Did we send a message to [email protected] @Petri?

On Thu, May 27, 2021 at 3:03 PM Muellners ApS <[email protected]> wrote:
> Thanks James for highlighting this security issue and its solution in the
> latest release.
>
> On Thu, 27 May 2021 at 05.11, James Dailey <[email protected]> wrote:
>
>> Dev List - This announcement is to acknowledge the work of the Release
>> manager and the entire community in pushing out the 1.5.0, which included a
>> fix for a reported issue.
>>
>> If you know of a security issue, the practice is to send an email to:
>> security AT fineract.apache.org. We then determine its level of
>> criticality according to a risk model and provide a fix in the next
>> release, or patch is required.
>>
>> Please see
>> https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report
>>
>> Thank you @Michael Vorburger <[email protected]> for submitting the
>> fix.
>>
>> *CVE-2020-17514: Disabled Hostname verification for HTTPS*
>>
>> [DESCRIPTION]:
>>
>> *Critical*: Apache Fineract disables HTTPS hostname verification in
>> `ProcessorHelper` in the `configureClient` method.
>>
>> Under typical deployments, a man in the middle attack could be
>> successful.
>>
>> *Release branch*: The fix is available at
>> https://github.com/apache/fineract/tree/1.5.0.
>>
>> *Acknowledgements*: We would like to thank Simon Gerst at
>> https://github.com/intrigus-lgtm for reporting this issue, and the *Apache
>> Security team* for their assistance.
>>
>> Reported to security team: 15 October 2020
>> Fixed: 19 October 2020
>> Update released: 23 May 2021
>> Issue public: 26 May 2021
>> Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0,
>> 1.1.0, 1.2.0, 1.3.0, 1.4.0
>>
>> [REFERENCES]:
>>
>> https://issues.apache.org/jira/browse/FINERACT-1211
>>
>> ------
>>
>> Please also note the many improvements and new features in this release.
>>
>> https://cwiki.apache.org/confluence/display/FINERACT/1.5.0+-+Apache+Fineract
>>
> --
> Ankit
> Managing Partner
> Muellners LLC
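The advisory quoted above names the defect (HTTPS hostname verification switched off in `ProcessorHelper.configureClient`) but shows no code. The following is an added example, not Fineract's own code and not from the reporter, written in Go rather than Fineract's Java, that makes the consequence concrete: a correctly configured client chains the presented certificate to a trusted root *and* checks that it was issued for the name the client meant to reach, whereas a client that skips the hostname step accepts any certificate a trusted CA ever issued, which is exactly what lets a third party on the path stand in for the real server. The hostnames, the self-signed certificate (used as its own trust root to stand in for a CA the client trusts) and the helpers `newSelfSignedCert`, `verifyPeer` and `isHostnameMismatch` are all constructed for this demo.

```go
package main

// Added example (not Apache Fineract code): what HTTPS hostname verification
// checks, and what a client loses when it is switched off. All names and the
// certificate are constructed in memory for the demo.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert builds a constructed self-signed server certificate that is
// valid only for dnsName, plus a trust pool containing it. The pool stands in
// for the CA store a real client trusts.
func newSelfSignedCert(dnsName string) (*x509.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName}, // the SAN is what hostname checks match against
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, pool, nil
}

// verifyPeer models the client-side check run on the server's certificate.
// checkHostname=true is the correct behaviour: chain to a trusted root AND
// require the certificate to be issued for expectedHost. checkHostname=false
// reproduces the weakened behaviour the advisory describes: any trusted
// certificate passes, no matter which host it was issued to.
func verifyPeer(cert *x509.Certificate, roots *x509.CertPool, expectedHost string, checkHostname bool) error {
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if checkHostname {
		opts.DNSName = expectedHost // Go's verifier rejects a SAN mismatch for this name
	}
	_, err := cert.Verify(opts)
	return err
}

// isHostnameMismatch reports whether a verification failure is specifically a
// name mismatch rather than an untrusted or expired certificate.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// demo runs the constructed scenario: the client intends to reach
// fineract.example.test but is shown a trusted certificate issued for a
// different name. It returns whether the strict and the lenient client accept it.
func demo() (strictAccepts bool, lenientAccepts bool, err error) {
	const intended = "fineract.example.test"
	presented, roots, err := newSelfSignedCert("other-host.example.test")
	if err != nil {
		return false, false, err
	}
	strictAccepts = verifyPeer(presented, roots, intended, true) == nil
	lenientAccepts = verifyPeer(presented, roots, intended, false) == nil
	return strictAccepts, lenientAccepts, nil
}

func main() {
	strict, lenient, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("hostname verification on:  accepted=%v\n", strict)  // false
	fmt.Printf("hostname verification off: accepted=%v\n", lenient) // true
}
```

The same split applies to any TLS client library: chain validation answers "was this certificate issued by someone I trust?", hostname verification answers "was it issued for the host I am talking to?", and only the two together identify the peer. In an OkHttp-based Java client, the equivalent hardening is simply to leave the library's default hostname verifier in place rather than installing one that always returns true.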
