[ANN] Apache Syncope 2.1.6

2020-05-02 Thread Francesco Chicchiriccò
The Apache Syncope team is pleased to announce the release of Syncope 2.1.6

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology .

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope216

Upgrading from 2.1.5? There are some notes about this process:
https://s.apache.org/5esvf

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



[ANNOUNCE] Apache ZooKeeper 3.6.1

2020-05-02 Thread Enrico Olivelli
The Apache ZooKeeper team is proud to announce Apache ZooKeeper version
3.6.1

ZooKeeper is a high-performance coordination service for distributed
applications. It exposes common services - such as naming,
configuration management, synchronization, and group services - in a
simple interface so you don't have to write them from scratch. You can
use it off-the-shelf to implement consensus, group management, leader
election, and presence protocols. And you can build on it for your
own, specific needs.

For ZooKeeper release details and downloads, visit:
https://zookeeper.apache.org/releases.html

ZooKeeper 3.6.1 Release Notes are at:
https://zookeeper.apache.org/doc/r3.6.1/releasenotes.html

We would like to thank the contributors that made the release possible.

Regards,

The ZooKeeper Team


[CVE-2020-1959] Multiple Remote Code Execution Vulnerabilities

2020-05-02 Thread Francesco Chicchiriccò
Description:
A Server-Side Template Injection was identified in Syncope enabling attackers 
to inject arbitrary Java EL expressions, leading to an
unauthenticated Remote Code Execution (RCE) vulnerability.
Apache Syncope uses Java Bean Validation (JSR 380) custom constraint 
validators. When building custom constraint violation error messages, they
support different types of interpolation, including Java EL expressions.
Therefore, if an attacker can inject arbitrary data in the error message 
template being passed, they will be able to run arbitrary Java code.

Severity: Important

Vendor: The Apache Software Foundation

Affects:
2.1.X releases prior to 2.1.6

Solution:
Upgrade to 2.1.6

Credit:
This issue was discovered by GitHub Security Labs team member Alvaro Muñoz - 
https//github.com/pwntester.

References:
https://syncope.apache.org/security



[ANN] Apache Syncope 2.0.15

2020-05-02 Thread Francesco Chicchiriccò
The Apache Syncope team is pleased to announce the release of Syncope 2.0.15

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology .

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope2015

Upgrading from 2.0.14? There are some notes about this process:
https://s.apache.org/fra2f

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team