CVE-2022-45402: Apache Airflow: Open redirect during login

2022-11-14 Thread Jedidiah Cunningham
Description:

In Apache Airflow versions prior to 2.4.3, there was an open redirect in the 
webserver's `/login` endpoint.

Credit:

The Apache Airflow PMC would like to thank Bugra Eskici for reporting this 
issue.

References:

https://github.com/apache/airflow/pull/27576




[ANN] Apache Tomcat 9.0.69 available

2022-11-14 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.69.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.69 is a bugfix and feature release. The notable
changes compared to 9.0.68 include:

- Fix concurrency issue in evaluation of expression language containing
   lambda expressions.

- Correct the date format used with the expires attribute of HTTP
   cookies. A single space rather than a single dash should be used to
   separate the day, month and year components to be compliant with RFC
   6265.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team


[ANN] Apache Tomcat 10.1.2 available

2022-11-14 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.1.2.

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE tool which is also available as a separate 
download for off-line use.


The notable changes compared to 10.1.1 include:

- Fix concurrency issue in evaluation of expression language containing
  lambda expressions.

- Update the packaged version of the Apache Tomcat Native Library to
  2.0.2 to pick up the Windows binaries built with OpenSSL 3.0.7.

- Correct the date format used with the expires attribute of HTTP
  cookies. A single space rather than a single dash should be used to
  separate the day, month and year components to be compliant with RFC
  6265.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
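The cookie Expires date format mentioned in both Tomcat announcements above, as an added example that is not Tomcat code: a formatter that emits the RFC 6265 space-separated sane-cookie-date and a checker that flags the legacy dash-separated form in a Set-Cookie header. The header values and the sample timestamp are constructed.

```python
"""Produce and check the Expires attribute of Set-Cookie headers.

Added example, not Apache Tomcat code. RFC 6265 section 4.1.1 defines
sane-cookie-date as the rfc1123-date form "Wdy, DD Mon YYYY HH:MM:SS GMT";
the older Netscape form joins day, month and year with dashes.
"""
import re
from datetime import datetime, timezone

# English abbreviations are required; strftime's %a/%b depend on the locale.
_DAYS = "Mon Tue Wed Thu Fri Sat Sun".split()
_MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
_WDY = r"(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2}"
_RFC6265_RE = re.compile(_WDY + r" [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} GMT$")
_LEGACY_RE = re.compile(_WDY + r"-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2} GMT$")

# Constructed sample instant: the digest date, noon UTC.
SAMPLE_TIME = datetime(2022, 11, 14, 12, 0, 0, tzinfo=timezone.utc)


def format_expires(when: datetime) -> str:
    """Render an aware datetime as an RFC 6265 sane-cookie-date (always GMT)."""
    if when.tzinfo is None:
        raise ValueError("Expires needs a timezone-aware datetime")
    t = when.astimezone(timezone.utc)
    return (f"{_DAYS[t.weekday()]}, {t.day:02d} {_MONTHS[t.month - 1]} "
            f"{t.year:04d} {t.hour:02d}:{t.minute:02d}:{t.second:02d} GMT")


def check_set_cookie(header: str) -> list[str]:
    """Return findings for one Set-Cookie header value (empty list = OK)."""
    findings = []
    for attr in header.split(";")[1:]:            # element 0 is name=value
        name, _, value = attr.strip().partition("=")
        if name.lower() != "expires":
            continue
        value = value.strip()
        if _RFC6265_RE.match(value):
            continue
        kind = "legacy dash-separated" if _LEGACY_RE.match(value) else "unrecognised"
        findings.append(f"Expires uses {kind} date {value!r}; "
                        f"expected e.g. {format_expires(SAMPLE_TIME)!r}")
    return findings


if __name__ == "__main__":
    # Constructed header values: one compliant, one in the legacy form.
    for hdr in (f"JSESSIONID=abc123; Path=/; HttpOnly; Expires={format_expires(SAMPLE_TIME)}",
                "JSESSIONID=abc123; Path=/; Expires=Mon, 14-Nov-2022 12:00:00 GMT"):
        print(hdr, "->", check_set_cookie(hdr) or "OK")
```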


CVE-2022-45136: JDBC Deserialisation in Apache Jena SDB

2022-11-14 Thread Rob Vesse
Severity: low

Description:

** UNSUPPORTED WHEN ASSIGNED ** Apache Jena SDB 3.17.0 and earlier is 
vulnerable to a JDBC Deserialisation attack if the attacker is able to control 
the JDBC URL used or cause the underlying database server to return malicious 
data.  The MySQL JDBC driver in particular is known to be vulnerable to this 
class of attack.  As a result, an application using Apache Jena SDB can be 
subject to RCE when connected to a malicious database server.

Apache Jena SDB has been EOL since December 2020 and users should migrate to 
alternative options e.g. Apache Jena TDB 2.

Mitigation:

Apache Jena SDB has been EOL since December 2020; users should migrate to 
alternative options from the Apache Jena project, e.g. Apache Jena TDB 2, or from 
3rd party vendors.


Users utilising Apache Jena SDB with MySQL should ensure they explicitly set 
autoDeserialize=false on their JDBC connection strings.  It is also recommended 
that users ensure that any ability to set the JDBC connection string is limited 
to appropriate users.

Credit:

Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue.
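The autoDeserialize mitigation from the advisory above, as an added example that is not Apache Jena code: a small audit that reports MySQL JDBC URLs where autoDeserialize is missing or not false, and rewrites them to set it explicitly. It handles only the ?key=value form of driver properties; the hostnames and database names are constructed.

```python
"""Audit and harden MySQL JDBC URLs for the autoDeserialize property.

Added example, not Apache Jena project code. It handles only the
"?key=value&..." property syntax of a JDBC URL and checks the one property
the advisory names, autoDeserialize. Hostnames and database names are
constructed sample values.
"""
from urllib.parse import parse_qsl, urlencode

PROP = "autoDeserialize"


def audit_jdbc_url(url: str) -> list[str]:
    """Return findings for one JDBC URL; an empty list means no issue found."""
    if not url.lower().startswith("jdbc:mysql"):
        return []                      # the advisory concerns the MySQL driver only
    _, _, query = url.partition("?")
    # Match the property name case-insensitively to be conservative.
    props = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    value = props.get(PROP.lower())
    if value is None:
        return [f"{PROP} is not set explicitly; add {PROP}=false"]
    if value.strip().lower() != "false":
        return [f"{PROP}={value} lets the driver deserialise server-supplied "
                f"objects; set {PROP}=false"]
    return []


def harden_jdbc_url(url: str) -> str:
    """Return the URL with autoDeserialize forced to false (MySQL URLs only)."""
    if not url.lower().startswith("jdbc:mysql"):
        return url
    base, _, query = url.partition("?")
    # Drop any existing autoDeserialize setting, whatever its case or value.
    params = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
              if k.lower() != PROP.lower()]
    params.append((PROP, "false"))
    return f"{base}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample connection strings.
    samples = [
        "jdbc:mysql://db.example.internal:3306/jena?user=jena&autoDeserialize=true",
        "jdbc:mysql://db.example.internal:3306/jena?user=jena",
        "jdbc:postgresql://db.example.internal:5432/jena",
    ]
    for u in samples:
        for finding in audit_jdbc_url(u):
            print(f"{u}\n  -> {finding}\n  fixed: {harden_jdbc_url(u)}")
```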



[ANN] Apache Syncope 3.0.0

2022-11-14 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.0

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope300

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



[ANNOUNCEMENT] HttpComponents Core 5.1.5 GA released

2022-11-14 Thread Oleg Kalnichevski
The Apache HttpComponents project is pleased to announce 5.1.5 GA
release of HttpComponents Core. 

This is a maintenance release that corrects several minor defects
discovered since release 5.1.4.

This is likely to be the last release in the 5.1 release series. Users
of HttpCore 5.1 are advised to upgrade to the latest version of 5.2.

Download - 
Release notes -


About HttpComponents Core

HttpCore is a set of HTTP/1.1 and HTTP/2 transport components that can
be used to build custom client and server side HTTP services with a
minimal footprint.



CVE-2022-45378: Apache SOAP allows unauthenticated users to potentially invoke arbitrary code

2022-11-14 Thread Arnout Engelen
Severity: moderate

Description:

** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an 
RPCRouterServlet is available without authentication. This gives an attacker 
the possibility to invoke methods on the classpath that meet certain criteria. 
Depending on what classes are available on the classpath this might even lead 
to arbitrary remote code execution. NOTE: This vulnerability only affects 
products that are no longer supported by the maintainer.

Credit:

Apache would like to thank TsungShu Chiu (CHT Security) for reporting this 
issue.



[ANNOUNCE] Apache Airflow 2.4.3 Released

2022-11-14 Thread Ephraim Anierobi
Dear community,

I'm happy to announce that Airflow 2.4.3 was just released.

The released sources and packages can be downloaded via 
https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-sources.html

Other installation methods are described in 
https://airflow.apache.org/docs/apache-airflow/stable/installation/

We also made this version available on PyPI for convenience:
`pip install apache-airflow`
https://pypi.org/project/apache-airflow/2.4.3/

The documentation is available at:
https://airflow.apache.org/docs/apache-airflow/2.4.3/

Find the release notes here for more details:
https://airflow.apache.org/docs/apache-airflow/2.4.3/release_notes.html

Container images are published at:
https://hub.docker.com/r/apache/airflow/tags/?page=1=2.4.3

Cheers,
- Ephraim


CVE-2022-27949: Apache Airflow: sensitive values in rendered template

2022-11-14 Thread Jarek Potiuk
Severity: low

Description:

A vulnerability in the UI of Apache Airflow allows an attacker to view unmasked 
secrets in rendered template values for tasks which were not executed (for 
example when they depended on past instances and previous instances of the task 
failed). This issue affects Apache Airflow prior to 2.3.1.

References:

https://github.com/apache/airflow/pull/22754



CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example

2022-11-14 Thread Jarek Potiuk
Severity: low

Description:

A vulnerability in the Example DAGs of Apache Airflow allows an attacker with UI 
access who can trigger DAGs to execute arbitrary commands via a manually 
provided run_id parameter.  This issue affects Apache Airflow versions prior 
to 2.4.0.

Mitigation:

Do not enable example DAGs on systems that should not allow UI users to execute 
arbitrary commands.

Credit:

Apache Airflow PMC would like to thank L3yx of Syclover Security Team.

References:

https://github.com/apache/airflow/pull/25960