Posted to notifications@james.apache.org by bt...@apache.org on 2023/01/09 03:01:23 UTC

[james-project] branch master updated: [DOC] CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (#1378)

This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git


The following commit(s) were added to refs/heads/master by this push:
     new b5580d13d6 [DOC] CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (#1378)
b5580d13d6 is described below

commit b5580d13d6c74ecbf647127eff1a3ac1086f5493
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Mon Jan 9 10:01:17 2023 +0700

    [DOC] CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (#1378)
---
 CHANGELOG.md                                                  |  3 +--
 .../docs/modules/ROOT/pages/operate/security.adoc             | 11 ++++++++++-
 src/homepage/_posts/2022-12-30-james-3.7.3.markdown           |  2 ++
 src/site/xdoc/server/feature-security.xml                     |  7 +++++++
 4 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5caea63b68..1d4d43361f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -235,8 +235,7 @@ Multiple performance enhancements for Distributed server mailbox, IMAP, SMTP and
 
 ### Security
 
-Upcoming security announcements.
-
+ - CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES
  - [UPGRADE] commons-text 1.9 -> 1.10 (#1291)
  - JAMES-3832 RemoteDelivery will do TLS host name verification when contacting remote mail servers
  - JAMES-3860 Rely on Files.createTempFile (#1325)
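Review bot: The new CVE line and the existing `JAMES-3860 Rely on Files.createTempFile (#1325)` entry now sit in the same Security list with no cross-reference; if the JAMES-3860 change is the fix for CVE-2022-45935, say so on the CVE line (e.g. `CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES (JAMES-3860, #1325)`) so readers of the changelog can find the actual code change. Dropping the `Upcoming security announcements.` placeholder is correct now that a concrete entry exists.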
diff --git a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
index 0b5e7060c3..bdc765ef2a 100644
--- a/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
+++ b/server/apps/distributed-app/docs/modules/ROOT/pages/operate/security.adoc
@@ -104,6 +104,15 @@ outdated dependencies.
 
 We follow the standard procedures within the ASF regarding link:https://apache.org/security/committers.html#vulnerability-handling[vulnerability handling]
 
+=== CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES
+
+Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure.
+
+*Severity*: Moderate
+
+*Mitigation*: We recommend to upgrade to Apache James 3.7.3 or higher, which fixes this vulnerability.
+
+
 === CVE-2021-44228: STARTTLS command injection in Apache JAMES
 
 Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.
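Review bot: The description in the new subsection only restates the title; it does not say which component creates the temporary file or what information an unprivileged local user could read, so an operator cannot judge whether their deployment is exposed. Consider one sentence naming the affected code path and a link to the published advisory, matching the detail level of the CVE-2021-44228 entry below. Minor: `temporary File Information Disclosure` mixes capitalisation (use either `temporary file information disclosure` or the title-case form from the heading), `We recommend to upgrade` reads better as `We recommend upgrading`, and the two blank lines added before the `=== CVE-2021-44228` heading should be one.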
@@ -112,7 +121,7 @@ Fix of CVE-2021-38542, which solved similar problem from Apache James 3.6.1, is
 
 *Severity*: Moderate
 
-*Mitigation<*: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability.
+*Mitigation*: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability.
 
 === CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)
 
diff --git a/src/homepage/_posts/2022-12-30-james-3.7.3.markdown b/src/homepage/_posts/2022-12-30-james-3.7.3.markdown
index 95332f486d..5ced48c9b8 100644
--- a/src/homepage/_posts/2022-12-30-james-3.7.3.markdown
+++ b/src/homepage/_posts/2022-12-30-james-3.7.3.markdown
@@ -13,6 +13,8 @@ The Apache James PMC would like to thanks all contributors who made this release
 
 ## Announcement
 
+This release fixes CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES.
+
 This release proposes stability related bug fixes and updates some dependencies for security reasons.
 
 ## Release changelog
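Review bot: The added announcement sentence gives no link to the advisory or to the security page where the CVE is described; a `[CVE-2022-45935](...)` link to the security page touched in this same commit would let readers follow up. While touching this file, the first context line of the hunk has `would like to thanks all contributors`, which should be `would like to thank all contributors`.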
diff --git a/src/site/xdoc/server/feature-security.xml b/src/site/xdoc/server/feature-security.xml
index 07cbc9ddf9..8d0340f8ea 100644
--- a/src/site/xdoc/server/feature-security.xml
+++ b/src/site/xdoc/server/feature-security.xml
@@ -53,6 +53,13 @@
             We follow the standard procedures within the ASF regarding
             <a href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability handling</a>.
         </subsection>
+        <subsection name="CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES">
+            <p>Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure.</p>
+
+            <p><b>Severity</b>: Moderate</p>
+
+            <p><b>Mitigation</b>: We recommend to upgrade to Apache James 3.7.3 or higher, which fixes this vulnerability.</p>
+        </subsection>
         <subsection name="CVE-2021-44228: STARTTLS command injection in Apache JAMES">
             <p>Apache James distribution prior to release 3.7.3 is vulnerable to a buffering attack relying on the use of the STARTTLS command.</p>
 
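Review bot: The unchanged context line for CVE-2021-44228 in this file says `prior to release 3.7.3`, while the security.adoc hunk above states `prior to release 3.7.1` for the same CVE; one of the two is wrong, and since this commit touches both files it is the right place to align them. The new subsection has the same wording issues as its adoc twin (`temporary File Information Disclosure`, `We recommend to upgrade`), and since the xdoc and adoc pages duplicate the same content, keeping the two texts identical will make future fixes easier.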

