[ANNOUNCE] Apache ShardingSphere UI 4.1.0 available

2020-05-10 Thread Zhang Yonglun 
Hi all,

Apache ShardingSphere Team is glad to announce the new release of Apache
ShardingSphere UI 4.1.0.

ShardingSphere is an open-source ecosystem consisted of a set of
distributed database middleware solutions, including 2 independent
products, Sharding-JDBC & Sharding-Proxy.
They both provide functions of data sharding, distributed transaction and
database orchestration, applicable in a variety of situations such as Java
isomorphism, heterogeneous language.
Aiming at reasonably making full use of the computation and storage
capacity of the database in a distributed system, ShardingSphere defines
itself as a middleware, rather than a totally new type of database.
As the cornerstone of many enterprises, relational database still takes a
huge market share.
Therefore, at the current stage, we prefer to focus on its increment
instead of a total overturn.

Download Links:
https://shardingsphere.apache.org/document/current/en/downloads/

Release Notes:
https://github.com/apache/shardingsphere/blob/master/shardingsphere-ui/RELEASE-NOTES.md

Website: https://shardingsphere.apache.org/

ShardingSphere Resources:
- Issue: https://github.com/apache/shardingsphere/issues/
- Mailing list: d...@shardingsphere.apache.org
- Documents: https://shardingsphere.apache.org/document/current/



- Apache ShardingSphere Team

--

Zhang Yonglun
Apache ShardingSphere

[CVE-2018-1285] XXE vulnerability in Apache log4net

2020-05-10 Thread Matt Sicker 
Summary: Apache log4net does not disable XML external entities when
parsing log4net configuration files. This could allow for XXE-based
attacks in applications that accept arbitrary configuration files from
users. [1]

Affected: log4net up to 2.0.8

Mitigation: as there are no further releases of log4net beyond 2.0.8,
and the Logging Services PMC has voted [2] to mark the project
dormant, users should not allow arbitrary configuration files to be
specified from untrusted sources. While this is arguably a
vulnerability, misuse of any framework allowing untrusted input to
configure things is always a bad idea.

[1]: https://issues.apache.org/jira/browse/LOG4NET-575
[2]: 
https://lists.apache.org/thread.html/r6691036b0f85419e8bc97f6f522b8c353dd250b0a329164167b021a6%40%3Cdev.logging.apache.org%3E

-- 
Matt Sicker
Secretary, Apache Software Foundation
VP Logging Services, ASF