[ANNOUNCE] Apache JSPWiki 2.11.0 released

2021-11-23 Thread Juan Pablo Santos Rodríguez
The Apache JSPWiki team is pleased to announce the release of JSPWiki
2.11.0.

This is the first release after eight milestones on the 2.11 series of
Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around
the standard JEE components.

The release is available here:
https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads

JSPWiki Maven artifacts are available under the org.apache.jspwiki groupId,
version 2.11.0.

The full change log is available here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12345152

A curated change log is also available here:
https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11

We welcome your help and feedback. For more information on how to
report problems and get involved, visit the project website at
http://jspwiki.apache.org/


The Apache JSPWiki Team


[CVE-2021-44140] Apache JSPWiki Arbitrary file deletion on logout

2021-11-23 Thread Juan Pablo Santos Rodríguez
Severity
Critical

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.0.M8

Description
Remote attackers may delete arbitrary files on a system hosting a
JSPWiki instance by sending a carefully crafted HTTP request on logout,
provided that those files are accessible to the user running the JSPWiki
instance.

Mitigation
Apache JSPWiki users should upgrade to 2.11.0 or later.

Credit
This issue was discovered by haby0 (forha...@gmail.com) from Duxiaoman
Financial Security Team, who also proposed the fix for this issue.