[ANNOUNCE] Apache Yetus 0.5.0 Released!
The Apache Software Foundation and the Apache Yetus Project are pleased to announce the release of version 0.5.0 of Apache Yetus.

Apache Yetus is a collection of libraries and tools that enable contribution and release processes for software projects. It provides a robust system for automatically checking new contributions against a variety of community-accepted requirements, the means to document a well-defined supported interface for downstream projects, and tooling to help release managers generate release documentation based on the information provided by community issue trackers and source repositories.

This version marks the latest minor release, representing the community's work over the last 6 months.

To download, please choose a mirror by visiting:
https://yetus.apache.org/downloads/

The relevant checksum files are available at:
https://www.apache.org/dist/yetus/0.5.0/yetus-0.5.0-src.tar.gz.mds
https://www.apache.org/dist/yetus/0.5.0/yetus-0.5.0-bin.tar.gz.mds

Project member signature keys can be found at:
https://www.apache.org/dist/yetus/KEYS

PGP signatures are available at:
https://www.apache.org/dist/yetus/0.5.0/yetus-0.5.0-src.tar.gz.asc
https://www.apache.org/dist/yetus/0.5.0/yetus-0.5.0-bin.tar.gz.asc

The list of changes included in this release and the release notes can be browsed at:
https://yetus.apache.org/documentation/0.5.0/CHANGES/
https://yetus.apache.org/documentation/0.5.0/RELEASENOTES/

Documentation for this release is at:
https://yetus.apache.org/documentation/0.5.0/

On behalf of the Apache Yetus team, thanks to everyone who helped with this release!

Questions, comments, and bug reports are always welcome on d...@yetus.apache.org

--
Allen Wittenauer
Apache Yetus PMC
[ANNOUNCE] Apache OpenMeetings 3.3.0 released
The Apache Openmeetings project is pleased to announce the release of Apache Openmeetings 3.3.0.

The release is available for download from
http://openmeetings.apache.org/downloads.html

Apache OpenMeetings provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming.

Release 3.3.0 provides the following improvements:

Security fixes in:
* Chat
* All requests via security headers
* More secure password processing rules and storage
* More strict rules for uploaded files
* SQL injection in web services

11 security vulnerabilities were addressed.

Whiteboard:
* Room is displayed without overlap in IE
* Multiple display issues
* Wb room element can now be hidden

Other fixes and improvements:
https://www.apache.org/dist/openmeetings/3.3.0/CHANGELOG

21 issues were fixed. Detailed list:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12339849

For more information on Apache Openmeetings please visit the project home page:
http://openmeetings.apache.org

Apache OpenMeetings Team
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: all versions through 2.2.33 and 2.4.26

Description:
The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.

Mitigation:
All users of httpd should upgrade to 2.4.27 (or minimally 2.2.34, which will receive no further security releases.)

Alternately, the administrator could configure httpd to reject requests with a header matching a complex regular expression identifying where the = character does not occur in the first key=value pair, as in the following syntax:

  [Proxy-]Authorization: Digest key[,key=value]

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki for reporting this issue.

References:
https://httpd.apache.org/security_report.html
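As an added example (not part of the advisory and not Apache code), the Python check below approximates the header-shape rule that the mitigation paragraph describes: it flags a Digest [Proxy-]Authorization value whose first parameter is a bare key with no '=' assignment, the 'Digest key[,key=value]' shape named above. The regular expression and the sample header values are my own constructed assumptions; the advisory itself gives no regex, and upgrading to 2.4.27 remains the actual fix.

```python
import re

# Constructed header samples (not from the advisory). Each pair is
# (header value, should it be flagged). The third and fourth entries have
# the shape the advisory warns about: no key=value as the first parameter.
SAMPLE_HEADERS = [
    ('Basic dXNlcjpwYXNz', False),
    ('Digest username="alice", realm="example", nonce="abc", uri="/", response="0123"', False),
    ('Digest username, realm="example"', True),
    ('Digest', True),
    ('digest   USERNAME = "alice"', False),
]

# RFC 7230 "token" characters. For a well-formed Digest header the first
# parameter after the scheme must be token "=" value. This pattern is my
# approximation of the check the advisory describes, not text from it.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_DIGEST_SCHEME = re.compile(r"^\s*Digest(\s|$)", re.IGNORECASE)
_FIRST_PAIR_OK = re.compile(r"^\s*Digest\s+" + _TOKEN + r"\s*=", re.IGNORECASE)


def is_malformed_digest_header(value: str) -> bool:
    """True when a [Proxy-]Authorization value uses the Digest scheme but its
    first parameter is not a key=value assignment. Other schemes (Basic,
    Bearer, ...) are out of scope for this advisory and return False."""
    if not _DIGEST_SCHEME.match(value):
        return False
    return _FIRST_PAIR_OK.match(value) is None


def flag_requests(header_values):
    """Return the subset of header values that a front-end rule should reject
    (or at least log) while the server behind it has not yet been upgraded."""
    return [h for h in header_values if is_malformed_digest_header(h)]


if __name__ == "__main__":
    for value, expected in SAMPLE_HEADERS:
        verdict = is_malformed_digest_header(value)
        assert verdict == expected, value
        print(f"{'REJECT' if verdict else 'allow '}  {value}")
```

The same shape test could be expressed as a header-matching rule in front of httpd; it is written here as a standalone filter so it can be run offline against captured header values, and the samples show the two boundary cases the regex must get right: a scheme other than Digest (ignored) and a Digest header with no parameters at all (flagged).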
CVE-2017-9789: Apache httpd 2.4 Read after free in mod_http2
CVE-2017-9789: Read after free in mod_http2.c

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: httpd 2.4.26

Description:
When under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

Mitigation:
2.4.26 users of mod_http2 should upgrade to 2.4.27.

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki for reporting this issue.

References:
https://httpd.apache.org/security_report.html
[ANNOUNCE] Apache Jackrabbit 2.14.2 released
The Apache Jackrabbit community is pleased to announce the release of Apache Jackrabbit 2.14.2. The release is available for download at:

https://jackrabbit.apache.org/jcr/downloads.html#v2.14

See the full release notes below for details about this release:

Release Notes -- Apache Jackrabbit -- Version 2.14.2

Introduction
------------

This is Apache Jackrabbit(TM) 2.14.2, a fully compliant implementation of the Content Repository for Java(TM) Technology API, version 2.0 (JCR 2.0) as specified in the Java Specification Request 283 (JSR 283).

Apache Jackrabbit 2.14.2 is a patch release that contains fixes and improvements over Jackrabbit 2.14. Jackrabbit 2.14.x releases are considered stable and targeted for production use.

Changes in Jackrabbit 2.14.2
----------------------------

Bug

  [JCR-4146] - json extension is removed by AbstractWebdavServlet on COPY request
  [JCR-4149] - change to drop SHA-1 requires version change
  [JCR-4150] - enable bundle:baseline check
  [JCR-4154] - davex upload of binaries broken

Improvement

  [JCR-4115] - Don't use SHA-1 for new DataStore binaries (Jackrabbit)

Task

  [JCR-4128] - update maven plugins and require Maven 3.2.1
  [JCR-4142] - update junit dependency to 4.12
  [JCR-4145] - upgrade clirr plugin to 2.8
  [JCR-4151] - remove clirr profile in branches where bundle:baseline is used

For more detailed information about all the changes in this and other Jackrabbit releases, please see the Jackrabbit issue tracker at

  https://issues.apache.org/jira/browse/JCR

Release Contents
----------------

This release consists of a single source archive packaged as a zip file. The archive can be unpacked with the jar tool from your JDK installation. See the README.txt file for instructions on how to build this release.

The source archive is accompanied by SHA1 and MD5 checksums and a PGP signature that you can use to verify the authenticity of your download. The public key used for the PGP signature can be found at https://svn.apache.org/repos/asf/jackrabbit/dist/KEYS.

About Apache Jackrabbit
-----------------------

Apache Jackrabbit is a fully conforming implementation of the Content Repository for Java Technology API (JCR). A content repository is a hierarchical content store with support for structured and unstructured content, full text search, versioning, transactions, observation, and more.

For more information, visit http://jackrabbit.apache.org/

About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides organizational, legal, and financial support for more than 140 freely-available, collaboratively-developed Open Source projects. The pragmatic Apache License enables individual and commercial users to easily deploy Apache software; the Foundation's intellectual property framework limits the legal exposure of its 3,800+ contributors.

For more information, visit http://www.apache.org/

Trademarks
----------

Apache Jackrabbit, Jackrabbit, Apache, the Apache feather logo, and the Apache Jackrabbit project logo are trademarks of The Apache Software Foundation.
[ANNOUNCE] Apache OpenWebBeans-1.7.4
It's a great pleasure to announce the release of Apache OpenWebBeans-1.7.4.

Apache OpenWebBeans is a CDI container (Contexts and Dependency Injection for Java) and targets the CDI-1.2 specification (JavaEE 7). We pass the standalone CDI TCK and the JavaEE7 WebProfile part of the CDI-TCK (in Apache TomEE-7.0).

OpenWebBeans is modularly built and can be used either in pure Java SE, in a Servlet Container like e.g. Tomcat, or in fully fledged JavaEE containers. Our core is only 500k and thus brings full JavaEE compatibility at a smaller size than most so-called 'micro solutions'.

Distribution packages can be downloaded from
https://www.apache.org/dyn/closer.lua/openwebbeans/1.7.4/

The release is also available via maven
http://repo1.maven.org/maven2/org/apache/openwebbeans/

We also include installer scripts in our binary distribution which can be used as easily as:

  $> unzip openwebbeans-distribution-1.7.4-binary.zip
  $> cd openwebbeans-distribution-1.7.4
  $> ./install_owb_tomcat7.bat /opt/your/apache-tomcat-8.x.x

(works with Apache Tomcat7 and 8, 8.5 and 9)

Please also visit our homepage http://openwebbeans.apache.org and contact us on our mailing lists.

have fun,
The Apache OpenWebBeans Team
[ANN] Apache Struts 2.5.12 GA with Security Fixes Release
The Apache Struts group is pleased to announce that Struts 2.5.12 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

This release contains fixes for the following potential security vulnerabilities:

- S2-047 Possible DoS attack when using URLValidator
  http://struts.apache.org/docs/s2-047.html
- S2-049 A DoS attack is available for Spring secured actions
  http://struts.apache.org/docs/s2-049.html

Apart from the above, this release also contains several improvements, to mention just a few of them:

- `double` and `Double` are not validated with the same decimal separator
- `ognl.MethodFailedException` when you do not enter a value for a field mapped to an int
- `Double` Value Conversion with requestLocale=de
- The `TextProvider` injection in `ActionSupport` isn't quite integrated into the framework's core DI
- Struts2 raise `java.lang.ClassCastException` when Result type is `chain`
- `@InputConfig` annotation is not working when integrating with spring aop
- Validators do not work for multiple values
- `BigDecimal` are not converted according context locale
- `NullPointerException` when displaying a form without action attribute
- Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
- `cssErrorClass` attribute has no effect on `label` tag
- Why `JSONValidationInterceptor` return Status Code `400 BAD_REQUEST` instead of `200 SUCCESS`
- @autowired does not work since Struts 2.3.28.1
- Mixed content https to http when upgraded to 2.3.32 or 2.5.10.1
- Upgrade from struts2-tiles3-plugin to struts2-tiles-plugin gives a NoSuchDefinitionException
- Aspects are not executed when chaining AOPed actions
- Duplicate hidden input field checkboxListHandler
- The value of checkbox getted in server-side is "false" when no any checkbox been selected.
- refactor file upload framework
- `creditCard` validator available in Struts 1 missing in Struts 2
- No easy way to have an empty interceptor stack if have default stack
- `@TypeConversion` converter attribute to class
- Convert `LocalizedTextUtil` into a bean with default implementation
- NPE in `StrutsTilesContainerFactory` when resource isn't found
- Buffer/Flush behaviour in `FreemarkerResult`
- Struts2 should know and consider config time class of user's Actions
- getters of exclude-sets in OgnlUtil should return immutable collections
- Mark `site-graph` plugin as deprecated
- Use `TextProviderFactory` instead of `TextProvider` as bean's dependency
- Create `LocaleProviderFactory` and uses instead of `LocaleProvider`
- Improve error logging in `DefaultDispatcherErrorHandler`
- Make `jakarta-stream` multipart parser more extensible
- Make Multipart parsers more extensible
- Add proper validation if request is a multipart request
- Make `SecurityMethodAccess` excluded classes & packages definitions immutable
- Upgrade to Log4j2 2.8.2
- Allow disable file upload support via an configurable option
- Stop using `DefaultLocalizedTextProvider#localeFromString` static util method
- Don't add `JBossFileManager` as a possible FileManager when not on JBoss
- There is no `@LongRangeFieldValidator` annotation to support `LongRangeFieldValidator`
- Upgrade to commons-lang 3.6
- Update commons-fileupload

Please read the Version Notes to find more details about the performed bug fixes and improvements.
http://struts.apache.org/docs/version-notes-2512.html

All developers are strongly advised to perform this action.

The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 7.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.

You can download this version from our download page.
http://struts.apache.org/download.cgi#struts-ga

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/