<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Apache Security Team</title>
    <link>https://security-site.bzzt.net/</link>
    <description>Recent content on Apache Security Team</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 31 Jan 2023 00:00:00 +0000</lastBuildDate><atom:link href="https://security-site.bzzt.net/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>ASF Security Report: 2022</title>
      <link>https://security-site.bzzt.net/blog/asf-security-report-2022/</link>
      <pubDate>Tue, 31 Jan 2023 00:00:00 +0000</pubDate>
      
      <guid>https://security-site.bzzt.net/blog/asf-security-report-2022/</guid>
      <description>Background The security committee of The Apache Software Foundation (ASF) oversees and coordinates the handling of vulnerabilities across all of the 350+ Apache projects, handling over 60 incoming emails a day. Established in 2002, we have a consistent process for how issues are handled, and this process includes how our projects must disclose security issues. During 2022, the ASF hired an administrator to help deal with incoming vulnerability handling work, with the rest of the team being volunteers.</description>
    </item>
    
    <item>
      <title>CVE-2022-42889: interpolations that allow RCE disabled in Commons Text 1.10.0</title>
      <link>https://security-site.bzzt.net/blog/cve-2022-42889/</link>
      <pubDate>Tue, 18 Oct 2022 00:00:00 +0000</pubDate>
      
      <guid>https://security-site.bzzt.net/blog/cve-2022-42889/</guid>
      <description>On 2022-10-13, the Apache Commons Text team disclosed CVE-2022-42889. Key takeaways:
If you rely on software that uses a version of commons-text prior to 1.10.0, you are likely still not vulnerable: you are only affected when this software uses the StringSubstitutor API without properly sanitizing any untrusted input. If your own software uses commons-text, double-check whether it uses the StringSubstitutor API without properly sanitizing any untrusted input. If so, an update to 1.</description>
    </item>
    
    <item>
      <title>Apache projects affected by log4j CVE-2021-44228</title>
      <link>https://security-site.bzzt.net/blog/cve-2021-44228/</link>
      <pubDate>Tue, 14 Dec 2021 00:00:00 +0000</pubDate>
      
      <guid>https://security-site.bzzt.net/blog/cve-2021-44228/</guid>
      <description>Project Status Apache Ant Not Affected, a deprecated module uses log4j 1.x Apache Archiva Affected, release 2.2.6 will address this Apache AsterixDB Affected, fixed in 0.9.7.1 Apache Calcite Avatica Affected, update to 1.20.0 Apache Camel Not affected Apache CloudStack Not Affected Apache Druid Affected, update to 0.22.1 Apache EventMesh Affected Apache Flink Affected, fixed in 1.14.2, 1.13.5, 1.12.7, 1.11.6 Apache Fortress Affected, update to 2.0.7 Apache Geode Affected, update to 1.</description>
    </item>
    
  </channel>
</rss>
