Posted to notifications@james.apache.org by bt...@apache.org on 2023/01/09 03:01:23 UTC
[james-project] branch master updated: [DOC] CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (#1378)
This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push:
new b5580d13d6 [DOC] CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (#1378)
b5580d13d6 is described below
commit b5580d13d6c74ecbf647127eff1a3ac1086f5493
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Mon Jan 9 10:01:17 2023 +0700
[DOC] CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (#1378)
---
CHANGELOG.md | 3 +--
.../docs/modules/ROOT/pages/operate/security.adoc | 11 ++++++++++-
src/homepage/_posts/2022-12-30-james-3.7.3.markdown | 2 ++
src/site/xdoc/server/feature-security.xml | 7 +++++++
4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5caea63b68..1d4d43361f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -235,8 +235,7 @@ Multiple performance enhancements for Distributed server mailbox, IMAP, SMTP and
### Security
-Upcoming security announcements.
-
+ - CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES
- [UPGRADE] commons-text 1.9 -> 1.10 (#1291)
- JAMES-3832 RemoteDelivery will do TLS host name verification when contacting remote mail servers
- JAMES-3860 Rely on Files.createTempFile (#1325)
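Review bot: the new `+ - CVE-2022-45935: ...` entry is indented one space while the neighbouring entries (`- [UPGRADE] commons-text 1.9 -> 1.10 (#1291)`, `- JAMES-3832 ...`) start at column 0; drop the leading space so the list renders consistently. The entry also gives only the CVE title, whereas every other Security entry carries its ticket or PR number, so a changelog reader cannot tell which change fixed the issue or which versions are affected. Consider `- CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (fixed in 3.7.3)` and, if `JAMES-3860 Rely on Files.createTempFile (#1325)` two lines below is the fix, say so on that line.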
diff --git a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
index 0b5e7060c3..bdc765ef2a 100644
--- a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
+++ b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
@@ -104,6 +104,15 @@ outdated dependencies.
We follow the standard procedures within the ASF regarding link:https://apache.org/security/committers.html#vulnerability-handling[vulnerability handling]
+=== CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES
+
+Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure.
+
+*Severity*: Moderate
+
+*Mitigation*: We recommend to upgrade to Apache James 3.7.3 or higher, which fixes this vulnerability.
+
+
=== CVE-2021-44228: STARTTLS command injection in Apache JAMES
Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.
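Review bot: the new section states that versions prior to 3.7.3 are "vulnerable to a temporary File Information Disclosure" but says nothing about what is disclosed, where the temporary files are created, or who can read them, so an operator cannot assess exposure or apply interim hardening (for example tightening permissions on the temp directory) before upgrading; add a sentence naming the affected component and the conditions, plus a link to the published advisory. Capitalisation inside the sentence is also inconsistent ("temporary File Information Disclosure"). The two blank lines before `=== CVE-2021-44228` should be one, matching the spacing between the other sections. While in this file, the unchanged heading `=== CVE-2021-44228: STARTTLS command injection in Apache JAMES` is worth checking against the advisory it describes, since CVE-2021-44228 is the identifier widely known for the Log4j vulnerability.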
@@ -112,7 +121,7 @@ Fix of CVE-2021-38542, which solved similar problem from Apache James 3.6.1, is
*Severity*: Moderate
-*Mitigation<*: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability.
+*Mitigation*: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability.
=== CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)
diff --git a/src/homepage/_posts/2022-12-30-james-3.7.3.markdown b/src/homepage/_posts/2022-12-30-james-3.7.3.markdown
index 95332f486d..5ced48c9b8 100644
--- a/src/homepage/_posts/2022-12-30-james-3.7.3.markdown
+++ b/src/homepage/_posts/2022-12-30-james-3.7.3.markdown
@@ -13,6 +13,8 @@ The Apache James PMC would like to thanks all contributors who made this release
## Announcement
+This release fixes CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES.
+
This release proposes stability related bug fixes and updates some dependencies for security reasons.
## Release changelog
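Review bot: the inserted `This release fixes CVE-2022-45935: ...` is immediately followed by the existing `This release proposes stability related bug fixes ...`, so two consecutive sentences open with "This release"; fold them into one paragraph and carry over the upgrade recommendation from the security pages, since the announcement post is what most operators will actually read. The unchanged context line `would like to thanks all contributors` could be corrected to "thank" in the same pass.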
diff --git a/src/site/xdoc/server/feature-security.xml b/src/site/xdoc/server/feature-security.xml
index 07cbc9ddf9..8d0340f8ea 100644
--- a/src/site/xdoc/server/feature-security.xml
+++ b/src/site/xdoc/server/feature-security.xml
@@ -53,6 +53,13 @@
We follow the standard procedures within the ASF regarding
<a href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability handling</a>.
</subsection>
+ <subsection name="CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES">
+ <p>Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure.</p>
+
+ <p><b>Severity</b>: Moderate</p>
+
+ <p><b>Mitigation</b>: We recommend to upgrade to Apache James 3.7.3 or higher, which fixes this vulnerability.</p>
+ </subsection>
<subsection name="CVE-2021-44228: STARTTLS command injection in Apache JAMES">
<p>Apache James distribution prior to release 3.7.3 is vulnerable to a buffering attack relying on the use of the STARTTLS command.</p>
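Review bot: the unchanged context line under `CVE-2021-44228: STARTTLS command injection` in this file reads `prior to release 3.7.3`, whereas the same entry in security.adoc earlier in this patch reads `prior to release 3.7.1`; the two published pages now contradict each other on the affected range, and since both files are touched here, reconcile them to the correct version. The new `<subsection>` mirrors the adoc text verbatim, including the unexplained "temporary File Information Disclosure" wording, so the same request applies: a short description of what is disclosed and a link to the advisory.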
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org
For additional commands, e-mail: notifications-help@james.apache.org