[SECURITY] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

2020-12-03 Thread Mark Thomas
CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M9
Apache Tomcat 9.0.0.M5 to 9.0.39
Apache Tomcat 8.5.1 to 8.5.59

Description:
While investigating Bug 64830 it was discovered that Apache Tomcat could
re-use an HTTP request header value from the previous stream received
on an HTTP/2 connection for the request associated with the subsequent
stream. While this would most likely lead to an error and the closure of
the HTTP/2 connection, it is possible that information could leak
between requests.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M10 or later
- Upgrade to Apache Tomcat 9.0.40 or later
- Upgrade to Apache Tomcat 8.5.60 or later

Credit:
This issue was identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
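
A version check for the ranges listed in this advisory, as an added example that is not part of the original announcement. The function names and the sample inventory are assumptions made for illustration; the ranges and fixed releases are the ones stated above, and milestone builds (`9.0.0.M5`, `10.0.0-M9`) are compared numerically so that M10 sorts after M9.

```python
import re

# Affected ranges (inclusive) and first fixed release, copied from the advisory.
AFFECTED = [
    ("10.0.0-M1", "10.0.0-M9", "10.0.0-M10"),
    ("9.0.0.M5", "9.0.39", "9.0.40"),
    ("8.5.1", "8.5.59", "8.5.60"),
]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_FINAL = 10**6  # a final release sorts after every milestone of the same x.y.z


def parse(version):
    """Return a sortable key (major, minor, patch, milestone)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else _FINAL)


def check(version):
    """Return (in_affected_range, first_fixed_release_or_None)."""
    key = parse(version)
    for low, high, fixed in AFFECTED:
        if parse(low) <= key <= parse(high):
            return True, fixed
    # Outside the ranges this advisory lists; says nothing about other issues.
    return False, None


def version_from_server_info(line):
    """Extract the version from a 'Server version: Apache Tomcat/x.y.z' line."""
    m = re.search(r"Apache Tomcat/(\S+)", line)
    return m.group(1) if m else None


# Constructed sample inventory (hypothetical hosts), as printed by version.sh.
INVENTORY = {
    "app01": "Server version: Apache Tomcat/9.0.39",
    "app02": "Server version: Apache Tomcat/10.0.0-M10",
    "app03": "Server version: Apache Tomcat/8.5.60",
}


def audit(inventory):
    """Map each host to the check() result for its reported version."""
    return {h: check(version_from_server_info(l)) for h, l in inventory.items()}
```
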


[ANNOUNCE] Apache Groovy 2.4.21 Released

2020-12-03 Thread Paul King
Dear community,

The Apache Groovy team is pleased to announce version 2.4.21 of Apache
Groovy.
Apache Groovy is a multi-faceted programming language for the JVM.
Further details can be found at the https://groovy.apache.org website.

This release is a maintenance release of the GROOVY_2_4_X branch.
It is strongly encouraged that all users using prior
versions on this branch upgrade to this version.

This release includes 6 bug fixes/improvements as outlined in the changelog:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318123&version=12348619

Sources, convenience binaries, downloadable documentation and an SDK
bundle can be found at: https://groovy.apache.org/download.html
We recommend you verify your installation using the information on that
page.

Jars are also available within the major binary repositories.

We welcome your help and feedback and in particular want
to thank everyone who contributed to this release.

For more information on how to report problems, and to get involved,
visit the project website at https://groovy.apache.org/

Best regards,

The Apache Groovy team.


[ANNOUNCEMENT] HttpComponents Core 5.1 BETA2 released

2020-12-03 Thread Oleg Kalnichevski
The Apache HttpComponents project is pleased to announce 5.1 BETA2
release of HttpComponents Core. 

This is the second BETA release in the 5.1 release series that includes
a number of new features as well as bug fixes from the stable 5.0.x
branch.

Notable changes and features included in the 5.1 series:

* Conditional conformance with RFC 3986 (Uniform Resource Identifier
(URI): Generic Syntax).

* Improved support for out of sequence response message handling by the
classic (blocking) HTTP transport.

* Application protocol upgrade support for non-blocking HTTP/1.1
connections.


Download - 
Release notes - http://www.apache.org/dist/httpcomponents/httpcore/RELEASE_NOTES-5.0.x.txt
HttpComponents site - 

About HttpComponents Core

HttpCore is a set of HTTP/1.1 and HTTP/2 transport components that can
be used to build custom client and server side HTTP services with a
minimal footprint.




[ANNOUNCEMENT] HttpComponents Core 5.0.3 GA released

2020-12-03 Thread Oleg Kalnichevski
The Apache HttpComponents project is pleased to announce 5.0.3 GA
release of HttpComponents Core. 

This is a maintenance release that corrects a number of defects
discovered since release 5.0.2 including a defect in the async (non
blocking) transport potentially causing an infinite event loop and
excessive CPU utilization.

Download - 
Release notes - http://www.apache.org/dist/httpcomponents/httpcore/RELEASE_NOTES-5.0.x.txt
HttpComponents site - 

About HttpComponents Core

HttpCore is a set of HTTP/1.1 and HTTP/2 transport components that can
be used to build custom client and server side HTTP services with a
minimal footprint.




[ANNOUNCE] Apache SkyWalking 8.3.0 released

2020-12-03 Thread Sheng Wu
Hi all,

Apache SkyWalking Team is glad to announce the first release of Apache
SkyWalking 8.3.0.

SkyWalking: APM (application performance monitor) tool for distributed
systems,
especially designed for microservices, cloud native and container-based
(Docker, Kubernetes, Mesos) architectures.

This release contains a number of new features, bug fixes and improvements
compared to version 8.2.0. The notable changes since 8.3.0 include:

1. Support Istio Control Panel metrics.
2. Enhance Istio + Envoy ALS solution, and support the observability of
Mesh on VM.
3. Support correlation context auto-tagging.

Please refer to the change log for the complete list of changes:
http://skywalking.apache.org/events/release-apache-skwaylking-apm-8-3-0/

Apache SkyWalking website:
http://skywalking.apache.org/

Downloads:
http://skywalking.apache.org/downloads/


SkyWalking Resources:
- GitHub: https://github.com/apache/skywalking
- Issue: https://github.com/apache/skywalking/issues
- Mailing list: d...@skywalkiing.apache.org


- Apache SkyWalking Team


Sheng Wu 吴晟
Twitter, wusheng1108


[ANNOUNCE] Apache APISIX 2.1 has been released

2020-12-03 Thread Ming Wen
Hi folks,

The Apache APISIX community is glad to announce that Apache APISIX 2.1 has
been released.

Apache APISIX is a cloud-native microservices API gateway, delivering the
ultimate performance, security, open-source and scalable platform for all
your APIs and microservices.

Apache APISIX is based on Nginx and etcd; it has dynamic routing and
plug-in hot loading, which is especially suitable for API management under
the micro-service system.

Download Link: http://apisix.apache.org/downloads/


Release Note: https://github.com/apache/apisix/blob/2.1/CHANGELOG.md#210

Apache APISIX Resources:
- Issues: https://github.com/apache/apisix/issues
- Mailing List: d...@apisix.apache.org

Thanks,
Ming Wen, Apache APISIX PMC Chair
Twitter: _WenMing


[ANNOUNCE] Apache SINGA 3.1.0 released

2020-12-03 Thread Wang Wei
We are pleased to announce that SINGA 3.1.0 was released on 30 October 2020.

SINGA is a general distributed deep learning library
for training big deep learning models over large datasets.
The release is available at: http://singa.apache.org/docs/downloads/

The main features of this release include:

   1. Update Tensor core module to support tensor transformation
      (reshape, transpose) for tensors up to 6 dimensions.
   2. Add new tensor operators into the autograd module.
   3. Reconstruct sonnx to support creating ONNX operators from both
      layer and autograd.
   4. Replace the Travis CI with GitHub workflow. Add quality and
      coverage management.
   5. Add compiling and packaging scripts to create wheel packages for
      distribution.


Best Regards,
Wei
(On behalf of the SINGA team)


[ANNOUNCE] Apache Traffic Server 8.1.1 and 7.1.12 are Released

2020-12-03 Thread Bryan Call
Apache Traffic Server 8.1.1 and 7.1.12 are Released 

The Apache Software Foundation and the Apache Traffic Server (ATS) Project are 
pleased to announce the release of Apache Traffic Server 8.1.1 and 7.1.12! ATS 
is a high performance, scalable HTTP Intermediary and proxy cache. It is used 
by several large internet services, providing billions of users fast web site 
access and downloads.

These releases are immediately available for download at:

https://trafficserver.apache.org/downloads 


When upgrading to a new major version you will need to recompile user written 
plugins. Upgrading from previous releases (v3.2.0 and later) to 8.1.1 and 
7.1.12 should preserve the existing cache, and not require it to be cleared.  
Information about what is new in the major releases can be found here:

https://cwiki.apache.org/confluence/display/TS/What%27s+New+in+v8.0.x 

https://cwiki.apache.org/confluence/display/TS/What%27s+New+in+v7.1.x 


This is a bug-fix release over the previous 8.1.0 and 7.1.11 releases. When 
upgrading from a previous major release, please see the upgrade details at:

https://cwiki.apache.org/confluence/display/TS/Upgrading+to+v8.0 

https://cwiki.apache.org/confluence/display/TS/Upgrading+to+v7.0 



For a list of all Issues and PRs resolved in the 8.1.1 release, please see:

https://github.com/apache/trafficserver/milestone/44?closed=1 


For a list of all Issues and PRs resolved in the 7.1.12 release, please see:

https://github.com/apache/trafficserver/milestone/43?closed=1 


A brief summary (changelog) of all fixes in the releases is also available at:


https://raw.githubusercontent.com/apache/trafficserver/8.1.x/CHANGELOG-8.1.1 


https://raw.githubusercontent.com/apache/trafficserver/7.1.x/CHANGELOG-7.1.12 



Sincerely,

-- The Apache Traffic Server Community