Fwd: [ANNOUNCE] Apache XMLBeans 5.0.2 release

2021-10-21 Thread PJ Fanning
The Apache POI project is pleased to announce the release of Apache
XMLBeans 5.0.2.
The POI team took over the ownership of XMLBeans since version 3.0.0.

See the downloads page for binary and source distributions:
https://xmlbeans.apache.org/download



Release Notes

Changes

The most notable changes in this release are:

* When generating Java code, there is a wrong reference to java.util.Object[]
* Support disallow-doctype-decl setting on XML parser
* Fix issue where you can get a StackOverflowError when parsing a
large number of characters in an XML element
* Upgrade dependencies (javaparser 3.23.0, log4j 2.14.1, Saxon 10.6)


A full list of changes is available in the change log:
https://xmlbeans.apache.org/status.html
https://issues.apache.org/jira/projects/XMLBEANS/versions/12350390
https://issues.apache.org/jira/browse/XMLBEANS-569?jql=project%20%3D%20XMLBEANS%20AND%20fixVersion%20%3D%20%22Version%205.0.2%22

People interested should also follow the *POI* dev mailing list to
track further progress.



Release Contents


This release comes in two forms:
 - pre-built binaries containing compiled versions of all Apache
   XMLBeans components and documentation
   (xmlbeans-bin-5.0.2-20211014.zip or xmlbeans-bin-5.0.2-20211014.tgz)
 - source archive you can build XMLBeans from
   (xmlbeans-src-5.0.2-20211014.zip or xmlbeans-src-5.0.2-20211014.tgz)
   Unpack the archive and use the following command to build all
   XMLBeans components with Apache Ant 1.8+ and JDK 1.8 or higher:

     ant deploy

Pre-built versions of all XMLBeans components are also available in
the central Maven repository under Group ID "org.apache.xmlbeans" and
Version "5.0.2".

All release artifacts are accompanied by SHA checksums and PGP signatures
that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at

https://www.apache.org/dist/poi/KEYS


About Apache XMLBeans
---

XMLBeans is a tool that allows access to the full power of XML in a
Java friendly way.
The idea is to take advantage of the richness and features of XML and XML Schema
and have these features mapped as naturally as possible to the equivalent Java
language and typing constructs.

See https://xmlbeans.apache.org for more details


About Apache POI
---

Apache POI is well-known in the Java field as a library for reading and
writing Microsoft Office file formats, such as Excel, PowerPoint, Word,
Visio, Publisher and Outlook. It supports both the older (OLE2) and
new (OOXML - Office Open XML) formats.

See https://poi.apache.org/ for more details

On behalf of the Apache POI PMC,
PJ
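The disallow-doctype-decl option listed in the changes above is the control a defender reaches for when XMLBeans parses documents from untrusted sources: a DOCTYPE is the hook for DTD entity expansion and external entity references, so rejecting any document that carries one removes that surface before the parser touches it. The following is an added example written for this digest, not code from the announcement or from the XMLBeans project; it assumes the option is exposed as `XmlOptions.setDisallowDocTypeDeclaration(boolean)` in 5.0.2 and that a rejected document surfaces as an `XmlException`, and the sample documents are constructed for illustration.

```java
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;

public class DoctypeGuard {

    // Constructed sample: a document that declares an external DTD.
    static final String DOC_WITH_DOCTYPE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/note.dtd\">\n"
        + "<note>hello</note>";

    // Constructed sample: the same payload without any DOCTYPE.
    static final String PLAIN_DOC = "<note>hello</note>";

    /**
     * Parses the given XML with DOCTYPE declarations disallowed.
     * Returns true when the document is accepted and false when the
     * parser rejects it; any other parse error also counts as rejection.
     */
    static boolean parseWithDoctypeDisallowed(String xml) {
        XmlOptions opts = new XmlOptions();
        // Assumed setter name for the 5.0.2 disallow-doctype-decl option.
        opts.setDisallowDocTypeDeclaration(true);
        try {
            XmlObject.Factory.parse(xml, opts);
            return true;
        } catch (XmlException e) {
            // A DOCTYPE in the input is expected to land here.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain document accepted: "
            + parseWithDoctypeDisallowed(PLAIN_DOC));
        System.out.println("document with DOCTYPE accepted: "
            + parseWithDoctypeDisallowed(DOC_WITH_DOCTYPE));
    }
}
```

Set the option on every `XmlOptions` instance used for untrusted input rather than on a single call site; with the option enabled the plain document parses and the one carrying a DOCTYPE is refused, so a DTD is never resolved, whether it points at a local file or a remote host.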


[ANNOUNCE] Apache Qpid JMS 1.3.0 released

2021-10-21 Thread Robbie Gemmell
The Apache Qpid (https://qpid.apache.org) community is pleased to
announce the immediate availability of Apache Qpid JMS 1.3.0.

This is the latest release of our newer JMS client supporting the
Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464,
https://www.amqp.org), based around the Apache Qpid Proton protocol
engine and implementing the AMQP JMS Mapping as it evolves at OASIS.

The release is available now from our website:
https://qpid.apache.org/download.html

Binaries are also available via Maven Central:
https://qpid.apache.org/maven.html

Release notes can be found at:
https://qpid.apache.org/releases/qpid-jms-1.3.0/release-notes.html

Thanks to all involved,
Robbie


[ANNOUNCE] Apache Flink 1.13.3 released

2021-10-21 Thread Chesnay Schepler
The Apache Flink community is very happy to announce the release of 
Apache Flink 1.13.3, which is the third bugfix release for the Apache 
Flink 1.13 series.


Apache Flink® is an open-source stream processing framework for 
distributed, high-performing, always-available, and accurate data 
streaming applications.


The release is available for download at:
https://flink.apache.org/downloads.html

Please check out the release blog post for an overview of the 
improvements for this bugfix release:

https://flink.apache.org/news/2021/10/19/release-1.13.3.html

The full release notes are available in Jira:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315522&version=12350329

We would like to thank all contributors of the Apache Flink community 
who made this release possible!


Regards,
Chesnay



[ANNOUNCE] Apache Ant 1.10.12 released

2021-10-21 Thread Jaikiran Pai



The Apache Ant Team is pleased to announce the release of Apache Ant 
1.10.12.


Apache Ant is a Java library and command-line tool that helps building 
software.


The Apache Ant team currently maintains two lines of development. The 
1.9.x releases require Java 5 at runtime and 1.10.x requires Java 8 at 
runtime. Both lines are based off of Ant 1.9.7 and the 1.9.x releases 
are mostly bug fix releases while additional new features are developed 
for 1.10.x. We recommend using 1.10.12 unless you are required to use 
versions of Java prior to Java 8 during the build process.


Ant 1.10.12 is mainly a bug fix release.

Source and binary distributions are available for download from the 
Apache Ant download site:


https://ant.apache.org/bindownload.cgi
https://ant.apache.org/srcdownload.cgi

When downloading, please verify signatures using the KEYS file available 
at the above location.


Changes in 1.10.12 are as follows:

Fixed bugs:
---

 * The http condition would follow redirects even when the
   "followRedirects" attribute was set to "false". This has now been fixed.
   Bugzilla Report 65489

 * Made sure setting build.compiler to the fully qualified classname
   that corresponds to extJavac or modern has the same effect as using
   the shorter alias names.
   Bugzilla Report 65539

 * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper.
   Bugzilla Report 65424

Other changes:
--

 * The implementation of AntClassLoader#findResources() has been
   changed to optimize it for potential performance issues, as those noted at
   https://issues.jenkins.io/browse/JENKINS-22310?focusedCommentId=197405&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-197405
   Github Pull Request #151

 * AntClassLoader now implements the ClassLoader#findResource(String)
   method.
   Github Pull Request #150

 * Ant tries to avoid file name canonicalization when possible.
   Bugzilla Report 65499

 * The javadoc task will now look for warning messages in the STDERR stream too
   when "failonwarning" is set to true, to account for changes in JDK 17+.

 * The tar task now preserves symlinks of nested tarfilesets.
   Github Pull Request #142

-Jaikiran (on behalf of Apache Ant team)





CVE-2021-40865: Apache Storm: Unsafe Pre-Authentication Deserialization In Workers

2021-10-21 Thread Derek Dagit
Severity: high

Description:

An Unsafe Deserialization vulnerability exists in the worker services of the 
Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE).  
Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 
2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should 
upgrade to version 1.2.4.

Mitigation:

Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0
Apache Storm 2.1.x users should upgrade to version 2.1.1
Apache Storm 1.x users should upgrade to version 1.2.4

Credit:

Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security 
Lab team for reporting this issue.



CVE-2021-38294: Apache Storm: Shell Command Injection Vulnerability in Nimbus Thrift Server

2021-10-21 Thread Derek Dagit
Severity: high

Description:

A Command Injection vulnerability exists in the getTopologyHistory service of 
the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A 
specially crafted thrift request to the Nimbus server allows Remote Code 
Execution (RCE) prior to authentication. 

Mitigation:

Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0
Apache Storm 2.1.x users should upgrade to version 2.1.1
Apache Storm 1.x users should upgrade to version 1.2.4

Credit:

Apache Storm would like to thank @pwntester Alvaro Muñoz of the GitHub Security 
Lab team for reporting this issue.