[SECURITY] CVE-2020-9495: Apache Archiva login service is vulnerable to LDAP injection

2020-06-19 Thread Martin
CVE-2020-9495: Apache Archiva login service is vulnerable to LDAP injection

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:

Apache Archiva all versions before 2.2.5

By providing special values to the Archiva login form an attacker is able to
retrieve user attribute data from the connected LDAP server.
With certain characters it is possible to modify the LDAP filter used to query
the users on the connected LDAP server.
By measuring the response time, arbitrary attribute data can be retrieved from
LDAP user objects.

Mitigation:

Upgrade to Apache Archiva 2.2.5 or higher

References:
http://archiva.apache.org/security.html#CVE-2020-9495

The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi
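To illustrate the class of bug the advisory describes, here is an added Python example (not Archiva's code): the same login username concatenated into an LDAP search filter unescaped versus escaped per RFC 4515, with a small structural check showing that only the escaped form keeps the filter's two assertions. The filter shape, attribute names and the sample input are assumptions constructed for this example.

```python
# Added example, not code from Apache Archiva. Shows how unescaped login-form
# input changes the structure of an LDAP filter and how RFC 4515 escaping
# prevents it. Filter shape, attribute names and inputs are constructed.
import re
from typing import List, Tuple

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw concatenation of the form field into the filter."""
    return f"(&(objectClass=inetOrgPerson)(uid={username}))"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: the value is escaped, so it can only ever be a uid value."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


# Matches one simple assertion such as (uid=jdoe); used only as a structural check.
_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)(=|~=|>=|<=)([^()]*)\)")


def filter_assertions(ldap_filter: str) -> List[Tuple[str, str]]:
    """Return the (attribute, value) assertions in a filter.

    A login filter built from a username should always contain exactly the
    assertions of its template; any extra one means the input altered the query.
    """
    return [(m.group(1), m.group(3)) for m in _ASSERTION.finditer(ldap_filter)]


if __name__ == "__main__":
    # Constructed input containing filter metacharacters.
    sample = "jdoe)(mail=*"
    print("unsafe:", build_filter_unsafe(sample), filter_assertions(build_filter_unsafe(sample)))
    print("safe:  ", build_filter_safe(sample), filter_assertions(build_filter_safe(sample)))
```

The unsafe filter gains a third assertion on `mail`, which is exactly the kind of structural change the advisory describes; the escaped filter keeps the two assertions of the template.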






[ANN] Apache Archiva 2.2.5 released

2020-06-19 Thread Martin
The Apache Archiva team is pleased to announce the release of 
   Archiva 2.2.5 
Archiva is available for download from the web site.
  http://archiva.apache.org/download.cgi


Archiva is an application for managing one or more remote
repositories, including administration, artifact handling, browsing
and searching.

If you have any questions, please consult:
  the web site: http://archiva.apache.org/
  the archiva-user mailing list: http://archiva.apache.org/mailing-lists.html

Apache Archiva 2.2.5 is a bug fix release.

** As this release contains security fixes, we highly recommend updating to
the new version. **

See the release notes for more information:
http://archiva.apache.org/docs/2.2.5/release-notes.html

And security related information:
http://archiva.apache.org/security.html





The Apache News Round-up: week ending 19 June 2020

2020-06-19 Thread Swapnil M Mane
[this newsletter is available online at https://s.apache.org/a97rx ]

Happy Friday! Let's take a look at what the Apache community has been
up to over the past week:

ASF Board – management and oversight of the business affairs of the
corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 July 2020. Board calendar and minutes
https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing
Tomorrow's Technology Today since 1998.
 - Notice on Apache 2020 Conferences https://s.apache.org/zgm8m

ASF Infrastructure – our distributed team on three continents keeps
the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.72%. Performance checks across
50 different service components spread over more than 250 machines in
data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – this week, 902 Apache contributors changed
5,499,342 lines of code over 3,942 commits. Top 5 contributors, in
order, are: Chunen Ni, Sebastian Bazley, Rupeng Wang, Gary Gregory,
and Andrea Cosentino.

Apache Project Announcements – the latest updates by category.

Cloud Computing --
 - Apache Libcloud 3.1.0 released http://libcloud.apache.org/

Servers --
 - Apache HttpComponents Client 5.0.1 GA released https://hc.apache.org/
 - Apache Traffic Control 4.1.0 released https://trafficcontrol.apache.org/


Did You Know?

 - Did you know that you can NEW: meet Apache APISIX (Incubating),
catch up with Apache CloudStack, see what's next with Apache HBase as
the project celebrates its 10th Anniversary, and more? Only on
Feathercast --the voice of the ASF https://feathercast.apache.org

 - Did you know that Tencent uses Apache Pulsar to process tens of
billions of dollars in financial transactions each day?
http://pulsar.apache.org/

 - Did you know that Apache Cordova has a major release for iOS?
https://cordova.apache.org/


Apache Community Notices

 - "Trillions and Trillions Served" – the feature documentary on the
ASF filmed onsite at ApacheCon Las Vegas and Berlin in 2019
https://s.apache.org/Trillions-Feature

 - The Apache Software Foundation Statement on the COVID-19
Coronavirus Outbreak https://s.apache.org/COVID-19

 - The Apache Software Foundation Celebrates 21 Years of Open Source
Leadership https://s.apache.org/21stAnniversary

 - Apache Month In Review: May 2020 – overview of events that have
taken place within the Apache community https://s.apache.org/May2020

 - The Apache Software Foundation Operations Summary: Q3 FY2020
(November 2019 - January 2020) https://s.apache.org/r6s5u

 - "Trillions and Trillions Served", the documentary on the ASF, is in
post-production. Catch the teaser at
https://s.apache.org/ASF-Trillions and "Apache Everywhere", the first
"Trillions" "short" filmed onsite at ApacheCon Las Vegas and Berlin
this past year https://youtu.be/nXtIti9jMFI

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - ASF Operations Summary: Q2 FY2020 (August - October 2019)
https://s.apache.org/2kv2n

 - ASF Founders look back on 20 Years of the ASF
https://blogs.apache.org/foundation/entry/our-founders-look-back-on

 - Foundation Reports and Statements
http://www.apache.org/foundation/reports.html

 - ApacheCon: Tomorrow's Technology Today since 1998
http://s.apache.org/ApacheCon

 - "Success at Apache" focuses on the people and processes behind why
the ASF "just works".
https://blogs.apache.org/foundation/category/SuccessAtApache

 - Inside Infra: the new interview series with members of the ASF
infrastructure team --meet Drew Foulks
https://s.apache.org/InsideInfra-Drew

 - Did you know that Airflow Summit 2020 will be held 6-17 July online?
https://airflowsummit.org/

 - Did you know that Beam Summit 2020 will be held 24-28 August online
and free of charge? https://beamsummit.org/

 - Please follow/like/re-tweet the ASF on social media: @TheASF on
Twitter (https://twitter.com/TheASF) and on LinkedIn at
https://www.linkedin.com/company/the-apache-software-foundation

 - Do friend and follow us on the Apache Community Facebook page
https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account
https://twitter.com/ApacheCommunity

 - Find out how you can participate with Apache
community/projects/activities --opportunities open with Apache Camel,
Apache HTTP Server, and more! https://helpwanted.apache.org/

 - Are your software solutions Powered by Apache? Download & use our
"Powered By" logos
http://www.apache.org/foundation/press/kit/#poweredby

= = =

For real-time updates, sign up for Apache-related news by sending mail
to announce-subscr...@apache.org and follow @TheASF on Twitter. For a
broader spectrum from the Apache community,
https://twitter.com/PlanetApache provides an aggregate of Project
activities as well as the personal blogs and tweets of select ASF
Committers.

# # 

[ANNOUNCE] Apache Pulsar 2.6.0 released

2020-06-19 Thread PengHui Li
The Apache Pulsar team is proud to announce Apache Pulsar version 2.6.0.

Pulsar is a highly scalable, low latency messaging platform running on
commodity hardware. It provides simple pub-sub semantics over topics,
guaranteed at-least-once delivery of messages, automatic cursor management
for subscribers, and cross-datacenter replication.

For Pulsar release details and downloads, visit:

https://pulsar.apache.org/download

Release Notes are at:
http://pulsar.apache.org/release-notes

We would like to thank the contributors that made the release possible.

Regards,

The Pulsar Team