[ANNOUNCE] Apache Avro 1.10.1 released
The Apache Avro community is pleased to announce the release of Avro 1.10.1! All signed release artifacts, signatures and verification instructions can be found here: https://avro.apache.org/releases.html This release includes 33 Jira issues, including some interesting features: C#: AVRO-2750 Support for enum defaults C++: AVRO-2891 Expose last sync offset written on DataFileWriter Java: AVRO-2924 SpecificCompiler add 'LocalDateTime' logical type Java: AVRO-2937 Expose some missing flags in SpecificCompilerTool PHP: AVRO-2096 Fixes to missing functions Ruby: AVRO-2907 Ruby schema.single_object_schema_fingerprint is reversed Migration notes: Java: AVRO-2817 Turn off validateDefaults when reading legacy Avro files Python: AVRO-2656 avro-python package is now the preferred python3 library and avro-python3 is prepared to be deprecated And of course upgraded dependencies to latest versions, CVE fixes and more: https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.10.1 The link to all fixed JIRA issues and a brief summary can be found at: https://github.com/apache/avro/releases/tag/release-1.10.1 In addition, language-specific release artifacts are available: * C#: https://www.nuget.org/packages/Apache.Avro/1.10.1 * Java: from Maven Central, * Javascript: https://www.npmjs.com/package/avro-js/v/1.10.1 * Python 2: https://pypi.org/project/avro/1.10.1/ * Python 3: https://pypi.org/project/avro-python3/1.10.1/ * Ruby: https://rubygems.org/gems/avro/versions/1.10.1 Thanks to everyone for contributing!
[ANN] Struts 2.5.26
The Apache Struts group is pleased to announce that Struts 2.5.26 is available as a “General Availability” release. The GA designation is our highest quality grade. https://struts.apache.org/announce.html#a20201206 Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time. Below is a full list of all changes: - Junit plugin does not push ACTION_MAPPING into the context resulting in NPE - Struts2 StaticParametersInterceptor’s addParametersToContext method is not working as expected All developers are strongly advised to perform this action. The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7. Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket. You can download this version from our download page https://struts.apache.org/download.cgi#struts-ga Kind regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/
[ANNOUNCE] Apache OpenMeetings 5.1.0 is released
The Apache OpenMeetings project is pleased to announce the release of Apache OpenMeetings 5.1.0. The release is available for download from https://openmeetings.apache.org/downloads.html Openmeetings provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools. It uses API functions of Kurento Media Server for Remoting and Streaming. Release 5.1.0, provides following improvements: Stability: * Room Audio/Video should be more stable * OM should work as expected after KMS server restart * Backup is further improved * Audio/Video connection established faster * Most recent versions of dependencies are used UI: * User display name is used almost everywhere * Browser notifications are used to notify about new chat messages and moderator actions * Interview room was broken * Mute and "Mic status" were broken Some other fixes and improvements, 52 issues were addressed Readme: https://github.com/apache/openmeetings/blob/5.1.0/README.md Changelog: https://github.com/apache/openmeetings/blob/5.1.0/CHANGELOG.md List of fixed issues: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12349414 For more information on Apache OpenMeetings please visit project home page: https://openmeetings.apache.org Apache OpenMeetings Team
[SECURITY] CVE-2020-17521: Apache Groovy Information Disclosure
CVE-2020-17521 Apache Groovy Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Unsupported Codehaus versions of Groovy from 2.0 to 2.4.4. Apache Groovy versions 2.4.4 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2 Impact: This vulnerability potentially impacts Unix-like systems, and very old versions of Mac OSX and Windows. On such OS versions, Groovy may create temporary directories within the OS temporary directory which is shared between all users on affected systems. Groovy will create such directories for internal use when producing Java Stubs (very low impact) or on behalf of user code via two extension methods[4,5] for creating temporary directories. If Groovy user code uses either of these extension methods, and stores executable code in the resulting temporary directory, then the risk is high, since this can lead to local privilege escalation. If such Groovy code is making use of the temporary directory to store sensitive information, then the risk is medium, since such information could be exposed or modified. When analyzing the impact of this vulnerability, here are the important questions to ask: Is the Groovy code running on a machine with an impacted operating system? Do other users have access to the machine running the Groovy code? Does the Groovy code create temporary directories using Groovy's createTempDir extension methods[4,5]? If you answer no to any of these questions, you are not affected. If you answered yes, does the Groovy code write or store executable code in the temporary directory? If you answer yes, the risk is high, and can lead to local privilege escalation. Does the Groovy code write sensitive information, like API keys or passwords, into the temporary directory? If you answer yes, the risk is medium, and information may be exposed or modified. Description: Groovy was making use of a method in the JDK which is now flagged as not suitable for security-sensitive contexts. In addition, Groovy wasn't checking a flag related to successful creation of the temporary directory which leads to a race condition whereby the vulnerability exists[1]. For the fixed versions, Groovy 2.5 and above is now using a newer JDK method which creates a directory that is only readable by the user running the Groovy code. The same is true for the fixed Groovy 2.4 version except if running on a pre-JDK7 version of the JDK in which case a fallback implementation is used which now checks for successful creation of the temporary directory. This eliminates the high-risk scenario involving the race condition whereby executables or information could be modified, but still leaves the potential for sensitive information leakage. Groovy 2.4/JDK 6 users are recommended to use the `java.io.tmpdir` mitigation. Mitigation: Setting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems and all Groovy versions. Users who cannot easily move to the fixed Groovy versions may wish to consider using the JDK's Files#createTempDirectory method instead of the Groovy extension methods. Credit: This vulnerability was discovered by Jonathan Leitschuh ( https://twitter.com/jlleitschuh) Similar Vulnerabilities: * Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6 * JUnit4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp * Google Guava - https://github.com/google/guava/issues/4011 * Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 * JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 References: [1] CWE-379: Creation of Temporary File in Directory with Insecure Permissions (https://cwe.mitre.org/data/definitions/379.html) [2] "File.createTempFile" should not be used to create a directory ( https://rules.sonarsource.com/java/tag/owasp/RSPEC-2976) [3] Groovy CVE list (https://groovy-lang.org/security.html) [4] https://docs.groovy-lang.org/latest/html/groovy-jdk/java/io/File.html#createTempDir() [5] https://docs.groovy-lang.org/latest/html/groovy-jdk/java/io/File.html#createTempDir(java.lang.String,%20java.lang.String) [6] related Jira issue: https://issues.apache.org/jira/browse/GROOVY-9824
[ANNOUNCE] Apache Groovy 2.4.21 Released
Dear community, The Apache Groovy team is pleased to announce version 2.4.21 of Apache Groovy. Apache Groovy is a multi-faceted programming language for the JVM. Further details can be found at the https://groovy.apache.org website. This release is a maintenance release of the GROOVY_2_4_X branch. It is strongly encouraged that all users using prior versions on this branch upgrade to this version. This release includes 6 bug fixes/improvements as outlined in the changelog: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318123&version=12348619 Sources, convenience binaries, downloadable documentation and an SDK bundle can be found at: https://groovy.apache.org/download.html We recommend you verify your installation using the information on that page. Jars are also available within the major binary repositories. We welcome your help and feedback and in particular want to thank everyone who contributed to this release. For more information on how to report problems, and to get involved, visit the project website at https://groovy.apache.org/ Best regards, The Apache Groovy team.
[ANNOUNCE] Apache Groovy 2.5.14 Released
Dear community, The Apache Groovy team is pleased to announce version 2.5.14 of Apache Groovy. Apache Groovy is a multi-faceted programming language for the JVM. Further details can be found at the https://groovy.apache.org website. This release is a maintenance release of the GROOVY_2_5_X branch. It is strongly encouraged that all users using prior versions on this branch upgrade to this version. This release includes 34 bug fixes/improvements as outlined in the changelog: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318123&version=12348620 Sources, convenience binaries, downloadable documentation and an SDK bundle can be found at: https://groovy.apache.org/download.html We recommend you verify your installation using the information on that page. Jars are also available within the major binary repositories. We welcome your help and feedback and in particular want to thank everyone who contributed to this release. For more information on how to report problems, and to get involved, visit the project website at https://groovy.apache.org/ Best regards, The Apache Groovy team.
[ANNOUNCE] Apache Groovy 3.0.7 Released
Dear community, The Apache Groovy team is pleased to announce version 3.0.7 of Apache Groovy. Apache Groovy is a multi-faceted programming language for the JVM. Further details can be found at the https://groovy.apache.org website. This release is a maintenance release of the GROOVY_3_0_X branch. It is strongly encouraged that all users using prior versions on this branch upgrade to this version. This release includes 52 bug fixes/improvements as outlined in the changelog: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318123&version=12348838 Sources, convenience binaries, downloadable documentation and an SDK bundle can be found at: https://groovy.apache.org/download.html We recommend you verify your installation using the information on that page. Jars are also available within the major binary repositories. We welcome your help and feedback and in particular want to thank everyone who contributed to this release. For more information on how to report problems, and to get involved, visit the project website at https://groovy.apache.org/ Best regards, The Apache Groovy team.
[ANNOUNCE] Release Apache Groovy 4.0.0-alpha-2
Dear community, The Apache Groovy team is pleased to announce version 4.0.0-alpha-2 of Apache Groovy. Apache Groovy is a multi-faceted programming language for the JVM. Further details can be found at the https://groovy.apache.org website. This is a pre-release of a new version of Groovy. We greatly appreciate any feedback you can give us when using this version. This release includes 60 bug fixes/improvements as outlined in the changelog: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318123&version=12348839 Sources, convenience binaries, downloadable documentation and an SDK bundle can be found at: https://groovy.apache.org/download.html We recommend you verify your installation using the information on that page. Jars are also available within the major binary repositories. We welcome your help and feedback and in particular want to thank everyone who contributed to this release. For more information on how to report problems, and to get involved, visit the project website at https://groovy.apache.org/ Best regards, The Apache Groovy team.
[ANNOUNCE] Release Apache Traffic Control 4.1.1
The Apache Traffic Control team is proud to announce the release of Apache Traffic Control 4.1.1, which contains various bug fixes and improvements. Apache Traffic Control allows you to build a large scale content delivery network using open source. Built around Apache Traffic Server as the caching software, Traffic Control implements all the core functions of a modern CDN. More details regarding Apache Traffic Control can be found at: http://trafficcontrol.apache.org/ The release artifacts, along with release notes, can be found here: http://trafficcontrol.apache.org/releases/ Thanks! The Apache Traffic Control Team