Posted to commits@karaf.apache.org by jb...@apache.org on 2022/02/20 07:03:26 UTC
svn commit: r1898246 - in /karaf/site/production: ./ target/ target/site-4.3.0.RC1/ target/site-4.3.0.RC1/security/
Author: jbonofre
Date: Sun Feb 20 07:03:26 2022
New Revision: 1898246
URL: http://svn.apache.org/viewvc?rev=1898246&view=rev
Log:
[scm-publish] Updating main website contents
Added:
karaf/site/production/target/site-4.3.0.RC1/security/cve-2021-41766.txt
karaf/site/production/target/site-4.3.0.RC1/security/cve-2022-22932.txt
Modified:
karaf/site/production/download.html
karaf/site/production/feed.xml
karaf/site/production/index.html
karaf/site/production/news.html
karaf/site/production/target/site-4.3.0.RC1.war
karaf/site/production/target/site-4.3.0.RC1/documentation.html
karaf/site/production/target/site-4.3.0.RC1/download.html
karaf/site/production/target/site-4.3.0.RC1/feed.xml
karaf/site/production/target/site-4.3.0.RC1/index.html
karaf/site/production/target/site-4.3.0.RC1/news.html
Modified: karaf/site/production/download.html
URL: http://svn.apache.org/viewvc/karaf/site/production/download.html?rev=1898246&r1=1898245&r2=1898246&view=diff
==============================================================================
--- karaf/site/production/download.html (original)
+++ karaf/site/production/download.html Sun Feb 20 07:03:26 2022
@@ -215,23 +215,23 @@
<div class="card flex-md-row mb-4 box-shadow h-md-250">
<div class="card-body d-flex flex-column align-items-start">
<strong class="d-inline-block mb-2 text-success"><i class="fas fa-circle"></i> Latest release</strong>
- <h3 class="mb-0 text-dark">Karaf Decanter <span class="text-muted">2.8.0</span></h3>
- <div class="mb-1 text-muted">September 16, 2021</div>
+ <h3 class="mb-0 text-dark">Karaf Decanter <span class="text-muted">2.9.0</span></h3>
+ <div class="mb-1 text-muted">February 20, 2022</div>
<p class="card-text mb-auto">
Installation Instructions:
<a href="#decanter-installation">installation</a>
</p>
<p class="card-text mb-auto">
Source Distribution :
- <a href="http://www.apache.org/dyn/closer.lua/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.tar.gz">tar.gz</a>
- [<a href="https://www.apache.org/dist/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.tar.gz.asc">PGP</a>]
- [<a href="https://www.apache.org/dist/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.tar.gz.sha512">SHA512</a>]
+ <a href="http://www.apache.org/dyn/closer.lua/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.tar.gz">tar.gz</a>
+ [<a href="https://www.apache.org/dist/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.tar.gz.asc">PGP</a>]
+ [<a href="https://www.apache.org/dist/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.tar.gz.sha512">SHA512</a>]
-
- <a href="http://www.apache.org/dyn/closer.lua/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.zip">zip</a>
- [<a href="https://www.apache.org/dist/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.zip.asc">PGP</a>]
- [<a href="https://www.apache.org/dist/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.zip.sha512">SHA512</a>]
+ <a href="http://www.apache.org/dyn/closer.lua/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.zip">zip</a>
+ [<a href="https://www.apache.org/dist/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.zip.asc">PGP</a>]
+ [<a href="https://www.apache.org/dist/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.zip.sha512">SHA512</a>]
</p>
- <a class="btn btn-outline-dark mt-3" href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12349716" role="button" target="_blank">Release note »</a>
+ <a class="btn btn-outline-dark mt-3" href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350585" role="button" target="_blank">Release note »</a>
</div>
</div>
</div>
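Review bot: The tar.gz and zip artifact links on the new side (the two `closer.lua` anchors) still use plain `http://` while the adjacent PGP and SHA512 links use `https://`, so a user following the download link is redirected to a mirror over an unauthenticated channel and the verification links only help if the user actually checks the signature or digest; change both to `https://www.apache.org/dyn/closer.lua/karaf/decanter/2.9.0/...`. The `Release note »` anchor opens a new tab via `target="_blank"` without `rel="noopener noreferrer"`, which older browsers need to keep the opened page from reaching `window.opener`; add `rel="noopener noreferrer"` to that `<a>`. Since the commit log says this is an scm-publish deploy, the page is presumably generated and the fix belongs in the site's source template rather than here. The identical hunk in target/site-4.3.0.RC1/download.html has the same two issues.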
@@ -638,9 +638,9 @@
<td>2.0.x</td>
<td>4.x</td>
<td class="text-success">Stable</td>
- <td>2.8.0</td>
<td>2.9.0</td>
- <td>Feb 22</td>
+ <td>2.10.0</td>
+ <td>Aug 22</td>
</tr>
</tbody>
</table>
Modified: karaf/site/production/feed.xml
URL: http://svn.apache.org/viewvc/karaf/site/production/feed.xml?rev=1898246&r1=1898245&r2=1898246&view=diff
==============================================================================
--- karaf/site/production/feed.xml (original)
+++ karaf/site/production/feed.xml Sun Feb 20 07:03:26 2022
@@ -1 +1 @@
-<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.0.1">Jekyll</generator><link href="https://karaf.apache.org/feed.xml" rel="self" type="application/atom+xml" /><link href="https://karaf.apache.org/" rel="alternate" type="text/html" /><updated>2022-01-25T14:17:54+01:00</updated><id>https://karaf.apache.org/feed.xml</id><title type="html">Apache Karaf - The modulith runtime</title><subtitle>Karaf provides modulith runtime for the enterprise, running on premise or on cloud. Focus on your business code and applications, Apache Karaf deals with the rest.</subtitle></feed>
\ No newline at end of file
+<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.0.1">Jekyll</generator><link href="https://karaf.apache.org/feed.xml" rel="self" type="application/atom+xml" /><link href="https://karaf.apache.org/" rel="alternate" type="text/html" /><updated>2022-02-20T07:50:02+01:00</updated><id>https://karaf.apache.org/feed.xml</id><title type="html">Apache Karaf - The modulith runtime</title><subtitle>Karaf provides modulith runtime for the enterprise, running on premise or on cloud. Focus on your business code and applications, Apache Karaf deals with the rest.</subtitle></feed>
\ No newline at end of file
Modified: karaf/site/production/index.html
URL: http://svn.apache.org/viewvc/karaf/site/production/index.html?rev=1898246&r1=1898245&r2=1898246&view=diff
==============================================================================
--- karaf/site/production/index.html (original)
+++ karaf/site/production/index.html Sun Feb 20 07:03:26 2022
@@ -138,6 +138,13 @@
<div class="carousel-item active">
<div class="container">
<div class="carousel-caption">
+ <p><strong>Karaf Decanter 2.9.0 has been released! (20/2/22)</strong> - This is a new release for Karaf Decanter 2.x series. It contains bunch of dependency updates and couple of improvements. (<a href="/news.html">Details</a>)</p>
+ </div>
+ </div>
+ </div>
+ <div class="carousel-item">
+ <div class="container">
+ <div class="carousel-caption">
<p><strong>Karaf 4.3.6 has been released! (14/1/22)</strong> - This is a new release for Karaf 4.3.x series. It contains updates, new features and fixes, including log4j 2.17.1 update fixing CVE-2021-44832, Felix FileInstall 3.7.4. (<a href="/news.html">Details</a>)</p>
</div>
</div>
@@ -191,13 +198,6 @@
</div>
</div>
</div>
- <div class="carousel-item">
- <div class="container">
- <div class="carousel-caption">
- <p><strong>Karaf 4.3.1 has been released! (02/04/21)</strong> - This is a new release for Karaf 4.3.x series. It contains updates, new features and fixes. (<a href="/news.html">Details</a>)</p>
- </div>
- </div>
- </div>
</div>
</div>
@@ -340,7 +340,7 @@
<div class="col-md-7 order-md-2">
<h2 class="featurette-heading">Monitoring, alerting, and BAM with <span class="text-muted">Karaf Decanter.</span></h2>
<p class="lead">You need a monitoring solution for Karaf and related ? You need a BAM (Business Activity Monitoring) platform for your application ? Karaf Decanter can be very convenient for you ! Decanter provides ready to use monitoring solution. It's also completely extensible and customizable.</p>
- <p>Last version <strong>2.8.0</strong> - (16/9/21)</p>
+ <p>Last version <strong>2.9.0</strong> - (20/2/22)</p>
<p><a class="btn btn-primary" href="/projects.html" role="button">Learn more »</a></p>
</div>
<div class="col-md-5 order-md-1">
Modified: karaf/site/production/news.html
URL: http://svn.apache.org/viewvc/karaf/site/production/news.html?rev=1898246&r1=1898245&r2=1898246&view=diff
==============================================================================
--- karaf/site/production/news.html (original)
+++ karaf/site/production/news.html Sun Feb 20 07:03:26 2022
@@ -159,6 +159,18 @@
<h2 class="pb-3 mb-4 font-italic border-bottom"><i class="fas fa-bullhorn"></i> Fresh news</h2>
<div class="pb-4 mb-3 border-bottom">
+ <h3 class="text-dark">Karaf Decanter 2.9.0 has been released! <span class="text-muted">February 20, 2022</span></h3>
+ <p>Apache Karaf Decanter 2.9.0 is a major release on the 2.x series. It provides:
+ <ul>
+ <li>bunch of dependency updates</li>
+ <li>new property in the log collector to include selected loggers</li>
+ <li>make the inclusion of Camel history configurable in the Camel collector</li>
+ </ul>
+ <a class="btn btn-outline-primary" href="download.html">Download »</a>
+ <a class="btn btn-outline-primary" href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350585" target="_blank">Release Notes »</a>
+ </div><!-- /.blog-post -->
+
+ <div class="pb-4 mb-3 border-bottom">
<h3 class="text-dark">Karaf runtime 4.3.6 has been released! <span class="text-muted">January 14, 2022</span></h3>
<p>Apache Karaf runtime 4.3.6 is a release on the 4.3.x series. It provides updates, fixes, improvements, especially:
<ul>
Modified: karaf/site/production/target/site-4.3.0.RC1.war
URL: http://svn.apache.org/viewvc/karaf/site/production/target/site-4.3.0.RC1.war?rev=1898246&r1=1898245&r2=1898246&view=diff
==============================================================================
Binary files - no diff available.
Modified: karaf/site/production/target/site-4.3.0.RC1/documentation.html
URL: http://svn.apache.org/viewvc/karaf/site/production/target/site-4.3.0.RC1/documentation.html?rev=1898246&r1=1898245&r2=1898246&view=diff
==============================================================================
--- karaf/site/production/target/site-4.3.0.RC1/documentation.html (original)
+++ karaf/site/production/target/site-4.3.0.RC1/documentation.html Sun Feb 20 07:03:26 2022
@@ -465,6 +465,14 @@
<p>CVE-2020-11980: A remote client could create MBeans from arbitrary URLs.</p>
<a class="btn btn-outline-primary" href="/security/cve-2020-11980.txt">Notes »</a>
</div>
+ <div class="pb-4 mb-3">
+ <p>CVE-2021-41766: Insecure Java Deserialization.</p>
+ <a class="btn btn-outline-primary" href="/security/cve-2021-41766.txt">Notes »</a>
+ </div>
+ <div class="pb-4 mb-3">
+ <p>CVE-2022-22932: Path traversal flaws</p>
+ <a class="btn btn-outline-primary" href="/security/cve-2022-22932.txt">Notes »</a>
+ </div>
</div><!-- /.blog-main -->
</div>
Modified: karaf/site/production/target/site-4.3.0.RC1/download.html
URL: http://svn.apache.org/viewvc/karaf/site/production/target/site-4.3.0.RC1/download.html?rev=1898246&r1=1898245&r2=1898246&view=diff
==============================================================================
--- karaf/site/production/target/site-4.3.0.RC1/download.html (original)
+++ karaf/site/production/target/site-4.3.0.RC1/download.html Sun Feb 20 07:03:26 2022
@@ -215,23 +215,23 @@
<div class="card flex-md-row mb-4 box-shadow h-md-250">
<div class="card-body d-flex flex-column align-items-start">
<strong class="d-inline-block mb-2 text-success"><i class="fas fa-circle"></i> Latest release</strong>
- <h3 class="mb-0 text-dark">Karaf Decanter <span class="text-muted">2.8.0</span></h3>
- <div class="mb-1 text-muted">September 16, 2021</div>
+ <h3 class="mb-0 text-dark">Karaf Decanter <span class="text-muted">2.9.0</span></h3>
+ <div class="mb-1 text-muted">February 20, 2022</div>
<p class="card-text mb-auto">
Installation Instructions:
<a href="#decanter-installation">installation</a>
</p>
<p class="card-text mb-auto">
Source Distribution :
- <a href="http://www.apache.org/dyn/closer.lua/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.tar.gz">tar.gz</a>
- [<a href="https://www.apache.org/dist/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.tar.gz.asc">PGP</a>]
- [<a href="https://www.apache.org/dist/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.tar.gz.sha512">SHA512</a>]
+ <a href="http://www.apache.org/dyn/closer.lua/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.tar.gz">tar.gz</a>
+ [<a href="https://www.apache.org/dist/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.tar.gz.asc">PGP</a>]
+ [<a href="https://www.apache.org/dist/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.tar.gz.sha512">SHA512</a>]
-
- <a href="http://www.apache.org/dyn/closer.lua/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.zip">zip</a>
- [<a href="https://www.apache.org/dist/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.zip.asc">PGP</a>]
- [<a href="https://www.apache.org/dist/karaf/decanter/2.8.0/apache-karaf-decanter-2.8.0-src.zip.sha512">SHA512</a>]
+ <a href="http://www.apache.org/dyn/closer.lua/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.zip">zip</a>
+ [<a href="https://www.apache.org/dist/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.zip.asc">PGP</a>]
+ [<a href="https://www.apache.org/dist/karaf/decanter/2.9.0/apache-karaf-decanter-2.9.0-src.zip.sha512">SHA512</a>]
</p>
- <a class="btn btn-outline-dark mt-3" href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12349716" role="button" target="_blank">Release note »</a>
+ <a class="btn btn-outline-dark mt-3" href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350585" role="button" target="_blank">Release note »</a>
</div>
</div>
</div>
@@ -310,7 +310,7 @@
<td>Pax Logging 1.1.12/log4j 2.17.0/logback 1.2.9</td>
<td>Pax Web 7.2.29/Jetty 9.4.43.v20210629</td>
<td class="text-success">Stable</td>
- <td>4.2.14</td>
+ <td>4.2.15</td>
<td>4.2.16</td>
<td>Mar 22</td>
</tr>
@@ -638,9 +638,9 @@
<td>2.0.x</td>
<td>4.x</td>
<td class="text-success">Stable</td>
- <td>2.8.0</td>
<td>2.9.0</td>
- <td>Feb 22</td>
+ <td>2.10.0</td>
+ <td>Aug 22</td>
</tr>
</tbody>
</table>
Modified: karaf/site/production/target/site-4.3.0.RC1/feed.xml
URL: http://svn.apache.org/viewvc/karaf/site/production/target/site-4.3.0.RC1/feed.xml?rev=1898246&r1=1898245&r2=1898246&view=diff
==============================================================================
--- karaf/site/production/target/site-4.3.0.RC1/feed.xml (original)
+++ karaf/site/production/target/site-4.3.0.RC1/feed.xml Sun Feb 20 07:03:26 2022
@@ -1 +1 @@
-<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.0.1">Jekyll</generator><link href="https://karaf.apache.org/feed.xml" rel="self" type="application/atom+xml" /><link href="https://karaf.apache.org/" rel="alternate" type="text/html" /><updated>2022-01-14T13:54:35+01:00</updated><id>https://karaf.apache.org/feed.xml</id><title type="html">Apache Karaf - The modulith runtime</title><subtitle>Karaf provides modulith runtime for the enterprise, running on premise or on cloud. Focus on your business code and applications, Apache Karaf deals with the rest.</subtitle></feed>
\ No newline at end of file
+<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.0.1">Jekyll</generator><link href="https://karaf.apache.org/feed.xml" rel="self" type="application/atom+xml" /><link href="https://karaf.apache.org/" rel="alternate" type="text/html" /><updated>2022-02-20T07:49:53+01:00</updated><id>https://karaf.apache.org/feed.xml</id><title type="html">Apache Karaf - The modulith runtime</title><subtitle>Karaf provides modulith runtime for the enterprise, running on premise or on cloud. Focus on your business code and applications, Apache Karaf deals with the rest.</subtitle></feed>
\ No newline at end of file
Modified: karaf/site/production/target/site-4.3.0.RC1/index.html
URL: http://svn.apache.org/viewvc/karaf/site/production/target/site-4.3.0.RC1/index.html?rev=1898246&r1=1898245&r2=1898246&view=diff
==============================================================================
--- karaf/site/production/target/site-4.3.0.RC1/index.html (original)
+++ karaf/site/production/target/site-4.3.0.RC1/index.html Sun Feb 20 07:03:26 2022
@@ -138,6 +138,13 @@
<div class="carousel-item active">
<div class="container">
<div class="carousel-caption">
+ <p><strong>Karaf Decanter 2.9.0 has been released! (20/2/22)</strong> - This is a new release for Karaf Decanter 2.x series. It contains bunch of dependency updates and couple of improvements. (<a href="/news.html">Details</a>)</p>
+ </div>
+ </div>
+ </div>
+ <div class="carousel-item">
+ <div class="container">
+ <div class="carousel-caption">
<p><strong>Karaf 4.3.6 has been released! (14/1/22)</strong> - This is a new release for Karaf 4.3.x series. It contains updates, new features and fixes, including log4j 2.17.1 update fixing CVE-2021-44832, Felix FileInstall 3.7.4. (<a href="/news.html">Details</a>)</p>
</div>
</div>
@@ -191,13 +198,6 @@
</div>
</div>
</div>
- <div class="carousel-item">
- <div class="container">
- <div class="carousel-caption">
- <p><strong>Karaf 4.3.1 has been released! (02/04/21)</strong> - This is a new release for Karaf 4.3.x series. It contains updates, new features and fixes. (<a href="/news.html">Details</a>)</p>
- </div>
- </div>
- </div>
</div>
</div>
@@ -340,7 +340,7 @@
<div class="col-md-7 order-md-2">
<h2 class="featurette-heading">Monitoring, alerting, and BAM with <span class="text-muted">Karaf Decanter.</span></h2>
<p class="lead">You need a monitoring solution for Karaf and related ? You need a BAM (Business Activity Monitoring) platform for your application ? Karaf Decanter can be very convenient for you ! Decanter provides ready to use monitoring solution. It's also completely extensible and customizable.</p>
- <p>Last version <strong>2.8.0</strong> - (16/9/21)</p>
+ <p>Last version <strong>2.9.0</strong> - (20/2/22)</p>
<p><a class="btn btn-primary" href="/projects.html" role="button">Learn more »</a></p>
</div>
<div class="col-md-5 order-md-1">
Modified: karaf/site/production/target/site-4.3.0.RC1/news.html
URL: http://svn.apache.org/viewvc/karaf/site/production/target/site-4.3.0.RC1/news.html?rev=1898246&r1=1898245&r2=1898246&view=diff
==============================================================================
--- karaf/site/production/target/site-4.3.0.RC1/news.html (original)
+++ karaf/site/production/target/site-4.3.0.RC1/news.html Sun Feb 20 07:03:26 2022
@@ -159,6 +159,18 @@
<h2 class="pb-3 mb-4 font-italic border-bottom"><i class="fas fa-bullhorn"></i> Fresh news</h2>
<div class="pb-4 mb-3 border-bottom">
+ <h3 class="text-dark">Karaf Decanter 2.9.0 has been released! <span class="text-muted">February 20, 2022</span></h3>
+ <p>Apache Karaf Decanter 2.9.0 is a major release on the 2.x series. It provides:
+ <ul>
+ <li>bunch of dependency updates</li>
+ <li>new property in the log collector to include selected loggers</li>
+ <li>make the inclusion of Camel history configurable in the Camel collector</li>
+ </ul>
+ <a class="btn btn-outline-primary" href="download.html">Download »</a>
+ <a class="btn btn-outline-primary" href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350585" target="_blank">Release Notes »</a>
+ </div><!-- /.blog-post -->
+
+ <div class="pb-4 mb-3 border-bottom">
<h3 class="text-dark">Karaf runtime 4.3.6 has been released! <span class="text-muted">January 14, 2022</span></h3>
<p>Apache Karaf runtime 4.3.6 is a release on the 4.3.x series. It provides updates, fixes, improvements, especially:
<ul>
Added: karaf/site/production/target/site-4.3.0.RC1/security/cve-2021-41766.txt
URL: http://svn.apache.org/viewvc/karaf/site/production/target/site-4.3.0.RC1/security/cve-2021-41766.txt?rev=1898246&view=auto
==============================================================================
--- karaf/site/production/target/site-4.3.0.RC1/security/cve-2021-41766.txt (added)
+++ karaf/site/production/target/site-4.3.0.RC1/security/cve-2021-41766.txt Sun Feb 20 07:03:26 2022
@@ -0,0 +1,58 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2021-41766: Insecure Java Deserialization in Apache Karaf
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.3.6
+
+Description:
+
+Apache Karaf allows monitoring of applications and the Java runtime by
+using the Java Management Extensions (JMX).
+JMX is a Java RMI based technology that relies on Java serialized
+objects for client server communication.
+Whereas the default JMX implementation is hardened against
+unauthenticated deserialization attacks, the implementation
+used by Apache Karaf is not protected against this kind of attack.
+
+The impact of Java deserialization vulnerabilities strongly depends
+on the classes that are available within the targets
+class path.
+Generally speaking, deserialization of untrusted data does always
+represent a high security risk and should be prevented.
+
+The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path.
+It depends of system scoped classes (e.g. jar in the lib folder).
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=b42c82c
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=93a019c
+
+Mitigation: Apache Karaf users should upgrade to 4.3.6
+or later as soon as possible, or disable remote access to JMX server.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7312
+
+Credit: This issue was reported by Daniel Heyne, Konstantin Samuel and Tobias
+Neitzel
+-----BEGIN PGP SIGNATURE-----
+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+=kBXw
+-----END PGP SIGNATURE-----
Added: karaf/site/production/target/site-4.3.0.RC1/security/cve-2022-22932.txt
URL: http://svn.apache.org/viewvc/karaf/site/production/target/site-4.3.0.RC1/security/cve-2022-22932.txt?rev=1898246&view=auto
==============================================================================
--- karaf/site/production/target/site-4.3.0.RC1/security/cve-2022-22932.txt (added)
+++ karaf/site/production/target/site-4.3.0.RC1/security/cve-2022-22932.txt Sun Feb 20 07:03:26 2022
@@ -0,0 +1,45 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2022-22932: Path traversal flaws
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.2.15 or 4.3.6
+
+Description:
+
+Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial
+path traversal which allows to break out of expected folder.
+
+The risk is low as obr:* commands are not very used and the entry is set by user.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf
+
+Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6
+or later as soon as possible, or use correct path.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326
+
+Credit: This issue was discovered and reported by GHSL team member Jaroslav Lobacevski.
+-----BEGIN PGP SIGNATURE-----
+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+=gTgN
+-----END PGP SIGNATURE-----