About the release? Yes - this was done, and you can see it in the announce mailing list archives.
Regards
Petri

> On 27 May 2021, at 9:30 PM, Aleksandar Vidakovic <[email protected]> wrote:
>
> Did we send a message to [email protected] @Petri?
>
> On Thu, May 27, 2021 at 3:03 PM Muellners ApS <[email protected]> wrote:
> Thanks James for highlighting this security issue and its solution in the latest release.
>
> On Thu, 27 May 2021 at 05.11, James Dailey <[email protected]> wrote:
> Dev List - This announcement is to acknowledge the work of the Release manager and the entire community in pushing out the 1.5.0, which included a fix for a reported issue.
>
> If you know of a security issue, the practice is to send an email to: security AT fineract.apache.org. We then determine its level of criticality according to a risk model and provide a fix in the next release, or patch is required.
>
> Please see https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report
>
> Thank you @Michael Vorburger for submitting the fix.
>
> CVE-2020-17514: Disabled Hostname verification for HTTPS
> [DESCRIPTION]:
> Critical: Apache Fineract disables HTTPS hostname verification in `ProcessorHelper` in the `configureClient` method.
> Under typical deployments, a man in the middle attack could be successful.
> Release branch: The fix is available at https://github.com/apache/fineract/tree/1.5.0.
> Acknowledgements: We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue, and the Apache Security team for their assistance.
> Reported to security team 15 October 2020
> Fixed 19 October 2020
> Update Released 23 May 2021
> Issue public 26 May 2021
> Affects 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0
> [REFERENCES]:
> https://issues.apache.org/jira/browse/FINERACT-1211
> ------
>
> Please also note the many improvements and new features in this release.
> https://cwiki.apache.org/confluence/display/FINERACT/1.5.0+-+Apache+Fineract
>
> --
> Ankit
> Managing Partner
> Muellners LLC
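
A triage heuristic for the class of bug the quoted advisory describes (a `HostnameVerifier` that accepts any host), added here as an example and not taken from the thread or from Fineract's code. The Java sample is constructed, the checks are regex heuristics rather than a Java parser, and `NoopHostnameVerifier` / `ALLOW_ALL_HOSTNAME_VERIFIER` are Apache HttpClient's own identifiers.

```python
import re

# Heuristic patterns for a HostnameVerifier that accepts every host.
# These are assumptions about common Java idioms, not Fineract's source.
PATTERNS = {
    "verify() always returns true": re.compile(
        r"\bboolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "lambda verifier always returns true": re.compile(
        r"[Hh]ostnameVerifier\b[^;]*?\(\s*\w+\s*,\s*\w+\s*\)\s*->\s*true\b"),
    "Apache HttpClient no-op verifier": re.compile(
        r"\b(NoopHostnameVerifier|ALLOW_ALL_HOSTNAME_VERIFIER)\b"),
}

# Constructed Java sample: two permissive verifiers and one that delegates
# to the JDK default verifier (which must not be flagged).
SAMPLE = '''\
import javax.net.ssl.*;
class Clients {
    void anonymousClass(HttpsURLConnection c) {
        c.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String host, SSLSession s) {
                return true;
            }
        });
    }
    void lambda(HttpsURLConnection c) {
        c.setHostnameVerifier((host, session) -> true);
    }
    void defaultVerifier(HttpsURLConnection c) {
        c.setHostnameVerifier((host, session) ->
            HttpsURLConnection.getDefaultHostnameVerifier().verify(host, session));
    }
}
'''

def scan(source):
    """Return sorted (line_number, finding) pairs for Java source text."""
    findings = []
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, label))
    return sorted(findings)

if __name__ == "__main__":
    for line, label in scan(SAMPLE):
        print(f"line {line}: {label}")
```

Each hit is a candidate for manual review: a match means the code may skip the check that binds the server certificate to the requested host, not that it is exploitable as deployed.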
