[ANNOUNCE] Apache Calcite Avatica 1.20.0 released

2021-12-13 Thread Julian Hyde
The Apache Calcite team is pleased to announce the release of Apache
Calcite Avatica 1.20.0.

Avatica is a framework for building database drivers. Avatica defines
a wire API and serialization mechanism for clients to communicate with
a server as a proxy to a database. The reference Avatica client and
server are implemented in Java and communicate over HTTP. Avatica is a
sub-project of Apache Calcite.

Apache Calcite Avatica 1.20.0 upgrades Log4j2 to version 2.15.0 (to
address CVE-2021-44228), and makes the SPNEGO protocol much more
efficient.

For a full list of changes, please see the release notes:

  https://calcite.apache.org/avatica/docs/history.html#v1-20-0

The release is available here:

  https://calcite.apache.org/avatica/downloads/avatica.html

We welcome your help and feedback. For more information on how to
report problems and get involved, visit the project website at:

  https://calcite.apache.org/avatica/

or the Apache Calcite project website:

  https://calcite.apache.org/

Thanks to everyone involved. The Log4j issue only became known on
Friday, and a half dozen Calcite committers and PMC members worked
over the weekend to create a release to address this issue. We take
your security seriously!

Julian Hyde, on behalf of the Apache Calcite team


[ANNOUNCE] Apache Log4j 2.16.0 Released

2021-12-13 Thread Matt Sicker
The Apache Log4j 2 team is pleased to announce the Log4j 2.16.0 release!

Apache Log4j is a well known framework for logging application
behavior. Log4j 2 is an upgrade to Log4j that provides significant
improvements over its predecessor, Log4j 1.x, and provides many other
modern features such as support for Markers, lambda expressions for
lazy logging, property substitution using Lookups, multiple patterns
on a PatternLayout and asynchronous Loggers. Another notable Log4j 2
feature is the ability to be "garbage-free" (avoid allocating
temporary objects) while logging. In addition, Log4j 2 will not lose
events while reconfiguring.

The artifacts may be downloaded from
https://logging.apache.org/log4j/2.x/download.html.

This release contains one change which is noted below.

Due to a break in compatibility in the SLF4J binding, Log4j now ships
with two versions of the SLF4J to Log4j adapters. log4j-slf4j-impl
should be used with SLF4J 1.7.x and earlier and log4j-slf4j18-impl
should be used with SLF4J 1.8.x and later. SLF4J-2.0.0 alpha releases
are not fully supported. See
https://issues.apache.org/jira/browse/LOG4J2-2975 and
https://jira.qos.ch/browse/SLF4J-511.

Some of the changes in Log4j 2.16.0 include:

* Removed Message Lookups. This is a hardening related to changes made
to prevent CVE-2021-44228. While this change is recommended, it is NOT
required to fix CVE-2021-44228.
* While release 2.15.0 removed the ability to resolve Lookups and log
messages and addressed issues with how JNDI is accessed, the Log4j
team feels that having JNDI enabled by default introduces an undue
risk for our users. Starting in version 2.16.0, JNDI functionality is
disabled by default and can be re-enabled via the log4j2.enableJndi
system property. Use of JNDI in an unprotected context is a large
security risk and should be treated as such in both this library and
all other Java libraries using JNDI.
* Prior to version 2.15.0, Log4j would automatically resolve Lookups
contained in the message or its parameters in the Pattern Layout. This
behavior is no longer the default and must be enabled by specifying
%msg{lookup}.

The Log4j 2.16.0 API, as well as many core components, maintains
binary compatibility with previous releases. This version is
recommended as an upgrade.
GA Release 2.16.0

Changes in this version include:

Fixed Bugs

LOG4J2-3208: Disable JNDI by default. Require log4j2.enableJndi to be
set to true to allow JNDI.
LOG4J2-3211: Completely remove support for Message Lookups.
Apache Log4j 2.16.0 requires a minimum of Java 8 to build and run.
Log4j 2.12.1 is the last release to support Java 7. Java 7 is no
longer supported by the Log4j team.

For complete information on Apache Log4j 2, including instructions on
how to submit bug reports, patches, or suggestions for improvement,
see the Apache Log4j 2 website:

https://logging.apache.org/log4j/2.x/

-- 
Matt Sicker
PMC Member, Logging Services, Apache Software Foundation
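The 2.16.0 notes above name three things an operator can verify on a deployment: the log4j-core version, whether the log4j2.enableJndi property has been set back to true, and whether any PatternLayout opts back into message lookups with %msg{lookup}. The following script is an added example written for this digest, not code from the Log4j project; it checks those three settings on a constructed log4j2.xml and JVM command line. The treatment of log4j2.component.properties as a second place the property can be set, and the %m / %msg / %message aliases of the message converter, are assumptions about Log4j 2 behaviour and not stated in the announcement.

```python
"""Audit a Log4j 2 deployment against the hardening described in the
2.16.0 release notes: JNDI off unless log4j2.enableJndi=true, and
message lookups only when a PatternLayout asks for %msg{lookup}."""
import re
import xml.etree.ElementTree as ET

# Message converter aliases (%m, %msg, %message) and their {options} list.
# Assumption: these are the aliases the PatternLayout accepts.
_MSG_CONVERTER = re.compile(r"%(?:m|msg|message)\{([^}]*)\}")


def parse_version(version: str) -> tuple:
    """'2.15.0' -> (2, 15, 0); a non-numeric component counts as 0."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def jndi_enabled(jvm_args, component_props: str = "") -> bool:
    """True when JNDI is switched back on via log4j2.enableJndi, either as a
    -D system property (takes precedence) or in log4j2.component.properties
    (assumed second property source)."""
    for arg in jvm_args:
        if arg.startswith("-Dlog4j2.enableJndi="):
            return arg.split("=", 1)[1].strip().lower() == "true"
    for line in component_props.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "log4j2.enableJndi":
            return value.strip().lower() == "true"
    return False


def lookup_patterns(config_xml: str):
    """Return every PatternLayout pattern that re-enables message lookups
    with a 'lookup' option on the message converter."""
    root = ET.fromstring(config_xml)
    risky = []
    for layout in root.iter("PatternLayout"):
        # The pattern may be an attribute or a <Pattern> child element.
        pattern = layout.get("pattern") or layout.findtext("Pattern", "")
        for match in _MSG_CONVERTER.finditer(pattern):
            options = [o.strip().lower() for o in match.group(1).split(",")]
            if "lookup" in options:
                risky.append(pattern)
                break
    return risky


def audit(version: str, jvm_args, config_xml: str, component_props: str = ""):
    """Collect human-readable findings; an empty list means nothing to fix."""
    findings = []
    if parse_version(version) < (2, 16, 0):
        findings.append(f"log4j-core {version} predates 2.16.0: upgrade")
    if jndi_enabled(jvm_args, component_props):
        findings.append("log4j2.enableJndi=true re-enables JNDI "
                        "(disabled by default since 2.16.0)")
    for pattern in lookup_patterns(config_xml):
        findings.append(f"PatternLayout re-enables message lookups: {pattern}")
    return findings


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] %c - %msg{lookup}%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %-5p %c - %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""
SAMPLE_JVM_ARGS = ["-Xmx1g", "-Dlog4j2.enableJndi=true", "-jar", "app.jar"]

if __name__ == "__main__":
    for finding in audit("2.15.0", SAMPLE_JVM_ARGS, SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports all three findings; with 2.16.0, no -D flag and the Console pattern changed to plain %msg it reports none, which is the state the release notes describe as the default.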


[ANNOUNCE] Apache OFBiz 18.12.03 released

2021-12-13 Thread Jacopo Cappellato
The Apache OFBiz community is pleased to announce the new release "Apache
OFBiz 18.12.03".

Apache OFBiz® is an open source product for the automation of enterprise
processes that includes framework components and business applications.

http://ofbiz.apache.org/

"Apache OFBiz 18.12.03" is the third release of the 18.12 series.

For more details of the changes introduced with this new version
please refer to http://ofbiz.apache.org/release-notes-18.12.03.html

The release file can be downloaded following the instructions in the OFBiz
download page:

http://ofbiz.apache.org/download.html


CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2

2021-12-13 Thread Ralph Goers
Description:

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data
when the attacker has write access to the Log4j configuration. The attacker can
provide TopicBindingName and TopicConnectionFactoryBindingName configurations
causing JMSAppender to perform JNDI requests that result in remote code
execution in a similar fashion to CVE-2021-44228.

Note this issue only affects Log4j 1.2 when specifically configured to use 
JMSAppender, which is not the default.

Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to 
Log4j 2 as it addresses numerous other issues from the previous versions.

References:

https://www.cve.org/CVERecord?id=CVE-2021-44228
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
https://access.redhat.com/security/cve/CVE-2021-4104
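Since the advisory says only deployments specifically configured with JMSAppender are affected, the practical first step is to find such configurations. The script below is an added example for this digest, not code from the Log4j project; it reads a Log4j 1.2 log4j.properties file, lists every appender of class org.apache.log4j.net.JMSAppender together with the TopicBindingName and TopicConnectionFactoryBindingName values it would hand to JNDI, and notes whether the appender is actually attached to a logger. The minimal properties parser, the constructed sample configuration, and the assumption that the appender resolves these names through JNDI when it is activated are all mine, not from the advisory.

```python
"""Locate JMSAppender instances in a Log4j 1.2 properties configuration,
the precondition named in CVE-2021-4104."""
import re

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# Settings the advisory names as reaching JNDI.
JNDI_BINDING_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")
_APPENDER_DEF = re.compile(r"^log4j\.appender\.([^.=\s]+)$")
_LOGGER_DEF = re.compile(
    r"^log4j\.(?:rootLogger|rootCategory|logger\.[^=]+|category\.[^=]+)$")


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value or key:value,
    '#'/'!' comment lines and backslash line continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def jms_appenders(props: dict) -> dict:
    """Map each JMSAppender name to its JNDI binding-name settings
    (None when the setting is absent)."""
    found = {}
    for key, value in props.items():
        m = _APPENDER_DEF.match(key)
        if m and value == JMS_APPENDER_CLASS:
            name = m.group(1)
            found[name] = {k: props.get(f"log4j.appender.{name}.{k}")
                           for k in JNDI_BINDING_KEYS}
    return found


def attached_appenders(props: dict) -> set:
    """Appender names referenced from rootLogger/logger definitions,
    whose value is 'LEVEL, appender1, appender2, ...'."""
    names = set()
    for key, value in props.items():
        if _LOGGER_DEF.match(key):
            parts = [p.strip() for p in value.split(",")]
            names.update(p for p in parts[1:] if p)
    return names


def audit(text: str) -> list:
    """Human-readable findings; empty when no JMSAppender is configured."""
    props = parse_properties(text)
    attached = attached_appenders(props)
    findings = []
    for name, bindings in jms_appenders(props).items():
        wired = ("attached to a logger" if name in attached
                 else "defined but not attached")
        findings.append(f"appender '{name}' is {JMS_APPENDER_CLASS} ({wired})")
        for key, value in bindings.items():
            if value is not None:
                # Assumption: looked up via JNDI when the appender is activated.
                findings.append(f"  {key}={value} (resolved through JNDI)")
    return findings


# Constructed sample configuration; names and values are placeholders.
SAMPLE_PROPERTIES = """# constructed sample log4j.properties
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.unused=org.apache.log4j.net.JMSAppender
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES):
        print(finding)
```

A hit for an attached JMSAppender is the case the advisory describes; a defined-but-unattached one is still worth removing, since the advisory's precondition is write access to the configuration, and the upgrade path it recommends (Log4j 2) is the durable fix either way.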


[ANNOUNCEMENT] HttpComponents HttpAsyncClient 4.1.5 GA Released

2021-12-13 Thread Oleg Kalnichevski
The Apache HttpComponents project is pleased to announce 4.1.5 GA
release of HttpComponents HttpAsyncClient.

This is a maintenance release that fixes a number of issues discovered
since 4.1.4.


---
Download -

Release notes -
<http://www.apache.org/dist/httpcomponents/httpasyncclient/RELEASE_NOTES-4.1.x.txt>

HttpComponents site -

---
About Apache HttpAsyncClient

Although the java.net package provides basic functionality for
accessing resources via HTTP, it doesn't provide the full flexibility
or functionality needed by many applications. HttpAsyncClient seeks to
fill this void by providing an efficient, up-to-date, and feature-rich
package with an event-driven programming interface based on a
non-blocking I/O model.