News and Announcements (at) Apache Software Foundation. 노안돼지

The Apache Software Foundation provides support for the community of Apache open source software projects.
Apache projects are characterized by a collaborative, consensus-based development process, an open and pragmatic software license, and the goal of developing high-quality software that leads the way in its field.

We are sometimes described as a group of projects that simply share a server, but we think of ourselves rather as a community of developers and users.

Apache Commons Daemon Information Security Vulnerability

News/Announcements | 2011. 8. 16. 17:51 | Posted by 노안돼지
CVE-2011-2729: Commons Daemon fails to drop capabilities

Severity: high

Vendor:
The Apache Software Foundation

Versions Affected:
Commons Daemon 1.0.3 to 1.0.6
Additionally, these vulnerabilities only occur when all of the following are true:
a) running on Linux operating system
b) jsvc was compiled with libcap
c) -user parameter is used

Description:
Due to a bug in the capabilities code, jsvc does not drop capabilities, allowing the application to access files and directories owned by the superuser.

Mitigation:
Affected users of all versions can mitigate these vulnerabilities by taking any of the following actions:
a) upgrade to a version where the vulnerabilities have been fixed: jsvc 1.0.3 - 1.0.6 users should upgrade to version 1.0.7
b) do not use -user parameter to switch user
c) recompile the jsvc without libcap support

Example:
[root@fedora jsvctest]# ./jsvc -cp commons-daemon-1.0.6.jar:. -user jsvc ....
[root@fedora jsvctest]# grep ^Cap /proc/<pid>/status
CapInh: 0000000000000406
CapPrm: 0000000000000406
CapEff: 0000000000000406
CapBnd: ffffffffffffffff

[root@fedora jsvctest]# ./jsvc -cp commons-daemon-1.0.7.jar:. -user jsvc ....
[root@fedora jsvctest]# grep ^Cap /proc/<pid>/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
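The two Cap blocks above are the whole test: 0x406 in CapEff is a non-empty capability set surviving the switch to the jsvc user, while 1.0.7 shows all zeros. The following checker is an added example (not part of the advisory or the Commons Daemon project) that decodes those hex masks into capability names and flags a process that runs as a non-root uid yet keeps effective capabilities; the Uid line it reads is standard /proc/<pid>/status content, and the sample uid 1001 is assumed.

```python
# Added example (not from the advisory): decode Cap* lines of /proc/<pid>/status
# and flag a process that switched to an unprivileged user but still holds
# effective capabilities, the symptom shown in the advisory's 1.0.6 run.
import re
import sys

# Capability bit numbers from <linux/capability.h> (subset relevant here).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID",
    10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN",
}

def parse_status(text):
    """Return (real_uid, {"CapInh": int, ...}) parsed from status-file text."""
    uid = re.search(r"^Uid:\s*(\d+)", text, re.M)
    caps = {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)", text, re.M)}
    return (int(uid.group(1)) if uid else None), caps

def decode_mask(mask):
    """List the capability names set in a bitmask (unknown bits as CAP_<n>)."""
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if (mask >> b) & 1]

def retained_caps(text):
    """Capabilities still effective after the -user switch; empty is the fixed state."""
    _, caps = parse_status(text)
    return decode_mask(caps.get("CapEff", 0))

def looks_affected(text):
    """True when the process runs as a non-root uid yet keeps effective caps."""
    uid, caps = parse_status(text)
    return uid not in (None, 0) and caps.get("CapEff", 0) != 0

# Constructed samples modelled on the advisory's two runs (uid 1001 is assumed).
STATUS_1_0_6 = ("Name:\tjsvc\nUid:\t1001\t1001\t1001\t1001\n"
                "CapInh:\t0000000000000406\nCapPrm:\t0000000000000406\n"
                "CapEff:\t0000000000000406\nCapBnd:\tffffffffffffffff\n")
STATUS_1_0_7 = STATUS_1_0_6.replace("0000000000000406", "0000000000000000")

if __name__ == "__main__":
    # Usage: python3 capcheck.py <pid>  (reads the live /proc entry; else the sample)
    path = f"/proc/{sys.argv[1]}/status" if len(sys.argv) > 1 else None
    text = open(path).read() if path else STATUS_1_0_6
    print("effective:", retained_caps(text) or "(none)")
    print("affected:", looks_affected(text))
```

Running it against the 1.0.6 sample names the three retained capabilities (DAC_OVERRIDE, DAC_READ_SEARCH, NET_BIND_SERVICE), which is exactly what lets the daemon read root-owned files after dropping to the jsvc user.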

Credit:
This issue was identified by Wilfried Weissmann.

Apache Commons Daemon 1.0.7 Release

News/Announcements | 2011. 8. 16. 17:49 | Posted by 노안돼지
The Apache Commons Daemon team is pleased to announce the commons-daemon-1.0.7 release!
Version 1.0.7 is a bug fix release fixing the CVE-2011-2729 security issue.

Source and binary distributions are available for download from the Apache Commons download site:

http://commons.apache.org/daemon/download_daemon.cgi

When downloading the release, please verify signatures using the KEYS file available at the above location.

For more information on Apache Commons Daemon, visit the Commons Daemon home page:

http://commons.apache.org/daemon/

Apache Commons Lang 3.0.1 Release

News/Announcements | 2011. 8. 16. 17:46 | Posted by 노안돼지
The Apache Commons team is pleased to announce the release of Commons Lang 3.0.1.

As the version suggests, this is a drop-in replacement for 3.0. A list of the 9 changes and 6 bug fixes in this release is found in the release notes:

 https://commons.apache.org/lang/changes-report.html#a3.0.1

For general information on Commons Lang please visit the Lang website:

 http://commons.apache.org/lang/

The latest version may be downloaded from the following page:

 http://commons.apache.org/lang/download_lang.cgi

For advice on upgrading from 2.x to 3.x, see the following page:

   http://commons.apache.org/lang/article3_0.html

Thanks again to all involved in the release, both Commons users and Commons developers.

Hen
on behalf of the Apache Commons community

Apache Commons Compress 1.2 Release

News/Announcements | 2011. 8. 4. 06:56 | Posted by 노안돼지
The Apache Commons Compress team is pleased to announce the
commons-compress-1.2 release!

The Apache Commons Compress Library defines a Java API for working with
ar, cpio, tar, zip, gzip and bzip2 files.

Version 1.2 is a bug fix release and the last release expected to be
compatible with Java 1.4.

Source and binary distributions are available for download from the
Apache Commons download site:

http://commons.apache.org/compress/download_compress.cgi

When downloading the release, please verify signatures using the KEYS file
available at the above location.

Changes in this version include:

New features:
o COMPRESS-123:  ZipArchiveEntry has a new method getRawName that provides the
       original bytes that made up the name.  This may allow user
       code to detect the encoding.
o COMPRESS-122:  TarArchiveEntry provides access to the flags that determine
       whether it is an archived symbolic link, pipe or other
       "uncommon" file system object.

Fixed Bugs:
o COMPRESS-129:  ZipArchiveInputStream could fail with a "Truncated ZIP" error
       message for entries between 2 GByte and 4 GByte in size.
o COMPRESS-145:  TarArchiveInputStream now detects sparse entries using the
       oldgnu format and properly reports it cannot extract their
       contents.
o COMPRESS-130:  The Javadoc for ZipArchiveInputStream#skip now matches the
       implementation, the code has been made more defensive.
o COMPRESS-140:  ArArchiveInputStream fails if entries contain only blanks for
       userId or groupId. Thanks to Trejkaz.
o COMPRESS-139:  ZipFile may leak resources on some JDKs.
o COMPRESS-125:  BZip2CompressorInputStream throws IOException if
       underlying stream returns available() == 0.
       Removed the check.
o COMPRESS-127:  Calling close() on inputStream returned by
       CompressorStreamFactory.createCompressorInputStream()
       does not close the underlying input stream.
o COMPRESS-119:  TarArchiveOutputStream#finish now writes all buffered
       data to the stream

Changes:
o ZipFile now implements finalize which closes the underlying
       file.
o COMPRESS-117:  Certain tar files not recognised by ArchiveStreamFactory.


For complete information on Commons Compress, including instructions
on how to submit bug reports, patches, or suggestions for improvement,
see the Apache Commons Compress website:

http://commons.apache.org/compress/

Stefan Bodewig, on behalf of the Apache Commons community

Apache Commons Codec 1.5 Release

News/Announcements | 2011. 3. 31. 10:47 | Posted by 노안돼지
The Commons Codec team is pleased to announce the commons-codec-1.5 release!

The codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Changes in this version include:

New features:
o Add test(s) to check that encodeBase64() does not chunk output.  Issue: CODEC-93. Thanks to sebb. 
o ArrayIndexOutOfBoundsException when doing multiple reads() on encoding Base64InputStream.  Issue: CODEC-105. Thanks to zak. 
o Add the Cologne Phonetic to codec.lang.  Issue: CODEC-106. Thanks to it2mmeyerfa. 
o org.apache.commons.codec.net.URLCodec.ESCAPE_CHAR isn't final but should be.  Issue: CODEC-111. Thanks to ggregory. 
o Base64.encodeBase64(byte[] binaryData, boolean isChunked, boolean urlSafe, int maxResultSize) throws IAE for valid maxResultSize if isChunked is false.  Issue: CODEC-112. Thanks to sebb. 
o org.apache.commons.codec.language.RefinedSoundex.US_ENGLISH_MAPPING should be package protected MALICIOUS_CODE.  Issue: CODEC-113. Thanks to ggregory. 
o org.apache.commons.codec.language.Soundex.US_ENGLISH_MAPPING should be package protected MALICIOUS_CODE.  Issue: CODEC-114. Thanks to ggregory. 
o DoubleMetaphone.maxCodeLen should probably be private.  Issue: CODEC-115. Thanks to sebb. 
o Split Caverphone class into two classes for Caverphone 1.0 and 2.0.  Issue: CODEC-118. Thanks to ggregory. 

Fixed Bugs:
o new Base64().encode() appends a CRLF, and chunks results into 76 character lines.  Issue: CODEC-89. 
o Many test cases use getBytes() which uses the default platform encoding so tests may fail on some platforms.  Issue: CODEC-92. 
o Base64 default constructor behaviour changed to enable chunking in 1.4.  Issue: CODEC-97. Thanks to mjryall. 
o Base64.encodeBase64String() shouldn't chunk.  Issue: CODEC-99. Thanks to julius. 
o Base64InputStream#read(byte[]) incorrectly returns 0 at end of any stream which is multiple of 3 bytes long.  Issue: CODEC-101. Thanks to balusc. 
o Typo in DecoderException message thrown from Hex.decodeHex.  Issue: CODEC-103. Thanks to gnuf. 
o Caverphone encodes names starting and ending with "mb" incorrectly.  Issue: CODEC-117. Thanks to ggregory. 

Removed:
o Remove deprecated package private method Base64.discardWhitespace(byte[])  Issue: CODEC-116. Thanks to ggregory. 

Have fun!
-Commons Codec team