You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by re...@apache.org on 2020/02/05 10:07:31 UTC
svn commit: r1873616 - /jackrabbit/site/live/jcr/index.html
Author: reschke
Date: Wed Feb 5 10:07:31 2020
New Revision: 1873616
URL: http://svn.apache.org/viewvc?rev=1873616&view=rev
Log:
@trivial: Site checkin for project Apache Jackrabbit Site-1.0-SNAPSHOT
Modified:
jackrabbit/site/live/jcr/index.html
Modified: jackrabbit/site/live/jcr/index.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/jcr/index.html?rev=1873616&r1=1873615&r2=1873616&view=diff
==============================================================================
--- jackrabbit/site/live/jcr/index.html (original)
+++ jackrabbit/site/live/jcr/index.html Wed Feb 5 10:07:31 2020
@@ -466,6 +466,9 @@
<h2>Apache Jackrabbit News<a name="Apache_Jackrabbit_News"></a></h2>
<div class="section">
<div class="section">
+<h4>February 5th, 2020: CVE-2020-1940: Apache Jackrabbit Oak sensitive information disclosure vulnerability (updated)<a name="February_5th_2020:_CVE-2020-1940:_Apache_Jackrabbit_Oak_sensitive_information_disclosure_vulnerability_updated"></a></h4>
+<p>We just fixed a recently reported vulnerability in Apache Jackrabbit Oak: The optional <a class="externalLink" href="https://jackrabbit.apache.org/oak/docs/security/user/expiry.html">initial password change and password expiration features</a> are prone to a sensitive information disclosure vulnerability. The code mandates the changed password to be passed as an additional attribute to the credentials object but does not remove it upon processing during the first phase of the authentication. In combination with additional, independent authentication mechanisms, this may lead to the new password being disclosed. Mitigation: 1.12.0 - 1.22.0 should be upgraded to <a href="downloads.html#latest">1.24.0</a>. 1.10.x should be upgraded to <a href="downloads.html#oak1.10">1.10.8</a>. 1.8.x should be upgraded to <a href="downloads.html#oak1.8">1.8.20</a>. 1.6.x should be upgraded to <a href="downloads.html#oak1.6">1.6.20</a>. For older maintained and affected branches (1.2.x and 1.4.x), p
atches are available and releases will follow. See <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-8870">OAK-8870</a> for more information.</p></div>
+<div class="section">
<h4>February 5th, 2020: Apache Jackrabbit Oak 1.6.20 released<a name="February_5th_2020:_Apache_Jackrabbit_Oak_1.6.20_released"></a></h4>
<p>Jackrabbit Oak 1.6.20 is a patch release that contains fixes and improvements over the previous 1.6.x release. See the <a href="downloads.html#oak1.6">downloads</a> page for more details.</p></div>
<div class="section">