The Apache Software Foundation Blog
The Apache Weekly News Round-up: week ending 25 February 2022
Farewell, February -- we're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
- Next Board Meeting: 16 March 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 323 Apache Committers changed 1,586,514 lines of code over 3,215 commits. Top 5 contributors, in order, are: Claus Ibsen, Jean-Louis Monteiro, Andrea Cosentino, Gary Gregory, and Eric Milles.
Apache Project Announcements – the latest updates by category.
Application Servers/Middleware --
- Apache Karaf Decanter 2.9.0 released
Content --
- Apache Jackrabbit Oak 1.22.11 released
- Apache JSPWiki CVE-2022-24947: CSRF Account Takeover
-- CVE-2022-24948: Cross-site scripting vulnerability on User Preferences screen
FinTech --
- Apache Fineract 1.6.0 released
Network Client --
- Apache MINA 2.0.23, 2.1.6 released
Workflow --
- Apache Airflow CVE-2022-24288: RCE in example DAGs
Did You Know?
- Did you know that Apache Beam helps Palo Alto Networks meet streaming needs by providing a highly-performant, reliable, and resilient data processing framework for 10 million security events per second across 3 petabytes per day?
- Did you know that the Australian Department of Transport's Vehicle Inspection System webapp is powered by Apache Wicket?
- Did you know that Apache Ignite is a distributed cache, a distributed database, an in-memory database, and an in-memory data grid?
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- The Apache Month in Review: January 2022 and video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Inside Infra: the new interview series with members of the ASF infrastructure team -- meet
-- Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
-- Drew Foulks https://s.apache.org/InsideInfra-Drew
-- Greg Stein Part I https://s.apache.org/InsideInfra-Greg, Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
-- Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
-- Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
-- Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
-- Chris Lambertus Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2
- Follow the ASF on social media: @TheASF on Twitter and The ASF page on LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 02:49PM Feb 28, 2022
by Swapnil M Mane in Newsletter
The Apache Weekly News Round-up: week ending 18 February 2022
We're wrapping up another great week with the following activities from the Apache community:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
- Next Board Meeting: 16 March 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 350 Apache Committers changed 12,933,273 lines of code over 3,260 commits. Top 5 contributors, in order, are: Claus Ibsen, Udo Schnurpfeil, Andrea Cosentino, Mark Thomas, and Paul King.
Apache Project Announcements – the latest updates by category.
Big Data --
- Apache Accumulo 1.10.2 released
Content --
- Apache Tika 1.28.1 released
Libraries --
- Apache Commons JCS 3.1 released
Messaging --
- Apache ActiveMQ 5.16.4 released
Did You Know?
- Did you know that select Apache Projects and mentors are preparing for the upcoming GSoC 2022 (mentoring organizations will be announced on 7 March)? Those interested in participating can learn how to get involved at https://community.apache.org/gsoc.html
- Did you know that the next CloudStack European User Group will be held online on 7 April?
- Did you know that the CFP for Ignite Summit (taking place online on 14 June) closes on 29 April?
Posted at 03:55PM Feb 21, 2022
by Swapnil M Mane in Newsletter
The Apache Weekly News Round-up: week ending 11 February 2022
Hello, everyone -- let's review the Apache community's activities from over the past week:
Apache Software Foundation Statement at 8 February 2022 Senate Committee hearing on Homeland Security and Government Affairs https://s.apache.org/485lz
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
- Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 308 Apache Committers changed 5,335,315 lines of code over 2,989 commits. Top 5 contributors, in order, are: Gary Gregory, Emmanuel Lecharny, Mark Thomas, Liang Zhang, and Tilmann Zäschke.
Apache Project Announcements – the latest updates by category.
APIs --
- Apache APISIX 2.10.2 released
-- CVE-2022-24112: apisix/batch-requests plugin allows overwriting the X-REAL-IP header
Big Data --
- Apache Beam 2.36.0 released
- Apache Traffic Control 6.1.0 released
-- CVE-2022-23206: Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth
- Apache Tika 2.3.0 released
-- Apache Tika 1.x End-Of-Life (EOL) announcement https://s.apache.org/lkqid
- Apache Jackrabbit 2.21.10 released
Database --
- Apache JDO 3.2 released
- Apache Cassandra CVE-2021-44521: Remote code execution for scripted UDFs
- Apache James 3.6.2 released
-- CVE-2022-22931: Path traversal in Apache James
Web Frameworks --
- Apache Wicket 9.8.0 released
Did You Know?
- Did you know that you can scale Apache SkyWalking in Kubernetes natively? https://skywalking.apache.org/blog/2022-01-24-scaling-with-apache-skywalking/
- Did you know that the next Apache Ignite Community Gathering MeetUp will take place online on 16 February?
- Did you know that the ASF's seven-member Infrastructure team performs 7M+ weekly checks to ensure services are available around the clock to all Apache Projects and their communities? Average uptime in January 2022 was 100%!
Posted at 02:35PM Feb 14, 2022
by Swapnil M Mane in Newsletter
Foundation Statement at 8 February 2022 Senate Committee hearing on Homeland Security and Government Affairs
“Responding to and Learning from the Log4Shell Vulnerability”
Opening Statement by David Nalley
President, Apache Software Foundation
Senate Committee on Homeland Security and Government Affairs
February 8, 2022
Chairman Peters, Ranking Member Portman, and distinguished members of the Committee: thank you for the invitation to appear this morning.
My name is David Nalley, and I am the President of the Apache Software Foundation (ASF). The ASF is a non-profit public-benefit charity established in 1999 to facilitate the development of open source software. Thanks to the ingenuity and collaboration of our community of programmers, the ASF has grown into one of the largest open source organizations in the world. Today, more than 650,000 contributors around the world contribute to more than 350 ongoing projects, comprising more than 237 million lines of code.
Open source is not simply a large component of the software industry -- it is one of the foundations of the modern global economy. Whether they realize it or not, most businesses, individuals, non-profits, or government agencies depend on open source; it is an indispensable part of America’s digital infrastructure.
Projects developed from open source, like Log4j, tend to resolve problems that many people have, essentially serving as reusable building blocks for solving those problems. This enables faster innovation because it eliminates the need for every company or developer to reimplement software for already solved problems. This efficiency allows programmers to stand on the shoulders of giants. The ASF provides a vendor-neutral environment to enable interested programmers – oftentimes direct competitors of one another – to do this common work together in transparent, open-handed cooperation.
This is the essence of open-source software: brilliant individuals contributing their time and expertise to do unglamorous work solving problems – many with the intent of incorporating the results into their employer’s products. And it’s why I’ve dedicated my professional life to it.
Log4j – first released by Apache in 2001 – is the product of just this kind of collaboration. It performs a particular set of functions, like recording a computer’s operating events, so well that it has been used in products as diverse as storage management software, software development tools, virtualization software and (most famously) the Minecraft video game. As Log4j’s footprint grew over the years, so did its feature list. It was a 2013 addition to Log4j, along with a part of the Java programming environment, that combined in such a way that exposed this security flaw.
The vulnerability was reported to Apache’s Log4j team late November 2021, after having been latent for many years. The Apache Logging project, and Apache’s Security team immediately got to work addressing the vulnerability in the code. The full solution was released approximately two weeks later. Given the near ubiquity of Log4j’s use, it may be months or even years before all deployed instances of this vulnerability are eliminated. As a software professional myself, I am proud of how the Logging project and the ASF’s security team (and many others across the ASF’s projects) responded and remediated last fall. We acted quickly and in accordance with practices we have adopted over many years of supporting a diverse set of open source projects. We will continue to develop our projects in responding to and preventing security vulnerabilities.
Moreover, every stakeholder in the software industry – including its largest customers, like the federal government – should be investing in software supply chain security. While ideas like the Software Bills of Materials won’t prevent vulnerabilities, they can mitigate the impact by accelerating the identification of potentially vulnerable software. However, the ability to quickly update to the most secure and up-to-date versions remains a significant hurdle for the software industry.
The reality is that humans write software, and as a result there will continue to be bugs, and despite best efforts some of those will include security vulnerabilities. As we continue to become ever more connected and digital, the number of vulnerabilities and potential consequences are likely to grow. There is no easy software security solution - it requires defense in depth – incorporating upstream development in open source projects, vendors that incorporate these projects, developers that make use of the software in custom applications, and even down to the organizations that deploy these applications to provide services important to their users.
Rather than shying away from this risk, I submit that software developers, open-source communities, and federal policymakers should face it head-on together – with the determination and the vigilance it demands.
Thank you again, and I look forward to answering any questions you might have.
Posted at 06:16PM Feb 08, 2022
by Sally Khudairi in General
The Apache Weekly News Round-up: week ending 4 February 2022
Welcome, February -- we're opening the month with another great week. Here's what the Apache community has been up to:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
- Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 99.89%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 303 Apache Committers changed 9,625,849 lines of code over 3,255 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Claus Ibsen, Sebastian Bazley, Guillaume Nodet, and Eric Milles.
Apache Project Announcements – the latest updates by category.
Apache Attic -- provides process and solutions when an Apache project has reached its end of life.
- Apache Ambari is retired
- Apache Usergrid is retired
APIs --
- Apache APISIX 2.12.0 released
- Apache Kyuubi (incubating) 1.4.1-incubating released
- Apache Hudi 0.10.1 released
- Apache Gobblin CVE-2021-36151: Local Credentials Disclosure Vulnerability
Business Intelligence --
- Apache Superset CVE-2021-44451: API sensitive information leak
- Apache Jackrabbit Oak 1.8.26 released
Integration --
- Apache Camel 3.15.0 released
Messaging --
- Apache Pulsar CVE-2021-41571: Pulsar Admin API allows access to data from other tenants using getMessageById API
Middleware --
- Apache Linkis (incubating) released
- Apache Groovy 4.0.0 released
Servers --
- Apache HttpComponents Client 5.1.3 GA released
- Apache HTTP mod_perl 2.0.12 released
Web Frameworks --
- Apache Wicket 8.14.0 released
Did You Know?
- Did you know that the following Apache Projects are celebrating anniversaries this month? Congratulations to Apache HTTP Server (27 years!); Gump and Portals (18 years); Directory, MyFaces, and Xerces (17 years); Tapestry (16 years); Roller (15 years); Cassandra and Subversion (12 years); Chemistry (11 years); BVal and OpenNLP (10 years); Clerezza (9 years); Knox and Spark (8 years); DataFu (4 years); Unomi (3 years); Daffodil, Ratis, and Solr (2 years)! https://projects.apache.org/committees.html?date
- Did you know that the ASF is joining the Open Geospatial Consortium and Open Source Geospatial Foundation to hold the 2022 Joint OGC-OSGeo-ASF Code Sprint, taking place 8-10 March? Those interested in helping advance OGC Standards through numerous Apache and OSGeo projects are invited to learn more and sign up at https://portal.ogc.org/public_ogc/register/220225asf_codesprint.php
- Did you know that the CFP for Airflow Summit (taking place online 23-27 May) is now open?
Posted at 02:21PM Feb 07, 2022
by Swapnil M Mane in Newsletter
Apache Month in Review: January 2022
Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in January [video highlights available]:
New This Month --
- Apache in 2021 - By The Digits – a look at the achievements from the Apache Community over the past 12 months
-- Summary and stats at https://s.apache.org/Apache2021Digits
-- Video highlights https://youtu.be/GU0SV_2tWkU
- Apache Software Foundation statement on White House Open Source Security Summit
- Apache Month in Review: December 2021
- ASF Security Report 2021 – the annual state of security across all Apache projects
- The Apache Software Foundation Announces Open Source data orchestration platform Apache® Hop™ as a Top-Level Project
Important Dates --
- Next Board Meeting: 16 February 2022. Board calendar and minutes
Infrastructure --
In January, 672 Apache Committers changed 14,033,278 lines of code over 15,480 commits. The Committers with the top 5 highest contributions, in order, were: Gary Gregory, Claus Ibsen, Mark Thomas, Jarek Potiuk, and Sebastian Bazley.
Project Releases and Updates --
New releases from Apache Airflow (Workflow); APISIX (API); Avro (Big Data); Camel (Integration); DolphinScheduler (Workflow); Flink (Big Data); Geode (Database); Guacamole (Network Client); Hop (Orchestration); Ignite (Big Data); Jackrabbit (Content); James (Mail); Kafka (Big Data); Karaf (Application Servers/Middleware); Knox (Big Data); Log4j (Libraries); MINA (Network Client/Server); NiFi (Big Data); OFBiz (Enterprise Processes Automation / ERP); POI (Content); Portals (Web Frameworks); ShardingSphere (Big Data); ShenYu (Incubating; API); Skywalking (Application Performance Management); Struts (Web Frameworks); Tomcat (Servers); Tuweni (Incubating; Blockchain); and TVM (Machine Learning).
The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. More than three dozen projects are currently undergoing development in the Apache Incubator.
# # #
To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!
Posted at 08:58PM Feb 01, 2022
by Swapnil M Mane in Newsletter