commons-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bode...@apache.org
Subject svn commit: r1803679 - in /commons/proper/email/trunk: ./ README.md RELEASE-NOTES.txt pom.xml src/changes/changes.xml src/site/site.xml src/site/xdoc/security-reports.xml
Date Tue, 01 Aug 2017 18:33:48 GMT
Author: bodewig
Date: Tue Aug  1 18:33:48 2017
New Revision: 1803679

URL: http://svn.apache.org/viewvc?rev=1803679&view=rev
Log:
prepare for next iteration

Added:
    commons/proper/email/trunk/README.md
      - copied unchanged from r1803511, commons/proper/email/tags/EMAIL_1_5_RC1/README.md
    commons/proper/email/trunk/src/site/xdoc/security-reports.xml   (with props)
Modified:
    commons/proper/email/trunk/   (props changed)
    commons/proper/email/trunk/RELEASE-NOTES.txt
    commons/proper/email/trunk/pom.xml
    commons/proper/email/trunk/src/changes/changes.xml
    commons/proper/email/trunk/src/site/site.xml

Propchange: commons/proper/email/trunk/
------------------------------------------------------------------------------
    svn:mergeinfo = /commons/proper/email/tags/EMAIL_1_5_RC1:1803366-1803511

Modified: commons/proper/email/trunk/RELEASE-NOTES.txt
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/RELEASE-NOTES.txt?rev=1803679&r1=1803678&r2=1803679&view=diff
==============================================================================
--- commons/proper/email/trunk/RELEASE-NOTES.txt (original)
+++ commons/proper/email/trunk/RELEASE-NOTES.txt Tue Aug  1 18:33:48 2017
@@ -1,4 +1,4 @@
-                         Commons Email Package
+                          Apache Commons Email
                               Version 1.5
                              Release Notes
 
@@ -15,8 +15,12 @@ downloads, reports, and bug status:
 
 http://commons.apache.org/email/
 
-This is a major release which adds some new features and fixes several bugs
-present in the 1.4.0 release. All current users are encouraged to upgrade.
+This is a major and security bugfix release which adds some new
+features and fixes several bugs present in the 1.4 release. All
+current users are encouraged to upgrade.
+
+For the security bugfix see
+https://commons.apache.org/proper/commons-email/security-reports.html#Fixed_in_Apache_Commons_Email_1.5
 
 CHANGES FROM 1.4:
 -----------------
@@ -55,6 +59,9 @@ Issue: EMAIL-154. Thanks to Ken Geis, Ba
 * DataSourceClassPathResolver doesn't close InputStream when resolving resources
 Issue: EMAIL-167. Thanks to Lucian Burja.
 
+* CVE-2017-9801 - stripped all line-breaks from subjects in order to
+  prevent SMTP header injection.
+
 CHANGES FROM 1.3.3:
 -----------------
 
@@ -315,4 +322,4 @@ Java 2 Enterprise Edition 1.4 users must
 JavaMail and JAF indicated above are available to their applications;
 the J2EE 1.4 specification only requires earlier versions.
 
-Earlier versions of J2EE are not supported.
\ No newline at end of file
+Earlier versions of J2EE are not supported.

Modified: commons/proper/email/trunk/pom.xml
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/pom.xml?rev=1803679&r1=1803678&r2=1803679&view=diff
==============================================================================
--- commons/proper/email/trunk/pom.xml (original)
+++ commons/proper/email/trunk/pom.xml Tue Aug  1 18:33:48 2017
@@ -24,7 +24,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.apache.commons</groupId>
     <artifactId>commons-email</artifactId>
-    <version>1.5-SNAPSHOT</version>
+    <version>1.6-SNAPSHOT</version>
     <name>Apache Commons Email</name>
 
     <inceptionYear>2001</inceptionYear>
@@ -41,9 +41,9 @@
     </issueManagement>
 
     <scm>
-        <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/email/trunk</connection>
+        <connection>scm:svn:http://svn.apache.org/repos/asf/commons/proper/email/tags/EMAIL_1_5</connection>
         <developerConnection>scm:svn:https://svn.apache.org/repos/asf/commons/proper/email/trunk</developerConnection>
-        <url>http://svn.apache.org/viewvc/commons/proper/email/trunk</url>
+        <url>http://svn.apache.org/viewvc/commons/proper/email/tags/EMAIL_1_5</url>
     </scm> 
 
     <developers>

Modified: commons/proper/email/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/changes/changes.xml?rev=1803679&r1=1803678&r2=1803679&view=diff
==============================================================================
--- commons/proper/email/trunk/src/changes/changes.xml (original)
+++ commons/proper/email/trunk/src/changes/changes.xml Tue Aug  1 18:33:48 2017
@@ -22,7 +22,9 @@
   </properties>
 
   <body>
-    <release version="1.5" date="2017-MM-DD">
+    <release version="1.6" date="2017-MM-DD">
+    </release>
+    <release version="1.5" date="2017-08-01">
       <!-- N.B. AFAICT the date attribute is not used anywhere so no point in adding it
-->
       <action dev="kinow" type="fix" issue="EMAIL-172" due-to="Thomas Grainger">
         Grammar error in comment
@@ -45,6 +47,10 @@
       <action dev="ggregory" type="add" issue="EMAIL-154" date="2015-07-26" due-to="Ken
Geis, Balachandran Sivakumar">
         Add Email#getHeader(String) and Email#getHeaders() methods.
       </action>
+      <action dev="ggregory" type="fix">
+        CVE-2017-9801 - stripped all line-breaks from subjects in
+        order to prevent SMTP header injection.
+      </action>
     </release>
     <release version="1.4" date="2015-05-23">
       <action dev="tn" type="fix" issue="EMAIL-149" date="2015-03-10" due-to="Richard
DiCroce">

Modified: commons/proper/email/trunk/src/site/site.xml
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/site/site.xml?rev=1803679&r1=1803678&r2=1803679&view=diff
==============================================================================
--- commons/proper/email/trunk/src/site/site.xml (original)
+++ commons/proper/email/trunk/src/site/site.xml Tue Aug  1 18:33:48 2017
@@ -27,6 +27,7 @@
             <item name="Overview"                      href="/index.html"/>
             <item name="Download"                      href="http://commons.apache.org/email/download_email.cgi"/>
             <item name="User guide"                    href="/userguide.html"/>
+            <item name="Security Reports"              href="/security-reports.html"/>
             <item name="Latest API docs (development)" href="/apidocs/index.html"/>
             <item name="Javadoc (1.5 release)"         href="/javadocs/api-release/index.html"/>
             <item name="Javadoc (1.4 release)"         href="/javadocs/api-1.4/index.html"/>

Added: commons/proper/email/trunk/src/site/xdoc/security-reports.xml
URL: http://svn.apache.org/viewvc/commons/proper/email/trunk/src/site/xdoc/security-reports.xml?rev=1803679&view=auto
==============================================================================
--- commons/proper/email/trunk/src/site/xdoc/security-reports.xml (added)
+++ commons/proper/email/trunk/src/site/xdoc/security-reports.xml Tue Aug  1 18:33:48 2017
@@ -0,0 +1,82 @@
+<?xml version="1.0"?>
+<!--
+
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Commons Email Security Reports</title>
+        <author email="dev@commons.apache.org">Commons Documentation Team</author>
+    </properties>
+    <body>
+      <section name="General Information">
+        <p>For information about reporting or asking questions about
+        security problems, please see the <a
+        href="http://commons.apache.org/security.html">security page
+        of the Commons project</a>.</p>
+      </section>
+
+      <section name="Apache Commons Email Security Vulnerabilities">
+        <p>This page lists all security vulnerabilities fixed in
+        released versions of Apache Commons Email. Each
+        vulnerability is given a security impact rating by the
+        development team - please note that this rating may vary from
+        platform to platform. We also list the versions of Commons
+        Email the flaw is known to affect, and where a flaw has not
+        been verified list the version with a question mark.</p>
+
+        <p>Please note that binary patches are never provided. If you
+        need to apply a source code patch, use the building
+        instructions for the Commons Email version that you are
+        using.</p>
+
+        <p>If you need help on building Commons Email or other help
+        on following the instructions to mitigate the known
+        vulnerabilities listed here, please send your questions to the
+        public <a href="mail-lists.html">Commons Users mailing
+        list</a>.</p>
+
+        <p>If you have encountered an unlisted security vulnerability
+        or other unexpected behaviour that has security impact, or if
+        the descriptions here are incomplete, please report them
+        privately to the Apache Security Team. Thank you.</p>
+
+        <subsection name="Fixed in Apache Commons Email 1.5">
+          <p><b>Low: SMTP header injection vulnerabilty</b> <a
+          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9801">CVE-2017-9801</a></p>
+
+          <p>When passing text that contains line-breaks as the
+            subject of an email arbitrary SMTP headers can be added.</p>
+
+          <p>This was fixed in revisions
+          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1801385">1801385</a>
+          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1801388">1801388</a>
and
+          <a href="https://svn.apache.org/viewvc?view=revision&amp;revision=1801389">1801389</a>.</p>
+
+          <p>This was first reported to the Security Team on 27 June
+          2017 and made public on 1 August 2017.</p>
+
+          <p>Affects: 1.0 - 1.4</p>
+
+        </subsection>
+      </section>
+
+      <section name="Errors and Ommissions">
+        <p>Please report any errors or omissions to <a
+        href="mail-lists.html">the dev mailing list</a>.</p>
+      </section>
+    </body>
+</document>

Propchange: commons/proper/email/trunk/src/site/xdoc/security-reports.xml
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message