CVE-2017-12626 – Denial of Service Vulnerabilities in Apache POI < 3.17

2018-01-26 Thread Tim Allison
Title: CVE-2017-12626 – Denial of Service Vulnerabilities in Apache POI < 3.17

Severity: Important

Vendor: The Apache Software Foundation

Versions affected: versions prior to version 3.17

Description:
    Apache POI versions prior to release 3.17 are vulnerable to Denial of
Service Attacks:
    * Infinite Loops while parsing specially crafted WMF, EMF, MSG and macros
      (POI bugs 61338 [0] and 61294 [1])
    * Out of Memory Exceptions while parsing specially crafted DOC, PPT and XLS
      (POI bugs 52372 [2] and 61295 [3])


Mitigation:  Users with applications which accept content from external or 
untrusted sources are advised to upgrade to Apache POI 3.17 or newer.

-Tim Allison

on behalf of the Apache POI PMC

 

[0] https://bz.apache.org/bugzilla/show_bug.cgi?id=61338
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=61294
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=52372
[3] https://bz.apache.org/bugzilla/show_bug.cgi?id=61295


[ANN] Release of Apache Chainsaw 2.0.0

2018-01-26 Thread Matt Sicker
The Apache Logging Services project is pleased to announce the availability
of Apache Chainsaw 2.0.0. This is a long-awaited release of the Chainsaw
trunk/master code.

Apache Chainsaw is a Java GUI application to search, watch, and gather log
data from applications, particularly applications using Apache Log4j. This
release requires Java 6, though the source code can still be potentially
built with Java 1.4.

Site: https://logging.apache.org/chainsaw/2.x/
Downloads: https://logging.apache.org/chainsaw/2.x/download.html


[ANNOUNCE] Apache Jackrabbit Oak 1.8.1 released

2018-01-26 Thread Davide Giannella
The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit Oak. The release is available for download at:

http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release:

Release Notes -- Apache Jackrabbit Oak -- Version 1.8.1

Introduction
------------

Jackrabbit Oak is a scalable, high-performance hierarchical content
repository designed for use as the foundation of modern world-class
web sites and other demanding content applications.

Jackrabbit Oak 1.8.1 is a patch release that contains fixes and
improvements over Oak 1.8. Jackrabbit Oak 1.8.x releases are
considered stable and targeted for production use.

The Oak effort is a part of the Apache Jackrabbit project.
Apache Jackrabbit is a project of the Apache Software Foundation.

Changes in Oak 1.8.1
--------------------

Technical task

[OAK-7060] - RDBDocumentStore.getStats() for SQLServer
[OAK-7137] - Upgrade to scr bnd plugin that places the metatype files in the correct location
[OAK-7138] - Move metatype files in source control to correct location
[OAK-7141] - Remove unused metatype.properties
[OAK-7142] - RDBDocumentStoreDB: use try-with-resources in new code introduced for getStats()

Bug

[OAK-4401] - Excerpt Highlighting for a property is not correct
[OAK-7131] - xpath to sql2 conversion drops order by clause for some cases
[OAK-7132] - SNFE after full compaction
[OAK-7136] - Stop storing metatype.properties files under OSGI-INF/metatype
[OAK-7147] - Oak run LuceneIndexer indexes excluded parent nodes
[OAK-7152] - CacheMap.clear() never returns
[OAK-7162] - Race condition on revisions head between compaction and scheduler could result in skipped commit
[OAK-7168] - The debug command returns a zero exit code on error
[OAK-7169] - The datastorecheck returns a zero exit code on error
[OAK-7171] - The history command returns a zero exit code on error
[OAK-7174] - The check command returns a zero exit code on error
[OAK-7176] - RevisionVector from empty string throws StringIndexOutOfBoundsException

Improvement

[OAK-6031] - Add TarFiles to the architecture diagram
[OAK-7157] - Minimize the amount of generations retained by the Cold Standby
[OAK-7158] - Users shouldn't be able to change the number of retained generations

Task

[OAK-7075] - Document oak-run compact arguments and system properties
[OAK-7126] - make RDBCacheConsistency2Test store-agnostic
[OAK-7130] - Update README.md with Java 8 requirement
[OAK-7172] - Document TarMK specific MBeans
[OAK-7173] - Update documentation for oak-run check

Documentation

[OAK-6941] - Compatibility matrix for oak-run compact
[OAK-6964] - Document tail compaction
[OAK-7112] - Update documentation for cold standby

In addition to the above-mentioned changes, this release contains
all changes included up to the Apache Jackrabbit Oak 1.8.x release.

For more detailed information about all the changes in this and other
Oak releases, please see the Oak issue tracker at

  https://issues.apache.org/jira/browse/OAK

Release Contents
----------------

This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.md file for instructions on how to build this release.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP
signature that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
http://www.apache.org/dist/jackrabbit/KEYS.

About Apache Jackrabbit Oak
---------------------------

Jackrabbit Oak is a scalable, high-performance hierarchical content
repository designed for use as the foundation of modern world-class
web sites and other demanding content applications.

The Oak effort is a part of the Apache Jackrabbit project. 
Apache Jackrabbit is a project of the Apache Software Foundation.

For more information, visit http://jackrabbit.apache.org/oak

About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 140 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 3,800+ contributors.

For more information, visit http://www.apache.org/



[ANNOUNCE] Apache Atlas 1.0.0-alpha released

2018-01-26 Thread Sarath Subramanian
The Apache Atlas team is happy to announce the release of Apache Atlas -
version 1.0.0-alpha.

Atlas is a scalable and extensible set of core foundational governance
services – enabling enterprises to effectively and efficiently meet their
compliance requirements within Hadoop and allowing integration with the whole
enterprise data ecosystem.


The release artifacts are available at:
http://www.apache.org/dyn/closer.cgi/atlas/1.0.0-alpha/

The binary artifacts are available from Maven central and its mirrors.


To use these artifacts, please use the following documentation:
http://atlas.apache.org/1.0.0-alpha

For more details on Apache Atlas, please visit the project website:
http://atlas.apache.org


We thank everyone who made this release possible.


Thanks,
The Apache Atlas team


The Apache News Round-up: week ending 26 January 2018

2018-01-26 Thread Sally Khudairi
[this announcement is available online at 
https://blogs.apache.org/foundation/entry/the-apache-news-round-up55 ]

Here's hoping you had a great week. The Apache community has been working on:

ASF Board – management and oversight of the business affairs of the corporation 
in accordance with the Foundation's bylaws.
 - Next Board Meeting: 21 February. Board calendar and minutes 
http://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's 
infrastructure running around the clock.
 - 7M+ weekly checks yield ace performance at 99.69% uptime 
http://status.apache.org/

ASF Operations Factoid – this week, 519 Apache contributors changed 1,071,102 
lines of code over 3,235 commits. Top 5 contributors, in order, are: Jeff 
Elsloo, Tellier Benoit, Andi Huber, Junkai Xue, and Gary Gregory.

Apache Guacamole™ – a clientless remote desktop gateway that supports standard 
protocols like VNC, RDP, and SSH.
 - Apache Guacamole 0.9.14 released https://guacamole.apache.org/

Apache HttpComponents™ – a set of HTTP/1.1 and HTTP/2 transport components used 
to build custom client and server side HTTP services with a minimal footprint.
 - Apache HttpComponents Client 4.5.5 GA released http://hc.apache.org/

Apache Jackrabbit™ Oak – a scalable, high-performance hierarchical content 
repository designed for use as the foundation of modern world-class Web sites 
and other demanding content applications.
 - Apache Jackrabbit 1.0.41 and Jackrabbit Oak 1.2.28 released 
http://jackrabbit.apache.org/

Apache NiFi™ – an easy to use, powerful, and reliable system to process and 
distribute data.
 - Apache NiFi MiNiFi 0.4.0 released https://nifi.apache.org/

Apache Phoenix™ – enables OLTP and SQL-based operational analytics for Apache 
Hadoop.
 - Apache Phoenix 4.13.2 for CDH 5.11.2 released http://phoenix.apache.org/

Apache Taverna (incubating) – a domain-independent suite of tools used to design 
and execute data-driven scientific workflows, combining WSDL/REST Web Services 
and local tools.
 - Apache Taverna Server 3.1.0-incubating released 
https://taverna.incubator.apache.org/

Apache Tomcat™ – an Open Source software implementation of the Java Servlet, 
JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC 
technologies.
 - Apache Tomcat 7.0.84, 8.0.49, 8.5.27, and 9.0.4 released 
http://tomcat.apache.org/


Did You Know?

 - Did you know that in 2017 the Top 10 most active Apache project mailing 
lists (dev + user) were, in order: Flex, Lucene, Ignite, Kafka, Geode, Flink, 
Tomcat, Cassandra, Beam, and Sentry? https://s.apache.org/h8do

 - Did you know that Spotify uses Apache Hadoop and Apache Crunch to process 
terabytes of user data each day? http://hadoop.apache.org/ and 
http://crunch.apache.org/

 - Did you know that the 2018 Apache EU Roadshow will be held during FOSS 
Backstage 13-14 June in Berlin? https://foss-backstage.de/


Apache Community Notices:

 - Apache in 2017 - By The Digits https://s.apache.org/h8do

 - Foundation Statement – Apache Is Open. https://s.apache.org/PIRA

 - "Success at Apache" focuses on the processes behind why the ASF "just 
works". 1) Project Independence https://s.apache.org/CE0V 2) All Carrot and No 
Stick https://s.apache.org/ykoG 3) Asynchronous Decision Making 
https://s.apache.org/PMvk 4) Rule of the Makers https://s.apache.org/yFgQ 5) 
JFDI -- the unconditional love of contributors https://s.apache.org/4pjM 6) 
Meritocracy and Me https://s.apache.org/tQQh 7) Learning to Build a Stronger 
Community https://s.apache.org/x9Be 8) Meritocracy. https://s.apache.org/DiEo 
9) Lowering Barriers to Open Innovation https://s.apache.org/dAlg 10) All My 
Roads Led to Apache https://s.apache.org/l9OO 11) Scratch Your Own Itch. 
https://s.apache.org/7Amk 12) What a Long Strange (and Great) Trip It's Been 
https://s.apache.org/gVuN

 - Please follow/like/re-tweet the ASF on social media: @TheASF on Twitter and 
on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation

 - Do friend and follow us on the Apache Community Facebook page 
https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account 
https://twitter.com/ApacheCommunity

 - The list of Apache project-related MeetUps can be found at 
http://apache.org/events/meetups.html

 - The Apache Wicket community will be holding a MeetUp on 24 January in 
Hyderabad 
https://www.meetup.com/jughyderabad/events/246743640/?_cookie-check=sA8sdSu69o0Dk0zY

 - The ASF will be back at FOSDEM in Brussels 3-5 February 2018. We'll see you 
there! https://fosdem.org/2018/

 - The ASF is a Developer Week Community Partner 3-7 February in San Francisco 
https://blogs.apache.org/comdev/entry/apache-software-foundation-community-sponsor

 - The Apache Tinkerpop community will be holding a MeetUp on Gremlin on 21 
February in New York 
https://www.meetup.com/DataStax-UserGroup-NewYork/events/246762770/

 - Apache CloudStack will be holding their first German