[ANNOUNCE] Apache Jackrabbit Oak 1.22.11 released

2022-02-24 Thread Nitin Gupta
The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit Oak 1.22.11. The release is available for download at:

See the full release notes below for details about this release:

Release Notes -- Apache Jackrabbit Oak -- Version 1.22.11

Jackrabbit Oak is a scalable, high-performance hierarchical content
repository designed for use as the foundation of modern world-class
web sites and other demanding content applications.

Jackrabbit Oak 1.22.11 is a patch release that contains fixes and
improvements over Oak 1.22. Jackrabbit Oak 1.22.x releases are
considered stable and targeted for production use.

The Oak effort is a part of the Apache Jackrabbit project.
Apache Jackrabbit is a project of the Apache Software Foundation.

Changes in Oak 1.22.11

[OAK-9653] - Adding the index tag option interferes with regex
properties, leads to return zero results

New Feature

[OAK-9587] - Add an attribute to enforce a strict index tag check

[OAK-9634] - CacheLIRS: test failure with ARM processor

[OAK-9651] - Protection against very large queries

In addition to the above-mentioned changes, this release contains
all changes included up to the previous Apache Jackrabbit Oak 1.22.x release.

For more detailed information about all the changes in this and other
Oak releases, please see the Oak issue tracker at

Release Contents

This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.md file for instructions on how to build this release.

The source archive is accompanied by a SHA512 checksum and a PGP
signature that you can use to verify the authenticity of your
download. The public key used for the PGP signature can be found at

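The checksum-and-signature verification described above, as an added example that is not part of the Oak release or of the announcement. It assumes the archive, its `.sha512` file and its `.asc` signature sit side by side with those suffixes, that the project's release keys (from the KEYS file whose URL is elided above) have already been imported with `gpg --import`, and that GnuPG is installed; the PGP step shells out to the `gpg` command-line tool, and the archive used by `self_check()` is constructed in a temporary directory.

```python
"""Verify a downloaded Apache release archive against its SHA512 checksum
and PGP signature. Added example; not code from the Oak project.
Assumed layout: <archive>, <archive>.sha512, <archive>.asc side by side."""
import hashlib
import hmac
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Optional, Tuple

HEX = set("0123456789abcdefABCDEF")


def expected_digest(sha512_file: Path) -> str:
    """Read the expected digest. Apache .sha512 files come in two layouts:
    "hex  filename" (sha512sum output) or "filename: HEX HEX ..." spread
    over several lines (gpg --print-md output); both are accepted here."""
    text = sha512_file.read_text()
    tokens = text.split()
    first = tokens[0] if tokens else ""
    if len(first) == 128 and set(first) <= HEX:
        return first.lower()
    body = text.split(":", 1)[1] if ":" in text else text
    digest = "".join(c for c in body if c in HEX).lower()
    if len(digest) != 128:
        raise ValueError(f"no SHA-512 digest found in {sha512_file}")
    return digest


def file_sha512(path: Path) -> str:
    """Stream the file so a large archive is never read into memory at once."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(archive: Path, sha512_file: Path) -> bool:
    return hmac.compare_digest(file_sha512(archive), expected_digest(sha512_file))


def signature_verifies(archive: Path, asc_file: Path,
                       keyring: Optional[Path] = None) -> bool:
    """Run gpg --verify. Exit code 0 plus a GOODSIG status line means the
    signature is valid for a key gpg has; it says nothing about whether that
    key is the project's, which is why KEYS must come from the project site."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found; install GnuPG to verify signatures")
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring is not None:  # keep release keys in a dedicated keyring
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += ["--verify", str(asc_file), str(archive)]
    res = subprocess.run(cmd, capture_output=True, text=True)
    return res.returncode == 0 and "[GNUPG:] GOODSIG" in res.stdout


def self_check() -> Tuple[bool, bool, bool]:
    """Exercise the checksum path on a constructed archive (no gpg needed).
    Returns (good file accepted, gpg --print-md layout parsed, tampered file rejected)."""
    d = Path(tempfile.mkdtemp())
    archive = d / "example-src.zip"
    archive.write_bytes(b"constructed archive contents, not a real release")
    good = hashlib.sha512(archive.read_bytes()).hexdigest()
    (d / "plain.sha512").write_text(f"{good}  example-src.zip\n")
    spaced = " ".join(good[i:i + 8].upper() for i in range(0, 128, 8))
    (d / "spaced.sha512").write_text(
        f"example-src.zip: {spaced[:80]}\n                 {spaced[80:]}\n")
    accepted = checksum_matches(archive, d / "plain.sha512")
    parsed = expected_digest(d / "spaced.sha512") == good
    archive.write_bytes(b"tampered contents")  # simulate a modified download
    rejected = not checksum_matches(archive, d / "plain.sha512")
    return accepted, parsed, rejected


if __name__ == "__main__":
    # usage: verify_release.py <archive>.zip   (file name is whatever you downloaded)
    archive = Path(sys.argv[1])
    ok_sum = checksum_matches(archive, archive.with_name(archive.name + ".sha512"))
    ok_sig = signature_verifies(archive, archive.with_name(archive.name + ".asc"))
    print(f"sha512 ok: {ok_sum}, signature ok: {ok_sig}")
    sys.exit(0 if ok_sum and ok_sig else 1)
```

The checksum only proves the bytes match what the mirror served; the signature is the authenticity check, and it is only meaningful if the KEYS file was fetched from the project's own site rather than from the mirror that served the archive.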
About Apache Jackrabbit Oak

Jackrabbit Oak is a scalable, high-performance hierarchical content
repository designed for use as the foundation of modern world-class
web sites and other demanding content applications.

The Oak effort is a part of the Apache Jackrabbit project.
Apache Jackrabbit is a project of the Apache Software Foundation.

For more information, visit http://jackrabbit.apache.org/oak

About The Apache Software Foundation

Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 140 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 3,800+ contributors.

For more information, visit http://www.apache.org/

[ANNOUNCE] Apache Fineract 1.6.0 Release

2022-02-24 Thread Aleksandar Vidakovic
The Apache Fineract project is pleased to announce the release of
Apache Fineract 1.6.0.
The release is available for download from


Fineract provides a reliable, robust, and affordable solution for
entrepreneurs, financial institutions, and service providers to offer
financial services to the world’s 2 billion underbanked and unbanked.
Fineract is aimed at innovative mobile and cloud-based solutions, and
enables digital transaction accounts for all.

This release addressed 99 issues.

Readme: https://github.com/apache/fineract/blob/1.6.0/README.md

Release page: 

List of fixed issues:

For more information on Apache Fineract please visit
project home page: https://fineract.apache.org

The Apache Fineract Team

CVE-2022-24288: Apache Airflow: RCE in example DAGs

2022-02-24 Thread Jedidiah Cunningham
Severity: high


In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly 
sanitize user-provided params, making them susceptible to OS Command Injection 
from the web UI.


This can be mitigated by ensuring `[core] load_examples` is set to `False`.


The Apache Airflow PMC would like to thank Kai Zhao of the TToU Security Team 
for reporting this issue.
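A small audit of the mitigation named in the advisory, as an added example that is not Airflow's own code. It assumes that `airflow.cfg` is a standard INI file, that the environment variable `AIRFLOW__CORE__LOAD_EXAMPLES` overrides the file (Airflow's documented `AIRFLOW__<SECTION>__<KEY>` convention), and that Airflow's shipped default for `load_examples` is `True`, so a config that simply omits the key is still loading the example DAGs. The two sample configs are constructed.

```python
"""Check whether an Airflow deployment still loads the bundled example DAGs
and whether its version falls inside the CVE-2022-24288 range (< 2.2.4).
Added example, not Airflow code; see the assumptions in the lead-in."""
import configparser
import os
import re
import sys
from typing import List, Mapping, Optional

# Values Airflow's config reader accepts as boolean true (assumption).
TRUE_VALUES = {"true", "t", "1", "yes", "y"}
FIXED_VERSION = (2, 2, 4)  # first release with the fix, per the advisory

# Constructed sample configs: the weak default beside the mitigated one.
WEAK_CFG = "[core]\ndags_folder = /opt/airflow/dags\nload_examples = True\n"
HARDENED_CFG = "[core]\ndags_folder = /opt/airflow/dags\nload_examples = False\n"


def load_examples_enabled(cfg_text: str,
                          env: Optional[Mapping[str, str]] = None) -> bool:
    """Effective [core] load_examples: environment override first, then the
    config file, then Airflow's shipped default (True)."""
    env = os.environ if env is None else env
    raw: Optional[str] = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if raw is None:
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(cfg_text)
        raw = parser.get("core", "load_examples", fallback=None)
    if raw is None:
        return True  # key absent: Airflow's default config enables examples
    return raw.strip().lower() in TRUE_VALUES


def is_vulnerable_version(version: str) -> bool:
    """Advisory scope: every release prior to 2.2.4 (pre-release tags ignored)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED_VERSION


def audit(cfg_text: str, version: str,
          env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Return findings for one deployment; an empty list means nothing to fix."""
    findings: List[str] = []
    examples = load_examples_enabled(cfg_text, env)
    vulnerable = is_vulnerable_version(version)
    if vulnerable and examples:
        findings.append(f"HIGH: Airflow {version} is prior to 2.2.4 and loads example "
                        "DAGs; set [core] load_examples = False or upgrade "
                        "(CVE-2022-24288)")
    elif vulnerable:
        findings.append(f"NOTE: Airflow {version} is prior to 2.2.4; mitigation "
                        "(load_examples = False) is in place, upgrade still advised")
    elif examples:
        findings.append("INFO: example DAGs are loaded; this version is not affected "
                        "by CVE-2022-24288, disable them if they are not needed")
    return findings


if __name__ == "__main__":
    # usage: audit_airflow.py /path/to/airflow.cfg 2.2.3
    cfg_path, version = sys.argv[1], sys.argv[2]
    with open(cfg_path, encoding="utf-8") as f:
        results = audit(f.read(), version)
    for line in results or ["OK: no findings"]:
        print(line)
    sys.exit(1 if any(r.startswith("HIGH") for r in results) else 0)
```

The environment override is checked before the file because a container image that ships a hardened `airflow.cfg` can still be undone by an `AIRFLOW__CORE__LOAD_EXAMPLES=True` in its deployment manifest; auditing only the file would miss that.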

[CVE-2022-24947] Apache JSPWiki CSRF Account Takeover

2022-02-24 Thread Juan Pablo Santos Rodríguez

The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.1

Apache JSPWiki user preferences form is vulnerable to CSRF attacks,
which can lead to account takeover.

Apache JSPWiki users should upgrade to 2.11.2 or later. Installations
>= 2.7.0 can also enable user management workflows' manual approval to
mitigate the issue.

This issue was discovered initially by Cristian Borlovan from Ounce
Labs Security (ref. JSPWIKI-79), and later on and independently from
this by Paulos Yibelo, from Octagon Networks.

[CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen

2022-02-24 Thread Juan Pablo Santos Rodríguez

The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.1

A carefully crafted user preferences submission could trigger an
XSS vulnerability on Apache JSPWiki, related to the user preferences
screen, which could allow the attacker to execute JavaScript in the
victim's browser and get some sensitive information about the victim.

Apache JSPWiki users should upgrade to 2.11.2 or later.

This issue was discovered by Paulos Yibelo, from Octagon Networks.