+1 ... thanks again Petri

On Thu, May 27, 2021 at 3:31 PM Petri Tuomola <[email protected]> wrote:

> About the release? Yes - this was done, and you can see it in the announce
> mailing list archives.
>
> Regards
> Petri
>
> On 27 May 2021, at 9:30 PM, Aleksandar Vidakovic <[email protected]> wrote:
>
> Did we send a message to [email protected] @Petri?
>
> On Thu, May 27, 2021 at 3:03 PM Muellners ApS <[email protected]> wrote:
>
>> Thanks James for highlighting this security issue and its solution in the
>> latest release.
>>
>> On Thu, 27 May 2021 at 05.11, James Dailey <[email protected]> wrote:
>>
>>> Dev List - This announcement is to acknowledge the work of the Release
>>> manager and the entire community in pushing out the 1.5.0, which included a
>>> fix for a reported issue.
>>>
>>> If you know of a security issue, the practice is to send an email to:
>>> security AT fineract.apache.org. We then determine its level of
>>> criticality according to a risk model and provide a fix in the next
>>> release, or patch is required.
>>>
>>> Please see
>>> https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report
>>>
>>> Thank you @Michael Vorburger <[email protected]> for submitting the
>>> fix.
>>>
>>> *CVE-2020-17514: Disabled Hostname verification for HTTPS*
>>>
>>> [DESCRIPTION]:
>>>
>>> *Critical*: Apache Fineract disables HTTPS hostname verification in
>>> `ProcessorHelper` in the `configureClient` method.
>>>
>>> Under typical deployments, a man in the middle attack could be
>>> successful.
>>>
>>> *Release branch*: The fix is available at
>>> https://github.com/apache/fineract/tree/1.5.0.
>>>
>>> *Acknowledgements*: We would like to thank Simon Gerst at
>>> https://github.com/intrigus-lgtm for reporting this issue, and the *Apache
>>> Security team* for their assistance.
>>>
>>> Reported to security team 15 October 2020
>>> Fixed 19 October 2020
>>> Update Released 23 May 2021
>>> Issue public 26 May 2021
>>> Affects 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0,
>>> 1.1.0, 1.2.0, 1.3.0, 1.4.0
>>>
>>> [REFERENCES]:
>>>
>>> https://issues.apache.org/jira/browse/FINERACT-1211
>>>
>>> ------
>>>
>>> Please also note the many improvements and new features in this release.
>>>
>>> https://cwiki.apache.org/confluence/display/FINERACT/1.5.0+-+Apache+Fineract
>>>
>>> --
>> Ankit
>> Managing Partner
>> Muellners LLC
>>
>> This mail is governed by Muellners® IT policy.
>> The information contained in this e-mail and any accompanying documents
>> may contain information that is confidential or otherwise protected from
>> disclosure. If you are not the intended recipient of this message, or if
>> this message has been addressed to you in error, please immediately alert
>> the sender by reply e-mail and then delete this message, including any
>> attachments. Any dissemination, distribution or other use of the contents
>> of this message by anyone other than the intended recipient is strictly
>> prohibited. All messages sent to and from this e-mail address may be
>> monitored as permitted by applicable law and regulations to ensure
>> compliance with our internal policies and to protect our business. E-mails
>> are not secure and cannot be guaranteed to be error free as they can be
>> intercepted, amended, lost or destroyed, or contain viruses. You are deemed
>> to have accepted these risks if you communicate with us by e-mail.
>>
>
>
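
The class of misconfiguration named in the CVE-2020-17514 description quoted above, shown with plain JDK APIs as an added example: this is not Apache Fineract's code and not part of the original thread. The class name, the `acceptsAnyHost` helper and the probe host name are assumptions made for illustration; the sketch puts the weak accept-all verifier beside the corrected settings and adds a check that can catch an accept-all verifier in a build.

```java
import java.io.IOException;
import java.lang.reflect.Proxy;
import javax.net.ssl.*;

public class HostnameVerificationExample {

    // Weak setting: every host name is accepted, so a certificate issued for
    // one host is honoured for any other host the client connects to.
    static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    // Corrected setting for HttpsURLConnection: do not override the verifier.
    // The JDK's fallback verifier is consulted only after the built-in
    // HTTPS name check has failed, and it rejects.
    static final HostnameVerifier JDK_DEFAULT =
            HttpsURLConnection.getDefaultHostnameVerifier();

    // A raw SSLSocket performs no host name check unless endpoint
    // identification is switched on before the handshake.
    static SSLSocket strictSocket(String host, int port) throws IOException {
        SSLSocket socket =
                (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        return socket;
    }

    // Regression check for a build or unit test: probe the verifier with a
    // constructed host name and a stub session that exposes no certificate.
    static boolean acceptsAnyHost(HostnameVerifier verifier) {
        SSLSession stub = (SSLSession) Proxy.newProxyInstance(
                HostnameVerificationExample.class.getClassLoader(),
                new Class<?>[] {SSLSession.class},
                (proxy, method, args) -> {
                    throw new UnsupportedOperationException(method.getName());
                });
        try {
            return verifier.verify("constructed-mismatch.invalid", stub);
        } catch (RuntimeException e) {
            return false; // it inspected the session, so it is not accept-all
        }
    }

    public static void main(String[] args) {
        System.out.println("ACCEPT_ALL  accepts any host: " + acceptsAnyHost(ACCEPT_ALL));
        System.out.println("JDK_DEFAULT accepts any host: " + acceptsAnyHost(JDK_DEFAULT));
    }
}
```

Running `acceptsAnyHost` against whatever `HostnameVerifier` an HTTP client is configured with gives a cheap test-time signal that host name checking has not been switched off.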
