Entries tagged [projects]
The Apache Weekly News Round-up: week ending 8 April 2022
Hello, everyone --let's review the Apache community's activities from over the past week:
The Apache Software Foundation – the all-volunteer developers, stewards,
and incubators of more than 350 Open Source projects and initiatives.
- The Apache Software Foundation Welcomes 52 New Members https://s.apache.org/2022NewMembers
ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
- CFP for ApacheCon North America 2022 (taking place 3-6 October in New Orleans) is now open https://blogs.apache.org/conferences/entry/call-for-presentations-apachecon-north
- Next Board Meeting: 20 April 2022. Running Board calendar and minutes are available.
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 355 Apache Committers changed 17,006,169 lines of code over 3,843 commits. Top 5 contributors, in order, are: Andi Huber, Claus Ibsen, Gary Gregory, Andrea Cosentino, and Chesnay Schepler.
Apache Project Announcements – the latest updates by category.
Big Data --- Apache Flink Kubernetes Operator 0.1.0 released
- Apache NiFi 1.16.0 released
-- CVE-2022-26850: Insufficiently protected credentials
- Apache Pinot 0.10.0 released
-- CVE-2022-23974: Pinot segment push endpoint has a vulnerability in unprotected environments
Databases --
- Apache Impala 3.4.1 released
- Apache Daffodil VS Code 1.0.0 Observability --
- Apache SkyWalking CLI 0.10.0 released Workflow --
Did You Know?
- Did you know that those interested in attending ApacheCon NA 2022 (3-6 October/New Orleans) but are unable to do so for financial reasons are invited to apply for Travel Assistance support? Applications open until 1 July https://apache.org/travel/
- Did you know that the ASF Infrastructure team launched a new GitBox platform with upgraded features and services?
- Did you know that Beam Summit will be held both online and in-person in Austin, Texas, 18-20 July? https://2022.beamsummit.org/
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 01:05PM Apr 11, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 1 April 2022
Welcome, April --we're opening the month with another great week. Here's what the Apache community has been up to:
ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
- CFP for ApacheCon North America 2022 (taking place 3-6 October in New Orleans) is now open https://blogs.apache.org/conferences/entry/call-for-presentations-apachecon-north
Sponsor Success at Apache
– the blog series that focuses on the people and processes behind why
the ASF "just works".
- "My experience with the Apache Way —a perfect society?" by Etienne Chauchot https://s.apache.org/oree2
- Next Board Meeting: 20 April 2022. Running Board calendar and minutes are available.
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 352 Apache Committers changed 26,605,053 lines of code over 3,949 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Brent Bovenzi, Jarek Potiuk, Gary Gregory, and Andrea Cosentino.
Apache Project Announcements – the latest updates by category.
APIs --
- Apache APISIX 2.13.0 released
-- CVE-2022-25757: body_schema check in request-validation plugin can be bypassed
Big Data --
- Apache Calcite Avatica Go 5.1.0 released
- Apache jclouds 2.5.0 released Eventing --
- Apache EventMesh (incubating) 1.4.0 released
Integration --
- Apache Camel 3.16.0 released
- Apache Qpid JMS 1.6.0 released
Servers --
- Apache Tomcat 8.5.78, 9.0.62, 9.0.62, and 10.1.0-M14 (alpha) released
Web Frameworks --
Did You Know?
- Did you know that the following Apache projects are celebrating anniversaries in April? Congratulations to Apache CXF (14 years); Avro, HBase, Mahout, Nutch, Tika, and Traffic Server (12 years); Creadur and Jena (10 years); DeltaSpike (9 years); ORC and Parquet (7 years); AsterixDB and Johnzon (6 years); CarbonData and Fineract (5 years); NetBeans, PLC4X, and SkyWalking (3 years); and ShardingSphere (2 years) https://projects.apache.org/committees.html?date
- Did you know that you can anonymously take the 2022 Apache Pulsar Website Survey and help improve the new Pulsar Website? https://lists.apache.org/thread/08hchngnrhz79jhc1d96g3rh8ox2x2db
- Did you know that the ASF has been accepted as a Google Summer of Code mentoring organization for the 17th consecutive year? Apache Project mentors welcome! https://lists.apache.org/thread/cbplf0mszmxx2dv6oor0v227h8kfrk2m
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 01:56PM Apr 04, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 25 March 2022
We're wrapping up another great week with the following activities from the Apache community:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.- Next Board Meeting: 20 April 2022. Running Board calendar and minutes are available.
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 333 Apache Committers changed 4,901,028 lines of code over 3,786 commits. Top 5 contributors, in order, are: Jean-Louis Monteiro, Jianyun Cheng, Sebastian Bazley, Benoit Tellier, and James Netherton.
Apache Project Announcements – the latest updates by category.
APIs --
- Apache APISIX 2.13.0 released
Big Data --
- Apache Calcite Avatica 1.30.0 released
- Apache SeaTunnel (Incubating) 2.1.0 released
- Apache Kyuubi (Incubating) 1.5.0-incubating released
Blockchain --
- Apache Tuweni (Incubating) 2.2.0 released
Content --
- Apache POI 5.2.2 released
- Apache Syncope 2.1.11 released
- Apache Sling 12 released
- Apache IoTDB 0.13.0 released
- Apache StreamPipes (Incubating) 0.69.0 released
Libraries --
- Apache OpenJPA 3.2.2 released
- Apache Daffodil 3.3.0 released
Messaging --
- Apache Qpid Proton 0.37.0 and Qpid Dispatch 1.19.0 released
- Apache Pulsar 2.8.3 released
- Apache Solr Operator v0.5.1 released
- Apache Lucene 9.1.0 released
Servers --
Did You Know?
- Did you know that improvements to Apache Drill 1.20 include backward
compatibility with Apache Hadoop 2; connectors for Apache Phoenix;
writing to JDBC data sources; support for new data file formats
(including Apache Iceberg and SAS files); and API query improvements?
- Did you know that Apache Calcite 1.30 includes Babel support for
<=> operator; SQL hints for temporal table join; fixtures so that
dependent projects can write parser, validator, and rules tests; and
upgrade jsonpath to fix CVE-2021-27568?
- Did you know that the CloudStack European User Group will be held virtually on 7 April?
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 11:30AM Mar 28, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 18 March 2022
Happy Friday! Let's take a look at what the Apache community has been up to over the past week:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.- Next Board Meeting: 20 April 2022. Running Board calendar and minutes are available.
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 328 Apache Committers changed 10,109,144 lines of code over 3,415 commits. Top 5 contributors, in order, are: Mark Thomas, Chesnay Schepler, Gary Gregory, Jean-Baptiste Onofré, and Claus Ibsen.
Apache Project Announcements – the latest updates by category.
Big Data --
- Apache Beam 2.37.0 released
Content --
- Apache Jackrabbit Oak 1.6.23 released
Cloud Computing --
- Apache Kafka 3.0.1 released
- Apache Libcloud 3.5.0 released
- CVE-2022-26779: Apache Cloudstack: insecure random number generation affects project email invitation
Database --
- Apache Geode 1.13.8 released
- Apache Camel 3.11.6 (LTS) released
Libraries --
- Apache Commons Daemon 1.3.0 released
Messaging --
- Apache ActiveMQ 5.17.0 released
- Apache Curator 5.2.1 released
Observability --
- Apache SkyWalking NodeJS 0.4.0 released
- Apache Groovy 4.0.1 released
Servers --
- Apache HTTP Server 2.4.53 released
-- CVE-2022-23943: mod_sed: Read/write beyond bounds
-- CVE-2022-22721: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
-- CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
-- CVE-2022-22719: mod_lua Use of uninitialized value of in r:parsebody
- Apache Tomcat 8.5.77, 9.0.60, 10.0.18, 10.1.0-M12 (alpha) released
- Apache Traffic Server 9.1.2 released
- Apache HttpComponents Core 5.2-beta1 released
Did You Know?
- Did you know that the Apache Druid community will be holding a hybrid meetup on 29 March?
- Did you know that the Bangor Australia's Bangor Brumbies Football Club site uses Apache Wicket?
- Did you know that you can support the ASF through one-time and recurring tax-deductible donations online using Apple Pay, Google Pay, and Microsoft Pay using your mobile phone? https://donate.apache.org/
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 03:20PM Mar 21, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 11 March 2022
Hello, everyone --let's review the Apache community's activities from over the past week:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.- Next Board Meeting: 16 March 2022. Running Board calendar and minutes are available.
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 336 Apache Committers changed 4,769,139 lines of code over 3,697 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Otavio R. Piske, Gary Gregory, Andrea Cosentino, and Andi Huber.
Apache Project Announcements – the latest updates by category.
Big Data --
- CVE-2021-38296: Apache Spark: Key Negotiation Vulnerability
Content --
- Apache Any23 2.7 released
-- CVE-2022-25312: An XML external entity (XXE) injection vulnerability exists in the RDFa XSLTStylesheet extractor
- Apache Jackrabbit 2.20.5 released
Cloud Computing --
- Apache CloudStack 4.16.1.0 LTS released
Database --
- Apache ZooKeeper 3.8.0 released
- Apache Geode 1.12.9 released
IDE --
- Apache NetBeans 13 released
IoT --
- Apache IoTDB 0.12.5 released
Libraries --
- Apache Olingo 4.9.0 released
Mail --
- Apache James 3.7.0 released
Orchestration --
- Apache Hop 1.2.0 released
Did You Know?
- Did you know that the next Apache Druid MeetUp will be held both online and in-person in Tel Aviv on 29 March?
- Did you know that Apache ShardingSphere SQL Parse Format Function allows
you to easily understand and automatically format complicated SQL
statements?
- Did you know that the next Apache Airflow Community Meetup will be held on 16 March? Sign up to learn about Data Migration Pipeline with Apache Airflow http://bit.ly/3sES9fL
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 12:47PM Mar 14, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 4 March 2022
We're opening March with a cracking week. Here's what the Apache community has been up to:
Sponsor Apache – a number of tax-deductible sponsorships help offset the ASF's day-to-day operating expenses that include infrastructure support, bandwidth, connectivity, servers, hardware, development environments, legal counsel, accounting services, trademark protection, marketing and publicity, educational events, and more.
- The Apache Software Foundation Welcomes VMware as its Newest Platinum Sponsor
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
- Announcing New ASF Board of Directors, elected during this week's Members' Meeting.
- Next Board Meeting: 16 March 2022. Running Board calendar and minutes are available.
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
- 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 332 Apache Committers changed 880,561 lines of code over 3,128 commits. Top 5 contributors, in order, are: Olivier Lamy, Andrea Cosentino, Claus Ibsen, Sebastian Rühl, and Eric Milles.
Apache Project Announcements – the latest updates by category.
Application Servers/Middleware --
- Apache Karaf Decanter 2.9.0 released
Content --
- Apache Jackrabbit Oak 1.22.11 released
- Apache POI 5.2.1 released
- CVE-2022-26336: poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception
FinTech --
- Apache Fineract 1.6.0 released
Libraries --
- Apache PDFBox JBIG2 ImageIO plugin 3.0.4 released
Logging Services --
- Apache Log4j 2.17.2 released
Network Application Framework --
- Apache MINA FtpServer 1.1.3 released
Servers --
- Apache Tomcat 9.0.59, 10.0.17 and 10.1.0-M11 (alpha) released
Workflow --
- CVE-2021-45229: Apache Airflow: Reflected XSS via Origin Query Argument in URL
Did You Know?
- Did you know that the Apache Ignite community's CFP for IgniteSummit (taking place online 14 June) closes on 29 April?
- Did you know that HugeGraph (incubating), a large-scale and easy-to-use graph database that stores and queries billions of vertices and edges, is the newest podling undergoing development in the Apache Incubator?
- Did you know that the ASF manages 2,180 mailing lists, 486 of which are private? Over the past year, 19,053 authors sent 1,946,990 emails on 869,461 topics!
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- The Apache Month in Review: January 2022 and video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 02:37PM Mar 07, 2022
by Sally Khudairi in Newsletter |
|
The Apache Weekly News Round-up: week ending 25 February 2022
Farewell, February --we're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.- Next Board Meeting: 16 March 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
-
7M+ weekly checks yield uptime at 100.00%. Performance checks across 50
different service components spread over more than 250 machines in data
centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 323 Apache Committers changed 1,586,514 lines of code over 3,215 commits. Top 5 contributors, in order, are: Claus Ibsen, Jean-Louis Monteiro, Andrea Cosentino, Gary Gregory, and Eric Milles.
Apache Project Announcements – the latest updates by category.
Application Servers/Middleware --- Apache Karaf Decanter 2.9.0 releasedContent --
- Apache Jackrabbit Oak 1.22.11 released
- Apache JSPWiki CVE-2022-24947: CSRF Account Takeover
-- CVE-2022-24948: Cross-site scripting vulnerability on User Preferences screenFinTech --
- Apache Fineract 1.6.0 released
Network Client --
- Apache MINA 2.0.23, 2.1.6 released
Workflow --
- Apache Airflow CVE-2022-24288: RCE in example DAGs
Did You Know?
- Did you know that Apache Beam helps Palo Alto Networks meet streaming
needs by providing a highly-performant, reliable, and resilient data
processing framework for 10 million security events per second across 3
petabytes per day?
- Did you know that the Australian Department of Transport's Vehicle Inspection System webapp is powered by Apache Wicket?
- Did you know that Apache Ignite is a distributed cache, a distributed database, an in-memory database, and an in-memory data grid?
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- The Apache Month in Review: January 2022 and video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Inside Infra: the new interview series with members of the ASF infrastructure team --meet
Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
Drew Foulks https://s.apache.org/InsideInfra-Drew
Greg Stein Part I https://s.apache.org/InsideInfra-Greg
...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
Chris Lambertus Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 02:49PM Feb 28, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 18 February 2022
We're wrapping up another great week with the following activities from the Apache community:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.- Next Board Meeting: 16 March 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
-
7M+ weekly checks yield uptime at 99.99%. Performance checks across 50
different service components spread over more than 250 machines in data
centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 350 Apache Committers changed 12,933,273 lines of code over 3,260 commits. Top 5 contributors, in order, are: Claus Ibsen, Udo Schnurpfeil, Andrea Cosentino, Mark Thomas, and Paul King.
Apache Project Announcements – the latest updates by category.
Big Data --- Apache Accumulo 1.10.2 releasedContent --
- Apache Tika 1.28.1 released Libraries --
- Apache Commons JCS 3.1 released
Messaging --
- Apache ActiveMQ 5.16.4 released
Did You Know?
- Did you know that select Apache Projects and mentors are preparing for the upcoming GSoC 2022 (mentoring organizations will be announced on 7 March)? Those interested in participating can learn how to get involved at https://community.apache.org/gsoc.html
- Did you know that the next CloudStack European User Group will be held online on 7 April?
- Did you know that the CFP for Ignite Summit (taking place online on 14 June) closes on 29 April?
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- The Apache Month in Review: January 2022 and video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Inside Infra: the new interview series with members of the ASF infrastructure team --meet
Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
Drew Foulks https://s.apache.org/InsideInfra-Drew
Greg Stein Part I https://s.apache.org/InsideInfra-Greg
...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
Chris Lambertus Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 03:55PM Feb 21, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 11 February 2022
Hello, everyone --let's review the Apache community's activities from over the past week:
Apache Software Foundation Statement at 8 February 2022 Senate Committee hearing on Homeland Security and Government Affairs https://s.apache.org/485lz
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.- Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
-
7M+ weekly checks yield uptime at 100.00%. Performance checks across 50
different service components spread over more than 250 machines in data
centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 308 Apache Committers changed 5,335,315 lines of code over 2,989 commits. Top 5 contributors, in order, are: Gary Gregory, Emmanuel Lecharny, Mark Thomas, Liang Zhang, and Tilmann Zäschke.
Apache Project Announcements – the latest updates by category.
APIs --- Apache APISIX 2.10.2 released
-- CVE-2022-24112: apisix/batch-requests plugin allows overwriting the X-REAL-IP header
Big Data --
- Apache Beam 2.36.0 released
- Apache Traffic Control 6.1.0 released
-- CVE-2022-23206: Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth
- Apache Tika 2.3.0 released
-- Apache Tika 1.x End-Of-Life (EOL) announcement https://s.apache.org/lkqid
- Apache Jackrabbit 2.21.10 released
Database --
- Apache JDO 3.2 released
- Apache Cassandra CVE-2021-44521: Remote code execution for scripted UDFs
- Apache James 3.6.2 released
-- CVE-2022-22931: Path traversal in Apache James Web Frameworks --
- Apache Wicket 9.8.0 released
Did You Know?
- Did you know that you can scale Apache SkyWalking in Kubernetes natively? https://skywalking.apache.org/blog/2022-01-24-scaling-with-apache-skywalking/
- Did you know that the next Apache Ignite Community Gathering MeetUp will take place online on 16 February?
- Did you know that the ASF's seven-member Infrastructure team performs
7M+ weekly checks to ensure services are available around the clock to
all Apache Projects and their communities? Average uptime in January
2022 was 100%!
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- The Apache Month in Review: January 2022 and video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Inside Infra: the new interview series with members of the ASF infrastructure team --meet
Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
Drew Foulks https://s.apache.org/InsideInfra-Drew
Greg Stein Part I https://s.apache.org/InsideInfra-Greg
...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
Chris Lambertus Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 02:35PM Feb 14, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 4 February 2022
Welcome, February --we're opening the month with another great week. Here's what the Apache community has been up to:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.- Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
-
7M+ weekly checks yield uptime at 99.89%. Performance checks across 50
different service components spread over more than 250 machines in data
centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot –
Over the past week, 303 Apache Committers changed 9,625,849 lines of
code over 3,255 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Claus Ibsen, Sebastian Bazley, Guillaume Nodet, and Eric Milles.
Apache Project Announcements – the latest updates by category.
Apache Attic -- provides process and solutions when an Apache project has reached its end of life.
- Apache Ambari is retired
- Apache Usergrid is retired
APIs --
- Apache APISIX 2.12.0 released
- Apache Kyuubi (incubating) 1.4.1-incubating released
- Apache Hudi 0.10.1 released
- Apache Gobblin CVE-2021-36151: Local Credentials Disclosure Vulnerability
Business Intelligence --
- Apache Superset CVE-2021-44451: API sensitive information leak
- Apache Jackrabbit Oak 1.8.26 released
Integration --
- Apache Camel 3.15.0 released
Messaging --
- Apache Pulsar CVE-2021-41571: Pulsar Admin API allows access to data from other tenants using getMessageById API
Middleware --
- Apache Linkis (incubating) released
- Apache Groovy 4.0.0 released
Servers --
- Apache HttpComponents Client 5.1.3 GA released
- Apache HTTP mod_perl 2.0.12 released
Web Frameworks --
- Apache Wicket 8.14.0 released
Did You Know?
- Did you know that the following Apache Projects are celebrating anniversaries this month? Congratulations to Apache HTTP Server (27 years!); Gump and Portals (18 years); Directory, MyFaces, and Xerces (17 years); Tapestry (16 years); Roller (15 years); Cassandra and Subversion (12 years); Chemistry (11 years); BVal and OpenNLP (10 years); Clerezza (9 years); Knox and Spark (8 years); DataFu (4 years); Unomi (3 years); Daffodil, Ratis, and Solr (2 years)! https://projects.apache.org/committees.html?date
- Did you know that the ASF is joining the Open Geospatial Consortium and Open Source Geospatial Foundation to hold the 2022 Joint OGC-OSGeo-ASF Code Sprint, taking place 8-10 March? Those interested in helping advance OGC Standards through numerous Apache and OSGeo projects are invited to learn more and sign up at https://portal.ogc.org/public_ogc/register/220225asf_codesprint.php
- Did you know that the CFP for Airflow Summit (taking place online 23-27 May) is now open?
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- The Apache Month in Review: January 2022 and video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Inside Infra: the new interview series with members of the ASF infrastructure team --meet
Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
Drew Foulks https://s.apache.org/InsideInfra-Drew
Greg Stein Part I https://s.apache.org/InsideInfra-Greg
...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
Chris Lambertus Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 02:21PM Feb 07, 2022
by Swapnil M Mane in Newsletter |
|
Apache Month in Review: January 2022
Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in January [video highlights available] :
New This Month --
- Apache in 2021 - By The Digits – a look at the achievements from the Apache Community over the past 12 months
-- Summary and stats at https://s.apache.org/Apache2021Digits
-- Video highlights https://youtu.be/GU0SV_2tWkU
- Apache Software Foundation statement on White House Open Source Security Summit
- Apache Month in Review: December 2021
- ASF Security Report 2021 – the annual state of security across all Apache projects
- The Apache Software Foundation Announces Open Source data orchestration platform Apache® Hop™ as a Top-Level Project
Important Dates --
- Next Board Meeting: 16 February 2022. Board calendar and minutes
Infrastructure --
In January, 672 Apache Committers changed 14,033,278 lines of code over 15,480 commits. The Committers with the top 5 highest contributions, in order, were: Gary Gregory, Claus Ibsen, Mark Thomas, Jarek Potiuk, and Sebastian Bazley.
Project Releases and Updates --
New releases from Apache Airflow (Workflow); APISIX (API); Avro (Big Data); Camel (Integration); DolphinScheduler (Workflow); Flink (Big Data); Geode (Database); Guacamole (Network Client); Hop (Orchestration); Ignite (Big Data); Jackrabbit (Content); James (Mail); Kafka (Big Data); Karaf (Application Servers/Middleware); Knox (Big Data); Log4j (Libraries); MINA (Network Client/Server); NiFi (Big Data); OFBiz (Enterprise Processes Automation / ERP); POI (Content); Portals (Web Frameworks); ShardingSphere (Big Data); ShenYu (Incubating; API); Skywalking (Application Performance Management); Struts (Web Frameworks); Tomcat (Servers); Tuweni (Incubating; Blockchain); and TVM (Machine Learning).
The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. More than three dozen projects are currently undergoing development in the Apache Incubator.
# # #
To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!
Posted at 08:58PM Feb 01, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 28 January 2022
Farewell, January --we're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.- Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
-
7M+ weekly checks yield uptime at 100.00%. Performance checks across 50
different service components spread over more than 250 machines in data
centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot –
Over the past week, 337 Apache Committers changed 1,533,287 lines of
code over 3,738 commits. Top 5 contributors, in order, are: Jarek Potiuk, Sebastian Bazley, Claus Ibsen, Harikrishna Patnala, and Mark Thomas.
Apache Project Announcements – the latest updates by category.
APIs --
- Apache ShenYu (Incubating) 2.4.2 released
-- CVE-2022-23944: Improper access control
-- CVE-2022-23945: Missing authentication allows gateway registration
Application Servers/Middleware --
- Apache Karaf runtime 4.3.6 released
-- CVE-2021-41766: Insecure Java Deserialization
-- CVE-2022-22932: Path traversal flaws
- Apache Tuweni (Incubating) 2.1.0 released
Cloud Computing --
- Apache Kafka 3.1.0 released
Content --
- Apache Jackrabbit Oak 1.22.10 released
Databases --
- Apache Geode 1.14.3 released
- Apache Camel 3.14.1 (LTS) released
Orchestration --
- Apache Hop 1.1.0 released
Servers --
- Apache Tomcat CVE-2022-23181: Local Privilege Escalation
Web Frameworks --
- Apache Struts 2.5.29 released
Did You Know?
- Did you know that the ASF published a statement following the 13 January meeting at the White House on the security of Open Source software? https://s.apache.org/jri14
- Did you know that members of the Apache Arrow, Flink, Kafka, Mahout, Maven, OpenOffice, ShardingSphere, Spark, and other project communities will be presenting at FOSDEM (taking place online 5-6 February)?
- Did you know that the CFP for Beam Summit (hybrid event taking place 18-20 July) closes on 15 March?
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- The Apache Month in Review: December 2021 and video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Inside Infra: the new interview series with members of the ASF infrastructure team --meet
Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
Drew Foulks https://s.apache.org/InsideInfra-Drew
Greg Stein Part I https://s.apache.org/InsideInfra-Greg
...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
Chris Lambertus Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 03:05PM Jan 31, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 21 January 2022
We're wrapping up another great week with the following activities from the Apache community:
ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.- Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
-
7M+ weekly checks yield uptime at 100.00%. Performance checks across 50
different service components spread over more than 250 machines in data
centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 339 Apache Committers changed 2,470,884 lines of code over 3,505 commits. Top 5 contributors, in order, are: Gary Gregory, Claus Ibsen, Adam Kocoloski, Mark Thomas, and Tian Jiang.
Apache Project Announcements – the latest updates by category.
APIs --
- Apache APISIX Java Plugin Runner 0.2.0 released
Application Servers/Middleware --
- Apache Karaf runtime 4.2.15 and 4.3.6 released
- Apache NiFi 1.15.3 released
- Apache Flink 1.14.3 released
- Apache ShardingSphere ElasticJob UI 3.0.1 released
- Apache Knox 1.6.1 released
-- CVE-2021-42357: DOM based XSS Vulnerability
Content --
- Apache POI 5.2.0 released
Databases --
- Apache Geode 1.12.8, 1.13.7 and Kafka Connector 1.1.0 released
Data Management Platform --
- Apache Ignite 2.12.0 released
Enterprise Processes Automation / ERP --
- Apache OFBiz 17.12 End-Of-Life (EOL) announcement https://s.apache.org/hm5oe
Libraries --
- Apache Log4j CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x
-- CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1
-- CVE-2022-23307: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution
Orchestration --
- The Apache Software Foundation Announces Open Source data orchestration platform Apache® Hop™ as a Top-Level Project https://s.apache.org/4s3ci
Observability --
- Apache SkyWalking Could on Kubernetes 0.6.1 released
Servers --
- Apache Tomcat 8.5.75, 9.0.58, 10.0.16, and 10.1.0-M10 (alpha) released
- Apache Airflow CVE-2021-45230: Creating DagRuns didn't respect Dag-level permissions in the Webserver
Did You Know?
- Did you know that the following Apache projects are celebrating anniversaries this month? Congratulations to Apache Cocoon, James, and Web Services (19 years); Lucene (17 years); ActiveMQ (15 years); Hadoop (14 years); River (11 years); Empire-db and Gora (10 years); OpenMeetings (9 years); Samza (7 years); Arrow (6 years); Ranger (5 years); and Gobblin (1 year) https://projects.apache.org/committees.html?date
- Did you know that Netflix and Target are building modern analytics applications to deliver interactive data experiences using Apache Druid?
- Did you know that Disney+Hotstar's streaming data lakes injest 1 million
events per second using Apache Kafka, store 14tb of data per day in an
Apache HBase warehouse, and stream using Apache Hudi? https://projects.apache.org/projects.html?category
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- The Apache Month in Review: December 2021 and video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Inside Infra: the new interview series with members of the ASF infrastructure team --meet
Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
Drew Foulks https://s.apache.org/InsideInfra-Drew
Greg Stein Part I https://s.apache.org/InsideInfra-Greg
...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
Chris Lambertus Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 02:06PM Jan 24, 2022
by Swapnil M Mane in Newsletter |
|
The Apache Weekly News Round-up: week ending 14 January 2022
Happy Friday! Let's take a look at what the Apache community has been up to over the past week:
ASF Security Report 2021 – the state of security across all Apache projects with key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues https://s.apache.org/SecurityReport2021
Apache Software Foundation statement on White House Open Source Security Summit https://s.apache.org/jri14
ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
-
7M+ weekly checks yield uptime at 100.00%. Performance checks across 50
different service components spread over more than 250 machines in data
centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.
Apache Code Snapshot – Over the past week, 322 Apache Committers changed 1,963,025 lines of code over 3,852 commits. Top 5 contributors, in order, are: Gary Gregory, Antoine Toulme, Claus Ibsen, Mark Thomas, and Dan Klco.
Apache Project Announcements – the latest updates by category.
Big Data --- Apache Flink ML 2.0.0 released
Content --
- Apache Jackrabbit 2.16.9 released
Machine Learning --
- Apache TVM 0.8.0 released
Network Client --
- Apache Guacamole 1.4.0 released
-- CVE-2021-41767: Private tunnel identifier may be included in the non-private details of active connections
-- CVE-2021-43999: Improper validation of SAML responses
Observability --
- Apache SkyWalking Kong version 0.2.0 released
- Apache DolphinScheduler 2.0.2 released
- Apache Airflow Helm Chart 1.4.0 released
Did You Know?
- Did you know that more than 630,000 individuals have contributed to Apache projects and initiatives since the ASF's incorporation in 1999? https://blogs.apache.org/foundation/entry/apache-in-2021-by-the
- Did you know that Apache DolphinScheduler won a "2021 OSC Most Popular Projects" award from OSCHINA?
- Did you know that video recordings from the 2021 TVMCon (Apache TVM and Open Source ML acceleration conference) are now available online?
Apache Community Notices
- Apache in 2021 - By The Digits + Video highlights
- The Apache Month in Review: December 2021 and video highlights
- Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min]
- ASF Annual Report: FY2021 -- Press release and Report (PDF)
- The Apache Way to Sustainable Open Source Success
- Foundation Reports and Statements
- Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
- "Success at Apache" focuses on the people and processes behind why the ASF "just works."
- Inside Infra: the new interview series with members of the ASF infrastructure team --meet
Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
Drew Foulks https://s.apache.org/InsideInfra-Drew
Greg Stein Part I https://s.apache.org/InsideInfra-Greg
...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
Chris Lambertus Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2
- Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
- Follow the Apache Community on Facebook and Twitter.
Stay updated about The ASF
For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.
Posted at 02:56PM Jan 17, 2022
by Swapnil M Mane in Newsletter |
|
Apache Software Foundation Security Report: 2021
Synopsis: This report explores the state of security across all of The Apache Software Foundation projects for the calendar year 2021. We review key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues.
Released: January 2022
Author: Mark Cox, Vice President Security, The Apache Software Foundation
Background
The security committee of The Apache Software Foundation (ASF) oversees and coordinates the handling of vulnerabilities across all of the 350+ Apache projects. Established in 2002 and composed of all volunteers, we have a consistent process for how issues are handled, and this process includes how our projects must disclose security issues.
Anyone finding security issues in any Apache project can report them to security@apache.org where they are recorded and passed on to the relevant dedicated security teams or private project management committees (PMC) to handle. The security committee monitors all the issues reported across all the projects and keeps track of the issues throughout the vulnerability lifecycle.
The security committee is responsible for ensuring that issues are dealt with properly and actively reminds projects of their outstanding issues and responsibilities. As a board committee, we have the ability to take action including blocking their future releases or, worst case, archiving a project if such projects are unresponsive to handling their security issues. This, along with the Apache License v2,0, are key parts of the ASF’s general oversight function around official releases, allowing the ASF to protect individual developers and giving users confidence to deploy and rely on ASF software.
The oversight into all security reports, along with tools we have developed, gives us the ability to easily create metrics on the issues. Our last report covered the metrics for 2020.
Statistics for 2021
In 2021 our security email addresses received in total ~18,500 emails. After spam filtering and thread grouping there were 1272 (2020: 946, 2019: 620) non-spam threads. Unfortunately security reports do sometimes look like spam, especially if they include lots of attachments or large videos, and so the security team are careful to review all messages to ensure real reports are not missed for too long.
Diagram 1: Breakdown of ASF security email threads for calendar year 2021
Diagram 1 gives the breakdown of those 1272 threads. 359 threads (28%) were people confused by the Apache License. As many projects use the Apache License, not just those under the ASF umbrella, people can get confused when they see the Apache License and they don't understand what it is. This is most common for example on mobile phones where the licenses are displayed in the settings menu, usually due to the inclusion of software by Google released under the Apache License. We no longer reply to these emails. This is up from the 257 received in 2020.
The next 337 of the 1272 (26%) are email threads with people asking non-security (usually support-type) questions.
The next 135 of those reports were researchers reporting issues in an Apache web site. These are almost always false positives; where a researcher reports us having directory listings enabled, source code visible, public “.git” directories, and so on. These reports are generally the unfiltered output of some publicly available scanning tool, and often where the reporter asks us for some sort of monetary reward (bounty) for their report.
That left 441 (2020: 376, 2019: 320) reports of new vulnerabilities in 2021, which spanned 99 of the top level projects. These 441 reports are a mix of external reporters and internal. For example, where a project has found an issue themselves and followed the ASF process to assign it a CVE (Common Vulnerabilities and Exposures) name and address it, we’d still count it here. We don’t keep metrics that would give the breakdown of internal vs external reports.
The next step is that the appropriate project triages the report to see if it's really an issue or not. Invalid reports and reports of things that are not actually vulnerabilities get rejected back to the reporter. Of the remaining issues that are accepted they are assigned appropriate CVE names and eventually fixes are released.
As of January 1st 2022, 50 of those 441 reports were still under triage and investigation. This is where a project was working on an issue and had not rejected the issue or assigned it a CVE as of the snapshot taken on January 1st 2022. This number was higher than what we’d normally expect and was due to the large influx of reports that came at the end of December 2021.
The remaining 391 (2020: 341, 2019: 301) reports led to us assigning 183 (2020: 151, 2019: 122) CVE names. Some vulnerability reports may include multiple issues, some reports are across multiple projects, and some reports are duplicates where the same issue is found by different reporters, so there isn't an exact one-to-one mapping of accepted reports to CVE names. The Apache Security committee handles CVE name allocation and is a MITRE Candidate Naming Authority (CNA), so all requests for CVE names in any ASF project are routed through us, even if the reporter is unaware and contacts MITRE directly or goes public with an issue before contacting us.
Noteworthy events
During 2021 there were a few events worth discussing; either because they were severe and high risk, they had readily available exploits, or there was media attention. These included:
January: A cross-site scripting (XSS) flaw was found in the default error page of Apache Velocity (CVE-2020-13959) which affected a number of public visible websites. Despite a fix being available it then took several months to produce a new release to include the fix, causing the reporter to publicise it early. As a consequence, the security team did a deeper dive through all the outstanding open issues with the affected PMCs to ensure they were all being handled.
January: A report was published which showed how malware is still exploiting Apache ActiveMQ instances that have not been patched for over 5 years (CVE-2016-3088)
June: The Airflow PMC published a blog about how they handle security issues, how users are sometimes slow to deploy updates (CVE-2020-17526), and how flaws in dependencies can affect Airflow.
July: A third-party blog explained how threat actors are exploiting mis-configured Apache Hadoop YARN services
August: A researcher discovered a number of issues in HTTP/2 implementations. The Apache HTTP Server was affected by a moderate vulnerability (CVE-2021-33193)
September: A keynote presentation at ApacheCon 2021 discussed the security committee, the US Executive Order on Improving the Nation’s Cybersecurity, and third party security projects such as those under the OpenSSF.
September: A flaw in Apache OpenOffice could allow a malicious document to run arbitrary code if opened (CVE-2021-33035)
October: A critical issue was found in the Apache HTTP Server. The default configuration protected against this vulnerability, but in custom configurations without those protections, and with CGI support enabled, this could lead to remote code execution (CVE-2021-41773). The issue was fixed in an update 5 days after the issue was reported to the security team, however the fix was quickly found to be insufficient and a further update to fully address it was released 3 days after that (CVE-2021-42013). A MetaSploit exploit exists for this issue.
October: The Internet Bug Bounty from HackerOne extended their program to include Apache Airflow, the Apache HTTP Server, and Apache Commons. Unlike many other programs, this program relies on vulnerability finders following the standard ASF notification process, and allows finders to claim a reward for eligible issues after the fix is available and the issue is public.
December: A vulnerability in Log4J 2 (CVE-2021-44228, “Log4Shell”), a popular and common Java logging library, allowed remote attackers to achieve remote code execution in a default and likely installation. The issue was widely exploited, starting the day before a release with a fix was published. There is a MetaSploit exploit module for this issue. After the fixed release a few subsequent Log4J vulnerabilities were also fixed, but none had the same impact or default conditions.
December: The ASF is invited to a forum in 2022 around open source security. White House Extends Invitation to Improve Open-Source Security. We produced a position paper in advance of the meeting.
Other RCE exploits were also released in 2021 for vulnerabilities fixed in Apache OFBiz (CVE-2020-9496, CVE-2021-26295), Apache Airflow (in examples CVE-2020-11978), Apache Druid (CVE-2021-25646), Apache Tapestry (CVE-2021-27850), and Apache Storm (CVE-2021-38294).
Timescales
Our security teams and project management teams are all volunteers and so we do not give any formal SLA on the handling of issues. However we can break down our aims and goals for each part of the process:
Triage: Our aim is to handle incoming mails to the security@apache.org alias within three working days. We do not measure or report on this because we assess the severity of each incoming issue and apply the limited resources we have appropriately. The alias is staffed by a very small number of volunteers taken from the different project PMCs. After the security team forwards a report to a PMC, the PMC will reply to the reporter. Sometimes reporters send reports attaching large PDF files or even movies of exploitation that don’t make it to us due to size restrictions on incoming email, so please ensure any follow ups are a simple plain text email.
Investigation: Once a report is sent to the private list of the projects management committee, the process of triage and investigation varies in time depending on the project, availability of resources, and number of issues to be assessed. As security issues are dealt with in private, we send reports to a private list made up only of the PMC. Therefore these reports do not reach every project committer, so there is a smaller set of people in each project able to investigate and respond. As a general guideline we try to ensure projects have triaged issues within 90 days of the report. The ASF security team follow-up on any untriaged issues over 90 days old.
Fix: Once a security issue is triaged and accepted, the timeline for the fixing of issues depends on the schedules of the projects themselves. Issues of lower severity are most often held to pre-planned releases.
Announcement: Our process allows projects up to a few days between a fix release being pushed and the announcement of the vulnerability. All vulnerabilities and mitigating software releases are announced via the announce@apache.org list. We now aim to have them appear in the public CVE project list within a day of that announcement, and even quicker for critical issues.
Conclusion
The Apache Software Foundation projects are highly diverse and independent. They have different languages, communities, management, and security models. However one of the things every project has in common is a consistent process for how reported security issues are handled.
The ASF Security Committee works closely with the project teams, communities, and reporters to ensure that issues get handled quickly and correctly. This responsible oversight is a principle of The Apache Way and helps ensure Apache software is stable and can be trusted.
This report gave metrics for calendar year 2021 showing from the 18,500 emails received we triaged over 390 vulnerability reports relating to ASF projects, leading to fixing 183 (CVE) issues. The number of non-spam threads dealt with was up 34% from 2020 with the number of actual vulnerability reports up 17% and assigned CVE up 21%.
While the ASF often gets updates for critical issues out quickly, reports show that users are being exploited by old issues in ASF software that have failed to be updated for years, and vendors (and, thus, their users) still make use of end of life versions which have known unfixed vulnerabilities. This will continue to be a big problem and we are committed to engaging on this industry-wide problem to figure out what we can do to help.
If you have vulnerability information you would like to share please contact us or for comments on this report see the public security-discuss mailing list.
Posted at 03:51PM Jan 10, 2022
by Sally Khudairi in General |
|