Apache Month in Review: February 2021
[this announcement is available online at https://s.apache.org/Feb2021 ]

Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in February:

New this month --

- Call for Apache project proposals and mentors: Outreachy Open Source internship program May-Aug 2021 https://s.apache.org/s7tz2
- The Apache Software Foundation Announces Apache® DataSketches™ as a Top-Level Project https://s.apache.org/jhvqu
- The Apache Software Foundation Announces Apache® Gobblin™ as a Top-Level Project https://s.apache.org/df92k
- The Apache® Software Foundation Sustains its Mission of Providing Software for the Public Good through Corporate Sponsorships and Charitable Giving https://s.apache.org/8foo2
- Apache Month in Review: January 2020 https://s.apache.org/Jan2021

Important Dates --

- Next Board Meeting: 17 March 2021. Board calendar and minutes http://apache.org/foundation/board/calendar.html

Infrastructure --

Our seven-member Infrastructure team on three continents oversees our highly-reliable, distributed network under the leadership of VP Infrastructure David Nalley and Infrastructure Administrator Greg Stein. ASF Infrastructure supports 300+ Apache projects and their communities across ~200 individual machines, 1,400+ repositories, 5-6PB in traffic annually, ~75M downloads per month, and 2-3M daily emails on 2,000+ lists. ASF Infra performs 7M+ weekly checks to ensure services are available around the clock. The average uptime in February was 99.97%. http://www.apache.org/uptime/

Committer Activity --

In February, 718 Apache Committers changed 8,293,634 lines of code over 13,685 commits. The Committers with the top 5 highest contributions, in order, were: Andrea Cosentino, Gary Gregory, Claus Ibsen, Andi Huber, and Benoit Tellier.
Project Releases and Updates --

New releases from Apache Airflow (Big Data); APISIX (API); Beam (Big Data); BookKeeper (Big Data); Camel (Integration); Commons NET (Libraries); Directory Studio (Network Client / Server); Druid (Big Data); Flink (Big Data); FreeMarker (Templating); HttpComponents (Servers); Lucene (Search); MyFaces (Web Frameworks); NiFi (Big Data); NLPCraft (Incubating; Natural Language Processing); PLC4X (IoT); Qpid Broker (Messaging); Qpid Dispatch (Messaging); Skywalking (Application Performance Management); Tomcat (Servers).

The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. EventMesh entered the Apache Incubator as a new podling this month. We invite you to review the many projects currently in development in the Apache Incubator http://incubator.apache.org/ .

# # #

To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter .

For real-time updates, sign up for Apache-related news by sending mail to announce-subscr...@apache.org and follow @TheASF on Twitter.

We appreciate your support!

= = =

NOTE: you are receiving this message because you are subscribed to the announce@apache.org distribution list. To unsubscribe, send email from the recipient account to announce-unsubscr...@apache.org with the word "Unsubscribe" in the subject line.
[SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
CVE-2021-25122 h2c request mix-up

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61

Description:
When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.0.2 or later
- Upgrade to Apache Tomcat 9.0.43 or later
- Upgrade to Apache Tomcat 8.5.63 or later

Note that the issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes for those versions did not pass.

Credit:
This issue was identified by the Apache Tomcat Security Team.

History:
2021-03-01 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html
[SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)
CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence)

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61
Apache Tomcat 7.0.0 to 7.0.107

Description:
The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 also apply to this issue.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.0.2 or later
- Upgrade to Apache Tomcat 9.0.43 or later
- Upgrade to Apache Tomcat 8.5.63 or later
- Upgrade to Apache Tomcat 7.0.108 or later
- The previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue

Note that the issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes for those versions did not pass.

Credit:
This issue was identified by Trung Pham of Viettel Cyber Security.

History:
2021-03-01 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html
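The two advisories above give their affected ranges as inclusive version spans with milestone builds (10.0.0-M1, 9.0.0.M1) at the low end, and the correct upgrade target depends on which branch an instance is on. The following added example, which is not part of either advisory and not code from the Tomcat project, turns those published ranges into a small inventory check: it parses a Tomcat version string, reports which of the two CVEs apply, and names the fixed release for that branch. The version-parsing rules (milestone "Mn" builds sort before the final release of the same x.y.z; the `[.-]M` separator accepts both spellings seen in the advisories) are this example's own assumptions, and the version strings it is run on are constructed samples.

```python
"""Check a Tomcat version string against the affected ranges published for
CVE-2021-25122 and CVE-2021-25329 and report the fixed release to move to.
The ranges and fixed versions come from the two advisories; the parsing
rules below are assumptions made for this example."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Inclusive (low, high) affected ranges and the fixed release, per advisory.
# CVE-2021-25122 lists no 7.0.x range; CVE-2021-25329 does.
ADVISORIES = {
    "CVE-2021-25122": [
        ("10.0.0-M1", "10.0.0", "10.0.2"),
        ("9.0.0.M1", "9.0.41", "9.0.43"),
        ("8.5.0", "8.5.61", "8.5.63"),
    ],
    "CVE-2021-25329": [
        ("10.0.0-M1", "10.0.0", "10.0.2"),
        ("9.0.0.M1", "9.0.41", "9.0.43"),
        ("8.5.0", "8.5.61", "8.5.63"),
        ("7.0.0", "7.0.107", "7.0.108"),
    ],
}

# major.minor.patch with an optional milestone suffix written as ".M1" or "-M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Map '9.0.0.M1', '10.0.0-M1' or '8.5.61' to a sortable key.

    Assumption: milestone builds precede the final release of the same
    x.y.z, so the key is (major, minor, patch, is_final, milestone).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


class Finding(NamedTuple):
    cve: str
    affected: bool
    upgrade_to: Optional[str]   # fixed release for the matching branch


def check_version(version: str) -> List[Finding]:
    """Return one Finding per advisory for the given Tomcat version."""
    key = parse_version(version)
    findings = []
    for cve, ranges in ADVISORIES.items():
        fixed = None
        for low, high, fixed_release in ranges:
            if parse_version(low) <= key <= parse_version(high):
                fixed = fixed_release
                break
        findings.append(Finding(cve, fixed is not None, fixed))
    return findings


def affected_cves(version: str) -> List[str]:
    """CVE identifiers (from the two advisories) that apply to this version."""
    return [f.cve for f in check_version(version) if f.affected]


def upgrade_target(version: str) -> Optional[str]:
    """Lowest release on the same branch that clears every matching advisory.

    Both advisories name the same fixed release per branch, so the set has
    at most one element; max() is kept so a later advisory with a higher
    fixed version would still win.
    """
    targets = {f.upgrade_to for f in check_version(version) if f.affected}
    return max(targets, key=parse_version) if targets else None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver in ("9.0.0.M1", "9.0.41", "9.0.43", "7.0.100", "10.0.0-M5", "8.5.63"):
        print(f"{ver:10} affected by {affected_cves(ver) or 'nothing'}; "
              f"upgrade to {upgrade_target(ver)}")
```

Run against a list of deployed versions, the output separates instances that need the 7.0.108 upgrade (CVE-2021-25329 only) from those on the 8.5, 9.0 and 10.0 branches that carry both issues, and flags nothing for versions at or past the fixed releases the advisories name.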
[ANNOUNCE] Apache NiFi MiNiFi C++ 0.9.0 release
Hello

The Apache NiFi team would like to announce the release of Apache NiFi MiNiFi C++ 0.9.0.

Highlights of the 0.9.0 release include:

- Added support for RocksDB-based content repository for better performance
- Added SQL extension
- Improved task scheduling
- Various C2 improvements
- Bug fixes and improvements to TailFile, ConsumeWindowsEventLog, MergeContent, CompressContent, PublishKafka, InvokeHTTP
- Implemented RetryFlowFile and smart handling of loopback connections
- Added a way to encrypt sensitive config properties and the flow configuration
- Implemented full S3 support
- Reduced memory footprint when working with many flow files

MiNiFi — a subproject of Apache NiFi — is a complementary data collection approach that supplements the core tenets of NiFi in dataflow management, focusing on the collection of data at the source of its creation. Specific goals for the initial thrust of the MiNiFi effort comprise:

- Small size and low resource consumption
- Central management of agents
- Generation of data provenance (full chain of custody of information)
- Integration with NiFi for follow-on dataflow management

More details on Apache NiFi - MiNiFi C++ can be found here:
https://nifi.apache.org/minifi

The release artifacts can be downloaded from here:
https://nifi.apache.org/minifi/download.html

Issues closed/resolved for this list can be found here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12321520&version=12345444

Release note highlights can be found here:
https://cwiki.apache.org/confluence/display/MINIFI/Release+Notes#ReleaseNotes-Versioncpp-0.9.0

Thank you
The Apache NiFi team
[ANNOUNCE] Release Apache SkyWalking Nginx LUA version 0.4.0
Hi all,

Apache SkyWalking Team is glad to announce the first release of Apache SkyWalking Nginx LUA 0.4.0

SkyWalking: APM (application performance monitor) tool for distributed systems, especially designed for microservices, cloud-native and container-based (Docker, Kubernetes, Mesos) architectures.

SkyWalking Nginx Agent provides the native tracing capability for Nginx powered by Nginx LUA module.

This release contains a number of new features, bug fixes and improvements compared to version 0.4.0 (last release). The notable changes since 0.3.0 include:

(Highlight key changes)
1. Add a global field 'includeHostInEntrySpan', type 'boolean', mark the entrySpan include host/domain.
2. Add destroyBackendTimer to stop reporting metrics.
3. Doc: set random seed in init_worker phase.
4. Local cache some variables and reuse them in Lua module.
5. Enable local cache and use tablepool to reuse the temporary table.

Please refer to the change log for the complete list of changes:
https://github.com/apache/skywalking-nginx-lua/blob/v0.4.0/CHANGES.md

Apache SkyWalking website: http://skywalking.apache.org/

Downloads: http://skywalking.apache.org/downloads/

Twitter: https://twitter.com/ASFSkyWalking

SkyWalking Resources:
- GitHub: https://github.com/apache/skywalking
- Issue: https://github.com/apache/skywalking/issues
- Mailing list: d...@skywalkiing.apache.org

- Apache SkyWalking Team