[ANNOUNCE] Apache Druid 0.17.1 release
The Apache Druid team is proud to announce the release of Apache Druid 0.17.1. Druid is a high performance analytics data store for event-driven data.

Apache Druid 0.17.1 is a bug fix release that addresses a string encoding issue.

Source and binary distributions can be downloaded from:
https://druid.apache.org/downloads.html

Release notes are at:
https://github.com/apache/incubator-druid/releases/tag/druid-0.17.1
[CVE-2020-1958]: Apache Druid LDAP injection vulnerability
Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Druid 0.17.0

Description:
When LDAP authentication is enabled:
- Callers of Druid APIs with a valid set of LDAP credentials can bypass the `credentialsValidator.userSearch` filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured.
- Callers of Druid APIs can retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.

Mitigation:
- Users of Druid 0.17.0 that use LDAP authentication should upgrade to Druid 0.17.1.

Credit:
This issue was discovered by Grzegorz Goławski.
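As an added illustration of the class of bug behind this advisory (example code written for this page, not Druid's own code and not part of the advisory), the following Python contrasts substituting a caller-supplied username into a `userSearch`-style filter template raw with substituting it after RFC 4515 escaping. The sample directory, the filter template, the search-then-bind flow and every helper name (`render_unsafe`, `render_safe`, `escape_filter_value`, `search`) are assumptions constructed for the example; the small filter evaluator stands in for a real LDAP server and only understands AND, OR and equality items.

```python
"""Model of LDAP filter injection versus RFC 4515 escaping.

Added illustration, not Druid's code: the directory, the userSearch-style
template, the helper names and the search-then-bind flow are assumptions.
"""
import re

# Constructed sample directory standing in for a real LDAP server.
DIRECTORY = [
    {"uid": "alice", "memberOf": "cn=druid-users,ou=groups,dc=example,dc=org"},
    {"uid": "bob", "memberOf": "cn=druid-users,ou=groups,dc=example,dc=org"},
    {"uid": "carol", "memberOf": "cn=staff,ou=groups,dc=example,dc=org"},
]

# Assumed template in the style of credentialsValidator.userSearch: only
# members of druid-users are meant to pass the search.
USER_SEARCH = "(&(uid=%s)(memberOf=cn=druid-users,ou=groups,dc=example,dc=org))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_unsafe(template: str, username: str) -> str:
    """Raw substitution: the caller controls filter syntax."""
    return template % username


def render_safe(template: str, username: str) -> str:
    """Escaped substitution: the caller can only supply a literal value."""
    return template % escape_filter_value(username)


def _parse(s: str, i: int):
    """Recursive-descent parser for a subset (and/or/equality) of RFC 4515."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, sep, val = s[i:end].partition("=")
    if end < 0 or not sep:
        raise ValueError("malformed filter item")
    # A raw '*' is a wildcard; an escaped one (\2a) is a literal asterisk.
    unescape = lambda p: re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), p)
    pattern = ".*".join(re.escape(unescape(p)) for p in val.split("*"))
    return ("=", attr.lower(), re.compile("^%s$" % pattern)), end + 1


def parse_filter(s: str):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node


def is_well_formed(filter_str: str) -> bool:
    try:
        parse_filter(filter_str)
        return True
    except ValueError:
        return False


def _matches(node, entry) -> bool:
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    _, attr, rx = node
    value = {k.lower(): v for k, v in entry.items()}.get(attr)
    return value is not None and rx.match(value) is not None


def search(filter_str: str):
    """uids the user search returns; a real client then binds as that DN."""
    node = parse_filter(filter_str)
    return [e["uid"] for e in DIRECTORY if _matches(node, e)]


if __name__ == "__main__":
    for username in ("alice", "*", "bob)(|(uid=bob"):
        for label, render in (("raw", render_unsafe), ("escaped", render_safe)):
            f = render(USER_SEARCH, username)
            hits = search(f) if is_well_formed(f) else "rejected: malformed"
            print("%-8s %-18r -> %s\n         %s" % (label, username, hits, f))
```

Run stand-alone, the script prints each rendered filter and what it matches. With raw substitution a username of `*` turns the filter into `(&(uid=*)(memberOf=...))`, which returns every entry in the permitted group before any bind happens, so the search step alone leaks directory data to a caller who holds no password; with escaping the same input becomes `\2a` and matches only a literal asterisk. A payload that tries to change the boolean structure, such as `bob)(|(uid=bob`, is rejected by this strict evaluator because its parentheses no longer balance, while the escaped form is accepted and simply matches nothing. How leniently a given server or client library parses malformed filters is implementation-specific and outside what this model shows; the escaping, not the parser's strictness, is the fix.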
Apache Month in Review: March 2020
[this newsletter is available online at https://s.apache.org/Mar2020 ]

Welcome to the third monthly overview of events from the Apache community. Here's a summary of what happened in March:

New this month --
- Happy 21st Anniversary, ASF! https://s.apache.org/21stAnniversary
- ASF Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19
- Notice on Apache 2020 Conferences https://s.apache.org/zgm8m
- Apache Software Foundation Operations Summary: Q3 2020 (November 2019 - January 2020) https://s.apache.org/r6s5u
- Success at Apache: Google Summer of Code Mentorship... by Sanyam Goel and Kevin A. McGrail https://s.apache.org/ejj5q
- Beijing, China, joins Indore, India, to become the second Apache Local Community (ALC) Chapter https://s.apache.org/t4m3x
- "Inside Infra" --a new interview series with members of the ASF Infrastructure team. Meet Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
- Apache Month in Review: February 2020 https://s.apache.org/Feb2020

Important Dates --
- Next Board Meeting: 15 April 2020. Board calendar and minutes http://apache.org/foundation/board/calendar.html
- COVID-19-related adjustments to Apache Conferences: Roadshows DC and Chicago have been cancelled; the Seattle Roadshow has been postponed. The planners for ApacheCon North America have extended the CFP, and will provide regular status updates. https://www.apachecon.com/

Infrastructure --
Our seven-member Infrastructure team on three continents oversees our highly-reliable, distributed network under the leadership of VP Infrastructure David Nalley and Infrastructure Administrator Greg Stein. ASF Infrastructure supports 300+ Apache projects and their communities across ~200 individual machines, 1,400+ repositories, more than half a petabyte of software source releases, and 2-3M daily emails on 2,000+ lists. ASF Infra performs 7M+ weekly checks to ensure services are available around the clock. The average uptime in March was 99.87%.
Committer Activity --
In March, 785 Apache Committers changed 4,573,799 lines of code over 15,082 commits. The Committers with the top 5 highest contributions, in order, were: Andrea Cosentino, Jean-Baptiste Onofré, Mark Thomas, Claus Ibsen, and Kaxil Naik.

Project Releases and Updates --
New releases from Apache Brooklyn (Cloud Computing); Calcite (Big Data); Commons (Libraries); CouchDB (Big Data); Curator (Messaging); Derby (Databases); FreeMarker (Templating); Groovy (Programming Languages); HBase (Big Data); HttpComponents (Servers); Jackrabbit (Content); Kafka (Big Data); Log4j (Libraries); Lucene/Solr (Search); NiFi (Big Data); OFBiz (ERP); PLC4X (IoT); Qpid (Messaging); SkyWalking (Application Performance Management); Tomcat (Servers); Traffic Server (Servers).

The Apache Incubator is the primary entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation. No new podlings have entered the Incubator over the past month, but we invite you to review the many projects currently in development in the Apache Incubator http://incubator.apache.org/

# # #

To see our Weekly News Round-ups, visit https://blogs.apache.org/foundation/ and click on the calendar in the upper-right side (we publish every Friday) or hop directly to https://blogs.apache.org/foundation/category/Newsletter. For real-time updates, sign up for Apache-related news by sending mail to announce-subscr...@apache.org and follow @TheASF on Twitter. We appreciate your support!

- - -

NOTE: you are receiving this message because you are subscribed to the announce@apache.org distribution list. To unsubscribe, send email from the recipient account to announce-unsubscr...@apache.org with the word "Unsubscribe" in the subject line.
[CVE-2020-1954] Apache CXF JMX Integration is vulnerable to a MITM attack
CVE-2020-1954: Apache CXF JMX Integration is vulnerable to a MITM attack

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 3.3.6 and 3.2.13.

Description:
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the "createMBServerConnectorFactory" property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.

Mitigation:
Users of Apache CXF that use the InstrumentationManagerImpl should update to either 3.3.6 or 3.2.13. Alternatively, set the createMBServerConnectorFactory property to false and use the default JVM JMX remote capabilities instead. From CXF 3.4.0, the createMBServerConnectorFactory property will be removed altogether.

Credit:
Jonathan Gallimore, Tomitribe and Colm O hEigeartaigh, Talend.

Reference:
http://cxf.apache.org/security-advisories.data/CVE-2020-1954.txt.asc?version=1=1585730169000=v2
[ANNOUNCEMENT] Apache HTTP Server 2.4.43 Released
Apache HTTP Server 2.4.43 Released

April 01, 2020

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.43 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This release of Apache is a security, feature and bug fix release.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.4.43 is available for download from:
https://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.4 please see:
https://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.4.43 includes only those changes introduced since the prior 2.4 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:
https://httpd.apache.org/security/vulnerabilities_24.html

This release requires the Apache Portable Runtime (APR), minimum version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may require the 1.6.x version of both APR and APR-Util. The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and require minimal or no source code changes.
https://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.

Please note the 2.2.x branch has now passed the end of life at the Apache HTTP Server project and no further activity will occur including security patches. Users must promptly complete their transitions to this 2.4.x release of httpd to benefit from further bug fixes or new features.