Thanks James for highlighting this security issue and its solution in the latest release.
On Thu, 27 May 2021 at 05.11, James Dailey <[email protected]> wrote:

> Dev List - This announcement is to acknowledge the work of the Release
> manager and the entire community in pushing out the 1.5.0, which included a
> fix for a reported issue.
>
> If you know of a security issue, the practice is to send an email to:
> security AT fineract.apache.org. We then determine its level of
> criticality according to a risk model and provide a fix in the next
> release, or patch is required.
>
> Please see
> https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report
>
> Thank you @Michael Vorburger <[email protected]> for submitting the fix.
>
> *CVE-2020-17514: Disabled Hostname verification for HTTPS*
>
> [DESCRIPTION]:
>
> *Critical*: Apache Fineract disables HTTPS hostname verification in
> `ProcessorHelper` in the `configureClient` method.
>
> Under typical deployments, a man in the middle attack could be successful.
>
> *Release branch*: The fix is available at
> https://github.com/apache/fineract/tree/1.5.0.
>
> *Acknowledgements*: We would like to thank Simon Gerst at
> https://github.com/intrigus-lgtm for reporting this issue, and the *Apache
> Security team* for their assistance.
>
> Reported to security team 15 October 2020
> Fixed 19 October 2020
> Update Released 23 May 2021
> Issue public 26 May 2021
> Affects 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0,
> 1.1.0, 1.2.0, 1.3.0, 1.4.0
>
> [REFERENCES]:
>
> https://issues.apache.org/jira/browse/FINERACT-1211
>
> ------
>
> Please also note the many improvements and new features in this release.
>
> https://cwiki.apache.org/confluence/display/FINERACT/1.5.0+-+Apache+Fineract

--
Ankit
Managing Partner
Muellners LLC
This mail is governed by Muellners® IT policy.
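The advisory quoted above describes the bug class only in one sentence: an HTTPS client in which hostname verification has been switched off. The following is an added illustration written for this thread, in Java because that is Fineract's language; it is not Fineract's `ProcessorHelper` and does not reproduce the actual `configureClient` code. It shows the weak pattern (a `HostnameVerifier` that accepts every name) next to the hardened form (leave the JDK's default verifier in place), plus a small probe a reviewer can run against any host whose certificate was issued for a different name than the one in the URL, to confirm that a client really rejects the mismatch. The class name, the probe and the `hostname wrong` message check are assumptions of this example; the message text is what `HttpsURLConnection` in OpenJDK uses for a failed hostname check.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;

/**
 * Added example for this mailing-list thread (not Fineract code).
 * Demonstrates the difference between a client with hostname verification
 * disabled and one that keeps the JDK default, and a probe to check which one
 * you are looking at.
 */
public final class HostnameVerificationDemo {

    /**
     * WEAK: every certificate name is accepted. A server holding any
     * certificate the trust store accepts can then impersonate the intended
     * peer, which is exactly the man-in-the-middle condition the advisory
     * describes. This is the kind of line a fix for the issue removes.
     */
    static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    /** Client with hostname verification disabled (assumed shape of the weak setup). */
    static HttpsURLConnection openWeak(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(ACCEPT_ALL);
        return conn;
    }

    /**
     * HARDENED: do not install a verifier at all. HttpsURLConnection then
     * checks the certificate's subject alternative names against the URL's
     * host using the JDK's built-in rules.
     */
    static HttpsURLConnection openHardened(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Deliberately no setHostnameVerifier(...) call here.
        return conn;
    }

    /**
     * Probe: returns true when the connection is refused because the peer's
     * certificate does not match the host (or cannot be trusted at all),
     * false when the client happily talks to it.
     */
    static boolean rejectsMismatch(HttpsURLConnection conn) {
        try {
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.connect();           // handshake + JDK hostname check happen here
            conn.getResponseCode();
            return false;             // request went through: verification is not protecting you
        } catch (SSLException e) {
            return true;              // handshake/trust failure, e.g. untrusted chain
        } catch (IOException e) {
            // OpenJDK reports a failed hostname check as
            // IOException("HTTPS hostname wrong:  should be <host>")
            String msg = e.getMessage();
            return msg != null && msg.contains("hostname wrong");
        } finally {
            conn.disconnect();
        }
    }

    /**
     * Usage: java HostnameVerificationDemo https://<host-whose-cert-is-for-another-name>/
     * For instance, a deployment reached by IP address, or a test host that
     * serves a certificate for a different name on purpose. Expected output
     * for such a target: the hardened client rejects, the weak one does not.
     */
    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: HostnameVerificationDemo <https-url>");
            System.exit(2);
        }
        URL target = URI.create(args[0]).toURL();
        System.out.println("default verifier rejects mismatch : " + rejectsMismatch(openHardened(target)));
        System.out.println("accept-all verifier rejects mismatch: " + rejectsMismatch(openWeak(target)));
    }
}
```

Two practical notes. First, the same weakness appears in other client stacks under a different name: if the client is built with OkHttp, the equivalent call is `OkHttpClient.Builder.hostnameVerifier(...)`, and a builder that passes a verifier returning `true` unconditionally should be treated as a finding regardless of what trust manager is configured. Second, when reviewing a fix for this class of issue, grep the code base for `HostnameVerifier`, `hostnameVerifier(` and `setDefaultHostnameVerifier(`; a correct fix generally deletes the override rather than replacing it with another custom verifier.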
