Posted to notifications@james.apache.org by bt...@apache.org on 2022/09/03 22:06:28 UTC

[james-site] branch asf-site updated: Announce CVE-2021-44228

This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/james-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new 749a8bca7 Announce CVE-2021-44228
749a8bca7 is described below

commit 749a8bca736fea1a56490774ac1508872de0d1aa
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Sun Sep 4 05:06:08 2022 +0700

    Announce CVE-2021-44228
---
 content/feed.xml                                 | 10 +++++++---
 content/james/update/2022/08/26/james-3.7.1.html |  6 +++++-
 content/rat-report.html                          |  8 ++++++--
 content/server/feature-security.html             | 14 ++++++++++++++
 4 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/content/feed.xml b/content/feed.xml
index e1e6a918c..e7894be0c 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -24,8 +24,8 @@
 </description>
     <link>http://james.apache.org/</link>
     <atom:link href="http://james.apache.org/feed.xml" rel="self" type="application/rss+xml"/>
-    <pubDate>Sun, 04 Sep 2022 04:30:17 +0700</pubDate>
-    <lastBuildDate>Sun, 04 Sep 2022 04:30:17 +0700</lastBuildDate>
+    <pubDate>Sun, 04 Sep 2022 05:05:06 +0700</pubDate>
+    <lastBuildDate>Sun, 04 Sep 2022 05:05:06 +0700</lastBuildDate>
     <generator>Jekyll v4.2.0</generator>
     
       <item>
@@ -38,7 +38,11 @@
 
 &lt;h2 id=&quot;announcement&quot;&gt;Announcement&lt;/h2&gt;
 
-&lt;p&gt;As this is a minor maintenance release, including bug fixes, there is no major announcements.&lt;/p&gt;
+&lt;p&gt;As this is a minor maintenance release.&lt;/p&gt;
+
+&lt;p&gt;This release addresses CVE-2022-28220 &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;STARTTLS command injection in Apache JAMES&lt;/code&gt;.&lt;/p&gt;
+
+&lt;p&gt;It also includes various bugfixes.&lt;/p&gt;
 
 &lt;h2 id=&quot;release-changelog&quot;&gt;Release changelog&lt;/h2&gt;
 
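Review bot: the added line `&lt;p&gt;As this is a minor maintenance release.&lt;/p&gt;` is a sentence fragment; the "As" clause lost its main clause when "there is no major announcements" was dropped. Suggest `<p>This is a minor maintenance release.</p>`, or fold it into the next sentence ("This minor maintenance release addresses CVE-2022-28220 ..."). Separately, the identifier used here for the STARTTLS issue, CVE-2022-28220, does not match the identifier given to the same STARTTLS issue in the feature-security.html hunk of this commit (CVE-2021-44228); the two need to be reconciled before this feed is published.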
diff --git a/content/james/update/2022/08/26/james-3.7.1.html b/content/james/update/2022/08/26/james-3.7.1.html
index 81f6c2d4f..84949f6b4 100644
--- a/content/james/update/2022/08/26/james-3.7.1.html
+++ b/content/james/update/2022/08/26/james-3.7.1.html
@@ -83,7 +83,11 @@
 
 <h2 id="announcement">Announcement</h2>
 
-<p>As this is a minor maintenance release, including bug fixes, there is no major announcements.</p>
+<p>As this is a minor maintenance release.</p>
+
+<p>This release addresses CVE-2022-28220 <code class="language-plaintext highlighter-rouge">STARTTLS command injection in Apache JAMES</code>.</p>
+
+<p>It also includes various bugfixes.</p>
 
 <h2 id="release-changelog">Release changelog</h2>
 
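Review bot: same fragment as in feed.xml: `<p>As this is a minor maintenance release.</p>` has no main clause and should read `<p>This is a minor maintenance release.</p>` (or be merged with the following sentence). Since this page and feed.xml are both generated from the same announcement source, the wording should be fixed there once rather than in each generated file.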
diff --git a/content/rat-report.html b/content/rat-report.html
index 4c8689706..b797a13cd 100644
--- a/content/rat-report.html
+++ b/content/rat-report.html
@@ -163,7 +163,7 @@
 *****************************************************
 Summary
 -------
-Generated at: 2022-09-03T21:28:05+00:00
+Generated at: 2022-09-03T22:04:02+00:00
 
 Notes: 44
 Binaries: 191
@@ -20699,7 +20699,11 @@ The Apache James PMC would like to thanks all contributors who made this release
 
 ## Announcement
 
-As this is a minor maintenance release, including bug fixes, there is no major announcements.
+As this is a minor maintenance release.
+
+This release addresses CVE-2022-28220 `STARTTLS command injection in Apache JAMES`.
+
+It also includes various bugfixes.
 
 ## Release changelog
 
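Review bot: the Markdown form of the announcement shown in this hunk carries the same fragment, `As this is a minor maintenance release.`; it should read `This is a minor maintenance release.`. Given that this text surfaces inside the generated rat-report.html as well as in feed.xml and the 3.7.1 update page, correct it in the Markdown source the site build reads so all three generated copies come out consistent.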
diff --git a/content/server/feature-security.html b/content/server/feature-security.html
index b5c2700ee..108804041 100644
--- a/content/server/feature-security.html
+++ b/content/server/feature-security.html
@@ -278,6 +278,20 @@
             <a class="externalLink" href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability handling</a>.
         </section>
         <section>
+<h3><a name="CVE-2021-44228:_STARTTLS_command_injection_in_Apache_JAMES"></a>CVE-2021-44228: STARTTLS command injection in Apache JAMES</h3>
+            
+<p>Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.</p>
+
+            
+<p>Fix of CVE-2021-38542, which solved similar problem from Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.</p>
+
+            
+<p><b>Severity</b>: Moderate</p>
+
+            
+<p><b>Mitigation</b>: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability.</p>
+        </section>
+        <section>
 <h3><a name="CVE-2021-44228:_Log4Shell"></a>CVE-2021-44228: Log4Shell</h3>
             
 <p>Apache James Spring distribution prior to release 3.6.1 is vulnerable to attacks leveraging Log4Shell.

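Review bot: the first added line assigns CVE-2021-44228 to "STARTTLS command injection in Apache JAMES", but that identifier is Log4Shell, as the very next section in the trailing context (`CVE-2021-44228: Log4Shell`) shows; the release-notes hunks in this same commit call the STARTTLS issue CVE-2022-28220, so the `<h3>` text and the `<a name="CVE-2021-44228:_STARTTLS_command_injection_in_Apache_JAMES">` anchor should be changed to that identifier (as written, the page also ends up with two near-identical anchor names for two different advisories). Wording in the added paragraphs should also be tidied: "which solved similar problem from Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests" should read "which solved a similar problem in Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account", and "We recommend to upgrade to" should read "We recommend upgrading to". The empty `            ` indentation-only lines between the paragraphs can be dropped or made blank, matching the surrounding sections.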
