[ANNOUNCE] Apache Beam 2.37.0 Released

2022-03-14 Thread Brian Hulette
The Apache Beam team is pleased to announce the release of version 2.37.0.

Apache Beam is an open source unified programming model to define and
execute data processing pipelines, including ETL, batch and stream
(continuous) processing. See https://beam.apache.org

You can download the release here:

https://beam.apache.org/get-started/downloads/

This release includes bug fixes, features, and improvements detailed
on the Beam blog: https://beam.apache.org/blog/beam-2.37.0/

Thanks to everyone who contributed to this release, and we hope you
enjoy using Beam 2.37.0.

-- Brian Hulette, on behalf of The Apache Beam team


[ANN] Apache Tomcat 9.0.60 available

2022-03-14 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.60.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.60 is a bugfix and feature release. The notable
changes compared to 9.0.59 include:

- Fix a potential thread-safety issue that could cause HTTP/1.1 request
   processing to pause, and potentially timeout, waiting for additional
   data when the full request has been received.

- Fix a regression introduced with 65757 bugfix which better identified
   non request threads but which introduced a similar problem when user
   code was doing sequential operations in a single thread.

- When resolving methods in EL expressions that use beans and/or static
   fields, ensure that any custom type conversion is considered when
   identifying the method to call.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team


[ANN] Apache Tomcat 10.0.18 available

2022-03-14 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.0.18.

This release is targeted at Jakarta EE 9.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat
migration tool for Jakarta EE, which is also available as a separate
download for off-line use.


Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

The notable changes compared to 10.0.17 include:

- Fix a potential thread-safety issue that could cause HTTP/1.1 request
  processing to pause, and potentially timeout, waiting for additional
  data when the full request has been received.

- Fix a regression introduced with 65757 bugfix which better identified
  non request threads but which introduced a similar problem when user
  code was doing sequential operations in a single thread.

- When resolving methods in EL expressions that use beans and/or static
  fields, ensure that any custom type conversion is considered when
  identifying the method to call.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team


CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody

2022-03-14 Thread Stefan Eissing
Severity: low

Description:

If LimitXMLRequestBody is set to allow request bodies larger than 350MB
(defaults to 1M) on 32 bit systems, an integer overflow happens which later
causes out of bounds writes.

This issue affects Apache HTTP Server 2.4.52 and earlier.

Credit:

Anonymous working with Trend Micro Zero Day Initiative



[ANN] Apache Tomcat 10.1.0-M12 (alpha) available

2022-03-14 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.1.0-M12 (alpha).

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat
migration tool for Jakarta EE, which is also available as a separate
download for off-line use.


Apache Tomcat 10.1.0-M12 is a milestone release of the 10.1.x branch and 
has been made to provide users with early access to the new features in 
Apache Tomcat 10.1.x so that they may provide feedback. The notable 
changes compared to 10.1.0-M11 include:


- Fix a potential thread-safety issue that could cause HTTP/1.1 request
  processing to pause, and potentially timeout, waiting for additional
  data when the full request has been received.

- Fix a regression introduced with 65757 bugfix which better identified
  non request threads but which introduced a similar problem when user
  code was doing sequential operations in a single thread.

- When resolving methods in EL expressions that use beans and/or static
  fields, ensure that any custom type conversion is considered when
  identifying the method to call.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team


CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value in r:parsebody

2022-03-14 Thread Stefan Eissing
Severity: moderate

Description:

A carefully crafted request body can cause a read to a random memory area which 
could cause the process to crash.

This issue affects Apache HTTP Server 2.4.52 and earlier.

Credit:

Chamal De Silva



CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier

2022-03-14 Thread Stefan Eissing
Severity: important

Description:

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when
errors are encountered discarding the request body, exposing the server to HTTP
Request Smuggling.

Credit:

James Kettle 



CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds

2022-03-14 Thread Stefan Eissing
Severity: important

Description:

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an 
attacker to overwrite heap memory with possibly attacker provided data.

This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

Credit:

Ronald Crane (Zippenhop LLC)



[ANNOUNCE] Apache Groovy 4.0.1 Released

2022-03-14 Thread Paul King
Dear community,

The Apache Groovy team is pleased to announce version 4.0.1 of Apache Groovy.
Apache Groovy is a multi-faceted programming language for the JVM.
Further details can be found at the https://groovy.apache.org website.

This release is a maintenance release of the GROOVY_4_0_X branch.
It is strongly encouraged that all users using prior
versions on this branch upgrade to this version.

This release includes 40 bug fixes/improvements as outlined in the changelog:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318123=12351284

Sources, convenience binaries, downloadable documentation and an SDK
bundle can be found at: https://groovy.apache.org/download.html
We recommend you verify your installation using the information on that page.

Jars are also available within the major binary repositories.

We welcome your help and feedback and in particular want
to thank everyone who contributed to this release.

For more information on how to report problems, and to get involved,
visit the project website at https://groovy.apache.org/

Best regards,

The Apache Groovy team.


[ANNOUNCE] Apache Libcloud 3.5.0 release

2022-03-14 Thread Tomaz Muraus
Libcloud is a Python library that abstracts away the differences among
multiple cloud provider APIs. It allows users to manage cloud services
(servers, storage, load balancers, DNS, containers as a service) offered by
many different providers through a single, unified and easy to use API.

We are happy to announce Libcloud v3.5.0.

This release includes various improvements, new functionality and bug fixes.

Changelog can be found at
<https://libcloud.readthedocs.io/en/latest/changelog.html#changes-in-apache-libcloud-3-5-0>.

Download

The release can be downloaded from
 or installed using pip:

pip install "apache-libcloud==3.5.0"

Upgrading

If you have installed Libcloud using pip you can also use it to upgrade it:

pip install --upgrade "apache-libcloud==3.5.0"

Note on Python 3.5 support

This release drops support for Python 3.5.

Python 3.5 has been EOL and non-supported for more than a year now and a lot
of libraries (including some we depend on) have already dropped support for
it.

Last release which still supports Python 3.5 is Libcloud v3.4.1.

Upgrade notes

A page which describes backward incompatible or semi-incompatible
changes and how to preserve the old behavior when this is possible
can be found at
<https://libcloud.readthedocs.org/en/latest/upgrade_notes.html>

Documentation

Regular and API documentation is available at
<https://libcloud.readthedocs.io/en/v3.5.0/>

Bugs / Issues

If you find any bug or issue, please report it on our issue tracker.

Don't forget to attach an example and / or test which reproduces your
problem.

Thanks

Thanks to everyone who contributed and made this release possible! Full
list of people who contributed to this release can be found in the
CHANGES file.


[ANNOUNCE] Apache Kafka 3.0.1

2022-03-14 Thread Mickael Maison
The Apache Kafka community is pleased to announce the release for
Apache Kafka 3.0.1

Apache Kafka 3.0.1 is a bugfix release and 29 issues have been fixed
since 3.0.0.

All of the changes in this release can be found in the release notes:
https://www.apache.org/dist/kafka/3.0.1/RELEASE_NOTES.html


You can download the source and binary release (Scala 2.12 and 2.13) from:
https://kafka.apache.org/downloads#3.0.1

---


Apache Kafka is a distributed streaming platform with four core APIs:


** The Producer API allows an application to publish a stream of records to
one or more Kafka topics.

** The Consumer API allows an application to subscribe to one or more
topics and process the stream of records produced to them.

** The Streams API allows an application to act as a stream processor,
consuming an input stream from one or more topics and producing an
output stream to one or more output topics, effectively transforming the
input streams to output streams.

** The Connector API allows building and running reusable producers or
consumers that connect Kafka topics to existing applications or data
systems. For example, a connector to a relational database might
capture every change to a table.


With these APIs, Kafka can be used for two broad classes of application:

** Building real-time streaming data pipelines that reliably get data
between systems or applications.

** Building real-time streaming applications that transform or react
to the streams of data.


Apache Kafka is in use at large and small companies worldwide, including
Capital One, Goldman Sachs, ING, LinkedIn, Netflix, Pinterest, Rabobank,
Target, The New York Times, Uber, Yelp, and Zalando, among others.

A big thank you for the following 26 contributors to this release!

A. Sophie Blee-Goldman, Andras Katona, Bruno Cadonna, Chris Egerton,
Cong Ding, David Jacot, dengziming, Edoardo Comar, Ismael Juma, Jason
Gustafson, jiangyuan, Kevin Zhang, Konstantine Karantasis, Lee
Dongjin, Luke Chen, Marc Löhe, Matthias J. Sax, Michael Carter,
Mickael Maison, Oliver Hutchison, Philip Nee, Prateek Agarwal,
prince-mahajan, Rajini Sivaram, Randall Hauch, Walker Carlson

We welcome your help and feedback. For more information on how to
report problems, and to get involved, visit the project website at
https://kafka.apache.org/

Thank you!


Regards,
Mickael Maison


[ANNOUNCEMENT] Apache HTTP Server 2.4.53 Released

2022-03-14 Thread icing
Apache HTTP Server 2.4.53 Released

   March 14, 2022

   The Apache Software Foundation and the Apache HTTP Server Project
   are pleased to announce the release of version 2.4.53 of the Apache
   HTTP Server ("Apache").  This version of Apache is our latest GA
   release of the new generation 2.4.x branch of Apache HTTPD and
   represents fifteen years of innovation by the project, and is
   recommended over all previous releases. This release of Apache is
   a security, feature and bug fix release.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.4.53 is available for download from:

 https://httpd.apache.org/download.cgi

   Apache 2.4 offers numerous enhancements, improvements, and performance
   boosts over the 2.2 codebase.  For an overview of new features
   introduced since 2.4 please see:

 https://httpd.apache.org/docs/trunk/new_features_2_4.html

   Please see the CHANGES_2.4 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.4.53 includes only
   those changes introduced since the prior 2.4 release.  A summary of all 
   of the security vulnerabilities addressed in this and earlier releases 
   is available:

 https://httpd.apache.org/security/vulnerabilities_24.html

   This release requires the Apache Portable Runtime (APR), minimum
   version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
   require the 1.6.x version of both APR and APR-Util. The APR libraries
   must be upgraded for all features of httpd to operate correctly.

   This release builds on and extends the Apache 2.2 API.  Modules written
   for Apache 2.2 will need to be recompiled in order to run with Apache
   2.4, and require minimal or no source code changes.

 https://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.

   Please note the 2.2.x branch has now passed the end of life at the Apache
   HTTP Server project and no further activity will occur including security
   patches.  Users must promptly complete their transitions to this 2.4.x
   release of httpd to benefit from further bug fixes or new features.




[ANNOUNCE] Apache Camel 3.11.6 (LTS) Released

2022-03-14 Thread Gregor Zurowski
The Camel PMC is pleased to announce the release of Apache Camel 3.11.6 (LTS).

Apache Camel is an open source integration framework that empowers you
to quickly and easily integrate various systems consuming or producing
data.

This patch release contains 23 bug fixes and improvements.

The release is available for immediate download at:

https://camel.apache.org/download/

For more details please take a look at the release notes at:

https://camel.apache.org/releases/release-3.11.6/