Posted to commits@commons.apache.org by gg...@apache.org on 2022/12/03 16:37:46 UTC
[commons-net] 02/03: Add security page
This is an automated email from the ASF dual-hosted git repository.
ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-net.git
commit deeb30e7680fa23fd1efa3b54c6daeb1260cbdc3
Author: Gary Gregory <ga...@gmail.com>
AuthorDate: Sat Dec 3 11:17:26 2022 -0500
Add security page
---
pom.xml | 2 +-
src/site/site.xml | 1 +
src/site/xdoc/security.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 84 insertions(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 0b2b2be6..9ee1f198 100644
--- a/pom.xml
+++ b/pom.xml
@@ -29,7 +29,7 @@
<groupId>commons-net</groupId>
<artifactId>commons-net</artifactId>
- <version>3.10.0-SNAPSHOT</version>
+ <version>3.9.0</version>
<name>Apache Commons Net</name>
<!-- N.B. the description content is deliberately not indented ! to improve the layout of the Release Notes generated
by mvn changes:announcement-generate -->
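Review bot: the version change from 3.10.0-SNAPSHOT to 3.9.0 in this hunk is unrelated to the commit message "Add security page"; either split it into its own commit or mention it in the message, so the release version bump can be traced and reverted on its own.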
diff --git a/src/site/site.xml b/src/site/site.xml
index 5affdcda..c07262b4 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -32,6 +32,7 @@
<item name="Download" href="/download_net.cgi"/>
<item name="Javadoc" href="/apidocs/index.html"/>
<item name="Javadoc Archive" href="https://javadoc.io/doc/commons-net/commons-net/latest/index.html"/>
+ <item name="Security" href="security.html"/>
</menu>
<menu name="Development">
<item name="Coding Specifications" href="code-standards.html"/>
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
new file mode 100644
index 00000000..9b9e96c7
--- /dev/null
+++ b/src/site/xdoc/security.xml
@@ -0,0 +1,82 @@
+<?xml version="1.0"?>
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under
+ the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may
+ obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to
+ in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+ ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under
+ the License. -->
+<document>
+ <properties>
+ <title>Apache Commons Text Security Reports</title>
+ <author email="dev@commons.apache.org">Commons Team</author>
+ </properties>
+ <body>
+ <section name="Security Vulnerabilities">
+ <p>
+ For information about reporting or asking questions about
+ security, please see the
+ <a href="https://commons.apache.org/security.html">security page</a>
+ of the Apache Commons project.
+ </p>
+ <p>
+ This page lists all security vulnerabilities fixed in released versions of this component.
+ </p>
+
+ <p>
+ Please note that binary patches are never provided. If you need to apply a source code patch, use the
+ building instructions for the component version that you are using.
+ </p>
+
+ <p>
+ If you need help on building this component or other help on following the instructions to
+ mitigate the
+ known vulnerabilities listed here, please send your questions to the public
+ <a href="mail-lists.html">user mailing list</a>
+ .
+ </p>
+
+ <p>
+ If you have encountered an unlisted security vulnerability or other unexpected behavior that has security
+ impact, or if the descriptions here are incomplete, please report them privately to the Apache Security
+ Team. Thank you.
+ </p>
+
+ <subsection
+ name="CVE-2021-37533: Apache Commons Net's FTP client trusts the host from PASV response by default: Apache Commons Net's FTP client trusts the host from PASV response by default">
+ <p>
+ On 2022-12-03, the Apache Commons Text team disclosed
+ <a href="https://www.cve.org/CVERecord?id=CVE-2021-37533">CVE-2021-37533</a>
+ </p>
+ <p>
+ Severity: low
+ </p>
+ <p>
+ Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A
+ malicious server can redirect the Commons Net code to use a different host, but the user has to
+ connect to the malicious server in the first place. This may lead to leakage of information about
+ services running on the private network of the client.
+ The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See
+ <a href="https://issues.apache.org/jira/browse/NET-711">NET-711</a>.
+ </p>
+ <p>
+ Credit: Apache Commons would like to thank ZeddYu Lu for reporting this issue.
+ </p>
+ <p>
+ References:
+ <ul>
+ <li>
+ <a href="https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7">Announcement on dev@commons.apache.org</a>
+ </li>
+ <li>
+ <a href="https://www.openwall.com/lists/oss-security/2022/12/03/1">Announcement on oss-security</a>
+ </li>
+ <li>
+ <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37533">Advisory on cve.org</a>
+ </li>
+ </ul>
+ </p>
+ </subsection>
+ </section>
+ </body>
+</document>
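Review bot: the new page names the wrong component in two places: the `<title>` reads "Apache Commons Text Security Reports" and the CVE paragraph says "the Apache Commons Text team disclosed", but this is the Commons Net site and the advisory concerns Commons Net's FTP client; both should say Commons Net. The `<subsection>` name repeats the CVE description twice ("...trusts the host from PASV response by default: Apache Commons Net's FTP client trusts the host from PASV response by default"); keep a single copy. In the References block, `<ul>` is nested inside `<p>`, which is not valid XHTML and is rendered inconsistently by the site plugin; close the `<p>` after "References:" and put the `<ul>` as a sibling. The third reference is labelled "Advisory on cve.org" but links to cve.mitre.org, while the paragraph above already links www.cve.org; align the label with the target. Finally, "The default in version 3.9.0 is now false to ignore such hosts" does not say which setting is meant; naming the FTPClient option (or linking the Javadoc) would let users verify their configuration against the mitigation.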