[ANNOUNCE] Apache PDFBox JBIG2 ImageIO plugin 3.0.3 released

2019-12-19 Thread Andreas Lehmkuehler

The Apache PDFBox community is pleased to announce the release of
Apache PDFBox JBIG2 ImageIO plugin version 3.0.3. The release is
available for download at:

http://pdfbox.apache.org/download.cgi

See the full release notes below for details about this release.

Release Notes -- Apache JBIG2 ImageIO -- Version 3.0.3

Introduction


The Java ImageIO plugin for JBIG2 enables access to images encoded using the
JBIG2 image compression standard. This component is part of the Apache PDFBox®
project.

This is an incremental bugfix release based on the earlier 3.0.2 release.

For more details on all fixes and improvements included in this release, please
refer to the following issues on the PDFBox issue tracker at
https://issues.apache.org/jira/browse/PDFBOX.

Bug

[PDFBOX-4472] Thread stuck in SoftReferenceCache.get
[PDFBOX-4598] oversized jbig2 decoded result that causing unnecessary operation

Release Contents


This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.md file for instructions on how to build this release.

The source archive is accompanied by SHA512 checksums and a PGP signature
that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/pdfbox/KEYS.

About Apache PDFBox
---

Apache PDFBox is an open source Java library for working with PDF documents.
This project allows creation of new PDF documents, manipulation of existing
documents and the ability to extract content from documents. Apache PDFBox
also includes several command line utilities. Apache PDFBox is published
under the Apache License, Version 2.0.

For more information, visit http://pdfbox.apache.org/

About The Apache Software Foundation


Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 100 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 2,500+ contributors.

For more information, visit http://www.apache.org/


[CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer

2019-12-19 Thread Matt Sicker
CVE-2019-17571: Deserialization of untrusted data in SocketServer

Severity: Critical
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/RL:W

Product:
Apache Log4j

Versions Affected:
Apache Log4j up to and including 1.2.27. Separately fixed by
CVE-2017-5645 in Log4j 2.8.2.

Problem type:
CWE-502: Deserialization of Untrusted Data

Description:

Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely
execute arbitrary code when combined with a deserialization gadget
when listening to untrusted network traffic for log data.

Mitigation:

Apache Log4j 1.2 reached end of life in August 2015. Users should
upgrade to Log4j 2.x, which addresses both that vulnerability and
numerous other issues in the previous versions.

Credit:

This issue was initially discovered in CVE-2017-5645 by Marcio Almeida
de Macedo of Red Team at Telstra.

Links:

https://logging.apache.org/log4j/1.2/
https://issues.apache.org/jira/browse/LOG4J2-1863

-- 
Matt Sicker
Secretary, Apache Software Foundation
VP Logging Services, ASF
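The advisory above names one class, SocketServer, as the entry point and gives upgrading as the fix, so the practical first step for a defender is knowing which jars on a classpath still ship that class. The script below is an added example, not code from the advisory or from Apache Log4j: it opens each jar as a zip archive, reads the Implementation-Version (or Bundle-Version) from META-INF/MANIFEST.MF, and reports every jar that contains org/apache/log4j/net/SocketServer.class. The sample jars and their version strings are constructed in memory so the example runs offline; point `findings()` at real jar bytes to use it on a deployment.

```python
"""Classpath inventory check for the Log4j 1.2 SocketServer class named in
CVE-2019-17571. Added example; the jars built below are constructed
in-memory stand-ins with empty class entries, not real Log4j artifacts."""
import io
import zipfile
from typing import Dict, Iterable, List, Optional

# Class named in the advisory as the deserialization entry point.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"


def manifest_version(manifest: str) -> Optional[str]:
    """Return Implementation-Version or Bundle-Version from a MANIFEST.MF body."""
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None


def inspect_jar(jar_bytes: bytes) -> Dict[str, object]:
    """Report whether a jar ships the SocketServer class and which version it claims."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    return {
        "socket_server": SOCKET_SERVER_CLASS in names,
        "version": manifest_version(manifest),
    }


def findings(jars: Dict[str, bytes]) -> List[str]:
    """One finding line per jar path whose archive carries the SocketServer class."""
    out: List[str] = []
    for path, data in jars.items():
        info = inspect_jar(data)
        if info["socket_server"]:
            version = info["version"] or "unknown version"
            out.append(f"{path}: version {version} contains "
                       f"{SOCKET_SERVER_CLASS} (CVE-2019-17571)")
    return out


def build_sample_jar(entries: Iterable[str], version: Optional[str]) -> bytes:
    """Constructed stand-in jar: empty class entries plus a minimal manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed sample classpath: one Log4j 1.x-style jar that still carries the
# SocketServer class, and one Log4j 2-style jar that does not. Version strings
# are placeholders, not real release numbers.
SAMPLE_JARS: Dict[str, bytes] = {
    "lib/log4j-1.2-sample.jar": build_sample_jar(
        ["org/apache/log4j/Logger.class", SOCKET_SERVER_CLASS], "1.2.x-sample"),
    "lib/log4j-core-2-sample.jar": build_sample_jar(
        ["org/apache/logging/log4j/core/Logger.class"], "2.x-sample"),
}

if __name__ == "__main__":
    for line in findings(SAMPLE_JARS):
        print(line)
```

The check keys on the class entry rather than on the jar file name because repackaged or shaded jars keep the class path but lose the recognisable name; the manifest version is reported only as supporting evidence, since a manifest can be missing or rewritten.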