CVE-2022-25312: An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor

2022-03-04 Thread lewis john mcgibbney
Description:

An XML external entity (XXE) injection vulnerability was discovered in
the Any23 RDFa XSLTStylesheet extractor and is known to affect Any23
versions < 2.7. XML external entity injection (also known as XXE) is a
web security vulnerability that allows an attacker to interfere with
an application's processing of XML data. It often allows an attacker
to view files on the application server filesystem, and to interact
with any back-end or external systems that the application itself can
access.

Resolution:

This issue is fixed in Apache Any23 2.7 which can be downloaded from
https://any23.apache.org/download.html. We strongly encourage all
Any23 users to upgrade to Apache Any23 2.7.

Credit:

The Apache Any23 Project Management Committee would like to thank Lion
Tree a.k.a. liontree0110 for reporting this issue.

-- 
http://home.apache.org/~lewismc/
http://people.apache.org/keys/committer/lewismc


[ANNOUNCE] Apache Any23 2.7

2022-03-04 Thread lewis john mcgibbney
The Apache Any23 Project Management Committee is pleased to announce
the release of Apache Any23 2.7.

Apache Anything To Triples (Any23) is a library, a web service and a
command line tool that extracts structured data in RDF format from a
variety of Web documents.

Any23 2.7 requires JDK11 to build and run.

Release Notes: https://github.com/apache/any23/blob/any23-2.7/RELEASE-NOTES.md

Download: http://any23.apache.org/download.html

Maven Artifacts:
https://search.maven.org/search?q=g:org.apache.any23%20AND%20v:2.7

DOAP: https://github.com/apache/any23-committers/blob/master/doap_Any23.rdf

Have Fun,
(Lewis), on behalf of the Apache Any23 PMC
N.B. The release artifacts can take a bit of time to reach the
distribution servers, please be patient.


--
http://home.apache.org/~lewismc/
http://people.apache.org/keys/committer/lewismc


[ANNOUNCE] Apache NetBeans 13 released

2022-03-04 Thread Geertjan Wielenga
Hi all,

The Apache NetBeans team is pleased to announce that Apache NetBeans
13 is released today on March 4, 2022. Apache NetBeans is a full IDE
for Java SE, Java EE, PHP, JavaScript, HTML5 and more, including some
support for Groovy and C/C++.

Our schedule is publicly available here:

https://cwiki.apache.org/confluence/display/NETBEANS/Release+Schedule

New & noteworthy features of the 13 release:

https://netbeans.apache.org/download/nb13/index.html

Downloads:

https://netbeans.apache.org/download/nb13/nb13.html

Feel free to share the good news!

Thanks everyone, and best wishes,

Neil, Eric, and Geertjan
Release Managers for Apache NetBeans 13
on behalf of Apache NetBeans PMC


The Apache Weekly News Round-up: week ending 4 March 2022

2022-03-04 Thread Sally Khudairi
We're opening March with a cracking week. Here's what the Apache community has 
been up to:

Sponsor Apache – a number of tax-deductible sponsorships help offset the ASF's 
day-to-day operating expenses that include infrastructure support, bandwidth, 
connectivity, servers, hardware, development environments, legal counsel, 
accounting services, trademark protection, marketing and publicity, educational 
events, and more.
 - The Apache Software Foundation Welcomes VMware as its Newest Platinum Sponsor
https://blogs.apache.org/foundation/entry/the-apache-software-foundation-welcomes11

ASF Board – management and oversight of the business affairs of the corporation 
in accordance with the Foundation's bylaws.
 - Announcing New ASF Board of Directors, elected during this week's Members' 
Meeting.
https://blogs.apache.org/foundation/entry/announcing-new-asf-board-of4
 - Next Board Meeting: 16 March 2022. Running Board calendar and minutes are 
available.
https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's 
infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 
different service components spread over more than 250 machines in data centers 
around the world. View the ASF's Infrastructure Uptime site to see the most 
recent averages. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 332 Apache Committers changed 
880,561 lines of code over 3,128 commits. Top 5 contributors, in order, are: 
Olivier Lamy, Andrea Cosentino, Claus Ibsen, Sebastian Rühl, and Eric Milles. 

Apache Project Announcements – the latest updates by category.

Application Servers/Middleware --
 - Apache Karaf Decanter 2.9.0 released https://karaf.apache.org/

Content --
 - Apache Jackrabbit Oak 1.22.11 released http://jackrabbit.apache.org/
 - Apache POI 5.2.1 released https://poi.apache.org/
 - CVE-2022-26336: poi-scratchpad: A carefully crafted TNEF file can cause an 
out of memory exception 
https://lists.apache.org/thread/hqc0ohg0z1j0p4ysm3y4ct6g2d8sjc2b

FinTech --
 - Apache Fineract 1.6.0 released http://fineract.apache.org/

Libraries --
 - Apache PDFBox JBIG2 ImageIO plugin 3.0.4 released https://pdfbox.apache.org/

Logging Services --
 - Apache Log4j 2.17.2 released https://logging.apache.org/log4j/2.x/index.html

Network Application Framework --
 - Apache MINA FtpServer 1.1.3 released https://mina.apache.org/

Servers --
 - Apache Tomcat 9.0.59, 10.0.17 and 10.1.0-M11 (alpha) released 
http://tomcat.apache.org/

Workflow --
 - CVE-2021-45229: Apache Airflow: Reflected XSS via Origin Query Argument in 
URL https://lists.apache.org/thread/o80q468nzrds1on5lll54s1s24l5q0w2


Did You Know?
- Did you know that the Apache Ignite community's CFP for IgniteSummit (taking 
place online 14 June) closes on 29 April? https://ignite.apache.org/events.html

- Did you know that HugeGraph (incubating), a large-scale and easy-to-use graph 
database that stores and queries billions of vertices and edges, is the newest 
podling undergoing development in the Apache Incubator? 
https://incubator.apache.org/

- Did you know that the ASF manages 2,180 mailing lists, 486 of which are 
private? Over the past year, 19,053 authors sent 1,946,990 emails on 869,461 
topics! https://apache.org/foundation/mailinglists.html

Apache Community Notices
 - Apache in 2021 - By The Digits 
https://apache.org/foundation/mailinglists.html + Video highlights 
https://youtu.be/GU0SV_2tWkU

 - The Apache Month in Review: January 2022 https://s.apache.org/January2022 
and video highlights https://youtu.be/goxIRFMIi-w

 - Watch "Trillions and Trillions Served" 
https://www.youtube.com/watch?v=JUt2nb0mgwg, the documentary on the ASF 1) 
full feature [49 min] https://www.youtube.com/watch?v=JUt2nb0mgwg 2) "Apache 
Everywhere" [6 min] https://www.youtube.com/watch?v=nXtIti9jMFI 3) "Why Apache" 
[2.5 min] https://www.youtube.com/watch?v=YM5dLvNatRs 4) "Apache Innovation" 
[40 min] https://www.youtube.com/watch?v=qkvqJaX4S50

 - ASF Annual Report: FY2021 -- Press release 
https://blogs.apache.org/foundation/entry/the-apache-software-foundation-announces78
 and Report (PDF) https://www.apache.org/foundation/docs/FY2021AnnualReport.pdf

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements 
http://www.apache.org/foundation/reports.html

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on 
the ASF YouTube channel. https://www.youtube.com/c/TheApacheFoundation/

 - "Success at Apache" focuses on the people and processes behind why the ASF 
"just works." https://blogs.apache.org/foundation/category/SuccessAtApache

 - Follow the ASF on social media: @TheASF on Twitter 
https://twitter.com/TheASF and The ASF page LinkedIn. 
https://www.linkedin.com/company/the-apache-software-foundation

 - Follow the Apache Community on Facebook 
https:

CVE-2022-26336: poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception

2022-03-04 Thread PJ Fanning
Severity: moderate

Description:

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an 
attacker to cause an Out of Memory exception. This package is used to read TNEF 
files (Microsoft Outlook and Microsoft Exchange Server). If an application uses 
poi-scratchpad to parse TNEF files and the application allows untrusted users 
to supply them, then a carefully crafted file can cause an Out of Memory 
exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. 
Users are recommended to upgrade to poi-scratchpad 5.2.1.

This issue is being tracked as 
https://bz.apache.org/bugzilla/show_bug.cgi?id=65899

Credit:

Apache POI would like to thank Craig Haft of Yahoo Inc. for reporting and 
providing a patch for this issue.



[ANNOUNCE] Apache POI 5.2.1 released

2022-03-04 Thread PJ Fanning
The Apache POI project is pleased to announce the release of POI 5.2.1.
Featured are a handful of new areas of functionality, and numerous bug fixes.

See the downloads page for binary and source distributions:
https://poi.apache.org/download.html

Release Notes

Changes

The most notable changes in this release are:

* upgrade dependencies: curvesapi 1.07 ...
* IOUtils.toByteArray did not fully take into account value set by
IOUtils.setByteArrayMaxOverride [#65887]
* Fix issue where malformed TNEF file can cause memory issues [#65899]
* XAdES-XL modifications due to specification check errors [#65908]
* Picture resize can lead to infinite loop [#65839]
* Multiplication in cell formulas can have small rounding issues [#65792]
* Add support for a number of extra Excel functions (Normal Distribution,
BESSELJ, NUMBERVALUE, WORKDAY.INTL, DOLLARDE and DOLLARFR)


A full list of changes is available in the change log:
https://poi.apache.org/changes.html.
People interested should also follow the dev mailing list to track
further progress.

Release Contents


This release comes in two forms:
 - pre-built binaries containing compiled versions of all Apache POI
components and documentation
   (poi-bin-5.2.1-20220224.zip or poi-bin-5.2.1-20220224.tgz)
 - source archive you can build POI from (poi-src-5.2.1-20220224.zip
or poi-src-5.2.1-20220224.tgz)
  Unpack the archive and use the following command to build all POI
components with JDK 1.8 or higher:

  gradlew jar

 Pre-built versions of all POI components are also available in the
central Maven repository
 under Group ID "org.apache.poi" and Version "5.2.1"

All release artifacts are accompanied by MD5 checksums and PGP signatures
that you can use to verify the authenticity of your download.
The public key used for the PGP signature can be found at
https://svn.apache.org/repos/asf/poi/tags/REL_5_2_1/KEYS

About Apache POI
---

Apache POI is well-known in the Java field as a library for reading and
writing Microsoft Office file formats, such as Excel, PowerPoint, Word,
Visio, Publisher and Outlook. It supports both the older (OLE2) and
new (OOXML - Office Open XML) formats.

See https://poi.apache.org/ for more details

On behalf of the Apache POI PMC,
PJ