Posted to notifications@james.apache.org by bt...@apache.org on 2022/09/03 22:06:28 UTC
[james-site] branch asf-site updated: Announce CVE-2021-44228
This is an automated email from the ASF dual-hosted git repository.
btellier pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/james-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 749a8bca7 Announce CVE-2021-44228
749a8bca7 is described below
commit 749a8bca736fea1a56490774ac1508872de0d1aa
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Sun Sep 4 05:06:08 2022 +0700
Announce CVE-2021-44228
---
content/feed.xml | 10 +++++++---
content/james/update/2022/08/26/james-3.7.1.html | 6 +++++-
content/rat-report.html | 8 ++++++--
content/server/feature-security.html | 14 ++++++++++++++
4 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/content/feed.xml b/content/feed.xml
index e1e6a918c..e7894be0c 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -24,8 +24,8 @@
</description>
<link>http://james.apache.org/</link>
<atom:link href="http://james.apache.org/feed.xml" rel="self" type="application/rss+xml"/>
- <pubDate>Sun, 04 Sep 2022 04:30:17 +0700</pubDate>
- <lastBuildDate>Sun, 04 Sep 2022 04:30:17 +0700</lastBuildDate>
+ <pubDate>Sun, 04 Sep 2022 05:05:06 +0700</pubDate>
+ <lastBuildDate>Sun, 04 Sep 2022 05:05:06 +0700</lastBuildDate>
<generator>Jekyll v4.2.0</generator>
<item>
@@ -38,7 +38,11 @@
<h2 id="announcement">Announcement</h2>
-<p>As this is a minor maintenance release, including bug fixes, there is no major announcements.</p>
+<p>As this is a minor maintenance release.</p>
+
+<p>This release addresses CVE-2022-28220 <code class="language-plaintext highlighter-rouge">STARTTLS command injection in Apache JAMES</code>.</p>
+
+<p>It also includes various bugfixes.</p>
<h2 id="release-changelog">Release changelog</h2>
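Review bot: the replacement line `+<p>As this is a minor maintenance release.</p>` is a sentence fragment (a subordinate "As ..." clause with no main clause); suggest `<p>This is a minor maintenance release.</p>` or fold it into the next paragraph, e.g. "This minor maintenance release addresses CVE-2022-28220 ...". Note also that the CVE id given here, CVE-2022-28220, does not match the id in the commit message.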
diff --git a/content/james/update/2022/08/26/james-3.7.1.html b/content/james/update/2022/08/26/james-3.7.1.html
index 81f6c2d4f..84949f6b4 100644
--- a/content/james/update/2022/08/26/james-3.7.1.html
+++ b/content/james/update/2022/08/26/james-3.7.1.html
@@ -83,7 +83,11 @@
<h2 id="announcement">Announcement</h2>
-<p>As this is a minor maintenance release, including bug fixes, there is no major announcements.</p>
+<p>As this is a minor maintenance release.</p>
+
+<p>This release addresses CVE-2022-28220 <code class="language-plaintext highlighter-rouge">STARTTLS command injection in Apache JAMES</code>.</p>
+
+<p>It also includes various bugfixes.</p>
<h2 id="release-changelog">Release changelog</h2>
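Review bot: same fragment as in the feed.xml hunk (`+<p>As this is a minor maintenance release.</p>`); since `content/` is Jekyll output (see the `<generator>` line in feed.xml), make sure the fix is applied in the source post as well, otherwise the next site build will regenerate the old wording and drop the CVE paragraph.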
diff --git a/content/rat-report.html b/content/rat-report.html
index 4c8689706..b797a13cd 100644
--- a/content/rat-report.html
+++ b/content/rat-report.html
@@ -163,7 +163,7 @@
*****************************************************
Summary
-------
-Generated at: 2022-09-03T21:28:05+00:00
+Generated at: 2022-09-03T22:04:02+00:00
Notes: 44
Binaries: 191
@@ -20699,7 +20699,11 @@ The Apache James PMC would like to thanks all contributors who made this release
## Announcement
-As this is a minor maintenance release, including bug fixes, there is no major announcements.
+As this is a minor maintenance release.
+
+This release addresses CVE-2022-28220 `STARTTLS command injection in Apache JAMES`.
+
+It also includes various bugfixes.
## Release changelog
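Review bot: the markdown copy carries the same fragment (`+As this is a minor maintenance release.`); the backtick-quoted vulnerability title `STARTTLS command injection in Apache JAMES` will render as inline code, which is misleading for a prose title, so plain quotes or no quoting would read better.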
diff --git a/content/server/feature-security.html b/content/server/feature-security.html
index b5c2700ee..108804041 100644
--- a/content/server/feature-security.html
+++ b/content/server/feature-security.html
@@ -278,6 +278,20 @@
<a class="externalLink" href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability handling</a>.
</section>
<section>
+<h3><a name="CVE-2021-44228:_STARTTLS_command_injection_in_Apache_JAMES"></a>CVE-2021-44228: STARTTLS command injection in Apache JAMES</h3>
+
+<p>Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.</p>
+
+
+<p>Fix of CVE-2021-38542, which solved similar problem from Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests.</p>
+
+
+<p><b>Severity</b>: Moderate</p>
+
+
+<p><b>Mitigation</b>: We recommend to upgrade to Apache James 3.7.1 or higher, which fixes this vulnerability.</p>
+ </section>
+ <section>
<h3><a name="CVE-2021-44228:_Log4Shell"></a>CVE-2021-44228: Log4Shell</h3>
<p>Apache James Spring distribution prior to release 3.6.1 is vulnerable to attacks leveraging Log4Shell.
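Review bot: the heading and anchor on the first added line reuse `CVE-2021-44228`, which the existing heading two lines below already assigns to Log4Shell, while the body text describes the STARTTLS command injection that the other files in this commit name CVE-2022-28220; the heading should read `CVE-2022-28220: STARTTLS command injection in Apache JAMES` with a matching anchor name, so that in-page links do not collide and the advisory does not mislabel the issue (the commit message carries the same wrong id). The second paragraph also needs grammar fixes: "Fix of CVE-2021-38542, which solved a similar problem in Apache James 3.6.1, is subject to a parser differential and does not take into account concurrent requests." Finally, the doubled blank lines between the `<p>` elements are inconsistent with the rest of the file.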