Posted to commits@commons.apache.org by gg...@apache.org on 2022/12/03 16:37:44 UTC

[commons-net] branch master updated (d88de866 -> 78968eb3)

This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/commons-net.git


    from d88de866 Fix release date
     new 884c0959 Remove old broken links
     new deeb30e7 Add security page
     new 78968eb3 Fix subsection title

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 pom.xml                    |  2 +-
 src/site/site.xml          |  1 +
 src/site/xdoc/index.xml    | 10 ------
 src/site/xdoc/security.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 84 insertions(+), 11 deletions(-)
 create mode 100644 src/site/xdoc/security.xml


[commons-net] 03/03: Fix subsection title

Posted by gg...@apache.org.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-net.git

commit 78968eb398370af01e471205de6004e1c1256de2
Author: Gary Gregory <ga...@gmail.com>
AuthorDate: Sat Dec 3 11:32:11 2022 -0500

    Fix subsection title
---
 src/site/xdoc/security.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index 9b9e96c7..05f57280 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -43,7 +43,7 @@
             </p>
 
             <subsection
-                name="CVE-2021-37533: Apache Commons Net's FTP client trusts the host from PASV response by default: Apache Commons Net's FTP client trusts the host from PASV response by default">
+                name="CVE-2021-37533: Apache Commons Net's FTP client trusts the host from PASV response by default">
                 <p>
                     On 2022-12-03, the Apache Commons Text team disclosed
                     <a href="https://www.cve.org/CVERecord?id=CVE-2021-37533">CVE-2021-37533</a>


[commons-net] 02/03: Add security page

Posted by gg...@apache.org.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-net.git

commit deeb30e7680fa23fd1efa3b54c6daeb1260cbdc3
Author: Gary Gregory <ga...@gmail.com>
AuthorDate: Sat Dec 3 11:17:26 2022 -0500

    Add security page
---
 pom.xml                    |  2 +-
 src/site/site.xml          |  1 +
 src/site/xdoc/security.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 0b2b2be6..9ee1f198 100644
--- a/pom.xml
+++ b/pom.xml
@@ -29,7 +29,7 @@
 
     <groupId>commons-net</groupId>
     <artifactId>commons-net</artifactId>
-    <version>3.10.0-SNAPSHOT</version>
+    <version>3.9.0</version>
     <name>Apache Commons Net</name>
     <!-- N.B. the description content is deliberately not indented ! to improve the layout of the Release Notes generated 
         by mvn changes:announcement-generate -->
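Review bot: changing `<version>` from `3.10.0-SNAPSHOT` to `3.9.0` is unrelated to the commit's stated purpose ("Add security page") and gives the master branch the coordinates of an already released version; revert this hunk or move it to its own commit with an explanation, since the release version is normally managed by the release process rather than edited alongside site content.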
diff --git a/src/site/site.xml b/src/site/site.xml
index 5affdcda..c07262b4 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -32,6 +32,7 @@
       <item name="Download"               href="/download_net.cgi"/>
       <item name="Javadoc"                href="/apidocs/index.html"/>
       <item name="Javadoc Archive"        href="https://javadoc.io/doc/commons-net/commons-net/latest/index.html"/>
+      <item name="Security"               href="security.html"/>
     </menu>
     <menu name="Development">
       <item name="Coding Specifications"  href="code-standards.html"/>
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
new file mode 100644
index 00000000..9b9e96c7
--- /dev/null
+++ b/src/site/xdoc/security.xml
@@ -0,0 +1,82 @@
+<?xml version="1.0"?>
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file 
+    distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under 
+    the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may 
+    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to 
+    in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF 
+    ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under 
+    the License. -->
+<document>
+    <properties>
+        <title>Apache Commons Text Security Reports</title>
+        <author email="dev@commons.apache.org">Commons Team</author>
+    </properties>
+    <body>
+        <section name="Security Vulnerabilities">
+            <p>
+                For information about reporting or asking questions about
+                security, please see the
+                <a href="https://commons.apache.org/security.html">security page</a>
+                of the Apache Commons project.
+            </p>
+            <p>
+                This page lists all security vulnerabilities fixed in released versions of this component.
+            </p>
+
+            <p>
+                Please note that binary patches are never provided. If you need to apply a source code patch, use the
+                building instructions for the component version that you are using.
+            </p>
+
+            <p>
+                If you need help on building this component or other help on following the instructions to
+                mitigate the
+                known vulnerabilities listed here, please send your questions to the public
+                <a href="mail-lists.html">user mailing list</a>
+                .
+            </p>
+
+            <p>
+                If you have encountered an unlisted security vulnerability or other unexpected behavior that has security
+                impact, or if the descriptions here are incomplete, please report them privately to the Apache Security
+                Team. Thank you.
+            </p>
+
+            <subsection
+                name="CVE-2021-37533: Apache Commons Net's FTP client trusts the host from PASV response by default: Apache Commons Net's FTP client trusts the host from PASV response by default">
+                <p>
+                    On 2022-12-03, the Apache Commons Text team disclosed
+                    <a href="https://www.cve.org/CVERecord?id=CVE-2021-37533">CVE-2021-37533</a>
+                </p>
+                <p>
+                    Severity: low
+                </p>
+                <p>
+                    Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A
+                    malicious server can redirect the Commons Net code to use a different host, but the user has to
+                    connect to the malicious server in the first place. This may lead to leakage of information about
+                    services running on the private network of the client.
+                    The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See
+                    <a href="https://issues.apache.org/jira/browse/NET-711">NET-711</a>.
+                </p>
+                <p>
+                Credit: Apache Commons would like to thank ZeddYu Lu for reporting this issue.
+               </p>
+                <p>
+                    References:
+                    <ul>
+                        <li>
+                            <a href="https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7">Announcement on dev@commons.apache.org</a>
+                        </li>
+                        <li>
+                            <a href="https://www.openwall.com/lists/oss-security/2022/12/03/1">Announcement on oss-security</a>
+                        </li>
+                        <li>
+                            <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37533">Advisory on cve.org</a>
+                        </li>
+                    </ul>
+                </p>
+            </subsection>
+        </section>
+    </body>
+</document>
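Review bot: several copy/paste leftovers from the Commons Text security page need fixing before this goes live: the `<title>` reads "Apache Commons Text Security Reports" and the CVE paragraph says "the Apache Commons Text team disclosed", both of which should say Commons Net, and the subsection `name` repeats the CVE title twice. Structurally, the References block nests a `<ul>` inside a `<p>`, which is not valid xdoc/XHTML; close the `<p>` after "References:" and make the list a sibling element. The third reference is labelled "Advisory on cve.org" but links to cve.mitre.org while the paragraph above links www.cve.org, so use one host consistently. The sentence "The default in version 3.9.0 is now false to ignore such hosts" names no setting; spell out which FTPClient option now defaults to false so users of older versions know what to set. Minor: the lone "." after the "user mailing list" link renders as "user mailing list ." with a stray space; keep it on the same line as the closing `</a>`.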


[commons-net] 01/03: Remove old broken links

Posted by gg...@apache.org.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-net.git

commit 884c09595e91c90a843bf6aab01a9f61b33d57e8
Author: Gary Gregory <ga...@gmail.com>
AuthorDate: Sat Dec 3 11:17:13 2022 -0500

    Remove old broken links
---
 src/site/xdoc/index.xml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index be82bcdd..4b28dd30 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -208,16 +208,6 @@
        </subsection>
 
    </section>
-   <section name="Further Information">
-       <p>
-           For more info, see the Javadoc, or look at some of the following articles:
-           <ul>
-               <li><a href="http://www.informit.com/guides/content.asp?g=java&amp;seqNum=40">http://www.informit.com/guides/content.asp?g=java&amp;seqNum=40</a>Jakarta Commons - Net Class Library</li>
-               <li><a href="http://www.onjava.com/pub/a/onjava/2003/06/25/commons.html?page=3">http://www.onjava.com/pub/a/onjava/2003/06/25/commons.html?page=3</a>Using the Jakarta Commons, Part 1</li>
-               <li><a href="http://safari.phptr.com/0131478303/ch04">http://safari.phptr.com/0131478303/ch04</a>Apache Jakarta Commons: Reusable Java Components</li>
-           </ul>
-       </p>
-   </section>
 </body>
 </document>