[ANN] Apache Tomcat Native 1.2.28 released

2021-04-12 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.28 stable. The key features of this release are: - Windows binaries built using 1.1.1k - Correct a regression in the fix for 65181 that prevented an error message from being displayed if an invalid key file

Sponsor Success at Apache: The Fork

2021-04-12 Thread Sally Khudairi
[this post is available online at https://s.apache.org/snobd ] by Wei Zhou I joined the Apache CloudStack community in 2012 and became a committer in 2013, eventually becoming a PMC (Project Management Committee) member in 2017. My journey to becoming a PMC was both physical and literal, and

CVE-2021-27905: Apache Solr: SSRF vulnerability with the Replication handler

2021-04-12 Thread Mike Drob
Description: The ReplicationHandler (normally registered at "/replication" under a Solr core) has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent an SSRF
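
The parameter described in this advisory names a remote endpoint that the server will itself connect to, which is the textbook SSRF shape. The following is an added example, not Solr's code or its fix for CVE-2021-27905: it models a replication handler that only pulls from nodes it already knows about, and shows the URL normalisation an allowlist needs so that userinfo tricks, case differences and non-HTTP schemes cannot slip past a string compare. The node list, the port and the `/solr/<core>/replication` path layout are constructed assumptions.

```python
"""Allowlist check for a caller-supplied replication source URL.

Added example, not Solr's own code or its fix for this advisory. It models a
replication handler that is told, via a "masterUrl"/"leaderUrl"-style
parameter, which other node to pull index data from, and that refuses to
contact anything outside the set of nodes it already knows about. The node
list, port and path layout are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed assumption: the cluster members this node is allowed to talk to.
KNOWN_NODES = {"solr-1.internal:8983", "solr-2.internal:8983"}
DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed assumption: replication is served at /solr/<core>/replication.
REPLICATION_PATH = re.compile(r"/solr/([A-Za-z0-9_.-]+)/replication")


def target_unchecked(url):
    """'Before' behaviour: whatever authority the parameter names gets contacted."""
    return urlsplit(url).netloc


def normalise_target(url):
    """Return a canonical 'host:port' for url, or None when the URL is
    malformed or uses a shape that a naive string compare can be fooled by."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS:
        return None                # file://, gopher://, dict:// and friends
    if parts.username is not None or parts.password is not None:
        return None                # http://solr-1.internal@evil.example/ is not solr-1.internal
    host = parts.hostname          # lower-cased, IPv6 brackets stripped
    if not host:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return f"{host}:{port}"


def is_allowed_replication_url(url, known_nodes=KNOWN_NODES):
    """Accept only a known node, and only its replication endpoint on that node."""
    target = normalise_target(url)
    if target is None or target not in known_nodes:
        return False
    return REPLICATION_PATH.fullmatch(urlsplit(url).path) is not None


if __name__ == "__main__":
    # Constructed sample parameter values, including the usual SSRF shapes.
    for candidate in [
        "http://solr-2.internal:8983/solr/core1/replication",
        "http://SOLR-1.INTERNAL:8983/solr/core1/replication",
        "http://solr-1.internal@169.254.169.254:8983/solr/core1/replication",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "http://solr-1.internal:8983/solr/../admin/cores",
    ]:
        print(f"{is_allowed_replication_url(candidate)!s:5}  {candidate}")
```

The allowlist is keyed on the normalised `host:port`, not on the raw parameter, so a value such as `http://solr-1.internal@169.254.169.254:8983/...` is rejected even though it starts with an allowed hostname; `target_unchecked` shows what a handler that trusts the parameter would have connected to.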

[ANN] Apache Syncope 2.1.9

2021-04-12 Thread Francesco Chicchiriccò
The Apache Syncope team is pleased to announce the release of Syncope 2.1.9 Apache Syncope is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology. The release will be available within 24h from:

[ANNOUNCE] Apache Solr 8.8.2 released

2021-04-12 Thread Mike Drob
The Solr PMC is pleased to announce the release of Apache Solr 8.8.2 Solr is the popular, blazing fast, open source NoSQL search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting,

CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections

2021-04-12 Thread Mike Drob
Description: When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving
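
The behaviour described in this advisory is a confused-deputy problem: the node that forwards a distributed request substitutes its own identity for the client's, so the receiving node authorises the wrong principal. The following is an added example, not Solr's or the Hadoop authentication plugin's code, modelling two nodes where the node that owns a collection enforces authorization and the entry node forwards either the client's principal or its own. Users, collections and permissions are constructed.

```python
"""Confused-deputy model of a proxied distributed request.

Added example, not Solr's code or the ConfigurableInternodeAuthHadoopPlugin.
The entry node receives a client request and forwards it to the node that
owns the collection; that node authorises whatever principal the forwarded
request carries. All principals, collections and permissions are constructed.
"""

# Constructed authorization table: principal -> collection -> allowed actions.
PERMISSIONS = {
    "alice": {"orders": {"read"}},
    "bob": {"orders": {"read", "write"}},
    # Constructed internal identity the nodes use to talk to each other;
    # it can do everything, which is exactly why forwarding under it is dangerous.
    "solr-internal": {"orders": {"read", "write"}, "config": {"read", "write"}},
}
SERVER_PRINCIPAL = "solr-internal"


def authorize(principal, collection, action):
    """Receiving-node policy check against the principal on the request."""
    return action in PERMISSIONS.get(principal, {}).get(collection, set())


def forward(request, use_client_credentials):
    """Build the request the entry node sends to the node owning the data.

    use_client_credentials=False reproduces the advisory's pre-fix behaviour:
    the forwarded request carries the server's identity, not the caller's.
    """
    forwarded = dict(request)
    forwarded["principal"] = (
        request["principal"] if use_client_credentials else SERVER_PRINCIPAL
    )
    return forwarded


def handle_on_receiving_node(forwarded):
    """The node that owns the collection decides on the forwarded principal."""
    return authorize(forwarded["principal"], forwarded["collection"], forwarded["action"])


def distributed_request(principal, collection, action, use_client_credentials):
    """End-to-end: client -> entry node -> owning node; returns the final decision."""
    request = {"principal": principal, "collection": collection, "action": action}
    return handle_on_receiving_node(forward(request, use_client_credentials))


if __name__ == "__main__":
    # alice may only read "orders"; see what a forwarded write resolves to.
    for use_client in (False, True):
        verdict = distributed_request("alice", "orders", "write", use_client)
        print(f"forward as {'client' if use_client else 'server'}: write allowed = {verdict}")
```

With the server principal on the forwarded request, alice's write to `orders` is accepted by the owning node because the internal identity is allowed to write; carrying the original principal through restores the intended decision.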

CVE-2021-29262: Apache Solr: Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings

2021-04-12 Thread Mike Drob
Description: When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would
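
The advisory turns on whether a ZooKeeper ACL provider recognises `security.json` as sensitive when the node does not yet exist and a read-only user is configured. The following is an added example, not Solr's SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider, modelling a provider whose sensitivity decision depends on whether the node already exists beside one that decides on the path name alone. The identities, ACL permission strings and the existence-based rule are constructed assumptions used to illustrate the failure mode, not a description of Solr's internals.

```python
"""Model of a ZooKeeper ACL provider with an optional read-only user.

Added example, not Solr's SaslZkACLProvider or
VMParamsAllAndReadonlyDigestZkACLProvider. It shows how an ACL decision that
consults whether a node already exists, rather than the path name, can hand a
read-only principal access to a node holding authentication and authorization
settings. Identities, permission strings and the existence-based rule are
constructed for the illustration.
"""

# Constructed identities in the (scheme, id, perms) shape ZooKeeper ACLs use.
ADMIN = ("digest", "solr-admin", "cdrwa")      # full access
READONLY = ("digest", "solr-ro", "r")          # the optional read-only user
SENSITIVE_PATHS = ("/security.json",)          # the znode named in the advisory


def is_sensitive(path):
    """Sensitivity is a property of the path, independent of the node's existence."""
    return path in SENSITIVE_PATHS


def acls_existence_based(path, existing_nodes, readonly_configured):
    """Constructed buggy provider: only nodes already present at startup are
    recognised as sensitive; a node created afterwards gets the default ACL."""
    if path in existing_nodes and is_sensitive(path):
        return [ADMIN]
    return [ADMIN, READONLY] if readonly_configured else [ADMIN]


def acls_path_based(path, existing_nodes, readonly_configured):
    """Corrected provider: the path decides, whether or not the node exists yet."""
    if is_sensitive(path):
        return [ADMIN]
    return [ADMIN, READONLY] if readonly_configured else [ADMIN]


def readable_by(acls, identity):
    """True if any ACL entry grants read ('r') to the given (scheme, id)."""
    scheme, ident = identity
    return any(s == scheme and i == ident and "r" in perms for s, i, perms in acls)


def readonly_user_can_read_security_json(provider, existing_nodes):
    """Start-up scenario from the advisory: read-only user configured and
    security.json about to be created. Returns whether it leaks to that user."""
    acls = provider("/security.json", existing_nodes, readonly_configured=True)
    return readable_by(acls, ("digest", "solr-ro"))


if __name__ == "__main__":
    for name, provider in [("existence-based", acls_existence_based),
                           ("path-based", acls_path_based)]:
        leak = readonly_user_can_read_security_json(provider, existing_nodes=set())
        print(f"{name:16s} no prior security.json -> read-only user can read it: {leak}")
```

Running the existence-based provider in the "no existing security.json" start-up case grants the read-only user `r` on the node, which is the leakage the title describes; the path-based provider keeps the node admin-only in both cases.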