[ANNOUNCE] Apache Qpid proton-dotnet 1.0.0-M1 released

2022-06-09 Thread Timothy Bish
The Apache Qpid (http://qpid.apache.org) community is pleased to
announce the immediate availability of Apache proton-dotnet 1.0.0-M1.

This is the latest release of our AMQP .NET client supporting the
Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464,
http://www.amqp.org), based around the Apache Qpid proton-dotnet
protocol engine also contained in this release.

The release is available now from our website:
http://qpid.apache.org/download.html

Binaries are also available via Maven Central:
http://qpid.apache.org/maven.html

Release notes can be found at:

http://qpid.apache.org/releases/qpid-proton-dotnet-1.0.0-M1/release-notes.html

Thanks to all involved,


CVE-2022-28330: Apache HTTP Server: read beyond bounds in mod_isapi

2022-06-09 Thread Stefan Eissing
Severity: low

Description:

Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when 
configured to process requests with the mod_isapi module. 

Credit:

The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) 
for reporting this issue.

References:

https://httpd.apache.org/security/vulnerabilities_24.html



[ANN] Apache Struts 2 ver. 6.0.0

2022-06-09 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Apache Struts 2
ver. 6.0.0 is available as a "General Availability"
release. The GA designation is our highest quality grade.

**Version change**

You may be surprised by the version change: previously we had been
using the Struts 2.5.x versioning scheme, but this was
a bit misleading. Struts 2 is a different framework than Struts 1 and
its versioning was supposed to start with 1.0.0.
Yet that never happened. With each breaking-change release (like
Struts 2.5), we had only been upgrading the MINOR
part of the versioning scheme. To fix that problem, as of Struts 2
ver. 6.0.0 (aka Struts 2.6) we adopt proper SemVer
to avoid such confusion.

**Internal Changes**

The framework requires Java 8 at runtime. Also, a Servlet API 3.1 capable
container is required.

OGNL expressions are limited to 256 characters by default. See
[WW-5179] and [docs] for more details.
https://issues.apache.org/jira/browse/WW-5179
https://struts.apache.org/security/#apply-a-maximum-allowed-length-on-ognl-expressions

Yasser's PR has been merged, which contains a fix for the double-evaluation
security vulnerability. It should close off any future
attack vectors, yet it can impact your application if you have been
depending on double evaluation.

How to test:
- Run all your app tests; you shouldn't see any WARN log like the one below:
  Expression [so-and-so] isn't allowed by pattern [so-and-so]! See Accepted / Excluded patterns at https://struts.apache.org/security/
- See if the following components are still functioning correctly regarding JavaScript:
  - forms with client side validations
  - doubleselect
  - combobox
- Check also `StreamResult`s, `AliasInterceptor` and `JasperReportResult`s if they are still working as expected.

Support to access static methods via OGNL expressions has been
removed, use action instance methods instead.

**Bug**

- WW-3534 - PrepareOperations.createActionContext does not detect existing context correctly
- WW-3730 - action tag accepts only String arrays as parameters
- WW-4723 - s:url incompatible with JDK 1.5
- WW-4742 - Problem with escape when the key from getText has no value
- WW-4865 - Struts s:checkbox conversion fails to List
- WW-4866 - ASM 5.2 and Java 9 leads to IllegalArgumentException
- WW-4897 - KEYS, sigs and hashes should use https (SSL)
- WW-4902 - Struts 2 fails to init Dispatcher - Tomcat Embedded
- WW-4928 - Setting struts.devMode from system property not working as described
- WW-4930 - SMI cannot be disabled for action-packages found via the convention-plugin
- WW-4941 - [jar_cache] Some jar_cache**.tmp files are generated into a temporary directory (/tmp) during web service start
- WW-4943 - opensymphony.xwork2.util.LocalizedTextUtil can't get i18n resources
- WW-4944 - Struts 2 REST Tiles integration issue
- WW-4945 - TagUtils#buildNamespace should throw an exception when invocation is null
- WW-4946 - Struts 2 spring integrations is failing - fails to init Dispatcher - Tomcat Embedded
- WW-4948 - Struts 2.5.16 is creating jar_cache files in temp folder
- WW-4951 - MD5 and SHA1 should no longer be provided on download pages
- WW-4954 - xml-validation fails since struts 2.5.17
- WW-4957 - Update struts version from 2.5.10 to 2.5.17. LocalizedTextUtil class is removed and GlobalLocalizedTextProvider cannot be used instead.
- WW-4958 - File upload fails from certain clients
- WW-4964 - Missing javascript in form-validate.ftl
- WW-4968 - combining s:set and s:property where the property retrieved is null has unexpected results
- WW-4971 - s:include tag fails with truncated content in certain circumstances
- WW-4974 - NullPointerException in DefaultStaticContentLoader#findStaticResource
- WW-4977 - Fixing flaky test in Jsr168DispatcherTest and Jsr286DispatcherTest
- WW-4984 - Static files like css and js files in struts-core not properly served
- WW-4986 - Race condition reloading config results in actions not found
- WW-4987 - Setting Struts2  options Css Class
- WW-4991 - Not existing property in listValueKey throws exception
- WW-4997 -  can't be resolved
- WW-4999 - Can't get OgnlValueStack log even if enable logMissingProperties
- WW-5002 - Package Level Properties in Global Results
- WW-5004 - No more calling of a static variable in Struts 2.8.20 available
- WW-5006 - NullPointerException in ProxyUtil class when accessing static member
- WW-5009 - EmptyStackException in JSON plugin due to concurrency
- WW-5011 - Tiles bug when parsing file:// URLs including # as part of the URL
- WW-5013 - Accessing static variable via OGNL returns nothing
- WW-5022 - Struts 2.6 escaping behaviour change for s:a (anchor) tag
- WW-5024 - HttpParameters.Builder can wrap objects in two layers of Parameters
- WW-5025 - Binding Integer Array upon form submission
- WW-5026 - Double-submit of TokenSessionStoreInterceptor broken since 2.5.16
- WW-5027 - xerces tries to load resources from the internet
- WW-5028 - Dispatcher prints stacktraces directly to the console
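The "How to test" step in the Struts announcement above asks you to run your application's tests and look for the "Expression [...] isn't allowed by pattern [...]!" WARN line. The following is an added example, not code from the Struts project: a small scanner that pulls every such rejection out of a log, counts which expressions are being refused, and additionally flags any rejected expression longer than the new 256-character OGNL default. The log format, logger name and all log lines are constructed for the example; only the WARN message shape comes from the announcement.

```python
import re
from collections import Counter

# Struts 6 logs this WARN when an OGNL expression is rejected by the accepted /
# excluded pattern check (wording taken from the announcement above).
WARN_RE = re.compile(
    r"\bWARN\b.*?Expression \[(?P<expr>.*?)\] isn't allowed by pattern \[(?P<pattern>.*?)\]!"
)

# Default maximum OGNL expression length in Struts 6 (from the announcement).
DEFAULT_MAX_EXPRESSION_LENGTH = 256


def find_rejected_expressions(log_text):
    """Return (line_no, expression, pattern) for every rejected-expression WARN line."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = WARN_RE.search(line)
        if match:
            hits.append((line_no, match.group("expr"), match.group("pattern")))
    return hits


def summarize(hits):
    """Count how many times each expression was rejected, most frequent first."""
    return Counter(expr for _, expr, _ in hits).most_common()


def over_length_limit(hits, limit=DEFAULT_MAX_EXPRESSION_LENGTH):
    """Rejected expressions that would also trip the default length limit."""
    return [expr for _, expr, _ in hits if len(expr) > limit]


# Constructed sample log (not real application output). The logger name and
# timestamps are placeholders; only the WARN message shape is from the announcement.
LONG_EXPRESSION = "a." * 140 + "b"   # 281 characters, over the 256 default
SAMPLE_LOG = "\n".join([
    "2022-06-09 10:00:01 INFO  example.Startup - application started",
    "2022-06-09 10:00:05 WARN  example.OgnlGuard - Expression [user.address.city] "
    "isn't allowed by pattern [^[a-zA-Z0-9._]+$]! See Accepted / Excluded patterns "
    "at https://struts.apache.org/security/",
    "2022-06-09 10:00:06 WARN  example.OgnlGuard - Expression [users[0].name] "
    "isn't allowed by pattern [^[a-zA-Z0-9._]+$]! See Accepted / Excluded patterns "
    "at https://struts.apache.org/security/",
    "2022-06-09 10:00:07 WARN  example.OgnlGuard - Expression [" + LONG_EXPRESSION + "] "
    "isn't allowed by pattern [^[a-zA-Z0-9._]+$]! See Accepted / Excluded patterns "
    "at https://struts.apache.org/security/",
    "2022-06-09 10:00:08 WARN  example.OgnlGuard - Expression [user.address.city] "
    "isn't allowed by pattern [^[a-zA-Z0-9._]+$]! See Accepted / Excluded patterns "
    "at https://struts.apache.org/security/",
    "2022-06-09 10:00:09 INFO  example.Request - GET /index.action 200",
])

if __name__ == "__main__":
    hits = find_rejected_expressions(SAMPLE_LOG)
    for line_no, expr, pattern in hits:
        print(f"line {line_no}: rejected {expr!r} (pattern {pattern!r})")
    print("most frequent:", summarize(hits))
    print("over default length:", over_length_limit(hits))
```

Run it against your real test-run log by replacing `SAMPLE_LOG` with the file contents; an empty result from `find_rejected_expressions` is the outcome the announcement asks you to confirm, and a non-empty `over_length_limit` tells you which expressions would need the length limit raised, or better, shortened.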

[ANNOUNCE] MyFaces Core v2.3.10 Released

2022-06-09 Thread Volodymyr Siedlecki
The Apache MyFaces team is pleased to announce the release of MyFaces Core 
2.3.10.

MyFaces Core is a JavaServer(tm) Faces 2.3 implementation as specified by 
JSR-372.

JavaServer Faces (JSF) is a Java specification for building component-based 
user interfaces for web applications.

MyFaces Core 2.3.10 is available in both binary and source distributions.

* https://myfaces.apache.org/#/core23?id=downloads

MyFaces Core is also available in the central Maven repository under Group ID 
"org.apache.myfaces.core".

Release Notes - MyFaces Core - Version 2.3.10 can be found in the following 
link: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10600&version=12350093

Regards,
The MyFaces Team 


[Announce] MyFaces Core v2.3-next-M7 Released

2022-06-09 Thread Volodymyr Siedlecki
The Apache MyFaces team is pleased to announce the release of MyFaces Core 
2.3-next-M7.

MyFaces Core is a JavaServer(tm) Faces 2.3 implementation as specified by 
JSR-372.

JavaServer Faces (JSF) is a Java specification for building component-based 
user interfaces for web applications.

MyFaces Core 2.3-next-M7 is available in both binary and source distributions.

* https://myfaces.apache.org/#/core23next?id=downloads

MyFaces Core is also available in the central Maven repository under Group ID 
"org.apache.myfaces.core".

Release Notes - MyFaces Core - Version 2.3-next-M7 can be found in the 
following link:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10600&version=12350227

Regards,

The MyFaces Team


[Announce] MyFaces Core v3.0.2 Released

2022-06-09 Thread Volodymyr Siedlecki
The Apache MyFaces team is pleased to announce the release of MyFaces Core 
3.0.2.

Jakarta Server Faces 3.0, as part of the Jakarta EE 9 Platform, offers a new 
implementation by moving away from the javax namespace. For specifications 
details, please see https://jakarta.ee/specifications/faces/3.0/

Jakarta Server Faces is a Java specification for building component-based user 
interfaces for web applications.

MyFaces Core 3.0.2 is available in both binary and source distributions.
* http://myfaces.apache.org/#/core30

MyFaces Core is also available in the central Maven repository under Group ID 
"org.apache.myfaces.core".

Release Notes - MyFaces Core - Version 3.0.2 can be found at the following link:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10600&version=12350353

Regards,
The MyFaces Team


CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling

2022-06-09 Thread Stefan Eissing
Severity: moderate

Description:

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') 
vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to 
smuggle requests to the AJP server it forwards requests to. This issue affects 
Apache HTTP Server 2.4 version 2.4.53 and prior versions.

Credit:

Ricter Z @ 360 Noah Lab

References:

https://httpd.apache.org/security/vulnerabilities_24.html



CVE-2022-28614: Apache HTTP Server: read beyond bounds via ap_rwrite()

2022-06-09 Thread Stefan Eissing
Severity: low

Description:

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read 
unintended memory if an attacker can cause the server to reflect very large 
input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function.

Credit:

The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) 
for reporting this issue.

References:

https://httpd.apache.org/security/vulnerabilities_24.html



CVE-2022-29404: Apache HTTP Server: Denial of service in mod_lua r:parsebody

2022-06-09 Thread Stefan Eissing
Severity: low

Description:

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script 
that calls r:parsebody(0) may cause a denial of service due to no default limit 
on possible input size.

Credit:

The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) 
for reporting this issue.

References:

https://httpd.apache.org/security/vulnerabilities_24.html



CVE-2022-30522: Apache HTTP Server: mod_sed denial of service

2022-06-09 Thread Stefan Eissing
Severity: low

Description:

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed 
in contexts where the input to mod_sed may be very large, mod_sed may make 
excessively large memory allocations and trigger an abort.

Credit:

This issue was found by Brian Moussalli from the JFrog Security Research team.

References:

https://httpd.apache.org/security/vulnerabilities_24.html



CVE-2022-30556: Apache HTTP Server: Information Disclosure in mod_lua with websockets

2022-06-09 Thread Stefan Eissing
Severity: low

Description:

Apache HTTP Server 2.4.53 and earlier may return lengths to applications 
calling r:wsread() that point past the end of the storage allocated for the 
buffer.

Credit:

The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) 
for reporting this issue.

References:

https://httpd.apache.org/security/vulnerabilities_24.html



CVE-2022-31813: Apache HTTP Server: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism

2022-06-09 Thread Stefan Eissing
Severity: low

Description:

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to 
the origin server based on client side Connection header hop-by-hop mechanism.
This may be used to bypass IP based authentication on the origin 
server/application.

Credit:

The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for 
reporting this issue.

References:

https://httpd.apache.org/security/vulnerabilities_24.html

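The CVE-2022-31813 advisory above describes a proxy dropping its own X-Forwarded-* headers because of the client's Connection hop-by-hop mechanism. The following is an added illustration, not httpd code: a toy header-forwarding routine in which the proxy's X-Forwarded-For is added before hop-by-hop stripping (so a client Connection header that names it causes it to be removed), beside the corrected ordering that strips client-controlled headers first and only then appends the proxy's own header. It also shows an origin-side IP check that fails closed when the header is absent, rather than treating a request without X-Forwarded-For as direct. The header lists, IP addresses and the `origin_allows` policy are all constructed for this example.

```python
# Hop-by-hop headers a proxy must not forward (RFC 7230 section 6.1). Any header
# named in the client's Connection header is treated as hop-by-hop as well.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def connection_tokens(headers):
    """Lower-cased header names listed in the Connection header(s)."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def strip_hop_by_hop(headers):
    """Drop the fixed hop-by-hop headers and every header named in Connection."""
    drop = HOP_BY_HOP | connection_tokens(headers)
    return [(name, value) for name, value in headers if name.lower() not in drop]


def forward_headers_fragile(client_headers, client_ip):
    """Defective ordering: the proxy appends X-Forwarded-For and then strips
    hop-by-hop headers, so the client's Connection header can name it away."""
    headers = list(client_headers) + [("X-Forwarded-For", client_ip)]
    return strip_hop_by_hop(headers)


def forward_headers_fixed(client_headers, client_ip):
    """Strip client-controlled hop-by-hop headers first, then append the
    proxy's own X-Forwarded-For, which the stripping step never sees."""
    headers = strip_hop_by_hop(client_headers)
    return headers + [("X-Forwarded-For", client_ip)]


def get_header(headers, name):
    """First value of the named header, or None if absent."""
    for header_name, value in headers:
        if header_name.lower() == name.lower():
            return value
    return None


def origin_allows(headers, allowed_ips):
    """Hypothetical origin-side IP check that fails closed: a request without
    X-Forwarded-For is refused instead of being treated as a trusted direct hit."""
    forwarded = get_header(headers, "X-Forwarded-For")
    if forwarded is None:
        return False
    return forwarded.split(",")[0].strip() in allowed_ips


# Constructed sample request headers (not captured traffic).
ORDINARY_REQUEST = [("Host", "app.example"), ("Connection", "close")]
NOMINATING_REQUEST = [("Host", "app.example"), ("Connection", "close, X-Forwarded-For")]

if __name__ == "__main__":
    for label, request in (("ordinary", ORDINARY_REQUEST), ("nominating", NOMINATING_REQUEST)):
        fragile = forward_headers_fragile(request, "10.0.0.5")
        fixed = forward_headers_fixed(request, "10.0.0.5")
        print(label, "fragile:", get_header(fragile, "X-Forwarded-For"),
              "fixed:", get_header(fixed, "X-Forwarded-For"))
```

The two orderings forward identical headers for an ordinary request; they differ only when the client's Connection header nominates a header the proxy itself generates, which is exactly the case the advisory describes. The fail-closed check in `origin_allows` is the complementary origin-side caveat: an IP allow-list that treats a missing X-Forwarded-For as "no proxy involved" turns any dropped header into an allow.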


[ANN] Apache Tomcat 10.1.0-M16 (beta) available

2022-06-09 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.1.0-M16 (beta).

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

The Jakarta EE specifications implemented by Tomcat 10.1.x are now final 
and Tomcat's implementation of those specifications is complete.


Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE, which is also available as a separate 
download for off-line use.


Apache Tomcat 10.1.0-M16 is a milestone release of the 10.1.x branch and 
has been made to provide users with early access to the new features in 
Apache Tomcat 10.1.x so that they may provide feedback. The notable 
changes compared to 10.1.0-M15 include:


- Refactor synchronization blocks locking on SocketWrapper to use
  ReentrantLock to support users wishing to experiment with project
  Loom.

- Correct a regression in the support added for encrypted PKCS#1
  formatted private keys in the previous release that broke support
  for unencrypted PKCS#1 formatted private keys.

- Increase the default buffer size for cluster messages from 43800
  to 65536 bytes. This is expected to improve performance for large
  messages when running on Linux based systems.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team


[ANNOUNCEMENT] HttpComponents Client 5.2-beta1 Released

2022-06-09 Thread Oleg Kalnichevski
The Apache HttpComponents project is pleased to announce 5.2-beta1
release of HttpComponents HttpClient.

This is the first BETA release in the 5.2 release series that upgrades
minimal JRE level to version 8 (8u251 is required) and includes several
protocol level and API improvements. It also includes all bug fixes
from the 5.1 branch.

Notable changes and features included in the 5.2 series:

* Upgrade to Java 8.

* Improved support for TLS upgrade and HTTP protocol upgrade (async).

* Support for H2 tunneling via HTTP/1.1 proxy.

* Conformance to RFC 7617 (The 'Basic' HTTP Authentication Scheme).

* Migration to Java 8 Time primitives in State Management and Cache
APIs.

* Base64 codec based on Commons Codec replaced with JRE Base64 codec.
Dependency on Commons Codec dropped.

* Optional support for BR (Brotli) decompression.

Download - 
Release notes -


About HttpComponents HttpClient

The Hyper-Text Transfer Protocol (HTTP) is perhaps the most
significant protocol used on the Internet today. Web services,
network-enabled appliances and the growth of network computing continue to
expand the role of the HTTP protocol beyond user-driven web browsers,
while increasing the number of applications that require HTTP support.

Although the java.net package provides basic functionality for
accessing resources via HTTP, it doesn't provide the full flexibility
or functionality needed by many applications. HttpClient seeks to fill
this void by providing an efficient, up-to-date, and feature-rich
package implementing the client side of the most recent HTTP standards
and recommendations.

Designed for extension while providing robust support for the base
HTTP protocol, HttpClient may be of interest to anyone building HTTP-aware
client applications such as web browsers, web service clients, or
systems that leverage or extend the HTTP protocol for distributed
communication.



[ANNOUNCE] Apache Impala 4.1.0 release

2022-06-09 Thread Tamás Máté
The Apache Impala team is pleased to announce the release of Impala 4.1.0.

Impala is a high-performance distributed SQL engine.

The release is available at: https://impala.apache.org/downloads.html

Thanks,

The Apache Impala team


[ANN] Apache Tomcat 9.0.64 available

2022-06-09 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.64.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.64 is a bugfix and feature release. The notable
changes compared to 9.0.63 include:

- Correct a regression in the support added for encrypted PKCS#1
   formatted private keys in the previous release that broke support
   for unencrypted PKCS#1 formatted private keys.

- Increase the default buffer size for cluster messages from 43800
   to 65536 bytes. This is expected to improve performance for large
   messages when running on Linux based systems.

- When using TLS with non-blocking writes and the NIO connector,
   ensure that flushing the buffers attempts to empty all of the
   output buffers.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
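Both Tomcat announcements above mention the regression between encrypted and unencrypted PKCS#1 formatted private keys. Before upgrading, an operator usually wants to know which of those formats a given PEM file actually is; the following is an added example, not Tomcat code, that classifies a PEM private-key file by its BEGIN label and by the RFC 1421 `Proc-Type`/`DEK-Info` headers that mark traditional (PKCS#1 style) encryption. It goes beyond the announcement by also recognising SEC1 EC keys and the PKCS#8 `PRIVATE KEY`/`ENCRYPTED PRIVATE KEY` labels. The sample blocks are constructed: their base64 bodies are placeholders, not real key material.

```python
import re

# One PEM block: label on the BEGIN/END lines, optional encapsulated headers and
# base64 between them.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def classify_pem_key(pem_text):
    """Describe the first PEM block in pem_text by key format and encryption."""
    match = PEM_BLOCK_RE.search(pem_text)
    if match is None:
        return "no PEM block"
    label = match.group("label")
    body = match.group("body")
    # Traditional OpenSSL encryption of PKCS#1 / SEC1 keys is signalled by RFC 1421
    # encapsulated headers inside the block, not by the BEGIN label.
    traditional_encrypted = (
        re.search(r"^Proc-Type: 4,ENCRYPTED\s*$", body, re.M) is not None
        and re.search(r"^DEK-Info: ", body, re.M) is not None
    )
    if label == "RSA PRIVATE KEY":
        return "PKCS#1 RSA, encrypted" if traditional_encrypted else "PKCS#1 RSA, unencrypted"
    if label == "EC PRIVATE KEY":
        return "SEC1 EC, encrypted" if traditional_encrypted else "SEC1 EC, unencrypted"
    if label == "PRIVATE KEY":
        return "PKCS#8, unencrypted"
    if label == "ENCRYPTED PRIVATE KEY":
        return "PKCS#8, encrypted"
    return "not a private key: " + label


def classify_pem_files(named_texts):
    """Map each file name to its classification, for a quick key inventory."""
    return {name: classify_pem_key(text) for name, text in named_texts.items()}


# Constructed samples: the base64 bodies are placeholders, not real keys.
PLACEHOLDER_B64 = "MIIBOgIBAAJBAPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER\n"
SAMPLES = {
    "pkcs1_plain.pem": "-----BEGIN RSA PRIVATE KEY-----\n" + PLACEHOLDER_B64
                       + "-----END RSA PRIVATE KEY-----\n",
    "pkcs1_encrypted.pem": "-----BEGIN RSA PRIVATE KEY-----\n"
                           "Proc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                           + PLACEHOLDER_B64 + "-----END RSA PRIVATE KEY-----\n",
    "pkcs8_plain.pem": "-----BEGIN PRIVATE KEY-----\n" + PLACEHOLDER_B64
                       + "-----END PRIVATE KEY-----\n",
    "pkcs8_encrypted.pem": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + PLACEHOLDER_B64
                           + "-----END ENCRYPTED PRIVATE KEY-----\n",
    "cert.pem": "-----BEGIN CERTIFICATE-----\n" + PLACEHOLDER_B64
                + "-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, kind in classify_pem_files(SAMPLES).items():
        print(f"{name}: {kind}")
```

To inventory a real deployment, build `named_texts` from the PEM files your connectors reference and feed it to `classify_pem_files`; the classification only reads labels and headers, so it never needs the passphrase and never parses the key material itself.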