Posted to notifications@james.apache.org by bt...@apache.org on 2022/09/03 21:55:17 UTC

[james-project] branch master updated: Announce CVE-2021-44228 (#1180)

This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git


The following commit(s) were added to refs/heads/master by this push:
     new 372ed02f0e Announce CVE-2021-44228 (#1180)
372ed02f0e is described below

commit 372ed02f0e9bda1a64a55b150c0ea75d48091001
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Sun Sep 4 04:55:12 2022 +0700

    Announce CVE-2021-44228 (#1180)
---
 .../docs/modules/ROOT/pages/operate/security.adoc              | 10 ++++++++++
 src/homepage/_posts/2022-08-26-james-3.7.1.markdown            |  6 +++++-
 src/site/xdoc/server/feature-security.xml                      |  9 +++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
index 3170b360d8..b5010385e3 100644
--- a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
+++ b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
@@ -104,6 +104,16 @@ outdated dependencies.
 
 We follow the standard procedures within the ASF regarding link:https://apache.org/security/committers.html#vulnerability-handling[vulnerability handling]
 
+=== CVE-2021-44228: STARTTLS command injection in Apache JAMES
+
+Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.
+
+Fix of CVE-2021-38542, which solved similar problem from Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.
+
+*Severity*: Moderate
+
+*Mitigation<*: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability.
+
 === CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)
 
 Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS
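Review bot: the CVE identifier in the new heading is wrong. CVE-2021-44228 is Log4Shell (the xdoc touched by this same commit already carries a `CVE-2021-44228: Log4Shell` subsection), while the blog post hunk in this commit attributes the STARTTLS fix shipped in 3.7.1 to CVE-2022-28220; all three files must use the same identifier, so this heading should read `=== CVE-2022-28220: STARTTLS command injection in Apache James` (matching the `Apache James` capitalisation of the CVE-2021-38542 heading below). Also drop the stray `<` in `*Mitigation<*`, and fix the grammar of the second paragraph: `The fix for CVE-2021-38542, which solved a similar problem in Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account.`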
diff --git a/src/homepage/_posts/2022-08-26-james-3.7.1.markdown b/src/homepage/_posts/2022-08-26-james-3.7.1.markdown
index bb022ebf52..f1f00734e4 100644
--- a/src/homepage/_posts/2022-08-26-james-3.7.1.markdown
+++ b/src/homepage/_posts/2022-08-26-james-3.7.1.markdown
@@ -13,7 +13,11 @@ The Apache James PMC would like to thanks all contributors who made this release
 
 ## Announcement
 
-As this is a minor maintenance release, including bug fixes, there is no major announcements.
+As this is a minor maintenance release.
+
+This release addresses CVE-2022-28220 `STARTTLS command injection in Apache JAMES`.
+
+It also includes various bugfixes.
 
 ## Release changelog
 
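Review bot: `As this is a minor maintenance release.` is a sentence fragment: the removed line had the main clause (`there is no major announcements`) and the replacement keeps only the subordinate clause. Either restore a main clause or drop the conjunction, e.g. `This is a minor maintenance release.` The backticks around `STARTTLS command injection in Apache JAMES` render the title as inline code in Markdown; quotation marks read better for a vulnerability name. Note that this file announces the issue as CVE-2022-28220 while the adoc and xdoc hunks in the same commit label it CVE-2021-44228; they cannot both be right and should be reconciled before merging.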
diff --git a/src/site/xdoc/server/feature-security.xml b/src/site/xdoc/server/feature-security.xml
index 3d88c7594c..c6fa70b041 100644
--- a/src/site/xdoc/server/feature-security.xml
+++ b/src/site/xdoc/server/feature-security.xml
@@ -53,6 +53,15 @@
             We follow the standard procedures within the ASF regarding
             <a href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability handling</a>.
         </subsection>
+        <subsection name="CVE-2021-44228: STARTTLS command injection in Apache JAMES">
+            <p>Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.</p>
+
+            <p>Fix of CVE-2021-38542, which solved similar problem from Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.</p>
+
+            <p><b>Severity</b>: Moderate</p>
+
+            <p><b>Mitigation</b>: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability.</p>
+        </subsection>
         <subsection name="CVE-2021-44228: Log4Shell">
             <p>Apache James Spring distribution prior to release 3.6.1 is vulnerable to attacks leveraging Log4Shell.
             This can be leveraged to conduct remote code execution with only SMTP access.</p>
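Review bot: the new subsection name `CVE-2021-44228: STARTTLS command injection in Apache JAMES` collides with the existing `CVE-2021-44228: Log4Shell` subsection that directly follows it, so two unrelated vulnerabilities are now filed under one identifier on the same page. The blog post hunk in this commit uses CVE-2022-28220 for the STARTTLS issue, and that is what this subsection name should carry. The second paragraph repeats the grammar problems of the adoc copy (`The fix for CVE-2021-38542, which solved a similar problem in Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account.`); since the text is duplicated verbatim across both files, fix it in both.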


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org