Dev List - This announcement is to acknowledge the work of the release manager and the entire community in pushing out the 1.5.0 release, which includes a fix for a reported security issue.

If you know of a security issue, the practice is to send an email to security AT fineract.apache.org. We then determine its level of criticality according to a risk model and provide a fix in the next release, or a patch if one is required. Please see https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report

Thank you @Michael Vorburger <[email protected]> for submitting the fix.

*CVE-2020-17514: Disabled Hostname verification for HTTPS*

[DESCRIPTION]: *Critical*: Apache Fineract disables HTTPS hostname verification in `ProcessorHelper` in the `configureClient` method. Under typical deployments, a man-in-the-middle attack could be successful.

*Release branch*: The fix is available at https://github.com/apache/fineract/tree/1.5.0.

*Acknowledgements*: We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue, and the *Apache Security team* for their assistance.

Reported to security team: 15 October 2020
Fixed: 19 October 2020
Update released: 23 May 2021
Issue public: 26 May 2021

Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0

[REFERENCES]: https://issues.apache.org/jira/browse/FINERACT-1211

------

Please also note the many improvements and new features in this release. https://cwiki.apache.org/confluence/display/FINERACT/1.5.0+-+Apache+Fineract
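For readers who want to see what "disables HTTPS hostname verification" looks like in code, the following is an added example written for this page; it is not Fineract's `ProcessorHelper` code and does not reproduce the exact lines that were fixed. It uses the JDK's own `HttpsURLConnection`; the webhook URL, the truststore path and its password are placeholders. The first client shows the class of bug the advisory describes (a `HostnameVerifier` that accepts every name), the second keeps the JDK default verifier, and the third shows the right way to handle a private CA or self-signed endpoint certificate, which is the usual reason such checks get disabled in the first place.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Fineract code): an outbound HTTPS client configured the
 * way CVE-2020-17514 describes, beside two hardened configurations.
 */
public final class WebhookTlsExample {

    /**
     * BEFORE: a verifier that accepts every hostname. Any certificate the
     * trust store considers valid, issued for ANY name, now satisfies the
     * client. An on-path attacker holding a legitimate certificate for a
     * domain they control can therefore terminate TLS and read or alter the
     * webhook traffic, which is the man-in-the-middle the advisory warns of.
     */
    static HostnameVerifier allowAllVerifier() {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true; // the bug: hostname is never compared to the cert
            }
        };
    }

    static HttpsURLConnection insecureClient(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(allowAllVerifier()); // never ship this
        return conn;
    }

    /**
     * AFTER: leave the JDK's default verifier in place. It checks the peer
     * certificate's subject alternative names (or CN) against the host in
     * the URL. Setting it explicitly is redundant but documents the intent.
     */
    static HttpsURLConnection hardenedClient(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }

    /**
     * If the real reason the check was disabled is a private CA or a
     * self-signed endpoint certificate, trust that certificate explicitly
     * via a dedicated truststore (assumed PKCS12 file at truststorePath) and
     * keep hostname verification on. Trust and identity are separate checks;
     * relaxing the first is no reason to drop the second.
     */
    static HttpsURLConnection hardenedClientWithPrivateCa(URL url,
                                                          String truststorePath,
                                                          char[] truststorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststorePath)) {
            trust.load(in, truststorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is deliberately NOT overridden here.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL; pass a real endpoint as the first argument.
        URL url = new URL(args.length > 0 ? args[0] : "https://webhook.example.test/hook");
        HttpsURLConnection conn = hardenedClient(url);
        conn.setRequestMethod("GET");
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

To confirm a deployed client really verifies hostnames, point it at an endpoint whose certificate chains to a trusted CA but was issued for a different name: the hardened client must refuse the connection with an SSL exception naming the mismatch, while the insecure one completes the request. The same `hostnameVerifier`-style knob exists in most Java HTTP client libraries, so the audit question for any outbound HTTPS code path is the same: grep for verifiers that unconditionally return `true` and for trust managers with empty `check*Trusted` bodies.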
