Posted to notifications@commons.apache.org by gg...@apache.org on 2022/10/19 18:22:16 UTC

svn commit: r1081162 [18/44] - in /websites/production/commons/content/proper/commons-configuration: ./ apidocs/ apidocs/org/apache/commons/configuration2/ apidocs/org/apache/commons/configuration2/beanutils/ apidocs/org/apache/commons/configuration2/b...

Modified: websites/production/commons/content/proper/commons-configuration/scm.html
==============================================================================
--- websites/production/commons/content/proper/commons-configuration/scm.html (original)
+++ websites/production/commons/content/proper/commons-configuration/scm.html Wed Oct 19 18:22:03 2022
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 30 June 2022
+ | Generated by Apache Maven Doxia at 19 October 2022
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="iso-8859-1" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-                    <meta name="Date-Revision-yyyymmdd" content="20220630" />
+                    <meta name="Date-Revision-yyyymmdd" content="20221019" />
             <meta http-equiv="Content-Language" content="en" />
         <title>Commons Configuration &#x2013; Source Code Management</title>
 
@@ -40,7 +40,7 @@
           <a class="brand" href="https://commons.apache.org/proper/commons-configuration/">Apache Commons Configuration &trade;</a>
           <ul class="nav">      
                     
-          <li id="publishDate">Last Published: 30 June 2022</li>
+          <li id="publishDate">Last Published: 19 October 2022</li>
     <li class="divider">|</li> <li id="projectVersion">Version: 2.8.0</li>
   </ul>
           <div class="pull-right">  <ul class="nav">
@@ -78,6 +78,10 @@
     Download</a>
           </li>
                              <li class="none">
+                  <a href="security.html" title="Security">
+    Security</a>
+          </li>
+                             <li class="none">
                   <a href="issue-tracking.html" title="Issue Tracking">
     Issue Tracking</a>
           </li>
@@ -286,4 +290,4 @@
                   </div>
   </body>
 
-</html>
+</html>
\ No newline at end of file

Added: websites/production/commons/content/proper/commons-configuration/security.html
==============================================================================
--- websites/production/commons/content/proper/commons-configuration/security.html (added)
+++ websites/production/commons/content/proper/commons-configuration/security.html Wed Oct 19 18:22:03 2022
@@ -0,0 +1,356 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 19 October 2022
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="iso-8859-1" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+            <meta name="author" content="Commons Team" />
+                <meta name="Date-Revision-yyyymmdd" content="20221019" />
+            <meta http-equiv="Content-Language" content="en" />
+        <title>Commons Configuration &#x2013; Apache Commons Configuration Security Reports</title>
+
+    <link rel="stylesheet" href="./css/bootstrap.min.css" type="text/css" />
+    <link rel="stylesheet" href="./css/site.css" type="text/css" />
+    <link rel="stylesheet" href="./css/print.css" media="print" />
+
+    <script type="text/javascript" src="./js/jquery.min.js"></script>
+    <script type="text/javascript" src="./js/bootstrap.min.js"></script>
+    <script type="text/javascript" src="./js/prettify.min.js"></script>
+    <script type="text/javascript" src="./js/site.js"></script>
+
+    
+      </head>
+
+  <body class="composite">
+                      <a href="https://commons.apache.org/" id="bannerLeft" title="Apache Commons logo">
+                                                                    <img class="logo-left" src="      ./images/commons-logo.png
+"  alt="Apache Commons logo"/>
+              </a>
+                                          <a href="index.html" id="bannerRight">
+                                                                          <img class="logo-right" src="    images/logo.png
+"  alt="Commons Configuration"/>
+              </a>
+          <div class="clear"></div>
+
+    <div class="navbar">
+      <div class="navbar-inner">
+        <div class="container-fluid">
+          <a class="brand" href="https://commons.apache.org/proper/commons-configuration/">Apache Commons Configuration &trade;</a>
+          <ul class="nav">      
+                    
+          <li id="publishDate">Last Published: 19 October 2022</li>
+    <li class="divider">|</li> <li id="projectVersion">Version: 2.8.0</li>
+  </ul>
+          <div class="pull-right">  <ul class="nav">
+            <li>
+                  <a href="https://www.apachecon.com/" class="externalLink" title="ApacheCon">
+    ApacheCon</a>
+      </li>
+          <li>
+                  <a href="https://www.apache.org" class="externalLink" title="Apache">
+    Apache</a>
+      </li>
+          <li>
+                  <a href="../../" title="Commons">
+    Commons</a>
+      </li>
+    </ul>
+</div>
+        </div>
+      </div>
+    </div>
+
+    <div class="container-fluid">
+      <table class="layout-table">
+        <tr>
+          <td class="sidebar">
+            <div class="well sidebar-nav">
+                    <ul class="nav nav-list">
+                           <li class="nav-header">Configuration</li>
+                                        <li class="none">
+                  <a href="index.html" title="Overview">
+    Overview</a>
+          </li>
+                             <li class="none">
+                  <a href="../../configuration/download_configuration.cgi" title="Download">
+    Download</a>
+          </li>
+                               <li class="none active">
+                  <a href="security.html" title="Security">
+    Security</a>
+          </li>
+                             <li class="none">
+                  <a href="issue-tracking.html" title="Issue Tracking">
+    Issue Tracking</a>
+          </li>
+                 </ul>
+      <ul class="nav nav-list">
+                           <li class="nav-header">Documentation</li>
+                                        <li class="none">
+                  <a href="building.html" title="Building">
+    Building</a>
+          </li>
+                             <li class="none">
+                  <a href="changes-report.html" title="Release History">
+    Release History</a>
+          </li>
+                                                                                                                                                       <li class="collapsed">
+                  <a href="index.html" title="2.8.0">
+    2.8.0</a>
+                    </li>
+                                                                                                                   <li class="collapsed">
+                  <a href="index.html" title="1.10">
+    1.10</a>
+                    </li>
+                 </ul>
+      <ul class="nav nav-list">
+                                 <li class="nav-header"><i class="icon-info-sign"></i>Project Documentation</li>
+                                                                                                                                                                                                                                                                              <li class="collapsed">
+                  <a href="project-info.html" title="Project Information">
+    Project Information</a>
+                    </li>
+                                                                                                                                                                                                                                                                                     <li class="collapsed">
+                  <a href="project-reports.html" title="Project Reports">
+    Project Reports</a>
+                    </li>
+                 </ul>
+      <ul class="nav nav-list">
+                           <li class="nav-header">Commons</li>
+                                        <li class="none">
+                  <a href="../../" title="Home">
+    Home</a>
+          </li>
+                             <li class="none">
+                  <a href="https://www.apache.org/licenses/" class="externalLink" title="License">
+    License</a>
+          </li>
+                                                                               <li class="collapsed">
+                  <a href="../../components.html" title="Components">
+    Components</a>
+                    </li>
+                                                                               <li class="collapsed">
+                  <a href="../../sandbox/index.html" title="Sandbox">
+    Sandbox</a>
+                    </li>
+                                                                               <li class="collapsed">
+                  <a href="../../dormant/index.html" title="Dormant">
+    Dormant</a>
+                    </li>
+                 </ul>
+      <ul class="nav nav-list">
+                           <li class="nav-header">General Information</li>
+                                        <li class="none">
+                  <a href="../../security.html" title="Security">
+    Security</a>
+          </li>
+                             <li class="none">
+                  <a href="../../volunteering.html" title="Volunteering">
+    Volunteering</a>
+          </li>
+                             <li class="none">
+                  <a href="../../patches.html" title="Contributing Patches">
+    Contributing Patches</a>
+          </li>
+                             <li class="none">
+                  <a href="../../building.html" title="Building Components">
+    Building Components</a>
+          </li>
+                             <li class="none">
+                  <a href="../../commons-parent-pom.html" title="Commons Parent Pom">
+    Commons Parent Pom</a>
+          </li>
+                             <li class="none">
+                  <a href="../../build-plugin/index.html" title="Commons Build Plugin">
+    Commons Build Plugin</a>
+          </li>
+                             <li class="none">
+                  <a href="../../releases/index.html" title="Releasing Components">
+    Releasing Components</a>
+          </li>
+                             <li class="none">
+                  <a href="https://cwiki.apache.org/confluence/display/commons/FrontPage" class="externalLink" title="Wiki">
+    Wiki</a>
+          </li>
+                 </ul>
+      <ul class="nav nav-list">
+                           <li class="nav-header">ASF</li>
+                                        <li class="none">
+                  <a href="https://www.apache.org/foundation/how-it-works.html" class="externalLink" title="How the ASF works">
+    How the ASF works</a>
+          </li>
+                             <li class="none">
+                  <a href="https://www.apache.org/foundation/getinvolved.html" class="externalLink" title="Get Involved">
+    Get Involved</a>
+          </li>
+                             <li class="none">
+                  <a href="https://www.apache.org/dev/" class="externalLink" title="Developer Resources">
+    Developer Resources</a>
+          </li>
+                             <li class="none">
+                  <a href="https://www.apache.org/foundation/policies/conduct.html" class="externalLink" title="Code of Conduct">
+    Code of Conduct</a>
+          </li>
+                             <li class="none">
+                  <a href="https://www.apache.org/foundation/sponsorship.html" class="externalLink" title="Sponsorship">
+    Sponsorship</a>
+          </li>
+                             <li class="none">
+                  <a href="https://www.apache.org/foundation/thanks.html" class="externalLink" title="Thanks">
+    Thanks</a>
+          </li>
+                 </ul>
+              </div>
+            <div id="poweredBy">
+                                                                                                                    <a href="https://www.apache.org/events/current-event.html" title="ApacheCon" class="builtBy">
+        <img class="builtBy"  alt="ApacheCon" src="https://www.apache.org/events/current-event-125x125.png"    />
+      </a>
+                                                                                                    <a href="https://maven.apache.org/" title="Maven" class="builtBy">
+        <img class="builtBy"  alt="Maven" src="https://maven.apache.org/images/logos/maven-feather.png"    />
+      </a>
+                      </div>
+          </td>
+          <td class="content">
+                                                                          
+    
+        <section>
+<h2><a name="Security_Vulnerabilities"></a>Security Vulnerabilities</h2>
+            
+<p>
+                For information about reporting or asking questions about
+                security, please see the
+                <a class="externalLink" href="https://commons.apache.org/security.html">security page</a>
+                of the Apache Commons project.
+            </p>
+            
+<p>
+                This page lists all security vulnerabilities fixed in released versions of this component.
+            </p>
+
+            
+<p>
+                Please note that binary patches are never provided. If you need to apply a source code patch, use the
+                building instructions for the component version that you are using.
+            </p>
+
+            
+<p>
+                If you need help on building this component or other help on following the instructions to
+                mitigate the known vulnerabilities listed here, please send your questions to the public
+                <a href="mail-lists.html">user mailing list</a>.
+            </p>
+
+            
+<p>
+                If you have encountered an unlisted security vulnerability or other unexpected behavior that has security
+                impact, or if the descriptions here are incomplete, please report them privately to the Apache Security
+                Team. Thank you.
+            </p>
+
+            <section>
+<h3><a name="CVE-2022-33980_prior_to_2.8.0.2C_RCE_when_applied_to_untrusted_input"></a>CVE-2022-33980 prior to 2.8.0, RCE when applied to untrusted input</h3>
+                
+<p>
+                    On 2022-07-06, the Apache Commons Configuration team disclosed
+                    <a class="externalLink" href="https://www.cve.org/CVERecord?id=CVE-2022-33980">CVE-2022-33980</a>
+                    . Key takeaways:
+                    </p>
+<ul>
+                        
+<li>
+                            If you rely on software that uses a version of commons-configuration prior to 2.8.0, you are likely
+                            still not vulnerable: only if this software loads configuration
+                            files from untrusted sources, which is likely rare.
+                        </li>
+                        
+<li>
+                            If your own software uses commons-configuration, double-check whether it loads
+                            configuration files from untrusted sources. If so, an update to 2.8.0 could be a
+                            quick workaround, but the recommended solution is to also properly validate and sanitize the
+                            untrusted input.
+                        </li>
+                    </ul>
+                
+                
+<p>
+                    Apache Commons Configuration is a library to read configuration data from a variety of sources.
+                    It supports variable interpolation with lookups using various mechanisms, such as system properties
+                    or environment variables. Some of the available interpolators can trigger network
+                    access or code execution. This is intended, but it also means an application that includes user
+                    input in the configuration passed to Commons Configuration without properly sanitizing it would allow an
+                    attacker to trigger those interpolators.
+                </p>
+                
+<p>
+                    For that reason the Apache Commons Configuration team have decided to update the list of interpolators
+                    that are enabled by default to be more
+                    conservative, so that the impact of a failure to validate inputs is mitigated and will not
+                    give an attacker access to these interpolators. However, it is still recommended that users treat
+                    untrusted input with care.
+                </p>
+                
+<p>
+                    We're not currently aware of any applications that load untrusted input as configuration
+                    and thus would have been impacted by this problem prior to Apache Commons Configuration 2.8.0.
+                </p>
+                
+<p>
+                    This issue is different from
+                    <a class="externalLink" href="https://logging.apache.org/log4j/2.x/security.html#log4j-2.15.0">Log4Shell (CVE-2021-44228)</a>
+                    because in Log4Shell, string interpolation was possible from the log message body, which commonly
+                    contains untrusted input. In the Apache Common Configuration issue, the processed configuration data
+                    is much less likely to come from an untrusted source.
+                </p>
+                
+<p>
+                    Credit: this issue was reported by
+                    <a class="externalLink" href="https://github.com/pwntester">@pwntester (Alvaro Mu&#xf1;oz)</a>
+                    of the
+                    <a class="externalLink" href="https://securitylab.github.com">GitHub Security Lab team</a>
+                    . Thank you!
+                </p>
+                
+<p>
+                    References:
+                    </p>
+<ul>
+                        
+<li>
+                            <a class="externalLink" href="https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s">Announcement on dev@commons.apache.org</a>
+                        </li>
+                        
+<li>
+                            <a class="externalLink" href="https://www.openwall.com/lists/oss-security/2022/07/06/5">Announcement on oss-security</a>
+                        </li>
+                        
+<li>
+                            <a class="externalLink" href="https://www.cve.org/CVERecord?id=CVE-2022-33980">Advisory on cve.org</a>
+                        </li>
+                        
+<li>
+                            <a class="externalLink" href="https://securitylab.github.com/advisories/GHSL-2022-017_Apache_Commons_Configuration/">GHSL advisory</a>
+                        </li>
+                    </ul>
+                
+             </section>
+        </section>
+    
+
+                      </td>
+        </tr>
+      </table>
+    </div>
+
+    <div class="footer">
+      <p>Copyright &copy;                    2001-2022
+                      <a href="https://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.</p>
+                                        
+<div class="center">Apache Commons, Apache Commons Configuration, Apache, the Apache feather logo, and the Apache Commons project logos are trademarks of The Apache Software Foundation.
+      All other marks mentioned may be trademarks or registered trademarks of their respective owners.</div>
+                  </div>
+  </body>
+
+</html>
\ No newline at end of file
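Review bot: The paragraph ending "please report them privately to the Apache Security Team. Thank you." gives the reader no address or link for that private report, even though the first paragraph of the same section links the Commons security page for exactly this purpose, so a reader who jumps straight to the reporting instruction has nothing to act on. Turning the team name into a link to the page already referenced above, `<a class="externalLink" href="https://commons.apache.org/security.html">Apache Security Team</a>`, would make the reporting channel reachable from both places. The source of this page is presumably a Doxia xdoc elsewhere in the repository, so the fix belongs there rather than in this generated HTML. The CVE-2022-33980 bullet "you are likely still not vulnerable: only if this software loads configuration files from untrusted sources" also reads as a fragment and would be clearer as "you are likely not vulnerable unless that software loads configuration files from untrusted sources".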

Modified: websites/production/commons/content/proper/commons-configuration/spotbugs.html
==============================================================================
--- websites/production/commons/content/proper/commons-configuration/spotbugs.html (original)
+++ websites/production/commons/content/proper/commons-configuration/spotbugs.html Wed Oct 19 18:22:03 2022
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 30 June 2022
+ | Generated by Apache Maven Doxia at 19 October 2022
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="iso-8859-1" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-                    <meta name="Date-Revision-yyyymmdd" content="20220630" />
+                    <meta name="Date-Revision-yyyymmdd" content="20221019" />
             <meta http-equiv="Content-Language" content="en" />
         <title>Commons Configuration &#x2013; SpotBugs Bug Detector Report</title>
 
@@ -40,7 +40,7 @@
           <a class="brand" href="https://commons.apache.org/proper/commons-configuration/">Apache Commons Configuration &trade;</a>
           <ul class="nav">      
                     
-          <li id="publishDate">Last Published: 30 June 2022</li>
+          <li id="publishDate">Last Published: 19 October 2022</li>
     <li class="divider">|</li> <li id="projectVersion">Version: 2.8.0</li>
   </ul>
           <div class="pull-right">  <ul class="nav">
@@ -78,6 +78,10 @@
     Download</a>
           </li>
                              <li class="none">
+                  <a href="security.html" title="Security">
+    Security</a>
+          </li>
+                             <li class="none">
                   <a href="issue-tracking.html" title="Issue Tracking">
     Issue Tracking</a>
           </li>
@@ -296,4 +300,4 @@
                   </div>
   </body>
 
-</html>
+</html>
\ No newline at end of file

Modified: websites/production/commons/content/proper/commons-configuration/summary.html
==============================================================================
--- websites/production/commons/content/proper/commons-configuration/summary.html (original)
+++ websites/production/commons/content/proper/commons-configuration/summary.html Wed Oct 19 18:22:03 2022
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 30 June 2022
+ | Generated by Apache Maven Doxia at 19 October 2022
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="iso-8859-1" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-                    <meta name="Date-Revision-yyyymmdd" content="20220630" />
+                    <meta name="Date-Revision-yyyymmdd" content="20221019" />
             <meta http-equiv="Content-Language" content="en" />
         <title>Commons Configuration &#x2013; Project Summary</title>
 
@@ -40,7 +40,7 @@
           <a class="brand" href="https://commons.apache.org/proper/commons-configuration/">Apache Commons Configuration &trade;</a>
           <ul class="nav">      
                     
-          <li id="publishDate">Last Published: 30 June 2022</li>
+          <li id="publishDate">Last Published: 19 October 2022</li>
     <li class="divider">|</li> <li id="projectVersion">Version: 2.8.0</li>
   </ul>
           <div class="pull-right">  <ul class="nav">
@@ -78,6 +78,10 @@
     Download</a>
           </li>
                              <li class="none">
+                  <a href="security.html" title="Security">
+    Security</a>
+          </li>
+                             <li class="none">
                   <a href="issue-tracking.html" title="Issue Tracking">
     Issue Tracking</a>
           </li>
@@ -317,4 +321,4 @@
                   </div>
   </body>
 
-</html>
+</html>
\ No newline at end of file