This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git


The following commit(s) were added to refs/heads/master by this push:
     new 0f33615907 [ANNOUNCE] CVE-2024-37358 + CVE-2024-45626 (#2627)
0f33615907 is described below

commit 0f33615907e4866c350acd8f554389b13450fd5f
Author: Benoit TELLIER <btell...@linagora.com>
AuthorDate: Wed Feb 5 17:59:51 2025 +0100

    [ANNOUNCE] CVE-2024-37358 + CVE-2024-45626 (#2627)
---
 CHANGELOG.md                                        | 18 +++++++++++++++---
 docs/modules/servers/partials/operate/security.adoc | 19 +++++++++++++++++++
 src/homepage/_posts/2025-01-29-james-3.7.6.markdown |  9 +++++++++
 src/homepage/_posts/2025-01-29-james-3.8.2.markdown |  9 +++++++++
 src/site/xdoc/server/feature-security.xml           | 18 ++++++++++++++++++
 5 files changed, 70 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71e6c77e13..916234aba8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -285,10 +285,16 @@ No changes yet.
 
 ## [3.8.2] - 2025-02-05
 
-### Bug fixes
+### Security
+
+- **CVE-2024-37358**: Denial of service through the use of IMAP literals
+- **CVE-2024-45626**: Denial of service through JMAP HTML to text conversion
 
 - [FIX] Prevent HtmlTextExtractor to generate asymmetric outputs
 - [IMPROVEMENT] Better manage IMAP literals (3.8.x) (#2281)
+
+### Bug fixes
+
 - JAMES-4036 JMS mailQueue should silent interuptedExceptions upon shutdown
 - JAMES-4041 Fix OOM upon IMAP COPY
 - JAMES-4037 Resolve MailboxTyper for Spring (#2255)
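Review bot: the two entries that actually fix the advisories, `- [FIX] Prevent HtmlTextExtractor to generate asymmetric outputs` and `- [IMPROVEMENT] Better manage IMAP literals (3.8.x) (#2281)`, end up under the new `### Security` heading but are separated from the CVE bullets by a blank line, so a reader cannot tell which fix addresses which CVE. Suggest folding each into its CVE bullet (IMAP literals into CVE-2024-37358, HtmlTextExtractor into CVE-2024-45626) or at least dropping the blank line. The `(3.8.x)` qualifier is redundant inside the 3.8.2 section.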
@@ -617,11 +623,17 @@ No changes yet.
 
 ## [3.7.6] - 2025-02-05
 
+### Security
+
+- **CVE-2024-37358**: Denial of service through the use of IMAP literals
+- **CVE-2024-45626**: Denial of service through JMAP HTML to text conversion
+
+- [FIX] Prevent HtmlTextExtractor to generate asymmetric outputs
+- [IMPROVEMENT] Better manage IMAP literals (3.8.x) (#2281)
+
 ### Bug fixes
 
  - [BUILD] Fully drop glowroot
- - [FIX] Prevent HtmlTextExtractor to generate asymmetric outputs
- - [IMPROVEMENT] Better manage IMAP literals (3.7.x) (#2282)
  - [FIX] Solve weave/rest-smtp-sink: Docker image manifest v2 schema 1 
deprecation issue (#2152)
  - JAMES-3955 Increase consumer timeout for TaskManagerWorkQueue
  - JAMES-3955 WARNING logs upon closing channels
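Review bot: the 3.7.6 section now reads `+- [IMPROVEMENT] Better manage IMAP literals (3.8.x) (#2281)` while the line it replaces read `- [IMPROVEMENT] Better manage IMAP literals (3.7.x) (#2282)`; this looks like a copy-paste from the 3.8.2 section and points the 3.7.x changelog at the wrong branch and PR number. Restore `(3.7.x) (#2282)`. Minor: the new bullets use `- ` while the surrounding 3.7.6 entries use ` - ` (leading space), and `Prevent HtmlTextExtractor to generate` reads better as `from generating`.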
diff --git a/docs/modules/servers/partials/operate/security.adoc 
b/docs/modules/servers/partials/operate/security.adoc
index 7f84aeb5de..16758d5aee 100644
--- a/docs/modules/servers/partials/operate/security.adoc
+++ b/docs/modules/servers/partials/operate/security.adoc
@@ -109,6 +109,25 @@ outdated dependencies.
 
 We follow the standard procedures within the ASF regarding 
link:https://apache.org/security/committers.html#vulnerability-handling[vulnerability
 handling]
 
+=== CVE-2024-37358: Denial of service through the use of IMAP literals
+
+Apache James prior to versions  3.8.2 or 3.7.6 allows an attacker
+to trigger a denial of service by exploiting IMAP literals.
+
+*Severity*: Moderate
+
+*Mitigation*: Update to Apache James 3.8.2 or 3.7.6 onward.
+
+=== CVE-2024-45626: Denial of service through JMAP HTML to text conversion
+
+Apache James prior to versions  3.8.2 or 3.7.6 allows logged in attacker
+to trigger a denial of service by exploiting html to text conversion.
+
+*Severity*: Moderate
+
+*Mitigation*: Update to Apache James 3.8.2 or 3.7.6 onward.
+
+
 === CVE-2024-21742: Mime4J DOM header injection
 
 Apache JAMES MIME4J prior to version 0.8.10 allow attackers able to specify 
the value of a header field to craft other header fields.
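Review bot: wording and formatting nits in the two new advisory blocks: double space in `versions  3.8.2` (both entries), `allows logged in attacker` should be `allows a logged-in attacker`, `html to text` should be `HTML to text` to match the heading, and there are two trailing blank lines before the CVE-2024-21742 heading where the file uses one. `prior to versions 3.8.2 or 3.7.6` is ambiguous about which releases are affected; spell out the ranges (3.7.x before 3.7.6 and 3.8.x before 3.8.2), which is what the Mitigation line already implies. The CVE-2024-45626 entry states the attacker must be logged in while the CVE-2024-37358 entry says only `an attacker`; if that difference is intentional, say explicitly whether the IMAP literal issue is reachable before authentication, since that changes the operational risk for exposed IMAP listeners.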
diff --git a/src/homepage/_posts/2025-01-29-james-3.7.6.markdown 
b/src/homepage/_posts/2025-01-29-james-3.7.6.markdown
index f37a0d912f..95cb78fbc1 100644
--- a/src/homepage/_posts/2025-01-29-james-3.7.6.markdown
+++ b/src/homepage/_posts/2025-01-29-james-3.7.6.markdown
@@ -11,6 +11,15 @@ Early adopters can [download it][download], any issue can be 
reported on our iss
 
 The Apache James PMC would like to thanks all contributors who made this 
release possible!
 
+## Announcement
+
+This release comprise minor bug fixes enhancing Apache James stability.
+
+This release fixes the following security issues:
+
+- **CVE-2024-37358**: Denial of service through the use of IMAP literals
+- **CVE-2024-45626**: Denial of service through JMAP HTML to text conversion
+
 ## Release changelog
 
 The full changes included in this release can be seen in the 
[CHANGELOG][CHANGELOG].
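Review bot: grammar in the added line `This release comprise minor bug fixes enhancing Apache James stability.` should be `comprises`. The new `## Announcement` section lists the CVE ids without a link to the security page where severity and mitigation are documented; consider linking each bullet there. Pre-existing but adjacent: `would like to thanks all contributors` in the context line should be `thank`, as the 3.8.2 post already has it.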
diff --git a/src/homepage/_posts/2025-01-29-james-3.8.2.markdown 
b/src/homepage/_posts/2025-01-29-james-3.8.2.markdown
index ca1cd65eba..67b237779e 100644
--- a/src/homepage/_posts/2025-01-29-james-3.8.2.markdown
+++ b/src/homepage/_posts/2025-01-29-james-3.8.2.markdown
@@ -11,6 +11,15 @@ Early adopters can [download it][download], any issue can be 
reported on our iss
 
 The Apache James PMC would like to thank all contributors who made this 
release possible!
 
+## Announcement
+
+This release comprise minor bug fixes enhancing Apache James stability.
+
+This release fixes the following security issues:
+
+- **CVE-2024-37358**: Denial of service through the use of IMAP literals
+- **CVE-2024-45626**: Denial of service through JMAP HTML to text conversion
+
 ## Release changelog
 
 The full changes included in this release can be seen in the 
[CHANGELOG][CHANGELOG].
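Review bot: same `comprise` to `comprises` fix as in the 3.7.6 post; the two announcement blocks are identical, so whichever wording is settled on should be applied to both files in the same commit.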
diff --git a/src/site/xdoc/server/feature-security.xml 
b/src/site/xdoc/server/feature-security.xml
index e69ec93365..cebf614e5c 100644
--- a/src/site/xdoc/server/feature-security.xml
+++ b/src/site/xdoc/server/feature-security.xml
@@ -61,6 +61,24 @@
             <a 
href="https://apache.org/security/committers.html#vulnerability-handling";>vulnerability
 handling</a>.
         </subsection>
 
+        <subsection name="CVE-2024-37358: Denial of service through the use of 
IMAP literals">
+            <p> Apache James prior to versions  3.8.2 or 3.7.6 allows an 
attacker
+                to trigger a denial of service by exploiting IMAP literals.</p>
+
+            <p><b>Severity</b>: Moderate</p>
+
+            <p><b>Mitigation</b>: Update to Apache James 3.8.2 or 3.7.6 
onward.</p>
+        </subsection>
+
+        <subsection name="CVE-2024-45626: Denial of service through JMAP HTML 
to text conversion">
+            <p> Apache James prior to versions  3.8.2 or 3.7.6 allows logged 
in attacker
+                to trigger a denial of service by exploiting html to text 
conversion.</p>
+
+            <p><b>Severity</b>: Moderate</p>
+
+            <p><b>Mitigation</b>: Update to Apache James 3.8.2 or 3.7.6 
onward.</p>
+        </subsection>
+
         <subsection name="CVE-2024-21742: Mime4J DOM header injection">
             <p> Apache JAMES MIME4J prior to version 0.8.10 allow attackers 
able to specify the value of a header field to craft other header fields.</p>
 
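Review bot: the XML copy reproduces the adoc text together with its nits: double spaces in `versions  3.8.2`, `allows logged in attacker` (missing article and hyphen), and lowercase `html`. The same advisory text now lives in three places (CHANGELOG.md, security.adoc, feature-security.xml); keep them word-for-word identical so that a correction in one file is not lost in the others, and the `prior to versions 3.8.2 or 3.7.6` range ambiguity noted for the adoc applies here too.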