[ANNOUNCE] Apache Qpid protonj2 1.0.0-M18 released

2023-11-07 Thread Timothy Bish
The Apache Qpid (http://qpid.apache.org) community is pleased to
announce the immediate availability of Apache protonj2 1.0.0-M18.

This is the latest release of our AMQP Java client supporting the
Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464,
http://www.amqp.org), based around the Apache Qpid ProtonJ2 protocol
engine also contained in this release.

The release is available now from our website:
http://qpid.apache.org/download.html

Binaries are also available via Maven Central:
http://qpid.apache.org/maven.html

Release notes can be found at:
http://qpid.apache.org/releases/qpid-protonj2-1.0.0-M18/release-notes.html

Thanks to all involved,


[ANNOUNCE] Apache Jackrabbit 2.20.13 released

2023-11-07 Thread Julian Reschke

The Apache Jackrabbit community is pleased to announce the release of
Apache Jackrabbit 2.20.13. The release is available for download at:

 http://jackrabbit.apache.org/downloads.html

See the full release notes below for details about this release:



Release Notes -- Apache Jackrabbit -- Version 2.20.13

Introduction
------------

This is Apache Jackrabbit(TM) 2.20.13, a fully compliant implementation
of the Content Repository for Java(TM) Technology API, version 2.0
(JCR 2.0) as specified in the Java Specification Request 283 (JSR 283).

Apache Jackrabbit 2.20.13 is an incremental feature release based on
and compatible with earlier stable Jackrabbit 2.x releases. Jackrabbit
2.20.x releases are considered stable and targeted for production use.

The minimum Java version for this release is Java 8. See

  http://jackrabbit.apache.org/jcr/downloads.html

for maintenance versions that support earlier Java versions.


Changes in Jackrabbit 2.20.13
-----------------------------

Bug

[JCR-4940] - jackrabbit-jcr2spi is incompatible with Java 21

Task

[JCR-4951] - Update oak-jackrabbit-api.version.used in trunk and 2.20 to Oak 1.22.16
[JCR-4970] - it-osgi: fix package name
[JCR-4971] - Update oak-jackrabbit-api.version.used in trunk and 2.20 to Oak 1.22.17

[JCR-4973] - jackrabbit-jcr-rmi: deprecate RMI support
[JCR-4974] - Update easymock dependency to 5.2.0
[JCR-4975] - update aws java sdk version to 1.12.560
[JCR-4976] - Update tomcat dependency to 9.0.80


For more detailed information about all the changes in this and other
Jackrabbit releases, please see the Jackrabbit issue tracker at

https://issues.apache.org/jira/browse/JCR

Release Contents
----------------

This release consists of a single source archive packaged as a zip file.
The archive can be unpacked with the jar tool from your JDK installation.
See the README.txt file for instructions on how to build this release.

The source archive is accompanied by an SHA512 checksum and a
PGP signature that you can use to verify the authenticity of your
download. The public key used for the PGP signature can be found at
https://www.apache.org/dist/jackrabbit/KEYS.

About Apache Jackrabbit
-----------------------

Apache Jackrabbit is a fully conforming implementation of the Content
Repository for Java Technology API (JCR). A content repository is a
hierarchical content store with support for structured and unstructured
content, full text search, versioning, transactions, observation, and
more.

For more information, visit http://jackrabbit.apache.org/

About The Apache Software Foundation
------------------------------------

Established in 1999, The Apache Software Foundation provides organizational,
legal, and financial support for more than 140 freely-available,
collaboratively-developed Open Source projects. The pragmatic Apache License
enables individual and commercial users to easily deploy Apache software;
the Foundation's intellectual property framework limits the legal exposure
of its 3,800+ contributors.

For more information, visit http://www.apache.org/

Trademarks
----------

Apache Jackrabbit, Jackrabbit, Apache, the Apache feather logo, and the Apache
Jackrabbit project logo are trademarks of The Apache Software Foundation.
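The Jackrabbit announcement above ships a SHA512 checksum and a PGP signature alongside the source archive and points at the project's KEYS file. The script below, added here as an example and not taken from the announcement or from the Jackrabbit project, performs that verification: it checks the archive against its `.sha512` file (accepting both the `sha512sum`-style "hex  filename" layout and the wrapped "filename: AB12 CD34 ..." layout that Apache projects publish) and then verifies the detached `.asc` signature against a throwaway keyring built only from the project's KEYS file. The file names (`<archive>.sha512`, `<archive>.asc`, a local `KEYS` file) are assumptions; the KEYS URL in the comment is the one given in the announcement.

```shell
#!/bin/sh
# Added example, not part of the Jackrabbit announcement or of the project:
# verify a downloaded Apache release archive against its detached SHA512
# checksum and its PGP signature before unpacking it. Assumed layout:
#   <archive>          the source archive (e.g. jackrabbit-2.20.13-src.zip)
#   <archive>.sha512   the published SHA512 checksum file
#   <archive>.asc      the published detached PGP signature
#   KEYS               the project's KEYS file, fetched separately from
#                      https://www.apache.org/dist/jackrabbit/KEYS
set -eu

# Print the lower-case SHA-512 hex digest of a file, using whichever tool the
# platform provides (coreutils sha512sum, or shasum on macOS/BSD).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print tolower($1)}'
  else
    shasum -a 512 "$1" | awk '{print tolower($1)}'
  fi
}

# verify_sha512 ARCHIVE CHECKSUM_FILE -> 0 if the digest matches, 1 otherwise.
# Apache checksum files come in two shapes: the sha512sum form
# "<hex>  <filename>" and the wrapped "<filename>: AB12 CD34 ..." form;
# both are normalised to a plain lower-case hex string before comparing.
verify_sha512() {
  archive=$1; sumfile=$2
  [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 1; }
  if grep -q ':' "$sumfile"; then
    expected=$(sed 's/^[^:]*://' "$sumfile" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
  else
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
  fi
  actual=$(sha512_of "$archive")
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# verify_pgp ARCHIVE SIGNATURE KEYS_FILE -> 0 on a good signature from a key
# in KEYS_FILE, 1 on a bad or unknown signature, 2 if gpg is unavailable.
# The KEYS file is imported into a throwaway keyring so the check trusts only
# keys the project itself publishes, not whatever happens to be in ~/.gnupg.
verify_pgp() {
  archive=$1; sigfile=$2; keysfile=$3
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; signature not verified" >&2
    return 2
  fi
  keyring=$(mktemp -d)
  chmod 700 "$keyring"
  gpg --homedir "$keyring" --batch --quiet --import "$keysfile"
  if gpg --homedir "$keyring" --batch --verify "$sigfile" "$archive"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$keyring"
  return $rc
}

# verify_release ARCHIVE [KEYS_FILE]: checksum first (cheap, catches a
# corrupted or truncated download), then the signature (establishes origin;
# a checksum file can be replaced next to a tampered archive on a mirror).
verify_release() {
  archive=$1; keysfile=${2:-KEYS}
  if ! verify_sha512 "$archive" "$archive.sha512"; then
    echo "SHA512 MISMATCH: $archive" >&2
    return 1
  fi
  echo "SHA512 OK: $archive"
  verify_pgp "$archive" "$archive.asc" "$keysfile" && echo "PGP signature OK: $archive"
}

# Usage: sh verify-release.sh jackrabbit-2.20.13-src.zip [KEYS]
if [ "$#" -ge 1 ]; then
  verify_release "$@"
fi
```

Fetch the KEYS file from apache.org itself rather than from the download mirror that served the archive: a mirror that can replace the archive can replace the checksum file beside it, so only the signature check against keys obtained from the project's own host ties the download to the release managers.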


CVE-2023-46819: Apache OFBiz: Execution of Solr plugin queries without authentication

2023-11-07 Thread Jacques Le Roux
Severity: moderate

Affected versions:

- Apache OFBiz before 18.12.09

Description:

Missing Authentication in Apache Software Foundation Apache OFBiz when using
the Solr plugin. This issue affects Apache OFBiz: before 18.12.09.

Users are recommended to upgrade to version 18.12.09.

Credit:

Anonymous by demand (finder)

References:

https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
https://ofbiz.apache.org/release-notes-18.12.09.html
https://ofbiz.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46819



[ANNOUNCE] Apache Pulsar Go Client 0.11.1 released

2023-11-07 Thread Zike Yang
The Apache Pulsar team is proud to announce Apache Pulsar Go Client
version 0.11.1.

Pulsar is a highly scalable, low latency messaging platform running on
commodity hardware. It provides simple pub-sub semantics over topics,
guaranteed at-least-once delivery of messages, automatic cursor management for
subscribers, and cross-datacenter replication.

For Pulsar release details and downloads, visit:
https://github.com/apache/pulsar-client-go/releases/tag/v0.11.1

Release Notes are at:
https://github.com/apache/pulsar-client-go/blob/master/CHANGELOG.md

We would like to thank the contributors that made the release possible.

Regards,

The Pulsar Team


[ANNOUNCE] Apache Kyuubi released 1.8.0

2023-11-07 Thread Cheng Pan
Hi all,

The Apache Kyuubi community is pleased to announce that
Apache Kyuubi 1.8.0 has been released!

Apache Kyuubi is a distributed and multi-tenant gateway to provide
serverless SQL on data warehouses and lakehouses.

Kyuubi provides a pure SQL gateway through Thrift JDBC/ODBC interface
for end-users to manipulate large-scale data with pre-programmed and
extensible Spark SQL engines.

We are aiming to make Kyuubi an "out-of-the-box" tool for data warehouses
and lakehouses.

This "out-of-the-box" model minimizes the barriers and costs for end-users
to use Spark, Flink, and other computing engines at the client side.

At the server-side, Kyuubi server and engine's multi-tenant architecture
provides the administrators a way to achieve computing resource isolation,
data security, high availability, high client concurrency, etc.

The full release notes and download links are available at:
Release Notes: https://kyuubi.apache.org/release/1.8.0.html

To learn more about Apache Kyuubi, please see
https://kyuubi.apache.org/

Kyuubi Resources:
- Issue: https://github.com/apache/kyuubi/issues
- Mailing list: d...@kyuubi.apache.org

We would like to thank all contributors of the Kyuubi community
who made this release possible!

Thanks,
On behalf of Apache Kyuubi community


[ANNOUNCE] Apache Allura 1.16.0 released, contains critical security fix

2023-11-07 Thread Dave Brondsema

The Apache Allura team is pleased to announce the release of Apache Allura 1.16.0.

Apache Allura is an open source implementation of a software forge, a web site
that manages source code repositories, bug reports, discussions, wiki pages,
blogs, and more for any number of individual projects.


This release contains a critical security fix for CVE-2023-46851.

If you are unable to upgrade, set this in your .ini config file:

disable_entry_points.allura.importers = forge-tracker, forge-discussion

That same .ini setting is also recommended for users who want maximum security on
their Allura instance and don't need those importers available.


Also, this release drops support for Python 3.7

To see all the details and upgrade instructions, view the release changelog at 
https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES


Download at https://allura.apache.org/download.html


CVE-2023-46851: Apache Allura: sensitive information exposure via import

2023-11-07 Thread Dave Brondsema

Severity: critical

Affected versions:

- Apache Allura 1.0.1 through 1.15.0

Description:

Allura Discussion and Allura Forum importing does not restrict URL values
specified in attachments. Project administrators can run these imports, which
could cause Allura to read local files and expose them. Exposing internal files
then can lead to other exploits, like session hijacking, or remote code execution.


This issue affects Apache Allura from 1.0.1 through 1.15.0.

Users are recommended to upgrade to version 1.16.0, which fixes the issue. If
you are unable to upgrade, set "disable_entry_points.allura.importers =
forge-tracker, forge-discussion" in your .ini config file.


Credit:

Stefan Schiller (Sonar) (finder)

References:

https://allura.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46851



[ANNOUNCE] Apache Arrow 14.0.0 released

2023-11-07 Thread Raúl Cumplido
The Apache Arrow community is pleased to announce the 14.0.0 release.
It includes 483 resolved issues ([1]) since the 13.0.0 release.

The release is available now from our website and [2]:
http://arrow.apache.org/install/

Read about what's new in the release
https://arrow.apache.org/blog/2023/11/01/14.0.0-release/

Changelog
https://arrow.apache.org/release/14.0.0.html

What is Apache Arrow?
---------------------

Apache Arrow is a columnar in-memory analytics layer designed to accelerate big
data. It houses a set of canonical in-memory representations of flat and
hierarchical data along with multiple language-bindings for structure
manipulation. It also provides low-overhead streaming and batch messaging,
zero-copy interprocess communication (IPC), and vectorized in-memory analytics
libraries.

Please report any feedback to the mailing lists ([3])

Regards,
The Apache Arrow community

[1]: https://github.com/apache/arrow/milestone/55?closed=1
[2]: https://www.apache.org/dyn/closer.cgi/arrow/arrow-14.0.0/
[3]: https://lists.apache.org/list.html?d...@arrow.apache.org