[ANNOUNCE] Apache UIMA Java SDK JSON CAS I/O v0.4.0 released

2022-08-08 Thread Richard Eckart de Castilho

The Apache UIMA team is pleased to announce the release of

Apache UIMA Java SDK JSON CAS I/O v0.4.0.

Apache UIMA is a component architecture and framework
for the analysis of unstructured content like text, video and audio data.

The JSON CAS I/O implementation for use with the UIMA Java SDK allows
serializing UIMA CAS data to JSON and de-serializing the data back from JSON
again, loading it into a CAS object. The aim of this library is to facilitate
the data interoperability of UIMA data across different platforms and
programming languages. For example, the implementation contains functionality
to deal with the different character offset counting strategies used by
different languages such as Java and Python. A Python-based implementation of
the UIMA JSON CAS format is available as part of the third-party DKPro Cassis
[7] library.

This is the first public release based on the JSON serialization of the Apache
UIMA CAS draft specification version 0.4.0. Please note that the implementation
and the specification are not yet final. For this reason, it is not yet
recommended to use this library in scenarios where data needs to be stored or
archived over an extended period of time as future versions of the
implementation and specification may introduce incompatibilities with the
current version. Good usage scenarios are for example short-term data exchange
between different UIMA implementations such as for example in network
communication.

A full list of issues [1] addressed in this release can be found on the issue
tracker.

Please use the mailing lists [2] for feedback and the issue tracker [2] to
report bugs.

## Supported Platforms

UIMA Java SDK JSON CAS I/O v0.4.0 should be used in combination with

* Java 1.8 or higher
* UIMA Java SDK 3.3.0 or higher

## How to Get Involved

The Apache UIMA project really needs and appreciates any contributions,
including documentation help, source code and feedback. If you are interested
in contributing, please visit our getting involved page [4].

## Download

The official release comes with verifiable signatures and hashes and can be
downloaded from the Apache UIMA homepage [5].

Convenience binaries are provided via Maven Central [6].

[1] https://issues.apache.org/jira/issues/?jql=project%20%3D%20UIMA%20AND%20fixVersion%20%3D%200.4.0jsoncas
[2] https://uima.apache.org/mail-lists.html
[3] https://github.com/apache/uima-uimaj-io-jsoncas/issues
[4] http://uima.apache.org/get-involved.html
[5] https://uima.apache.org/downloads.cgi
[6] https://search.maven.org/search?q=g:org.apache.uima
[7] https://github.com/dkpro/dkpro-cassis



CVE-2022-35724: Apache Avro: Denial of service while reading data in Avro Rust SDK

2022-08-08 Thread Ryan Skraba
Severity: important

Description:

It is possible to provide data to be read that leads the reader to loop in 
cycles endlessly, consuming CPU.  This issue affects Rust applications using 
Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs).  Users 
should update to apache-avro version 0.14.0 which addresses this issue.

Credit:

This issue was reported to the Apache Avro team by Evan Richter at ForAllSecure 
and found with Mayhem.



CVE-2022-36124: Apache Avro: Memory overconsumption in Avro Rust SDK

2022-08-08 Thread Ryan Skraba
Severity: moderate

Description:

It is possible for a Reader to consume memory beyond the allowed constraints 
and thus lead to out of memory on the system. This issue affects Rust 
applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as 
avro-rs).  Users should update to apache-avro version 0.14.0 which addresses 
this issue.

Credit:

This issue was reported to the Apache Avro team by Evan Richter at ForAllSecure 
and found with Mayhem.



CVE-2022-36125: Apache Avro: Integer overflow when reading corrupted .avro file in Avro Rust SDK

2022-08-08 Thread Ryan Skraba
Severity: important

Description:

It is possible to crash (panic) an application by providing corrupted data to 
be read. This issue affects Rust applications using Apache Avro Rust SDK prior 
to 0.14.0 (previously known as avro-rs).  Users should update to apache-avro 
version 0.14.0 which addresses this issue.

Credit:

This issue was reported to the Apache Avro team by Evan Richter at ForAllSecure 
and found with Mayhem.



[ANNOUNCE] Apache Avro 1.11.1 released

2022-08-08 Thread Ryan Skraba
The Apache Avro community is pleased to announce the release of Avro 1.11.0!

All signed release artifacts, signatures and verification instructions can
be found here: https://avro.apache.org/releases.html

This release includes ~250 Jira issues, including some interesting features:

Some interesting highlights:

Avro specification
- [AVRO-3436] Clarify which names are allowed to be qualified with namespaces
- [AVRO-3370] Inconsistent behaviour on types as invalid names
- [AVRO-3275] Clarify how fullnames are created, with example
- [AVRO-3257] IDL: add syntax to create optional fields
- [AVRO-2019] Improve docs for logical type annotation

C++
- [AVRO-2722] Use of boost::mt19937 is not thread safe

C#
- [AVRO-3383] Many completed subtasks for modernizing C# coding style
- [AVRO-3481] Input and output variable type mismatch
- [AVRO-3475] Enforce time-millis and time-micros specification
- [AVRO-3469] Build and test using .NET SDK 7.0
- [AVRO-3468] Default values for logical types not supported
- [AVRO-3467] Use oracle-actions to test with Early Access JDKs
- [AVRO-3453] Avrogen Add Generated Code Attribute
- [AVRO-3432] Add command line option to skip creation of directories
based on namespace path
- [AVRO-3411] Add Visual Studio Code Devcontainer support
- [AVRO-3388] Implement extra codecs for C# as separate nuget packages
- [AVRO-3265] avrogen generates uncompilable code when namespace ends
with ".Avro"
- [AVRO-3219] Support nullable enum type fields

Java
- [AVRO-3531] GenericDatumReader in multithread lead to infinite loop
- [AVRO-3482] Reuse MAGIC in DataFileReader
- [AVRO-3586] Make Avro Build Reproducible
- [AVRO-3441] Automatically register LogicalTypeFactory classes
- [AVRO-3375] Add union branch, array index and map key "path"
information to serialization errors
- [AVRO-3374] Fully qualified type reference "ns.int" loses namespace
- [AVRO-3294] IDL parsing allows doc comments in strange places
- [AVRO-3273] avro-maven-plugin breaks on old versions of Maven
- [AVRO-3266] Output stream incompatible with MagicS3GuardCommitter
- [AVRO-3243] Lock conflicts when using computeIfAbsent
- [AVRO-3120] Support Next Java LTS (Java 17)
- [AVRO-2498] UUID generation is not working

Javascript
- [AVRO-3489] Replace istanbul with nyc for code coverage
- [AVRO-3322] Buffer is not defined in browser environment
- [AVRO-3084] Fix JavaScript interop test to read files generated by
other languages on CI

Perl
- [AVRO-3263] Schema validation warning on invalid schema with a long field

Python
- [AVRO-3542] Scale assignment optimization
- [AVRO-3521] "Scale" property from decimal object
- [AVRO-3380] Byte reading in avro.io does not assert read bytes to
requested nbytes
- [AVRO-3229] validate the default value of an enum field
- [AVRO-3218] Pass LogicalType to BytesDecimalSchema

Ruby
- [AVRO-3277] Test against Ruby 3.1

Rust
- [AVRO-3558] Add a demo crate that shows usage as WebAssembly
- [AVRO-3526] Improve resolving Bytes and Fixed from string
- [AVRO-3506] Implement Single Object Writer
- [AVRO-3507] Implement Single Object Reader
- [AVRO-3405] Add API for user-provided metadata to file
- [AVRO-3339] Rename crate from avro-rs to apache-avro
- [AVRO-3479] Derive Avro Schema macro

Website
- [AVRO-2175] Website refactor
- [AVRO-3450] Document IDL support in IDEs

This is the first release that provides the Rust apache-avro crate at crates.io!

And of course upgraded dependencies to latest versions, CVE fixes and more
https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.1

The link to all fixed JIRA issues and a brief summary can be found at:
https://github.com/apache/avro/releases/tag/release-1.11.1

In addition, language-specific release artifacts are available:

* C#: https://www.nuget.org/packages/Apache.Avro/1.11.1
* Java: from Maven Central,
* Javascript: https://www.npmjs.com/package/avro-js/v/1.11.1
* Perl: https://metacpan.org/release/Avro
* Python 3: https://pypi.org/project/avro/1.11.1/
* Ruby: https://rubygems.org/gems/avro/versions/1.11.1
* Rust: https://crates.io/crates/apache-avro/0.14.0

Thanks to everyone for contributing!


[ANN] Apache Syncope 3.0.0-M0

2022-08-08 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 3.0.0-M0

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

Syncope 3.0 Maggiore is now a full-fledged IAM system covering provisioning, 
reconciliation and reporting needs (as with earlier releases), access 
management and API management.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope300M0

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team



[ANN] Apache Syncope 2.1.12

2022-08-08 Thread Francesco Chicchiriccò

The Apache Syncope team is pleased to announce the release of Syncope 2.1.12

Apache Syncope is an Open Source system for managing digital identities in 
enterprise environments, implemented in Java EE technology.

The release will be available within 24h from:
https://syncope.apache.org/downloads

Read the full change log available here:
https://s.apache.org/syncope2112

Upgrading from 2.1.11? There are some notes about this process:
https://s.apache.org/he0xc

We welcome your help and feedback. For more information on how to report 
problems, and to get involved, visit the project website at

http://syncope.apache.org/

The Apache Syncope Team