></h3>
+ <div class="mb-1 text-muted">Last update: November 2nd,
2020</div>
<p class="card-text">
<a href="manual/1_5_x/index.html">online</a><br>
<a target="_blank"
href="https://dist.apache.org/repos/dist/release/unomi/1.5.1/unomi-manual-1_5_x.zip">html
(zipped)</a>
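Review bot: The card heading and date change to 1.5.2, but the zipped manual link in the context lines below still points to https://dist.apache.org/repos/dist/release/unomi/1.5.1/unomi-manual-1_5_x.zip. This commit also moves the 1.5.1 downloads to archive.apache.org in download.html, so the 1.5.1 release directory is presumably going away and this link is likely to break; point it at the 1.5.2 directory or at the archive.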
@@ -368,6 +368,10 @@
CVE-2020-11975 : Remote Code Execution in Apache Unomi
</p>
<a class="btn btn-outline-primary"
href="security/cve-2020-11975.txt">Notes</a>
+ <p>
+ CVE-2020-13942 : Remote Code Execution in Apache Unomi
+ </p>
+ <a class="btn btn-outline-primary"
href="security/cve-2020-13942.txt">Notes</a>
</div>
</div>
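Review bot: The new CVE-2020-13942 entry has exactly the same title text as the CVE-2020-11975 entry above it ("Remote Code Execution in Apache Unomi"), so a reader scanning the list cannot tell which advisory applies to their version. Add the distinguishing fact from the advisory itself, for example that it affects all versions prior to 1.5.2, to the paragraph text.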
Modified: unomi/website/download.html
URL:
http://svn.apache.org/viewvc/unomi/website/download.html?rev=1883398&r1=1883397&r2=1883398&view=diff
==============================================================================
--- unomi/website/download.html (original)
+++ unomi/website/download.html Fri Nov 13 18:48:19 2020
@@ -87,24 +87,24 @@
<div class="card flex-md-row mb-2 box-shadow h-md-250">
<div class="card-body d-flex flex-column align-items-start">
<strong class="d-inline-block mb-2 text-success"><i class="fas
fa-circle"></i> Latest release</strong>
- <h3 class="mb-0 text-dark">Unomi <span
class="text-muted">1.5.1</span></h3>
- <div class="mb-1 text-muted">May 14th, 2020</div>
+ <h3 class="mb-0 text-dark">Unomi <span
class="text-muted">1.5.2</span></h3>
+ <div class="mb-1 text-muted">November 2nd, 2020</div>
<p class="card-text mb-auto">
Binary Distribution :
- <a target="_blank"
href="https://www.apache.org/dyn/closer.lua/unomi/1.5.1/unomi-1.5.1-bin.tar.gz">tar.gz</a>
- [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.1/unomi-1.5.1-bin.tar.gz.asc">PGP</a>]
- [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.1/unomi-1.5.1-bin.tar.gz.sha512">SHA512</a>]
-
- <a target="_blank"
href="https://www.apache.org/dyn/closer.lua/unomi/1.5.1/unomi-1.5.1-bin.zip">zip</a>
- [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.1/unomi-1.5.1-bin.zip.asc">PGP</a>]
- [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.1/unomi-1.5.1-bin.zip.sha512">SHA512</a>]
+ <a target="_blank"
href="https://www.apache.org/dyn/closer.lua/unomi/1.5.2/unomi-1.5.2-bin.tar.gz">tar.gz</a>
+ [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.2/unomi-1.5.2-bin.tar.gz.asc">PGP</a>]
+ [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.2/unomi-1.5.2-bin.tar.gz.sha512">SHA512</a>]
-
+ <a target="_blank"
href="https://www.apache.org/dyn/closer.lua/unomi/1.5.2/unomi-1.5.2-bin.zip">zip</a>
+ [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.2/unomi-1.5.2-bin.zip.asc">PGP</a>]
+ [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.2/unomi-1.5.2-bin.zip.sha512">SHA512</a>]
</p>
<p class="card-text mb-auto">
Source Distribution :
- <a target="_blank"
href="https://www.apache.org/dyn/closer.lua/unomi/1.5.1/unomi-1.5.1-src.zip">zip</a>
- [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.1/unomi-1.5.1-src.zip.asc">PGP</a>]
- [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.1/unomi-1.5.1-src.zip.sha512">SHA512</a>]
+ <a target="_blank"
href="https://www.apache.org/dyn/closer.lua/unomi/1.5.2/unomi-1.5.2-src.zip">zip</a>
+ [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.2/unomi-1.5.2-src.zip.asc">PGP</a>]
+ [<a target="_blank"
href="https://www.apache.org/dist/unomi/1.5.2/unomi-1.5.2-src.zip.sha512">SHA512</a>]
</p>
- <a class="btn btn-outline-dark mt-3"
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12319220&version=12345521"
role="button" target="_blank">Release notes »</a>
+ <a class="btn btn-outline-dark mt-3"
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12319220&version=12348274"
role="button" target="_blank">Release notes »</a>
</div>
</div>
</div>
@@ -136,7 +136,7 @@
</code>
<br>
<code>
- % gpg --verify unomi-1.5.1-bin.tar.gz.asc
unomi-1.5.1-bin.tar.gz
+ % gpg --verify unomi-1.5.2-bin.tar.gz.asc
unomi-1.5.2-bin.tar.gz
</code>
</p>
</div>
@@ -160,6 +160,33 @@
</thead>
<tbody>
<tr>
+ <td>1.5.1</td>
+ <td><a target="_blank"
+
href="https://archive.apache.org/dist/unomi/1.5.1/unomi-1.5.1-bin.tar.gz">tar.gz</a>
+ [<a target="_blank"
+
href="https://archive.apache.org/dist/unomi/1.5.1/unomi-1.5.1-bin.tar.gz.asc">PGP</a>]
+ [<a target="_blank"
+
href="https://archive.apache.org/dist/unomi/1.5.1/unomi-1.5.1-bin.tar.gz.sha512">SHA512</a>]<br>
+ <a target="_blank"
+
href="https://archive.apache.org/dist/unomi/1.5.1/unomi-1.5.1-bin.zip">zip</a>
+ [<a target="_blank"
+
href="https://archive.apache.org/dist/unomi/1.5.1/unomi-1.5.1-bin.zip.asc">PGP</a>]
+ [<a target="_blank"
+
href="https://archive.apache.org/dist/unomi/1.5.1/unomi-1.5.1-bin.zip.sha512">SHA512</a>]
+ </td>
+ <td>
+ <a target="_blank"
+
href="https://archive.apache.org/dist/unomi/1.5.1/unomi-1.5.1-src.zip">zip</a>
+ [<a target="_blank"
+
href="http://archive.apache.org/dist/unomi/1.5.1/unomi-1.5.1-src.zip.asc">PGP</a>]
+ [<a target="_blank"
+
href="https://archive.apache.org/dist/unomi/1.5.1/unomi-1.5.1-src.zip.sha1">SHA512</a>]
+ </td>
+ <td><a target="_blank"
+
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12319220&version=12345521">Release
+ Notes</a></td>
+ </tr>
+ <tr>
<td>1.5.0</td>
<td><a target="_blank"
href="https://archive.apache.org/dist/unomi/1.5.0/unomi-1.5.0-bin.tar.gz">tar.gz</a>
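Review bot: In the new 1.5.1 archive row, the source distribution links are inconsistent with the binary ones in two ways that matter for verification. The PGP link for unomi-1.5.1-src.zip.asc uses http:// while every other link in the row uses https://, and the link labelled SHA512 points to unomi-1.5.1-src.zip.sha1. The release guide in this same commit generates unomi-1.5.1-src.zip.sha512 and says not to copy the SHA1 files, so the .sha1 target is either missing or a weaker digest than the label claims. Change the href to the .sha512 file and the .asc link to https.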
Modified: unomi/website/index.html
URL:
http://svn.apache.org/viewvc/unomi/website/index.html?rev=1883398&r1=1883397&r2=1883398&view=diff
==============================================================================
--- unomi/website/index.html (original)
+++ unomi/website/index.html Fri Nov 13 18:48:19 2020
@@ -258,6 +258,7 @@
<div class="col-md-12">
<h2 class="featurette-heading">News</h2>
<ul>
+ <li>2020-11-01 Released version 1.5.2</li>
<li>2020-05-14 Released version 1.5.1</li>
<li>2020-05-09 Released version 1.5.0</li>
<li>2019-05-24 Released version 1.4.0</li>
Added: unomi/website/security/cve-2020-13942.txt
URL:
http://svn.apache.org/viewvc/unomi/website/security/cve-2020-13942.txt?rev=1883398&view=auto
==============================================================================
--- unomi/website/security/cve-2020-13942.txt (added)
+++ unomi/website/security/cve-2020-13942.txt Fri Nov 13 18:48:19 2020
@@ -0,0 +1,44 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2020-13942: Remote Code Execution in Apache Unomi
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache Unomi prior to 1.5.2
+
+Description:
+
+Apache Unomi allows conditions to use OGNL and MVEL scripting which offers the
possibility
+to call static Java classes from the JDK that could execute code with the
+permission level of the running Java process.
+
+This has been fixed in revision:
+
+https://github.com/apache/unomi/commit/0b81ba35dd3c3c2e0a92ce06592b3df90571eced
+
+Migration:
+
+Apache Unomi users should upgrade to 1.5.2 or later.
+
+Credit: This issue was reported by Eugene Rojavski of Checkmarx.
+-----BEGIN PGP SIGNATURE-----
+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+=m8RZ
+-----END PGP SIGNATURE-----
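Review bot: The advisory is published as a PGP clear-signed file, but nothing in it or in the documentation.html entry says which key signed it or where to get that key, so readers have no stated way to check the signature. Add a pointer to the project KEYS file (the release guide places it under https://dist.apache.org/repos/dist/release/unomi). Because the body is clear-signed, the file also has to be committed byte for byte: any re-wrapping or whitespace change made by the site publishing step invalidates the signature, so verify it once against the deployed copy. On content, the Description says OGNL and MVEL conditions can call static JDK classes but does not state which requests can supply such conditions or whether authentication is needed, and Migration lists only the upgrade; a line on exposure and on any interim mitigation for users who cannot move to 1.5.2 immediately would make a Critical advisory easier to act on.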