Posted to commits@commons.apache.org by bo...@apache.org on 2017/08/01 18:33:48 UTC
svn commit: r1803679 - in /commons/proper/email/trunk: ./ README.md
RELEASE-NOTES.txt pom.xml src/changes/changes.xml src/site/site.xml
src/site/xdoc/security-reports.xml
Author: bodewig
Date: Tue Aug 1 18:33:48 2017
New Revision: 1803679
URL: http://svn.apache.org/viewvc?rev=1803679&view=rev
Log:
prepare for next iteration
Added:
commons/proper/email/trunk/README.md
- copied unchanged from r1803511, commons/proper/email/tags/EMAIL_1_5_RC1/README.md
commons/proper/email/trunk/src/site/xdoc/security-reports.xml (with props)
Modified:
commons/proper/email/trunk/ (props changed)
commons/proper/email/trunk/RELEASE-NOTES.txt
commons/proper/email/trunk/pom.xml
commons/proper/email/trunk/src/changes/changes.xml
commons/proper/email/trunk/src/site/site.xml
Propchange: commons/proper/email/trunk/
------------------------------------------------------------------------------
svn:mergeinfo = /commons/proper/email/tags/EMAIL_1_5_RC1:1803366-1803511
Modified: commons/proper/email/trunk/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/RELEASE-NOTES.txt?rev=1803679&r1=1803678&r2=1803679&view=diff
==============================================================================
--- commons/proper/email/trunk/RELEASE-NOTES.txt (original)
+++ commons/proper/email/trunk/RELEASE-NOTES.txt Tue Aug 1 18:33:48 2017
@@ -1,4 +1,4 @@
- Commons Email Package
+ Apache Commons Email
Version 1.5
Release Notes
@@ -15,8 +15,12 @@ downloads, reports, and bug status:
http://commons.apache.org/email/
-This is a major release which adds some new features and fixes several bugs
-present in the 1.4.0 release. All current users are encouraged to upgrade.
+This is a major and security bugfix release which adds some new
+features and fixes several bugs present in the 1.4 release. All
+current users are encouraged to upgrade.
+
+For the security bugfix see
+https://commons.apache.org/proper/commons-email/security-reports.html#Fixed_in_Apache_Commons_Email_1.5
CHANGES FROM 1.4:
-----------------
@@ -55,6 +59,9 @@ Issue: EMAIL-154. Thanks to Ken Geis, Ba
* DataSourceClassPathResolver doesn't close InputStream when resolving resources
Issue: EMAIL-167. Thanks to Lucian Burja.
+* CVE-2017-9801 - stripped all line-breaks from subjects in order to
+ prevent SMTP header injection.
+
CHANGES FROM 1.3.3:
-----------------
@@ -315,4 +322,4 @@ Java 2 Enterprise Edition 1.4 users must
JavaMail and JAF indicated above are available to their applications;
the J2EE 1.4 specification only requires earlier versions.
-Earlier versions of J2EE are not supported.
\ No newline at end of file
+Earlier versions of J2EE are not supported.
Modified: commons/proper/email/trunk/pom.xml
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/pom.xml?rev=1803679&r1=1803678&r2=1803679&view=diff
==============================================================================
--- commons/proper/email/trunk/pom.xml (original)
+++ commons/proper/email/trunk/pom.xml Tue Aug 1 18:33:48 2017
@@ -24,7 +24,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.apache.commons</groupId>
<artifactId>commons-email</artifactId>
- <version>1.5-SNAPSHOT</version>
+ <version>1.6-SNAPSHOT</version>
<name>Apache Commons Email</name>
<inceptionYear>2001</inceptionYear>
@@ -41,9 +41,9 @@
</issueManagement>
<scm>
- <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/email/trunk</connection>
+ <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/email/tags/EMAIL_1_5</connection>
<developerConnection>scm:svn:https://svn.apache.org/repos/asf/commons/proper/email/trunk</developerConnection>
- <url>http://svn.apache.org/viewvc/commons/proper/email/trunk</url>
+ <url>http://svn.apache.org/viewvc/commons/proper/email/tags/EMAIL_1_5</url>
</scm>
<developers>
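Review bot: the changed connection and url lines inside scm now point at tags/EMAIL_1_5, while developerConnection still points at trunk and this is trunk's pom, bumped to 1.6-SNAPSHOT in the hunk above. This looks like a leftover from merging the release tag back. Both values should stay on .../commons/proper/email/trunk so that checkouts and the source links derived from the pom resolve to the development line rather than the frozen 1.5 tag.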
Modified: commons/proper/email/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/changes/changes.xml?rev=1803679&r1=1803678&r2=1803679&view=diff
==============================================================================
--- commons/proper/email/trunk/src/changes/changes.xml (original)
+++ commons/proper/email/trunk/src/changes/changes.xml Tue Aug 1 18:33:48 2017
@@ -22,7 +22,9 @@
</properties>
<body>
- <release version="1.5" date="2017-MM-DD">
+ <release version="1.6" date="2017-MM-DD">
+ </release>
+ <release version="1.5" date="2017-08-01">
<!-- N.B. AFAICT the date attribute is not used anywhere so no point in adding it -->
<action dev="kinow" type="fix" issue="EMAIL-172" due-to="Thomas Grainger">
Grammar error in comment
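Review bot: the N.B. comment saying the date attribute is not used now sits inside the 1.5 release, which this change gives a real date (2017-08-01), while the new empty 1.6 release carries the 2017-MM-DD placeholder. Move the comment into the 1.6 element, or drop it, so it stays next to the placeholder it explains.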
@@ -45,6 +47,10 @@
<action dev="ggregory" type="add" issue="EMAIL-154" date="2015-07-26" due-to="Ken Geis, Balachandran Sivakumar">
Add Email#getHeader(String) and Email#getHeaders() methods.
</action>
+ <action dev="ggregory" type="fix">
+ CVE-2017-9801 - stripped all line-breaks from subjects in
+ order to prevent SMTP header injection.
+ </action>
</release>
<release version="1.4" date="2015-05-23">
<action dev="tn" type="fix" issue="EMAIL-149" date="2015-03-10" due-to="Richard DiCroce">
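Review bot: the added CVE-2017-9801 action has only dev and type, with no date and no due-to, whereas the EMAIL-154 action just above it carries issue, date and due-to. For a security fix the change log is where users look for traceability, so add the date of the fix and a due-to credit if the reporter agreed to be named, and consider mentioning the security-reports page in the text so the entry leads to the affected versions.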
Modified: commons/proper/email/trunk/src/site/site.xml
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/site/site.xml?rev=1803679&r1=1803678&r2=1803679&view=diff
==============================================================================
--- commons/proper/email/trunk/src/site/site.xml (original)
+++ commons/proper/email/trunk/src/site/site.xml Tue Aug 1 18:33:48 2017
@@ -27,6 +27,7 @@
<item name="Overview" href="/index.html"/>
<item name="Download" href="http://commons.apache.org/email/download_email.cgi"/>
<item name="User guide" href="/userguide.html"/>
+ <item name="Security Reports" href="/security-reports.html"/>
<item name="Latest API docs (development)" href="/apidocs/index.html"/>
<item name="Javadoc (1.5 release)" href="/javadocs/api-release/index.html"/>
<item name="Javadoc (1.4 release)" href="/javadocs/api-1.4/index.html"/>
Added: commons/proper/email/trunk/src/site/xdoc/security-reports.xml
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/site/xdoc/security-reports.xml?rev=1803679&view=auto
==============================================================================
--- commons/proper/email/trunk/src/site/xdoc/security-reports.xml (added)
+++ commons/proper/email/trunk/src/site/xdoc/security-reports.xml Tue Aug 1 18:33:48 2017
@@ -0,0 +1,82 @@
+<?xml version="1.0"?>
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Commons Email Security Reports</title>
+ <author email="dev@commons.apache.org">Commons Documentation Team</author>
+ </properties>
+ <body>
+ <section name="General Information">
+ <p>For information about reporting or asking questions about
+ security problems, please see the <a
+ href="http://commons.apache.org/security.html">security page
+ of the Commons project</a>.</p>
+ </section>
+
+ <section name="Apache Commons Email Security Vulnerabilities">
+ <p>This page lists all security vulnerabilities fixed in
+ released versions of Apache Commons Email. Each
+ vulnerability is given a security impact rating by the
+ development team - please note that this rating may vary from
+ platform to platform. We also list the versions of Commons
+ Email the flaw is known to affect, and where a flaw has not
+ been verified list the version with a question mark.</p>
+
+ <p>Please note that binary patches are never provided. If you
+ need to apply a source code patch, use the building
+ instructions for the Commons Email version that you are
+ using.</p>
+
+ <p>If you need help on building Commons Email or other help
+ on following the instructions to mitigate the known
+ vulnerabilities listed here, please send your questions to the
+ public <a href="mail-lists.html">Commons Users mailing
+ list</a>.</p>
+
+ <p>If you have encountered an unlisted security vulnerability
+ or other unexpected behaviour that has security impact, or if
+ the descriptions here are incomplete, please report them
+ privately to the Apache Security Team. Thank you.</p>
+
+ <subsection name="Fixed in Apache Commons Email 1.5">
+ <p><b>Low: SMTP header injection vulnerabilty</b> <a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9801">CVE-2017-9801</a></p>
+
+ <p>When passing text that contains line-breaks as the
+ subject of an email arbitrary SMTP headers can be added.</p>
+
+ <p>This was fixed in revisions
+ <a href="https://svn.apache.org/viewvc?view=revision&revision=1801385">1801385</a>
+ <a href="https://svn.apache.org/viewvc?view=revision&revision=1801388">1801388</a> and
+ <a href="https://svn.apache.org/viewvc?view=revision&revision=1801389">1801389</a>.</p>
+
+ <p>This was first reported to the Security Team on 27 June
+ 2017 and made public on 1 August 2017.</p>
+
+ <p>Affects: 1.0 - 1.4</p>
+
+ </subsection>
+ </section>
+
+ <section name="Errors and Ommissions">
+ <p>Please report any errors or omissions to <a
+ href="mail-lists.html">the dev mailing list</a>.</p>
+ </section>
+ </body>
+</document>
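Review bot: two spelling errors in this new file end up in rendered headings, "vulnerabilty" in the bold title of the CVE-2017-9801 entry and "Ommissions" in the name of the last section (the paragraph under it spells "omissions" correctly). Fix them before the page is published, since section names become anchors of the kind the release notes already link to. In the three viewvc hrefs the "&revision=" appears with a bare ampersand as shown here; inside an XML attribute it has to be written as &amp;revision= or the xdoc is not well-formed. A comma is also missing between the links for 1801385 and 1801388.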
Propchange: commons/proper/email/trunk/src/site/xdoc/security-reports.xml
------------------------------------------------------------------------------
svn:eol-style = native