[CVE-2020-9489] Denial of Service (DOS) Vulnerabilities in Some of Apache Tika's Parsers
Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Tika 1.24

Description: A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser.

Mitigation: Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release. We also upgraded openjson to 1.0.10, org.ow2.asm to 8.0.1, zstd-jni to 1.4.4-9, bouncycastle to 1.65, commons-lang3 to 3.10, lucene to 8.5.0 and mockito to 3.3.3 as part of the 1.24.1 release.

Credit: These vulnerabilities were discovered by Tim Allison on the Apache Tika team.
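Beyond upgrading, the operational defence against the three failure modes the advisory names (a parser calling System.exit, exhausting memory, or looping forever) is to never run Tika on untrusted input inside the service's own JVM. The following is an added example, not code from the advisory or from the Tika project, that uses Tika's ForkParser to run parsing in a child JVM with a bounded heap and a per-file timeout; it assumes Tika 1.24.1 or later on the classpath and the ForkParser setter names shown, which are taken to be the 1.x API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import org.apache.tika.exception.TikaException;
import org.apache.tika.fork.ForkParser;
import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.sax.BodyContentHandler;
import org.xml.sax.SAXException;

// Added example, not from the advisory or the Tika project: parse untrusted files in a
// child JVM so that a System.exit, OutOfMemoryError or endless loop inside a parser
// ends only the child. The ForkParser setter names used here are assumed from the 1.x API.
public class IsolatedTikaExtractor implements AutoCloseable {
    private final ForkParser parser;

    public IsolatedTikaExtractor() {
        // The child JVM runs the same parser set; the host only streams bytes out and SAX events back.
        parser = new ForkParser(IsolatedTikaExtractor.class.getClassLoader(), new AutoDetectParser());
        // Out-of-memory case: cap the child's heap so a memory bomb cannot exhaust the host.
        parser.setJavaCommand(Arrays.asList("java", "-Xmx256m", "-Djava.awt.headless=true"));
        // Infinite-loop case: abandon a child that exceeds the per-file time budget.
        parser.setServerParseTimeoutMillis(60_000L);
        parser.setPoolSize(2);
    }

    // Returns extracted text, or null when the file could not be parsed safely. A System.exit
    // inside a child parser kills the child; the host sees a TikaException and spawns a fresh one.
    public String extractText(Path file) throws IOException {
        // Also bound the amount of text accepted back from the child (write limit in characters).
        BodyContentHandler handler = new BodyContentHandler(10_000_000);
        try (InputStream in = Files.newInputStream(file)) {
            parser.parse(in, handler, new Metadata(), new ParseContext());
            return handler.toString();
        } catch (TikaException | SAXException e) {
            // Child died, timed out or exceeded the write limit: fail closed for this file only.
            System.err.println("isolated parse failed for " + file + ": " + e.getMessage());
            return null;
        }
    }

    @Override
    public void close() {
        parser.close();
    }
}
```

A rejected file (null result) should be logged and quarantined rather than retried in-process; the isolation only contains the damage, it does not make the file safe.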
[ANNOUNCE] Apache Wicket 8.8.0 released
The Apache Wicket PMC is proud to announce Apache Wicket 8.8.0!

Apache Wicket is an open source Java component oriented web application framework that powers thousands of web applications and web sites for governments, stores, universities, cities, banks, email providers, and more. You can find more about Apache Wicket at https://wicket.apache.org

This release marks another minor release of Wicket 8. We use semantic versioning for the development of Wicket, and as such no API breaks are present in this release compared to 8.0.0.

Using this release
--

With Apache Maven update your dependency to (and don't forget to update any other dependencies on Wicket projects to the same version):

<dependency>
  <groupId>org.apache.wicket</groupId>
  <artifactId>wicket-core</artifactId>
  <version>8.8.0</version>
</dependency>

Or download and build the distribution yourself, or use our convenience binary package you can find here:

* Download: http://wicket.apache.org/start/wicket-8.x.html#manually

Upgrading from earlier versions
---

If you upgrade from 8.y.z this release is a drop in replacement. If you come from a version prior to 8.0.0, please read our Wicket 8 migration guide found at

* http://s.apache.org/wicket8migrate

Have fun!
— The Wicket team

The signatures for the source release artefacts:

Signature for apache-wicket-8.8.0.zip:

Signature for apache-wicket-8.8.0.tar.gz:

CHANGELOG for 8.8.0:

** Bug
* [WICKET-6746] - HttpsMapper cannot deal with resources over websockets
* [WICKET-6752] - Some dependencies contain CVEs
* [WICKET-6753] - res/modal.js using aria-labelledby where it should be using aria-label
* [WICKET-6754] - Iteration stops with nested containers
* [WICKET-6755] - MockServletContext does not decode real path
* [WICKET-6756] - Avoid URL.getFile() when actually expecting paths.
* [WICKET-6757] - Avoid URL.getFile during mime type detection.
* [WICKET-6758] - NPE in AbstractWebSocketProcessor after session times out

** Improvement
* [WICKET-6759] - Support disabling error notification for websockets
* [WICKET-6760] - Nested Form placeholder should preserve tag name
* [WICKET-6761] - Support multiple connections to the same websocket resource from a single session
* [WICKET-6762] - Support manual initialization of websocket connections
[ANNOUNCE] Apache OpenMeetings 5.0.0-M4 is released
The Apache OpenMeetings project is pleased to announce the release of Apache OpenMeetings 5.0.0-M4. The release is available for download from https://openmeetings.apache.org/downloads.html

Openmeetings provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools. It uses API functions of Kurento Media Server for Remoting and Streaming. The Flash plugin is no longer required in the browser.

Please NOTE: this version might not be production ready
IMPORTANT: Java 11 is required

UI:
* Main UI library has been changed Jquery-UI -> Bootstrap
* Hotkey to resize "video" windows is added
* Camera/Microphone on/off icons are less confusing
* The room can be blocked until the moderator enters
* Room sidebar dock button works as expected
* Right-click menu for WB tab is fixed
* Link to privacy statement is added to sign-in dialog

Audio/Video:
* Audio-only clients don't create "video" windows
* Audio/Video stream tries to re-connect in case of any issue

Backup/Restore:
* Backup/restore was re-worked and better covered with tests
* Multiple other issues are addressed

Integration:
* OAuth: user attributes retrieval is improved
* LDAP documentation is improved
* User picture can be retrieved from LDAP

Some other fixes and improvements; 56 issues were addressed.

Readme: https://github.com/apache/openmeetings/blob/5.0.0-M4/README.md
Changelog: https://github.com/apache/openmeetings/blob/5.0.0-M4/CHANGELOG.md
List of fixed issues: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12346603

For more information on Apache OpenMeetings please visit project home page: https://openmeetings.apache.org

Apache OpenMeetings Team
The Apache News Round-up: week ending 24 April 2020
[this newsletter is available online at https://s.apache.org/hij7x ]

Greetings all. It's time to review the Apache community's activities from the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
- Next Board Meeting: 20 May 2020. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
- Notice on Apache 2020 Conferences https://s.apache.org/zgm8m
- CFP EXTENDED for ApacheCon North America: submissions due 1 June https://www.apachecon.com/

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – this week, 950 Apache contributors changed 2,932,004 lines of code over 4,001 commits. Top 5 contributors, in order, are: Andrea Cosentino, Mark Thomas, Tellier Benoit, Colm O hEigeartaigh, and Andrey Zagrebin.

Apache Project Announcements – the latest updates by category.

Big Data --
- Apache Arrow 0.17.0 released https://arrow.apache.org/
- Apache Druid 0.18.0 released https://druid.apache.org/
- Apache SAMOA (Incubating) 0.5.0 released https://samoa.incubator.apache.org/

Content --
- Apache Jackrabbit Oak 1.22.3 released https://jackrabbit.apache.org/
- Apache Tika 1.24.1 released https://tika.apache.org/

Messaging --
- Apache Pulsar 2.5.1 released https://pulsar.apache.org/

Network Client/Server --
- Apache Directory Studio 2.0-0-M15 released https://directory.apache.org/studio/

Version Control --
- Apache Subversion 1.14.0-rc2 released https://subversion.apache.org/

Did You Know?
- Did you know that Feathercast, the voice of The Apache Software Foundation, has new sessions on Apache Airflow, OFBiz, Sling, and more? https://feathercast.apache.org/
- Did you know that Apache SkyWalking now officially supports Java 8~14, both agent and backend side, as well as both run-time and compile time? http://skywalking.apache.org/
- Did you know that Apache Mahout and Spark are used to help denoise CT scans to improve COVID-19 detection at early stages of infection? https://projects.apache.org/projects.html?category#big-data

Apache Community Notices:
- The Apache Software Foundation Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19
- The Apache Software Foundation Celebrates 21 Years of Open Source Leadership https://s.apache.org/21stAnniversary
- Apache Month In Review: March 2020 – overview of events that have taken place within the Apache community https://s.apache.org/Mar2020
- The Apache Software Foundation Operations Summary: Q3 FY2020 (November 2019 - January 2020) https://s.apache.org/r6s5u
- "Trillions and Trillions Served", the documentary on the ASF, is in post-production. Catch the teaser at https://s.apache.org/ASF-Trillions
- Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits
- The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI
- ASF Operations Summary: Q2 FY2020 (August - October 2019) https://s.apache.org/2kv2n
- ASF Founders look back on 20 Years of the ASF https://blogs.apache.org/foundation/entry/our-founders-look-back-on
- Foundation Reports and Statements http://www.apache.org/foundation/reports.html
- ApacheCon: Tomorrow's Technology Today since 1998 http://s.apache.org/ApacheCon
- "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache
- Inside Infra: the new interview series with members of the ASF infrastructure team -- meet Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
- Please follow/like/re-tweet the ASF on social media: @TheASF on Twitter (https://twitter.com/TheASF) and on LinkedIn at https://www.linkedin.com/company/the-apache-software-foundation
- Do friend and follow us on the Apache Community Facebook page https://www.facebook.com/ApacheSoftwareFoundation/ and Twitter account https://twitter.com/ApacheCommunity
- Find out how you can participate with Apache community/projects/activities -- opportunities open with Apache Camel, Apache HTTP Server, and more! https://helpwanted.apache.org/
- Are your software solutions Powered by Apache? Download & use our "Powered By" logos http://www.apache.org/foundation/press/kit/#poweredby

= = =

For real-time updates, sign up for Apache-related news by sending mail to announce-subscr...@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.