The Apache Software Foundation
Blogging in Action.

The Apache Weekly News Round-up: week ending 21 January 2022

We're wrapping up another great week with the following activities from the Apache community:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 339 Apache Committers changed 2,470,884 lines of code over 3,505 commits. Top 5 contributors, in order, are: Gary Gregory, Claus Ibsen, Adam Kocoloski, Mark Thomas, and Tian Jiang. 

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX Java Plugin Runner 0.2.0 released

Application Servers/Middleware --
 - Apache Karaf runtime 4.2.15 and 4.3.6 released

Big Data --
 - Apache NiFi 1.15.3 released
 - Apache Flink 1.14.3 released
 - Apache ShardingSphere ElasticJob UI 3.0.1 released
 - Apache Knox 1.6.1 released
   -- CVE-2021-42357: DOM based XSS Vulnerability 

Content --
 - Apache POI 5.2.0 released 

Databases --
 - Apache Geode 1.12.8, 1.13.7 and Kafka Connector 1.1.0 released

Data Management Platform --
 - Apache Ignite 2.12.0 released 

Enterprise Processes Automation / ERP --
 - Apache OFBiz 17.12 End-Of-Life (EOL) announcement https://s.apache.org/hm5oe

Libraries --
 - Apache Log4j CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x
   -- CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1 
   -- CVE-2022-23307: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution 

Orchestration --
 - The Apache Software Foundation Announces Open Source data orchestration platform Apache® Hop™ as a Top-Level Project https://s.apache.org/4s3ci

Observability --
 - Apache SkyWalking Could on Kubernetes 0.6.1 released

Servers --
 - Apache Tomcat 8.5.75, 9.0.58, 10.0.16, and 10.1.0-M10 (alpha) released 

Workflow --
 - Apache Airflow CVE-2021-45230: Creating DagRuns didn't respect Dag-level permissions in the Webserver 

Did You Know?

 - Did you know that the following Apache projects are celebrating anniversaries this month? Congratulations to Apache Cocoon, James, and Web Services (19 years); Lucene (17 years); ActiveMQ (15 years); Hadoop (14 years); River (11 years); Empire-db and Gora (10 years); OpenMeetings (9 years); Samza (7 years); Arrow (6 years); Ranger (5 years); and Gobblin (1 year) https://projects.apache.org/committees.html?date

 - Did you know that Netflix and Target are building modern analytics applications to deliver interactive data experiences using Apache Druid? 

 - Did you know that Disney+Hotstar's streaming data lakes injest 1 million events per second using Apache Kafka, store 14tb of data per day in an Apache HBase warehouse, and stream using Apache Hudi? https://projects.apache.org/projects.html?category

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: December 2021 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:06PM Jan 24, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 14 January 2022

Happy Friday! Let's take a look at what the Apache community has been up to over the past week:

ASF Security Report 2021 – the state of security across all Apache projects with key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues https://s.apache.org/SecurityReport2021

Apache Software Foundation statement on White House Open Source Security Summit https://s.apache.org/jri14

 - Next Board Meeting: 19 January 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 322 Apache Committers changed 1,963,025 lines of code over 3,852 commits. Top 5 contributors, in order, are: Gary Gregory, Antoine Toulme, Claus Ibsen, Mark Thomas, and Dan Klco. 

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Flink ML 2.0.0 released

Content --
 - Apache Jackrabbit 2.16.9 released

Machine Learning --
 - Apache TVM 0.8.0 released

Network Client --
 - Apache Guacamole 1.4.0 released
   -- CVE-2021-41767: Private tunnel identifier may be included in the non-private details of active connections 
   -- CVE-2021-43999: Improper validation of SAML responses 

Observability --
 - Apache SkyWalking Kong version 0.2.0 released

Workflow --
 - Apache DolphinScheduler 2.0.2 released
 - Apache Airflow Helm Chart 1.4.0 released

Did You Know?

 - Did you know that more than 630,000 individuals have contributed to Apache projects and initiatives since the ASF's incorporation in 1999? https://blogs.apache.org/foundation/entry/apache-in-2021-by-the 

 - Did you know that Apache DolphinScheduler won a "2021 OSC Most Popular Projects" award from OSCHINA?

 - Did you know that video recordings from the 2021 TVMCon (Apache TVM and Open Source ML acceleration conference) are now available online?

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: December 2021 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:56PM Jan 17, 2022 by Swapnil M Mane in Newsletter  |   | 

Apache Software Foundation Security Report: 2021

Synopsis: This report explores the state of security across all of The Apache Software Foundation projects for the calendar year 2021. We review key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues.

Released: January 2022

Author: Mark Cox, Vice President Security, The Apache Software Foundation

Background

The security committee of The Apache Software Foundation (ASF) oversees and coordinates the handling of vulnerabilities across all of the 350+ Apache projects.  Established in 2002 and composed of all volunteers, we have a consistent process for how issues are handled, and this process includes how our projects must disclose security issues.

Anyone finding security issues in any Apache project can report them to security@apache.org where they are recorded and passed on to the relevant dedicated security teams or private project management committees (PMC) to handle.  The security committee monitors all the issues reported across all the projects and keeps track of the issues throughout the vulnerability lifecycle.  

The security committee is responsible for ensuring that issues are dealt with properly and actively reminds projects of their outstanding issues and responsibilities.  As a board committee, we have the ability to take action including blocking their future releases or, worst case, archiving a project if such projects are unresponsive to handling their security issues.  This, along with the Apache License v2,0, are key parts of the ASF’s general oversight function around official releases, allowing the ASF to protect individual developers and giving users confidence to deploy and rely on ASF software.  

The oversight into all security reports, along with tools we have developed, gives us the ability to easily create metrics on the issues.  Our last report covered the metrics for 2020.

Statistics for 2021

In 2021 our security email addresses received in total ~18,500 emails. After spam filtering and thread grouping there were 1272 (2020: 946, 2019: 620) non-spam threads.  Unfortunately security reports do sometimes look like spam, especially if they include lots of attachments or large videos, and so the security team are careful to review all messages to ensure real reports are not missed for too long.

Diagram 1: Breakdown of ASF security email threads for calendar year 2021

Diagram 1 gives the breakdown of those 1272 threads.  359 threads (28%) were people confused by the Apache License.  As many projects use the Apache License, not just those under the ASF umbrella, people can get confused when they see the Apache License and they don't understand what it is. This is most common for example on mobile phones where the licenses are displayed in the settings menu, usually due to the inclusion of software by Google released under the Apache License.  We no longer reply to these emails. This is up from the 257 received in 2020.

The next 337 of the 1272 (26%) are email threads with people asking non-security (usually support-type) questions.

The next 135 of those reports were researchers reporting issues in an Apache web site.  These are almost always false positives; where a researcher reports us having directory listings enabled, source code visible, public “.git” directories, and so on.  These reports are generally the unfiltered output of some publicly available scanning tool, and often where the reporter asks us for some sort of monetary reward (bounty) for their report.

That left 441 (2020: 376, 2019: 320) reports of new vulnerabilities in 2021, which spanned 99 of the top level projects.  These 441 reports are a mix of external reporters and internal. For example, where a project has found an issue themselves and followed the ASF process to assign it a CVE (Common Vulnerabilities and Exposures) name and address it, we’d still count it here.  We don’t keep metrics that would give the breakdown of internal vs external reports.

The next step is that the appropriate project triages the report to see if it's really an issue or not.  Invalid reports and reports of things that are not actually vulnerabilities get rejected back to the reporter.  Of the remaining issues that are accepted they are assigned appropriate CVE names and eventually fixes are released.

As of January 1st 2022, 50 of those 441 reports were still under triage and investigation. This is where a project was working on an issue and had not rejected the issue or assigned it a CVE as of the snapshot taken on January 1st 2022.  This number was higher than what we’d normally expect and was due to the large influx of reports that came at the end of December 2021.

The remaining 391 (2020: 341, 2019: 301) reports led to us assigning 183 (2020: 151, 2019: 122) CVE names.  Some vulnerability reports may include multiple issues, some reports are across multiple projects, and some reports are duplicates where the same issue is found by different reporters, so there isn't an exact one-to-one mapping of accepted reports to CVE names.  The Apache Security committee handles CVE name allocation and is a MITRE Candidate Naming Authority (CNA), so all requests for CVE names in any ASF project are routed through us, even if the reporter is unaware and contacts MITRE directly or goes public with an issue before contacting us.

Noteworthy events

During 2021 there were a few events worth discussing; either because they were severe and high risk, they had readily available exploits, or there was media attention. These included:

• January: A cross-site scripting (XSS) flaw was found in the default error page of Apache Velocity (CVE-2020-13959) which affected a number of public visible websites. Despite a fix being available it then took several months to produce a new release to include the fix, causing the reporter to publicise it early. As a consequence, the security team did a deeper dive through all the outstanding open issues with the affected PMCs to ensure they were all being handled.

• January: A report was published which showed how malware is still exploiting Apache ActiveMQ instances that have not been patched for over 5 years (CVE-2016-3088)

• June: The Airflow PMC published a blog about how they handle security issues, how users are sometimes slow to deploy updates (CVE-2020-17526), and how flaws in dependencies can affect Airflow.

• July: A third-party blog explained how threat actors are exploiting mis-configured Apache Hadoop YARN services

• August: A researcher discovered a number of issues in HTTP/2 implementations.  The Apache HTTP Server was affected by a moderate vulnerability (CVE-2021-33193)

• September: A keynote presentation at ApacheCon 2021 discussed the security committee, the US Executive Order on Improving the Nation’s Cybersecurity, and third party security projects such as those under the OpenSSF.

• September: A flaw in Apache OpenOffice could allow a malicious document to run arbitrary code if opened (CVE-2021-33035)

• October: A critical issue was found in the Apache HTTP Server. The default configuration protected against this vulnerability, but in custom configurations without those protections, and with CGI support enabled, this could lead to remote code execution (CVE-2021-41773). The issue was fixed in an update 5 days after the issue was reported to the security team, however the fix was quickly found to be insufficient and a further update to fully address it was released 3 days after that (CVE-2021-42013). A MetaSploit exploit exists for this issue.

• October: The Internet Bug Bounty from HackerOne extended their program to include Apache Airflow, the Apache HTTP Server, and Apache Commons.  Unlike many other programs, this program relies on vulnerability finders following the standard ASF notification process, and allows finders to claim a reward for eligible issues after the fix is available and the issue is public.

• December: A vulnerability in Log4J 2 (CVE-2021-44228, “Log4Shell”), a popular and common Java logging library, allowed remote attackers to achieve remote code execution in a default and likely installation.  The issue was widely exploited, starting the day before a release with a fix was published.  There is a MetaSploit exploit module for this issue. After the fixed release a few subsequent Log4J vulnerabilities were also fixed, but none had the same impact or default conditions.  

• December: The ASF is invited to a forum in 2022 around open source security. White House Extends Invitation to Improve Open-Source Security.  We produced a position paper in advance of the meeting.

• Other RCE exploits were also released in 2021 for vulnerabilities fixed in Apache OFBiz (CVE-2020-9496, CVE-2021-26295), Apache Airflow (in examples CVE-2020-11978), Apache Druid (CVE-2021-25646), Apache Tapestry (CVE-2021-27850), and Apache Storm (CVE-2021-38294).

Timescales

Our security teams and project management teams are all volunteers and so we do not give any formal SLA on the handling of issues.  However we can break down our aims and goals for each part of the process:

Triage: Our aim is to handle incoming mails to the security@apache.org alias within three working days.  We do not measure or report on this because we assess the severity of each incoming issue and apply the limited resources we have appropriately.  The alias is staffed by a very small number of volunteers taken from the different project PMCs.  After the security team forwards a report to a PMC, the PMC will reply to the reporter.  Sometimes reporters send reports attaching large PDF files or even movies of exploitation that don’t make it to us due to size restrictions on incoming email, so please ensure any follow ups are a simple plain text email.

Investigation: Once a report is sent to the private list of the projects management committee, the process of triage and investigation varies in time depending on the project, availability of resources, and number of issues to be assessed.  As security issues are dealt with in private, we send reports to a private list made up only of the PMC. Therefore these reports do not reach every project committer, so there is a smaller set of people in each project able to investigate and respond.  As a general guideline we try to ensure projects have triaged issues within 90 days of the report.  The ASF security team follow-up on any untriaged issues over 90 days old.

Fix: Once a security issue is triaged and accepted, the timeline for the fixing of issues depends on the schedules of the projects themselves.  Issues of lower severity are most often held to pre-planned releases.  

Announcement: Our process allows projects up to a few days between a fix release being pushed and the announcement of the vulnerability.  All vulnerabilities and mitigating software releases are announced via the announce@apache.org list.  We now aim to have them appear in the public CVE project list within a day of that announcement, and even quicker for critical issues.

Conclusion

The Apache Software Foundation projects are highly diverse and independent.  They have different languages, communities, management, and security models.  However one of the things every project has in common is a consistent process for how reported security issues are handled. 

The ASF Security Committee works closely with the project teams, communities, and reporters to ensure that issues get handled quickly and correctly.  This responsible oversight is a principle of The Apache Way and helps ensure Apache software is stable and can be trusted.

This report gave metrics for calendar year 2021 showing from the 18,500 emails received we triaged over 390 vulnerability reports relating to ASF projects, leading to fixing 183 (CVE) issues.  The number of non-spam threads dealt with was up 34% from 2020 with the number of actual vulnerability reports up 17% and assigned CVE up 21%.

While the ASF often gets updates for critical issues out quickly, reports show that users are being exploited by old issues in ASF software that have failed to be updated for years, and vendors (and, thus, their users) still make use of end of life versions which have known unfixed vulnerabilities. This will continue to be a big problem and we are committed to engaging on this industry-wide problem to figure out what we can do to help.

If you have vulnerability information you would like to share please contact us or for comments on this report see the public security-discuss mailing list.

Posted at 03:51PM Jan 10, 2022 by Sally Khudairi in General  |   | 

The Apache Weekly News Round-up: week ending 7 January 2022

Welcome, 2022! We hope that you have had a festive holiday season and are excited to kick off the new year. Here's what happened over the past week:

 - Next Board Meeting: 19 January 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.98%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 280 Apache Committers changed 2,780,891 lines of code over 2,868 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Gary Gregory, Mark Thomas, Harikrishna Patnala, and Claus Ibsen. 

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Avro 1.11.0 released
   -- CVE-2021-43045: Possible DOS vulnerabilities in C# Avro SDK

Enterprise Processes Automation / ERP --
 - Apache OFBiz 18.12.05 released

Integration --
 - Apache Camel 3.11.5 (LTS) released 

Mail --
 - Apache James 3.6.1 released
    -- CVE-2021-38542: STARTTLS command injection (IMAP and POP3)
    -- CVE-2021-40110: IMAP vulnerable to a ReDoS
    -- CVE-2021-40111: IMAP parsing Denial Of Service
    -- CVE-2021-40525: Sieve file storage vulnerable to path traversal attacks 

Network Client --
 - Apache Guacamole 1.4.0 released
 - Apache MINA FTPServer 1.1.2 released

Web Frameworks--
 - Apache Struts 2.5.28.3 released
 - Apache Portals 3.1.1 released
   -- CVE-2021-36737: XSS in V3 Demo Portlet
   -- CVE-2021-36738: XSS vulnerability in the JSP version of the Pluto Applicant MVCBean CDI portlet
   -- CVE-2021-36739: XSS vulnerability in the MVCBean JSP portlet maven archetype

Did You Know?

 - Did you know that in 2021, 724 individuals new to the ASF contributed to Apache projects and initiatives? https://s.apache.org/Apache2021Digits

 - Did you know that Apache Druid is frequently used for AdTech data? https://druid.apache.org/

 - Did you know that PulsarSummit Asia 2022 will be held online on January 15-16? https://pulsar-summit.org/

Apache Community Notices

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:38PM Jan 10, 2022 by Swapnil M Mane in Newsletter  |   | 

Apache in 2021 - By The Digits

During 2021 the all-volunteer Apache community has demonstrated unwavering commitment to our tenet of "Community Over Code." Highlights over the past year include —[Read More]

Posted at 06:47PM Jan 03, 2022 by Sally Khudairi in Milestones  |   | 

Apache Month in Review: December 2021

Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in December  [video highlights available] :

New This Month --

- Apache Month in Review: November 2021

Important Dates --

- Next Board Meeting: 19 January 2022. Board calendar and minutes

Infrastructure --

In December, 600 Apache Committers changed 23,123,232 lines of code over 13,572 commits. The Committers with the top 5 highest contributions, in order, were: Gary Gregory, Claus Ibsen, Jean-Baptiste Onofré, Harikrishna Patnala, and Andi Huber.

Project Releases and Updates --
New releases from Apache Airflow (Workflow); APISIX (API); Archiva (Build Management); Calcite (Big Data); Camel (Integration); Daffodil (Libraries); DolphinScheduler (Workflow); Druid (Big Data); Flink (Big Data); Fortress (Identity Management); Geode (Database); Groovy (Programming Languages); HBase (Big Data); HttpComponents (Servers); HTTP Server (Servers); Ignite (Big Data); IoTDB (IoT); Jackrabbit (Content); James (Mail); JMeter (Testing); JSPWiki (Content); Karaf (Application Servers/Middleware); Kyuubi (Incubating; Big Data); Log4j (Libraries); Lucene (Search); MXNet (Incubating; Libraries); NetBeans (Integrated Development Environment); NiFi (Big Data); OFBiz (Enterprise Processes Automation / ERP); Parquet (Big Data); PDFBox (Content); PLC4X (IoT); Pulsar (Messaging); Qpid (Messaging); Skywalking (Application Performance Management); Solr (Search); Struts (Web Frameworks); Tika (Big Data); Tomcat (Servers); Traffic Control (Servers); Wicket (Web Frameworks); and XMLBeans (Library).

Apache Project Anniversaries in December: Apache Portable Runtime (APR; 21 years); Logging Services (18 years); Cayenne and OFBiz (15 years); Synapse (14 years); Camel (13 years); Axis, OpenWebBeans, Pivot (12 years); Aries (11 years); Flex (9 years); Helix (8 years); Flink (7 years); Beam (5 years); Airflow (3 years); Druid (2 years); DataSketches (1 year); ECharts (1 year); and Mnemonic (1 year). Many happy returns!

The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. More than three dozen projects are currently undergoing development in the Apache Incubator.

# # #

To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!

Posted at 04:52PM Jan 03, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 31 December 2021

Here we are --the last day of the year-- we wish everyone a happy new year. Thank you for your dedicated readership: below is our final weekly round-up for 2021; we'll be back in your inbox in 2022:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 19 January 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 183 Apache Committers changed 8,306,446 lines of code over 2,124 commits. Top 5 contributors, in order, are: Gary Gregory, Claus Ibsen, Michael Osipov, Jacques Le Roux, and Tilman Hausherr.

Apache Project Announcements – the latest updates by category.

Application Servers/Middleware --
 - Apache Karaf runtime 4.2.14 and 4.3.5 released 

Big Data --
 - Apache XMLBeans 5.0.3 released

IoT --
 - Apache IoTDB 0.12.4 released 

Eventing --
 - Apache EventMesh (incubating) 1.3.0 released 

Libraries --
 - Apache Log4j 2.3.2 and 2.12.4 released 

Messaging -- 
 - Apache Qpid ProtonJ2 1.0.0-M4 released
 - Apache Pulsar 2.7.4 released

Observability --
 - Apache SkyWalking Nginx LUA 0.6.0 and Satellite 0.5.0 released 

Programming Languages --
 - Apache Groovy 4.0.0-rc-2 released

Testing --
 - Apache JMeter 5.4.3 released

Did You Know?

 - Did you know that the latest details on Apache Log4j vulnerabilities are available on the Apache Logging Services security page? https://logging.apache.org/log4j/2.x/security.html

 - Did you know that dozens of organizations such as Amazon, AT&T, Facebook (Meta), Uber, and Zillow use Apache Sedona (incubating) for their geospatial data processing pipelines? 

 - Did you know that tax-deductible donations support the ASF's day-to-day operations that benefit 350+ Apache Projects and their communities? Donate online using ACH, credit card, PayPal, Apple Pay, Google Pay, and Microsoft Pay https://donate.apache.org/

Apache Community Notices

 - The Apache Month in Review: November 2021 https://s.apache.org/November2021 and video highlights https://youtu.be/L1qMXw5MxJQ

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 03:25PM Jan 03, 2022 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 24 December 2021

Happy Friday, everyone. The Apache community has had another great week. Let's review what we've been up to:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 19 January 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 317 Apache Committers changed 9,133,089 lines of code over 3,258 commits. Top 5 contributors, in order, are: Gary Gregory, Harikrishna Patnala, Claus Ibsen, Duo Zhang, and Andi Huber.

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache NiFi 1.15.2 released
 - Apache HBase 3.0.0-alpha-2 released
 - Apache Parquet 1.11.2 and 1.12.2 released
   -- CVE-2021-41561: Potential DoS in case of malicious Parquet file

Build Management --
 - Apache Archiva 2.2.7 released

Content --
 - Apache JSPWiki 2.11.1 released
 - Apache Traffic Control 6.0.2 released
 - Apache Jackrabbit FileVault 3.5.8  released
 - Apache Tika 1.28 and 2.2.1 released

Databases --
 - Apache Geode 1.12.7, 1.13.6, and 1.14.2 released 

Data Management Platform --
 - Apache Ignite 2.11.1 released

IoT --
 - Apache PLC4X 0.9.1 released
   -- CVE-2021-43083: Buffer overflow in PLC4C via crafted server response 

Enterprise Processes Automation / ERP --
 - Apache OFBiz 18.12.04 released 

Libraries --
 - Apache Log4j 2.3.1, 2.12.3, and 2.17.0 released
   -- CVE-2021-45105: Log4j2 does not always protect from infinite recursion in lookup evaluation
 - Apache MXNet (Incubating) 1.9.0 released
 - Apache Daffodil 3.2.1 released

Mail --
  - Apache James 3.6.1 released 

Messaging -- 
 - Apache Qpid JMS 0.60.1, 0.61.0, 1.4.1, and 1.5.0 released
 - Apache Pulsar 2.9.1 released 

Search --
 - Apache Lucene 8.11.1 released
 - Apache Solr 8.11.1 released
   -- CVE-2021-44548: Apache Solr information disclosure vulnerability through DataImportHandler 

Servers --
 - Apache HTTP Server 2.4.52 released
   -- CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua
   -- CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations
 - Apache HttpComponents Core 5.1.3 GA released

Web Frameworks--
- Apache Struts 2.5.28.1 and 2.5.28.2 released 

Workflow --
 - Apache DolphinScheduler 2.0.1 released
 - Apache Airflow 2.2.3 released

Did You Know?

 - Did you know that ASF Security posted the status of more than three dozen Apache Projects in relation to the recent Apache Log4j vulnerability? https://blogs.apache.org/security/entry/cve-2021-44228 (please check individual projects not included in this list for updates)

 - Did you know that Apache Roller (which powers blogs.apache.org) new v6.1.0 contains upgrades for more than a dozen dependencies (including Log4j), along with many bug fixes and improvements to the code base? https://roller.apache.org/

 - Did you know that tax-deductible donations support the ASF's day-to-day operations that benefit 350+ Apache Projects and their communities? Donate online using ACH, credit card, PayPal, Apple Pay, Google Pay, and Microsoft Pay https://donate.apache.org/

Apache Community Notices

 - The Apache Month in Review: November 2021 https://s.apache.org/November2021 and video highlights https://youtu.be/L1qMXw5MxJQ

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:38PM Dec 27, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 17 December 2021

We're wrapping up another great week with the following activities from the Apache community:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 19 January 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 346 Apache Committers changed 1,957,663 lines of code over 3,699 commits. Top 5 contributors, in order, are: Sebastian Bazley, Claus Ibsen, Owen Nichols, Gary Gregory, and Daniel Gruno.  

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Druid 0.22.1 released
 - Apache Calcite Avatica 1.20.0 released
 - Apache NiFi 1.15.1 released
 - Apache Flink 1.14.2, 1.13.5, 1.12.7, and 1.11.6 released 

Build Management --
 - Apache Archiva 2.2.6 released

Content --
 - Apache Jackrabbit 2.21.9  released
 - Apache Tika 2.2.0 released
 - Apache PDFBox 2.0.25 released 

Databases --
 - Apache Geode 1.12.6, 1.13.5, and 1.14.1 released 

Enterprise Processes Automation / ERP --
 - Apache OFBiz 18.12.03 released

Identity Management --
 - Apache Fortress 2.0.7 released 

Integration --
 - Apache Camel 3.14.0 released

Libraries --
 - Apache Log4j 2.12.2 and 2.16.0 released
   -- CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
   -- CVE-2021-45046: Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

Search --
 - Apache Solr 8.11.1 released 

Servers --
 - Apache HttpComponents HttpAsyncClient 4.1.5 GA released 

Testing --
 - Apache JMeter 5.4.2 released 

Web Frameworks --
 - Apache Struts 2.5.28 released

Did You Know?

 - Did you know that the Apache Logging Services Project Management Committee (PMC) worked around the clock to release v.2.15.0 and v2.16.0 to address the critical Log4j RCE vulnerability? https://logging.apache.org/log4j/2.x/

 - Did you know that many Apache Projects and their communities have provided patches, fixes, or guidelines for their users to mitigate the recent Apache Log4j Zero Day vulnerability? Check the list of Apache Projects affected by the Log4j CVE https://blogs.apache.org/security/entry/cve-2021-44228 , and read our published statement and FAQs at https://blogs.apache.org/foundation/entry/apache-log4j-cves for more information.

 - Did you know that the Apache Local Chapter/Beijing recently celebrated its 2-year anniversary, joining Indore (2.5 years), Warsaw and Budapest (1.5 years), Lagos (4 months), and Shenzhen (launching this week!)? 

- Did you know that individuals and organizations can support the ASF through one-time and recurring tax-deductible donations online using ACH, credit card, and PayPal, as well as Apple Pay, Google Pay, and Microsoft Pay (using your mobile device)? https://donate.apache.org/

Apache Community Notices

 - The Apache Month in Review: November 2021 https://s.apache.org/November2021 and video highlights https://youtu.be/L1qMXw5MxJQ

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:14PM Dec 20, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 10 December 2021

Hello, everyone --let's review the Apache community's activities from over the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 December 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.80%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 286 Apache Committers changed 2,227,208 lines of code over 2,986 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Mark Thomas, Sylwester Lachiewicz, Andi Huber, and Claus Ibsen.

Apache Project Announcements – the latest updates by category.

Apache Attic --provides process and solutions when an Apache project has reached its end of life.
 - Apache Joshua is now retired

Big Data --
 - Apache Kyuubi (incubating) 1.4.0-incubating released

IDE --
 - Apache NetBeans 12.6 released

Libraries --
 - Apache Daffodil 3.2.0 released
 - Apache Log4j 2.15.0 released
   -- CVE-2021-44228: JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints

Observability --
- Apache SkyWalking 8.9.0, Satellite 0.4.0, and Kubernetes 4.2.0 released

Programming Languages --
 - Apache Groovy 4.0.0-rc-1 released

Search --
 - Apache Lucene 9.0.0 released

Servers --
 - Apache Tomcat 10.1.0-M8 (alpha), 10.0.14, and 9.0.56 released
 - Apache HttpComponents Core 4.4.15 released

Did You Know?

 - Did you know that Banco Central Do Brasil uses Apache Wicket for its Central Bank's Circulation Management System?

 - Did you know that the Apache Pinot Annual Recap and Roadmap MeetUp has been rescheduled to 13 December?

 - Did you know that individuals and organizations can support the ASF through one-time and repeat donations (weekly/monthly/quarterly/annually) online using ACH, credit card, and PayPal, as well as Apple Pay, Google Pay, and Microsoft Pay (using your mobile device)? https://donate.apache.org/

Apache Community Notices

 - The Apache Month in Review: November 2021 https://s.apache.org/November2021 and video highlights https://youtu.be/L1qMXw5MxJQ

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 09:43PM Dec 13, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 3 December 2021

Welcome, December --we're opening the month with another great week. Here's what the Apache community has been up to:

Apache Month in Review – a round-up of our Round-ups and other newsworthy bits over the past month.
 - November Month in Review

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 December 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.74%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 286 Apache Committers changed 9,525,136 lines of code over 4,725 commits. Top 5 contributors, in order, are: Krist Wongsuphasawat, Jesse Yang, Yongjie Zhao, Gary Gregory, and Ville Brofeldt.

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX 2.11.0 released

Web Frameworks -
 - Apache Wicket 9.7.0 released

Did You Know?

 - Did you know that the following Apache Projects are celebrating anniversaries this month? Congratulations to Apache Ant (19 years); HttpComponents (14 years); Attic, Buildr, CouchDB, and Qpid (13 years); Community Development (12 years); OODT and ZooKeeper (11 years); Kafka and Syncope (9 years); Ambari (8 years); BookKeeper and Drill (7 years); Brooklyn, Groovy, Kylin, and REEF (6 years); Geode (5 years); Guacamole and Impala (4 years); Griffin (3 years); Petri (2 years); Superset and TVM (1 year)!

 - Did you know that Apache Hudi enables streaming of hundreds of terabytes of data into data lakes each day?

 - Did you know that individual and corporate donations help the all-volunteer ASF continue to steward 350+ Apache Projects and their communities, and provide more than $22B worth of Apache software to the public good at 100% no charge? https://donate.apache.org/

Apache Community Notices

- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:50PM Dec 06, 2021 by Swapnil M Mane in Newsletter  |   | 

Apache Month in Review: November 2021

Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in November  [video highlights available] :

New This Month --

- Sponsor Success at Apache - the blog series that focuses on the people and processes behind why the ASF "just works", featuring insights and experiences from the perspective of select ASF Sponsors. The latest entry is "Exploration and Practice of the Apache Way in Tencent" by Mark Shan.

- Apache Month in Review: October 2021

Important Dates --

- Next Board Meeting: 15 December 2021. Board calendar and minutes

- Apache TVM TVMCon - 15-17 December 2021

Infrastructure --

In November, 628 Apache Committers changed 39,505,956 lines of code over 18,511 commits. The Committers with the top 5 highest contributions, in order, were: Krist Wongsuphasawat, Jesse Yang, Ville Brofeldt, Yongjie Zhao, and Mark Thomas. 

Project Releases and Updates --

New releases from Apache Airflow (Big Data); APISIX (API); Arrow (Big Data); Avro (Big Data); Beam (Big Data); Camel (Integration); CloudStack (Cloud Computing); Commons CLI (Libraries); DolphinScheduler (Workflow); Groovy (Programming Languages); HttpComponents (Servers); IoTDB (IoT); Jackrabbit (Content); JSPWiki (Content); Kafka (Big Data); Lucene (Search); MINA (Network Client/Server); NiFi (Big Data); OFBiz (Enterprise Processes Automation / ERP); Ozone (Big Data); POI (Content); Qpid (Messaging); ShardingSphere (Big Data); Skywalking (Application Performance Management); Solr (Search); Struts (Web Frameworks); Superset (Big Data); Tomcat (Servers); Traffic Control (Servers); Traffic Server (Servers); Wicket (Web Frameworks).

Apache Project Anniversaries in November: Apache Ant (19 years); HttpComponents (14 years); Attic, Buildr, CouchDB, and Qpid (13 years); Community Development ("ComDev", 12 years); OODT and ZooKeeper (11 years); Kafka and Syncope (9 years); Ambari (8 years); BookKeeper, Drill, and MetaModel (7 years); Brooklyn, Groovy, Kylin, and REEF (6 years); Geode (5 years); Guacamole, Impala, and Mnemonic (4 years); Griffin (3 years); Petri (2 years); and Superset and TVM (1 year). Many happy returns!

The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. More than three dozen projects are currently undergoing development in the Apache Incubator.

# # #

To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!

Posted at 04:54PM Dec 01, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 26 November 2021

We're wrapping up another great week with the following activities from the Apache community:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 December 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.97%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 303 Apache Committers changed 18,449,074 lines of code over 6,624 commits. Top 5 contributors, in order, are: Krist Wongsuphasawat, Jesse Yang, Ville Brofeldt, Yongjie Zhao, and Harikrishna Patnala.    

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX 2.10.2 released
   -- CVE-2021-43557: Path traversal in request_uri variable

Big Data --
 - Apache Beam 2.34.0 released

Cloud Computing --
 - Apache Kafka 2.6.3 released 

Content --
 - Apache JSPWiki 2.11.0 released
   -- CVE-2021-44140: Arbitrary file deletion on logout
   -- CVE-2021-40369: Cross-site scripting vulnerability on Denounce plugin

Enterprise Processes Automation / ERP --
 - Apache OFBiz 18.12.02 released

Integration --
 - Apache Camel 3.11.4 (LTS) released

Messaging --
 - Apache Qpid Dispatch 1.18.0 released

Did You Know?

 - Did you know that Giving Tuesday, the global day of giving, takes place this year on Tuesday 30 November. Your individual and corporate donations help the all-volunteer ASF continue to steward 350+ Apache Projects and their communities, and provide more than $22B worth of Apache software to the public good at 100% no charge? https://donate.apache.org/

 - Did you know that you can learn more about Apache TVM --the ASF's first full stack software and hardware co-optimization project-- at TVMCon, taking place online and free-of-charge 15-17 December?

 - Did you know that the New Zealand government uses Apache Wicket for its national statistics Website?

Apache Community Notices

- The Apache Month in Review: October 2021 and video highlights

- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 03:27PM Nov 29, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 19 November 2021

Happy Friday, everyone. The Apache community has had another great week. Let's review what we've been up to:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 15 December 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.57%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 340 Apache Committers changed 4,175,400 lines of code over 3,102 commits. Top 5 contributors, in order, are: Daniel Gruno, Christofer Dutz, Sebastian Rühl, Sebastian Bazley, and Claus Ibsen.  

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Arrow 6.0.1 released
 - Apache Ozone 1.2.0 released
   -- CVE-2021-36372: Original block tokens are persisted and can be retrieved
   -- CVE-2021-39231: Missing authentication/authorization on internal RPC endpoints
   -- CVE-2021-39232: Missing admin check for SCM related admin commands
   -- CVE-2021-39233: Container-related datanode operations can be called without authorization
   -- CVE-2021-39234: Raw block data can be read bypassing ACL/authorization
   -- CVE-2021-39235: Access mode of block tokens are not enforced
   -- CVE-2021-39236: Owners of the S3 tokens are not validated
   -- CVE-2021-41532: Unauthenticated access to Ozone Recon HTTP endpoints 

Business Intelligence --
 - Apache Superset CVE-2021-42250: Possible log injection

Cloud Computing --
 - Apache CloudStack 4.16.0.0 released

Content --
 - Apache Jackrabbit Oak 1.6.22 released

Integration --
 - Apache Camel 3.13.0 released

IoT --
 - Apache IoTDB 0.12.3 released

Observability --

- Apache SkyWalking Infra E2E 1.1.0 released

Programming Languages --
 - Apache Groovy 4.0.0-beta-2 released

Search --
 - Apache Lucene 8.11.0 released
 - Apache Solr 8.11.0 and Operator v0.5.0 released

Servers --
 - Apache Tomcat 8.5.73, 9.0.55, 10.0.13, 10.1.0-M7 (alpha) released
 - Apache HttpComponents Client 5.1.2 GA released
 - Apache Traffic Control: CVE-2021-43350: LDAP filter injection vulnerability in Traffic Ops

Web Frameworks --
 - Apache Struts 2.5.27 released

Did You Know?

 - Did you know that the ASF's Corporate Contribution options include Employee Giving Programs, Volunteer Grants, and Corporate Matching Gifts? End-of-year donations are welcome in any amount --thank you in advance for considering supporting the ASF! https://apache.org/foundation/contributing#support-the-asf-today

 - Did you know that Apache Pinot was featured in the Disney comedy film, "Home Sweet Home Alone"? https://twitter.com/ApachePinot/status/1459378780586262528

 - Did you know that Apache DolphinScheduler v2.0 is 20x more performant than previous versions? http://dolphinscheduler.apache.org/

Apache Community Notices

- The Apache Month in Review: October 2021 and video highlights

- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:32PM Nov 22, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache Weekly News Round-up: week ending 12 November 2021

Hello, everyone --let's review the Apache community's activities from over the past week:

Sponsor Success at Apache – the blog series that focuses on the people and processes behind why the ASF "just works", featuring insights and experiences from the perspective of select ASF Sponsors
 - "Exploration and Practice of the Apache Way in Tencent" by Mark Shan

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 17 November 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.94%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 352 Apache Committers changed 11,730,654 lines of code over 3,823 commits. Top 5 contributors, in order, are: Krzysztof Kopyściński, Mark Thomas, Andrea Cosentino, Adam Kocoloski, and Tomaž Muraus.

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache NiFi 1.15.0 released
 - Apache ShardingSphere 5.0.0 released

Business Intelligence --
 - Apache Superset CVE-2021-41972: Credentials leak

Content --
 - Apache Jackrabbit 2.20.4 and Jackrabbit Oak 1.8.25 released
 - Apache Traffic Control 6.0.1 released and CVE-2021-43350: LDAP filter injection vulnerability in Traffic Ops

Messaging --
 - Apache Qpid Proton 0.36.0 released

Did You Know?

 - Did you know that the Apache Unomi community will be holding their first Unomi developer MeetUp online and free of charge on 18 November?

 - Did you know that the Apache Ignite community are preparing for the vote on v2.12, are redesigning their project Website, and will be kicking off Ignite Summit Cloud Edition 16 November? Catch up on a busy week ahead!

 - Did you know that Uber Eats' new real-time exactly-once ad event processing is powered by Apache Flink, Apache Kafka, and Apache Pinot? 

Apache Community Notices

- The Apache Month in Review: October 2021 and video highlights

- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

Posted at 02:46PM Nov 15, 2021 by Sally Khudairi in Newsletter  |   |