[ANNOUNCEMENT] Apache Commons VFS Project 2.4.1

2019-08-15 Thread Gary Gregory
The Apache Commons VFS Project team is pleased to announce the release of
Apache Commons VFS Project 2.4.1-SNAPSHOT.

Apache Commons VFS is a Virtual File System library.

New features and bug fix release.

Changes in this version include:

Fixed Bugs:
o VFS-725: [Local] org.apache.commons.vfs2.FileContent.getLastModifiedTime() is losing
  milliseconds (always ends in 000). Thanks to Gary Gregory.
o VFS-724: FileContent#getByteArray() throws IllegalArgumentException: Buffer size <= 0
  when file size is 0. Thanks to William R, Gary Gregory.
o Javadoc fixes. Thanks to Gary Gregory.


Historical list of changes:
http://commons.apache.org/proper/commons-vfs/changes-report.html

For complete information on Apache Commons VFS Project, including
instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons VFS
Project website:

Visit http://commons.apache.org/proper/commons-vfs/

Download it from
http://commons.apache.org/proper/commons-vfs/download_vfs.cgi

Gary Gregory
On behalf of the Apache Commons Team


[ANNOUNCEMENT] Apache HTTP Server 2.4.41 Released

2019-08-15 Thread Daniel Ruggeri
Apache HTTP Server 2.4.41 Released

   August 14, 2019

   The Apache Software Foundation and the Apache HTTP Server Project
   are pleased to announce the release of version 2.4.41 of the Apache
   HTTP Server ("Apache").  This version of Apache is our latest GA
   release of the new generation 2.4.x branch of Apache HTTPD and
   represents fifteen years of innovation by the project, and is
   recommended over all previous releases. This release of Apache is
   a security and bug fix release.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.4.41 is available for download from:

 https://httpd.apache.org/download.cgi

   Apache 2.4 offers numerous enhancements, improvements, and performance
   boosts over the 2.2 codebase.  For an overview of new features
   introduced since 2.4 please see:

 https://httpd.apache.org/docs/trunk/new_features_2_4.html

   Please see the CHANGES_2.4 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.4.41, includes only
   those changes introduced since the prior 2.4 release.  A summary of all
   of the security vulnerabilities addressed in this and earlier releases
   is available:

 https://httpd.apache.org/security/vulnerabilities_24.html

   This release requires the Apache Portable Runtime (APR), minimum
   version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
   require the 1.6.x version of both APR and APR-Util. The APR libraries
   must be upgraded for all features of httpd to operate correctly.

   This release builds on and extends the Apache 2.2 API.  Modules written
   for Apache 2.2 will need to be recompiled in order to run with Apache
   2.4, and require minimal or no source code changes.

 https://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.

   Please note the 2.2.x branch has now passed the end of life at the Apache
   HTTP Server project and no further activity will occur including security
   patches.  Users must promptly complete their transitions to this 2.4.x
   release of httpd to benefit from further bug fixes or new features.



[ANN] [SECURITY] Corrected affected version ranges in historic Apache Struts security bulletins and CVE entries

2019-08-15 Thread Rene Gielen
The Apache Struts Security Team would like to announce that a number of
historic Struts Security Bulletins [1] and related CVE database entries
contained incorrect affected release version ranges.

The issue was reported by Christopher Fearon and the Black Duck Research
Team within the Synopsys Cybersecurity Research Center. The reporting
entity conducted thorough investigations on this matter, leading to a
report to the Apache Struts Security Team. The Apache Struts Security
Team worked with the reporters to cross-check said issues and map them
to affected Apache Struts General Availability (GA) releases.

This effort led to the issue of Struts Security Bulletin S2-058,
referencing 15 historic Struts Security Bulletins and respective CVE
entries [2] that have been updated to reflect corrections in affected GA
version ranges as well as minimum GA versions to contain appropriate
fixes for the issues at hand.

The full Security Bulletin can be found here:
https://cwiki.apache.org/confluence/display/WW/S2-058

The Struts Security Team stresses that while the reporters reference
more affected issues and resulting affected version ranges, the Struts
Security Bulletins only cover GA versions designated for production use.
This led to fewer corrected Security Bulletins and CVE entries [2]
compared to the number of covered issues in the original report.

It is very important to understand that while the individual listed
bulletins contain updated minimum fix versions, it is strongly
recommended to update to the versions recommended by the latest Security
Bulletin, which is S2-057 [3] by the time of this announcement.
Following this advice, the recommended minimum Struts versions to
operate in production are Struts 2.3.35 or Struts 2.5.17.

The Apache Struts Security Team would like to thank the reporters for
their efforts and their practice of responsible disclosure, as well as
their help while investigating the report and coordinating public
disclosure.

[1] https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
[2] https://github.com/CVEProject/cvelist/pull/2423/files
[3] https://cwiki.apache.org/confluence/display/WW/S2-057

-- 
René Gielen
http://twitter.com/rgielen


[SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppress the class property in PropertyUtilsBean by default.

2019-08-15 Thread Rob Tompkins
CVE-2019-10086. Apache Commons Beanutils does not suppress the class property
in PropertyUtilsBean by default.

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: commons-beanutils-1.9.3 and earlier

Description: A special BeanIntrospector class was added in version 1.9.2.
This can be used to stop attackers from using the class property of
Java objects to get access to the classloader.
However this protection was not enabled by default.
PropertyUtilsBean (and consequently BeanUtilsBean) now disallows class
level property access by default, thus protecting against
CVE-2014-0114.

Mitigation: 1.X users should migrate to 1.9.4.

Credit: This was discovered by Melloware (https://melloware.com/).

Example:

import junit.framework.TestCase;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

// AlphaBean is a simple JavaBean from the Commons BeanUtils test sources.
public class SuppressClassPropertyTest extends TestCase {

    /**
     * Example displaying the new default behaviour such that
     * it is not possible to access class level properties utilizing the
     * BeanUtilsBean, which in turn utilizes the PropertyUtilsBean.
     */
    public void testSuppressClassPropertyByDefault() throws Exception {
        final BeanUtilsBean bub = new BeanUtilsBean();
        final AlphaBean bean = new AlphaBean();
        try {
            bub.getProperty(bean, "class");
            fail("Could access class property!");
        } catch (final NoSuchMethodException ex) {
            // ok: the "class" property is suppressed by default as of 1.9.4
        }
    }

    /**
     * Example showing how one would revert to the behaviour prior to the
     * 1.9.4 release, where class level properties were accessible by
     * the BeanUtilsBean and the PropertyUtilsBean.
     */
    public void testAllowAccessToClassProperty() throws Exception {
        final BeanUtilsBean bub = new BeanUtilsBean();
        // Remove the introspector that hides the "class" property (re-exposes the classloader).
        bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        final AlphaBean bean = new AlphaBean();
        final String result = bub.getProperty(bean, "class");
        assertEquals("Class property should have been accessed",
                "class org.apache.commons.beanutils2.AlphaBean", result);
    }
}

References:
[1] https://issues.apache.org/jira/browse/BEANUTILS-520
[2] http://commons.apache.org/proper/commons-beanutils/
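The advisory notes that the SuppressPropertiesBeanIntrospector has existed since 1.9.2 but was not registered by default before 1.9.4. The following added example (not part of the advisory or the project's own code) registers it explicitly, so that a BeanUtilsBean instance hides the "class" property whether or not the library in use already does so; the Person bean is a hypothetical stand-in for any application object.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyHardening {

    // Hypothetical bean standing in for any application object reached via BeanUtils.
    public static class Person {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(final String name) { this.name = name; }
    }

    /** Builds a BeanUtilsBean with the "class" property suppressed regardless of library default. */
    public static BeanUtilsBean hardenedBeanUtils() {
        final BeanUtilsBean bub = new BeanUtilsBean();
        final PropertyUtilsBean pub = bub.getPropertyUtils();
        // 1.9.2 and 1.9.3 ship this introspector but do not register it; 1.9.4 registers it
        // by default, so registering it here is harmless on the fixed version.
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bub;
    }

    /** True if "class" (and so getClass().getClassLoader()) is reachable through this instance. */
    public static boolean classPropertyReadable(final BeanUtilsBean bub, final Object bean) {
        try {
            bub.getProperty(bean, "class");
            return true;
        } catch (final NoSuchMethodException ex) {
            return false;   // property hidden: expected on 1.9.4 or after hardening
        } catch (final Exception ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(final String[] args) throws Exception {
        final BeanUtilsBean hardened = hardenedBeanUtils();
        final Person p = new Person();
        // Ordinary bean properties remain accessible; only "class" is hidden.
        System.out.println("name -> " + hardened.getProperty(p, "name"));
        System.out.println("class readable? " + classPropertyReadable(hardened, p));
    }
}
```

The static helpers in BeanUtils and PropertyUtils use the shared BeanUtilsBean.getInstance(), so code that calls those must harden that instance (BeanUtilsBean.getInstance().getPropertyUtils().addBeanIntrospector(...)) rather than a private one.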

[ANNOUNCE] Commons BeanUtils 1.9.4 Released

2019-08-15 Thread Rob Tompkins
The Apache Commons Team is pleased to announce the release of
Apache Commons BeanUtils 1.9.4.

The Apache Commons BeanUtils open source software library provides 
easy-to-use wrappers around the Java reflection and introspection APIs.

Source and binary distributions are available for download from the Apache
Commons download site:
  http://commons.apache.org/proper/commons-beanutils/download_beanutils.cgi

When downloading, please verify signatures using the KEYS file available at
the above location when downloading the release.

Alternatively the release can be pulled via maven:
  <dependency>
    <groupId>commons-beanutils</groupId>
    <artifactId>commons-beanutils</artifactId>
    <version>1.9.4</version>
  </dependency>

The release notes can be reviewed at:
  http://www.apache.org/dist/commons/beanutils/RELEASE-NOTES.txt

For complete information on Commons BeanUtils, including instructions on how to
submit bug reports, patches, or suggestions for improvement, see the Apache
Commons BeanUtils website:

http://commons.apache.org/proper/commons-beanutils/

Best regards,
Rob Tompkins
on behalf of the Apache Commons community