Entries tagged [projects]

Monday April 11, 2022

The Apache Weekly News Round-up: week ending 8 April 2022

Hello, everyone --let's review the Apache community's activities from over the past week:

The Apache Software Foundation – the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives.
 - The Apache Software Foundation Welcomes 52 New Members https://s.apache.org/2022NewMembers

ApacheCon – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - CFP for ApacheCon North America 2022 (taking place 3-6 October in New Orleans) is now open https://blogs.apache.org/conferences/entry/call-for-presentations-apachecon-north

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 April 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 355 Apache Committers changed 17,006,169 lines of code over 3,843 commits. Top 5 contributors, in order, are: Andi Huber, Claus Ibsen, Gary Gregory, Andrea Cosentino, and Chesnay Schepler.   

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Flink Kubernetes Operator 0.1.0 released 
 - Apache NiFi 1.16.0 released 
   -- CVE-2022-26850: Insufficiently protected credentials 
 - Apache Pinot 0.10.0 released 
   -- CVE-2022-23974: Pinot segment push endpoint has a vulnerability in unprotected environments 

Databases --
 - Apache Impala 3.4.1 released

Libraries --
 - Apache Daffodil VS Code 1.0.0

Observability --
 - Apache SkyWalking CLI 0.10.0 released 

Workflow --
 - Apache Airflow 2.2.5 released

Did You Know?

- Did you know that those interested in attending ApacheCon NA 2022 (3-6 October/New Orleans) but are unable to do so for financial reasons are invited to apply for Travel Assistance support? Applications open until 1 July https://apache.org/travel/

- Did you know that the ASF Infrastructure team launched a new GitBox platform with upgraded features and services? 

- Did you know that Beam Summit will be held both online and in-person in Austin, Texas, 18-20 July? https://2022.beamsummit.org/

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday April 04, 2022

The Apache Weekly News Round-up: week ending 1 April 2022

Welcome, April --we're opening the month with another great week. Here's what the Apache community has been up to:

ApacheCon – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - CFP for ApacheCon North America 2022 (taking place 3-6 October in New Orleans) is now open https://blogs.apache.org/conferences/entry/call-for-presentations-apachecon-north

Sponsor Success at Apache – the blog series that focuses on the people and processes behind why the ASF "just works".
 - "My experience with the Apache Way —a perfect society?" by Etienne Chauchot https://s.apache.org/oree2

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 April 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 352 Apache Committers changed 26,605,053 lines of code over 3,949 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Brent Bovenzi, Jarek Potiuk, Gary Gregory, and Andrea Cosentino.  

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX 2.13.0 released
   -- CVE-2022-25757: body_schema check in request-validation plugin can be bypassed

Big Data --
 - Apache Calcite Avatica Go 5.1.0 released 

Cloud --
 - Apache jclouds 2.5.0 released 

Eventing --
 - Apache EventMesh (incubating) 1.4.0 released

Integration --
 - Apache Camel 3.16.0 released

Messaging --
 - Apache Qpid JMS 1.6.0 released

Servers --
 - Apache Tomcat 8.5.78, 9.0.62, 9.0.62, and 10.1.0-M14 (alpha) released 

Security Framework --
 -  Apache Shiro 1.9.0 released 

Web Frameworks --
 - Apache Wicket 9.9.0 released


Did You Know?

- Did you know that the following Apache projects are celebrating anniversaries in April? Congratulations to Apache CXF (14 years); Avro, HBase, Mahout, Nutch, Tika, and Traffic Server (12 years); Creadur and Jena (10 years); DeltaSpike (9 years); ORC and Parquet (7 years); AsterixDB and Johnzon (6 years); CarbonData and Fineract (5 years); NetBeans, PLC4X, and SkyWalking (3 years); and ShardingSphere (2 years) https://projects.apache.org/committees.html?date

- Did you know that you can anonymously take the 2022 Apache Pulsar Website Survey and help improve the new Pulsar Website? https://lists.apache.org/thread/08hchngnrhz79jhc1d96g3rh8ox2x2db

- Did you know that the ASF has been accepted as a Google Summer of Code mentoring organization for the 17th consecutive year? Apache Project mentors welcome! https://lists.apache.org/thread/cbplf0mszmxx2dv6oor0v227h8kfrk2m

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday March 28, 2022

The Apache Weekly News Round-up: week ending 25 March 2022

We're wrapping up another great week with the following activities from the Apache community:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 April 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 333 Apache Committers changed 4,901,028 lines of code over 3,786 commits. Top 5 contributors, in order, are: Jean-Louis Monteiro, Jianyun Cheng, Sebastian Bazley, Benoit Tellier, and James Netherton.

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX 2.13.0 released 

Big Data --
 - Apache Calcite Avatica 1.30.0 released
 - Apache SeaTunnel (Incubating) 2.1.0 released 
 - Apache Kyuubi (Incubating) 1.5.0-incubating released

Blockchain --
 - Apache Tuweni (Incubating) 2.2.0 released 

Content --
 - Apache POI 5.2.2 released 
 - Apache Syncope 2.1.11 released 
 - Apache Sling 12 released

IoT --
 - Apache IoTDB 0.13.0 released 
 - Apache StreamPipes (Incubating) 0.69.0 released

Libraries --
 - Apache OpenJPA 3.2.2 released 
 - Apache Daffodil 3.3.0 released

Messaging --
 - Apache Qpid Proton 0.37.0 and Qpid Dispatch 1.19.0 released 
 - Apache Pulsar 2.8.3 released

Search --
 - Apache Solr Operator v0.5.1 released 
 - Apache Lucene 9.1.0 released

Servers --
 - Apache Tomcat Native 1.2.32 released 


Did You Know?

- Did you know that improvements to Apache Drill 1.20 include backward compatibility with Apache Hadoop 2; connectors for Apache Phoenix; writing to JDBC data sources; support for new data file formats (including Apache Iceberg and SAS files); and API query improvements?

- Did you know that Apache Calcite 1.30 includes Babel support for <=> operator; SQL hints for temporal table join; fixtures so that dependent projects can write parser, validator, and rules tests; and upgrade jsonpath to fix CVE-2021-27568?

- Did you know that the CloudStack European User Group will be held virtually on 7 April? 

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday March 21, 2022

The Apache Weekly News Round-up: week ending 18 March 2022

Happy Friday! Let's take a look at what the Apache community has been up to over the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 April 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 328 Apache Committers changed 10,109,144 lines of code over 3,415 commits. Top 5 contributors, in order, are: Mark Thomas, Chesnay Schepler, Gary Gregory, Jean-Baptiste Onofré, and Claus Ibsen.     

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Beam 2.37.0 released

Content --
 - Apache Jackrabbit Oak 1.6.23 released 

Cloud Computing --
 - Apache Kafka 3.0.1 released 
 - Apache Libcloud 3.5.0 released 
 - CVE-2022-26779: Apache Cloudstack: insecure random number generation affects project email invitation 

Database --
 - Apache Geode 1.13.8 released 

Integration --
 - Apache Camel 3.11.6 (LTS) released 

Libraries --
 - Apache Commons Daemon 1.3.0 released 

Messaging --
 - Apache ActiveMQ 5.17.0 released
 - Apache Curator 5.2.1 released

Observability --
 - Apache SkyWalking NodeJS 0.4.0 released 

Programming Languages --
 - Apache Groovy 4.0.1 released 

Servers --
 - Apache HTTP Server 2.4.53 released
   -- CVE-2022-23943: mod_sed: Read/write beyond bounds 
   -- CVE-2022-22721: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
   -- CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
   -- CVE-2022-22719: mod_lua Use of uninitialized value of in r:parsebody
 - Apache Tomcat 8.5.77, 9.0.60, 10.0.18, 10.1.0-M12 (alpha) released
 - Apache Traffic Server 9.1.2 released
 - Apache HttpComponents Core 5.2-beta1 released

Workflow --
 - Apache Airflow Helm Chart 1.5.0 released 


Did You Know?

- Did you know that the Apache Druid community will be holding a hybrid meetup on 29 March? 

- Did you know that the Bangor Australia's Bangor Brumbies Football Club site uses Apache Wicket

- Did you know that you can support the ASF through one-time and recurring tax-deductible donations online using Apple Pay, Google Pay, and Microsoft Pay using your mobile phone? https://donate.apache.org/

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday March 14, 2022

The Apache Weekly News Round-up: week ending 11 March 2022

Hello, everyone --let's review the Apache community's activities from over the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 March 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 336 Apache Committers changed 4,769,139 lines of code over 3,697 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Otavio R. Piske, Gary Gregory, Andrea Cosentino, and Andi Huber.   

Apache Project Announcements – the latest updates by category.

Big Data --
 - CVE-2021-38296: Apache Spark: Key Negotiation Vulnerability

Content --
 - Apache Any23 2.7 released
   -- CVE-2022-25312: An XML external entity (XXE) injection vulnerability exists in the RDFa XSLTStylesheet extractor
 - Apache Jackrabbit 2.20.5 released 

Cloud Computing --
  - Apache CloudStack 4.16.1.0 LTS released 

Database --
 - Apache ZooKeeper 3.8.0 released
 - Apache Geode 1.12.9 released

IDE --
 - Apache NetBeans 13 released

IoT --
 - Apache IoTDB 0.12.5 released

Libraries --
 - Apache Olingo 4.9.0 released

Mail --
 - Apache James 3.7.0 released

Orchestration --
 - Apache Hop 1.2.0 released

Programming Languages --
 - Apache Groovy 2.5.16 and 3.0.10 released


Did You Know?

- Did you know that the next Apache Druid MeetUp will be held both online and in-person in Tel Aviv on 29 March? 

- Did you know that Apache ShardingSphere SQL Parse Format Function allows you to easily understand and automatically format complicated SQL statements?

- Did you know that the next Apache Airflow Community Meetup will be held on 16 March? Sign up to learn about Data Migration Pipeline with Apache Airflow http://bit.ly/3sES9fL

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday March 07, 2022

The Apache Weekly News Round-up: week ending 4 March 2022

We're opening March with a cracking week. Here's what the Apache community has been up to:

Sponsor Apache – a number of tax-deductible sponsorships help offset the ASF's day-to-day operating expenses that include infrastructure support, bandwidth, connectivity, servers, hardware, development environments, legal counsel, accounting services, trademark protection, marketing and publicity, educational events, and more.
 - The Apache Software Foundation Welcomes VMware as its Newest Platinum Sponsor

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Announcing New ASF Board of Directors, elected during this week's Members' Meeting.
 - Next Board Meeting: 16 March 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 332 Apache Committers changed 880,561 lines of code over 3,128 commits. Top 5 contributors, in order, are: Olivier Lamy, Andrea Cosentino, Claus Ibsen, Sebastian Rühl, and Eric Milles. 

Apache Project Announcements – the latest updates by category.

Application Servers/Middleware --
 - Apache Karaf Decanter 2.9.0 released

Content --
 - Apache Jackrabbit Oak 1.22.11 released
 - Apache POI 5.2.1 released
 - CVE-2022-26336: poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception 

FinTech --
 - Apache Fineract 1.6.0 released

Libraries --
 - Apache PDFBox JBIG2 ImageIO plugin 3.0.4 released

Logging Services --
 - Apache Log4j 2.17.2 released

Network Application Framework --
 - Apache MINA FtpServer 1.1.3 released

Servers --
 - Apache Tomcat 9.0.59, 10.0.17 and 10.1.0-M11 (alpha) released 

Workflow --
 - CVE-2021-45229: Apache Airflow: Reflected XSS via Origin Query Argument in URL


Did You Know?

- Did you know that the Apache Ignite community's CFP for IgniteSummit (taking place online 14 June) closes on 29 April?

- Did you know that HugeGraph (incubating), a large-scale and easy-to-use graph database that stores and queries billions of vertices and edges, is the newest podling undergoing development in the Apache Incubator?

- Did you know that the ASF manages 2,180 mailing lists, 486 of which are private? Over the past year, 19,053 authors sent 1,946,990 emails on 869,461 topics! 

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: January 2022 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday February 28, 2022

The Apache Weekly News Round-up: week ending 25 February 2022

Farewell, February --we're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 March 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 323 Apache Committers changed 1,586,514 lines of code over 3,215 commits. Top 5 contributors, in order, are: Claus Ibsen, Jean-Louis Monteiro, Andrea Cosentino, Gary Gregory, and Eric Milles. 

Apache Project Announcements – the latest updates by category.

Application Servers/Middleware --
 - Apache Karaf Decanter 2.9.0 released

Content --
 - Apache Jackrabbit Oak 1.22.11 released
 - Apache JSPWiki CVE-2022-24947: CSRF Account Takeover
   -- CVE-2022-24948: Cross-site scripting vulnerability on User Preferences screen

FinTech --
 - Apache Fineract 1.6.0 released

Network Client --
 - Apache MINA 2.0.23, 2.1.6 released

Workflow --
 - Apache Airflow CVE-2022-24288: RCE in example DAGs


Did You Know?

 - Did you know that Apache Beam helps Palo Alto Networks meet streaming needs by providing a highly-performant, reliable, and resilient data processing framework for 10 million security events per second across 3 petabytes per day?

 - Did you know that the Australian Department of Transport's Vehicle Inspection System webapp is powered by Apache Wicket?

 - Did you know that Apache Ignite is a distributed cache, a distributed database, an in-memory database, and an in-memory data grid? 

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: January 2022 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Inside Infra: the new interview series with members of the ASF infrastructure team --meet 
    Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
    Drew Foulks https://s.apache.org/InsideInfra-Drew
    Greg Stein Part I https://s.apache.org/InsideInfra-Greg
      ...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
    Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
    Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
    Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
    Chris Lambertus Part I  https://s.apache.org/InsideInfra-ChrisL  and Part II https://s.apache.org/InsideInfra-ChrisL2

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday February 21, 2022

The Apache Weekly News Round-up: week ending 18 February 2022

We're wrapping up another great week with the following activities from the Apache community:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 March 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 350 Apache Committers changed 12,933,273 lines of code over 3,260 commits. Top 5 contributors, in order, are: Claus Ibsen, Udo Schnurpfeil, Andrea Cosentino, Mark Thomas, and Paul King.

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Accumulo 1.10.2 released

Content --
 - Apache Tika 1.28.1 released

Libraries --
 - Apache Commons JCS 3.1 released 

Messaging --
 - Apache ActiveMQ 5.16.4 released 


Did You Know?

 - Did you know that select Apache Projects and mentors are preparing for the upcoming GSoC 2022 (mentoring organizations will be announced on 7 March)? Those interested in participating can learn how to get involved at https://community.apache.org/gsoc.html

 - Did you know that the next CloudStack European User Group will be held online on 7 April? 

 - Did you know that the CFP for Ignite Summit (taking place online on 14 June) closes on 29 April? 

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: January 2022 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Inside Infra: the new interview series with members of the ASF infrastructure team --meet 
    Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
    Drew Foulks https://s.apache.org/InsideInfra-Drew
    Greg Stein Part I https://s.apache.org/InsideInfra-Greg
      ...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
    Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
    Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
    Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
    Chris Lambertus Part I  https://s.apache.org/InsideInfra-ChrisL  and Part II https://s.apache.org/InsideInfra-ChrisL2

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday February 14, 2022

The Apache Weekly News Round-up: week ending 11 February 2022

Hello, everyone --let's review the Apache community's activities from over the past week:

Apache Software Foundation Statement at 8 February 2022 Senate Committee hearing on Homeland Security and Government Affairs https://s.apache.org/485lz

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 308 Apache Committers changed 5,335,315 lines of code over 2,989 commits. Top 5 contributors, in order, are: Gary Gregory, Emmanuel Lecharny, Mark Thomas, Liang Zhang, and Tilmann Zäschke. 

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX 2.10.2 released
   -- CVE-2022-24112: apisix/batch-requests plugin allows overwriting the X-REAL-IP header 

Big Data --
 - Apache Beam 2.36.0 released

Content --
 - Apache Traffic Control 6.1.0 released
   -- CVE-2022-23206: Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth
 - Apache Tika 2.3.0 released
   -- Apache Tika 1.x End-Of-Life (EOL) announcement https://s.apache.org/lkqid
 - Apache Jackrabbit 2.21.10 released

Database --
 - Apache JDO 3.2 released
 - Apache Cassandra CVE-2021-44521: Remote code execution for scripted UDFs

Mail --
 - Apache James 3.6.2 released
   -- CVE-2022-22931: Path traversal in Apache James  

Web Frameworks --
 - Apache Wicket 9.8.0 released 


Did You Know?

 - Did you know that you can scale Apache SkyWalking in Kubernetes natively? https://skywalking.apache.org/blog/2022-01-24-scaling-with-apache-skywalking/

 - Did you know that the next Apache Ignite Community Gathering MeetUp will take place online on 16 February? 

 - Did you know that the ASF's seven-member Infrastructure team performs 7M+ weekly checks to ensure services are available around the clock to all Apache Projects and their communities? Average uptime in January 2022 was 100%!

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: January 2022 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Inside Infra: the new interview series with members of the ASF infrastructure team --meet 
    Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
    Drew Foulks https://s.apache.org/InsideInfra-Drew
    Greg Stein Part I https://s.apache.org/InsideInfra-Greg
      ...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
    Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
    Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
    Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
    Chris Lambertus Part I  https://s.apache.org/InsideInfra-ChrisL  and Part II https://s.apache.org/InsideInfra-ChrisL2

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday February 07, 2022

The Apache Weekly News Round-up: week ending 4 February 2022

Welcome, February --we're opening the month with another great week. Here's what the Apache community has been up to:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.89%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 303 Apache Committers changed 9,625,849 lines of code over 3,255 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Claus Ibsen, Sebastian Bazley, Guillaume Nodet, and Eric Milles.

Apache Project Announcements – the latest updates by category.

Apache Attic -- provides process and solutions when an Apache project has reached its end of life.
 - Apache Ambari is retired
 - Apache Usergrid is retired 

APIs --
 - Apache APISIX 2.12.0 released

Big Data --
 - Apache Kyuubi (incubating) 1.4.1-incubating released
 - Apache Hudi 0.10.1 released
 - Apache Gobblin CVE-2021-36151: Local Credentials Disclosure Vulnerability 

Business Intelligence --
 - Apache Superset CVE-2021-44451: API sensitive information leak 

Content --
 - Apache Jackrabbit Oak 1.8.26 released

Integration --
 - Apache Camel 3.15.0 released

Messaging --
 - Apache Pulsar CVE-2021-41571: Pulsar Admin API allows access to data from other tenants using getMessageById API 

Middleware --
 - Apache Linkis (incubating) released 

Programming Languages --
 - Apache Groovy 4.0.0 released 

Servers --
 - Apache HttpComponents Client 5.1.3 GA released
 - Apache HTTP mod_perl 2.0.12 released

Web Frameworks --
 - Apache Wicket 8.14.0 released 


Did You Know?

 - Did you know that the following Apache Projects are celebrating anniversaries this month? Congratulations to Apache HTTP Server (27 years!); Gump and Portals (18 years); Directory, MyFaces, and Xerces (17 years); Tapestry (16 years); Roller (15 years); Cassandra and Subversion (12 years); Chemistry (11 years); BVal and OpenNLP (10 years); Clerezza (9 years); Knox and Spark (8 years); DataFu (4 years); Unomi (3 years); Daffodil, Ratis, and Solr (2 years)! https://projects.apache.org/committees.html?date

 - Did you know that the ASF is joining the Open Geospatial Consortium and Open Source Geospatial Foundation to hold the 2022 Joint OGC-OSGeo-ASF Code Sprint, taking place 8-10 March? Those interested in helping advance OGC Standards through numerous Apache and OSGeo projects are invited to learn more and sign up at https://portal.ogc.org/public_ogc/register/220225asf_codesprint.php 

 - Did you know that the CFP for Airflow Summit (taking place online 23-27 May) is now open?

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: January 2022 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Inside Infra: the new interview series with members of the ASF infrastructure team --meet 
    Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
    Drew Foulks https://s.apache.org/InsideInfra-Drew
    Greg Stein Part I https://s.apache.org/InsideInfra-Greg
      ...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
    Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
    Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
    Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
    Chris Lambertus Part I  https://s.apache.org/InsideInfra-ChrisL  and Part II https://s.apache.org/InsideInfra-ChrisL2

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Tuesday February 01, 2022

Apache Month in Review: January 2022

Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in January  [video highlights available] :

New This Month --

- Apache in 2021 - By The Digits – a look at the achievements from the Apache Community over the past 12 months
   -- Summary and stats at https://s.apache.org/Apache2021Digits
   -- Video highlights https://youtu.be/GU0SV_2tWkU

- Apache Software Foundation statement on White House Open Source Security Summit 

- Apache Month in Review: December 2021

- ASF Security Report 2021 – the annual state of security across all Apache projects

- The Apache Software Foundation Announces Open Source data orchestration platform Apache® Hop™ as a Top-Level Project


Important Dates --

- Next Board Meeting: 16 February 2022. Board calendar and minutes


Infrastructure --

Our seven-member Infrastructure team on three continents oversees our highly-reliable, distributed network under the leadership of VP Infrastructure David Nalley and Infrastructure Administrator Greg Stein. ASF Infrastructure supports 300+ Apache projects and their communities across ~200 individual machines, 1,400+ repositories, 5-6PB in traffic annually, ~75M downloads per month, and 2-3M daily emails on 2,000+ lists. ASF Infra performs 7M+ weekly checks to ensure services are available around the clock. The average uptime in January was 100%.

Committer Activity --

In January, 672 Apache Committers changed 14,033,278 lines of code over 15,480 commits. The Committers with the top 5 highest contributions, in order, were: Gary Gregory, Claus Ibsen, Mark Thomas, Jarek Potiuk, and Sebastian Bazley.


Project Releases and Updates --

New releases from Apache Airflow (Workflow); APISIX (API); Avro (Big Data); Camel (Integration); DolphinScheduler (Workflow); Flink (Big Data); Geode (Database); Guacamole (Network Client); Hop (Orchestration); Ignite (Big Data); Jackrabbit (Content); James (Mail); Kafka (Big Data); Karaf (Application Servers/Middleware); Knox (Big Data); Log4j (Libraries); MINA (Network Client/Server); NiFi (Big Data); OFBiz (Enterprise Processes Automation / ERP); POI (Content); Portals (Web Frameworks); ShardingSphere (Big Data); ShenYu (Incubating; API); Skywalking (Application Performance Management); Struts (Web Frameworks); Tomcat (Servers); Tuweni (Incubating; Blockchain); and TVM (Machine Learning).


Apache Project Anniversaries in January: Apache Cocoon, James, and Web Services (18 years); Lucene (16 years); ActiveMQ (14 years); Hadoop (13 years); River (10 years); Empire-db and Gora (9 years); OpenMeetings (8 years); Samza (6 years); Arrow (5 years); Ranger (2 years); and Gobblin (1 year). Many happy returns!

The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. More than three dozen projects are currently undergoing development in the Apache Incubator.

# # #

To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!


Monday January 31, 2022

The Apache Weekly News Round-up: week ending 28 January 2022

Farewell, January --we're wrapping up the month with another great week. Here are the latest updates on the Apache community's activities:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 337 Apache Committers changed 1,533,287 lines of code over 3,738 commits. Top 5 contributors, in order, are: Jarek Potiuk, Sebastian Bazley, Claus Ibsen, Harikrishna Patnala, and Mark Thomas.

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache ShenYu (Incubating) 2.4.2 released
   -- CVE-2022-23944: Improper access control
   -- CVE-2022-23945: Missing authentication allows gateway registration 

Application Servers/Middleware --
 - Apache Karaf runtime 4.3.6 released
   -- CVE-2021-41766: Insecure Java Deserialization
   -- CVE-2022-22932: Path traversal flaws 

Blockchain --
 - Apache Tuweni (Incubating) 2.1.0 released

Cloud Computing --
 - Apache Kafka 3.1.0  released 

Content --
 - Apache Jackrabbit Oak 1.22.10 released

Databases --
 - Apache Geode 1.14.3 released 

Integration --
 - Apache Camel 3.14.1 (LTS) released 

Orchestration --
 - Apache Hop 1.1.0 released 

Servers --
 - Apache Tomcat CVE-2022-23181: Local Privilege Escalation 

Web Frameworks --
 - Apache Struts 2.5.29 released 


Did You Know?

 - Did you know that the ASF published a statement following the 13 January meeting at the White House on the security of Open Source software? https://s.apache.org/jri14

 - Did you know that members of the Apache Arrow, Flink, Kafka, Mahout, Maven, OpenOffice, ShardingSphere, Spark, and other project communities will be presenting at FOSDEM (taking place online 5-6 February)? 

 - Did you know that the CFP for Beam Summit (hybrid event taking place 18-20 July) closes on 15 March?

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: December 2021 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Inside Infra: the new interview series with members of the ASF infrastructure team --meet 
    Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
    Drew Foulks https://s.apache.org/InsideInfra-Drew
    Greg Stein Part I https://s.apache.org/InsideInfra-Greg
      ...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
    Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
    Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
    Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
    Chris Lambertus Part I  https://s.apache.org/InsideInfra-ChrisL  and Part II https://s.apache.org/InsideInfra-ChrisL2

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday January 24, 2022

The Apache Weekly News Round-up: week ending 21 January 2022

We're wrapping up another great week with the following activities from the Apache community:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 February 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 339 Apache Committers changed 2,470,884 lines of code over 3,505 commits. Top 5 contributors, in order, are: Gary Gregory, Claus Ibsen, Adam Kocoloski, Mark Thomas, and Tian Jiang. 

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX Java Plugin Runner 0.2.0 released

Application Servers/Middleware --
 - Apache Karaf runtime 4.2.15 and 4.3.6 released

Big Data --
 - Apache NiFi 1.15.3 released
 - Apache Flink 1.14.3 released
 - Apache ShardingSphere ElasticJob UI 3.0.1 released
 - Apache Knox 1.6.1 released
   -- CVE-2021-42357: DOM based XSS Vulnerability 

Content --
 - Apache POI 5.2.0 released 

Databases --
 - Apache Geode 1.12.8, 1.13.7 and Kafka Connector 1.1.0 released

Data Management Platform --
 - Apache Ignite 2.12.0 released 

Enterprise Processes Automation / ERP --
 - Apache OFBiz 17.12 End-Of-Life (EOL) announcement https://s.apache.org/hm5oe

Libraries --
 - Apache Log4j CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x
   -- CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1 
   -- CVE-2022-23307: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution 

Orchestration --
 - The Apache Software Foundation Announces Open Source data orchestration platform Apache® Hop™ as a Top-Level Project https://s.apache.org/4s3ci

Observability --
 - Apache SkyWalking Could on Kubernetes 0.6.1 released

Servers --
 - Apache Tomcat 8.5.75, 9.0.58, 10.0.16, and 10.1.0-M10 (alpha) released 

Workflow --
 - Apache Airflow CVE-2021-45230: Creating DagRuns didn't respect Dag-level permissions in the Webserver 


Did You Know?

 - Did you know that the following Apache projects are celebrating anniversaries this month? Congratulations to Apache Cocoon, James, and Web Services (19 years); Lucene (17 years); ActiveMQ (15 years); Hadoop (14 years); River (11 years); Empire-db and Gora (10 years); OpenMeetings (9 years); Samza (7 years); Arrow (6 years); Ranger (5 years); and Gobblin (1 year) https://projects.apache.org/committees.html?date

 - Did you know that Netflix and Target are building modern analytics applications to deliver interactive data experiences using Apache Druid

 - Did you know that Disney+Hotstar's streaming data lakes injest 1 million events per second using Apache Kafka, store 14tb of data per day in an Apache HBase warehouse, and stream using Apache Hudi? https://projects.apache.org/projects.html?category

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: December 2021 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Inside Infra: the new interview series with members of the ASF infrastructure team --meet 
    Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
    Drew Foulks https://s.apache.org/InsideInfra-Drew
    Greg Stein Part I https://s.apache.org/InsideInfra-Greg
      ...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
    Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
    Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
    Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
    Chris Lambertus Part I  https://s.apache.org/InsideInfra-ChrisL  and Part II https://s.apache.org/InsideInfra-ChrisL2

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday January 17, 2022

The Apache Weekly News Round-up: week ending 14 January 2022

Happy Friday! Let's take a look at what the Apache community has been up to over the past week:

ASF Security Report 2021 – the state of security across all Apache projects with key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues https://s.apache.org/SecurityReport2021

Apache Software Foundation statement on White House Open Source Security Summit https://s.apache.org/jri14

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 19 January 2022. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF's Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 322 Apache Committers changed 1,963,025 lines of code over 3,852 commits. Top 5 contributors, in order, are: Gary Gregory, Antoine Toulme, Claus Ibsen, Mark Thomas, and Dan Klco. 

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Flink ML 2.0.0 released

Content --
 - Apache Jackrabbit 2.16.9 released

Machine Learning --
 - Apache TVM 0.8.0 released

Network Client --
 - Apache Guacamole 1.4.0 released
   -- CVE-2021-41767: Private tunnel identifier may be included in the non-private details of active connections 
   -- CVE-2021-43999: Improper validation of SAML responses 

Observability --
 - Apache SkyWalking Kong version 0.2.0 released

Workflow --
 - Apache DolphinScheduler 2.0.2 released
 - Apache Airflow Helm Chart 1.4.0 released


Did You Know?

 - Did you know that more than 630,000 individuals have contributed to Apache projects and initiatives since the ASF's incorporation in 1999? https://blogs.apache.org/foundation/entry/apache-in-2021-by-the 

 - Did you know that Apache DolphinScheduler won a "2021 OSC Most Popular Projects" award from OSCHINA?

 - Did you know that video recordings from the 2021 TVMCon (Apache TVM and Open Source ML acceleration conference) are now available online?

Apache Community Notices

 - Apache in 2021 - By The Digits + Video highlights 

 - The Apache Month in Review: December 2021 and video highlights

 - Watch "Trillions and Trillions Served", the documentary on the ASF 1) full feature [49 min] 2) "Apache Everywhere" [6 min] 3) "Why Apache" [2.5 min] 4) “Apache Innovation” [40 min] 

 - ASF Annual Report: FY2021 -- Press release and Report (PDF)

 - The Apache Way to Sustainable Open Source Success 

 - Foundation Reports and Statements

 - Presentations from 2021's ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works." 

 - Inside Infra: the new interview series with members of the ASF infrastructure team --meet 
    Chris Thistlethwaite https://s.apache.org/InsideInfra-Chris
    Drew Foulks https://s.apache.org/InsideInfra-Drew
    Greg Stein Part I https://s.apache.org/InsideInfra-Greg
      ...Part II https://s.apache.org/InsideInfra-Greg2 and Part III https://s.apache.org/InsideInfra-Greg3
    Daniel Gruno Part I https://s.apache.org/InsideInfra-Daniel1 and Part II https://s.apache.org/InsideInfra-Daniel2
    Gavin McDonald Part I https://s.apache.org/InsideInfra-Gavin and Part II https://s.apache.org/InsideInfra-Gavin2
    Andrew Wetmore Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2
    Chris Lambertus Part I  https://s.apache.org/InsideInfra-ChrisL  and Part II https://s.apache.org/InsideInfra-ChrisL2

 - Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn

 - Follow the Apache Community on Facebook and Twitter

 - Are your software solutions Powered by Apache? Download & use our "Powered By" logos.


Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, https://twitter.com/PlanetApache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Monday January 10, 2022

Apache Software Foundation Security Report: 2021

Synopsis: This report explores the state of security across all of The Apache Software Foundation projects for the calendar year 2021. We review key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues.


Released: January 2022


Author: Mark Cox, Vice President Security, The Apache Software Foundation

Background

The security committee of The Apache Software Foundation (ASF) oversees and coordinates the handling of vulnerabilities across all of the 350+ Apache projects.  Established in 2002 and composed of all volunteers, we have a consistent process for how issues are handled, and this process includes how our projects must disclose security issues.


Anyone finding security issues in any Apache project can report them to security@apache.org where they are recorded and passed on to the relevant dedicated security teams or private project management committees (PMC) to handle.  The security committee monitors all the issues reported across all the projects and keeps track of the issues throughout the vulnerability lifecycle.  


The security committee is responsible for ensuring that issues are dealt with properly and actively reminds projects of their outstanding issues and responsibilities.  As a board committee, we have the ability to take action including blocking their future releases or, worst case, archiving a project if such projects are unresponsive to handling their security issues.  This, along with the Apache License v2,0, are key parts of the ASF’s general oversight function around official releases, allowing the ASF to protect individual developers and giving users confidence to deploy and rely on ASF software.  


The oversight into all security reports, along with tools we have developed, gives us the ability to easily create metrics on the issues.  Our last report covered the metrics for 2020.

Statistics for 2021

In 2021 our security email addresses received in total ~18,500 emails. After spam filtering and thread grouping there were 1272 (2020: 946, 2019: 620) non-spam threads.  Unfortunately security reports do sometimes look like spam, especially if they include lots of attachments or large videos, and so the security team are careful to review all messages to ensure real reports are not missed for too long.


Diagram 1: Breakdown of ASF security email threads for calendar year 2021


Diagram 1 gives the breakdown of those 1272 threads.  359 threads (28%) were people confused by the Apache License.  As many projects use the Apache License, not just those under the ASF umbrella, people can get confused when they see the Apache License and they don't understand what it is. This is most common for example on mobile phones where the licenses are displayed in the settings menu, usually due to the inclusion of software by Google released under the Apache License.  We no longer reply to these emails. This is up from the 257 received in 2020.


The next 337 of the 1272 (26%) are email threads with people asking non-security (usually support-type) questions.


The next 135 of those reports were researchers reporting issues in an Apache web site.  These are almost always false positives; where a researcher reports us having directory listings enabled, source code visible, public “.git” directories, and so on.  These reports are generally the unfiltered output of some publicly available scanning tool, and often where the reporter asks us for some sort of monetary reward (bounty) for their report.


That left 441 (2020: 376, 2019: 320) reports of new vulnerabilities in 2021, which spanned 99 of the top level projects.  These 441 reports are a mix of external reporters and internal. For example, where a project has found an issue themselves and followed the ASF process to assign it a CVE (Common Vulnerabilities and Exposures) name and address it, we’d still count it here.  We don’t keep metrics that would give the breakdown of internal vs external reports.


The next step is that the appropriate project triages the report to see if it's really an issue or not.  Invalid reports and reports of things that are not actually vulnerabilities get rejected back to the reporter.  Of the remaining issues that are accepted they are assigned appropriate CVE names and eventually fixes are released.


As of January 1st 2022, 50 of those 441 reports were still under triage and investigation. This is where a project was working on an issue and had not rejected the issue or assigned it a CVE as of the snapshot taken on January 1st 2022.  This number was higher than what we’d normally expect and was due to the large influx of reports that came at the end of December 2021.


The remaining 391 (2020: 341, 2019: 301) reports led to us assigning 183 (2020: 151, 2019: 122) CVE names.  Some vulnerability reports may include multiple issues, some reports are across multiple projects, and some reports are duplicates where the same issue is found by different reporters, so there isn't an exact one-to-one mapping of accepted reports to CVE names.  The Apache Security committee handles CVE name allocation and is a MITRE Candidate Naming Authority (CNA), so all requests for CVE names in any ASF project are routed through us, even if the reporter is unaware and contacts MITRE directly or goes public with an issue before contacting us.

Noteworthy events

During 2021 there were a few events worth discussing; either because they were severe and high risk, they had readily available exploits, or there was media attention. These included:

  • January: A cross-site scripting (XSS) flaw was found in the default error page of Apache Velocity (CVE-2020-13959) which affected a number of public visible websites. Despite a fix being available it then took several months to produce a new release to include the fix, causing the reporter to publicise it early. As a consequence, the security team did a deeper dive through all the outstanding open issues with the affected PMCs to ensure they were all being handled.

  • January: A report was published which showed how malware is still exploiting Apache ActiveMQ instances that have not been patched for over 5 years (CVE-2016-3088)

  • June: The Airflow PMC published a blog about how they handle security issues, how users are sometimes slow to deploy updates (CVE-2020-17526), and how flaws in dependencies can affect Airflow.

  • July: A third-party blog explained how threat actors are exploiting mis-configured Apache Hadoop YARN services

  • August: A researcher discovered a number of issues in HTTP/2 implementations.  The Apache HTTP Server was affected by a moderate vulnerability (CVE-2021-33193)

  • September: A keynote presentation at ApacheCon 2021 discussed the security committee, the US Executive Order on Improving the Nation’s Cybersecurity, and third party security projects such as those under the OpenSSF.

  • September: A flaw in Apache OpenOffice could allow a malicious document to run arbitrary code if opened (CVE-2021-33035)

  • October: A critical issue was found in the Apache HTTP Server. The default configuration protected against this vulnerability, but in custom configurations without those protections, and with CGI support enabled, this could lead to remote code execution (CVE-2021-41773). The issue was fixed in an update 5 days after the issue was reported to the security team, however the fix was quickly found to be insufficient and a further update to fully address it was released 3 days after that (CVE-2021-42013). A MetaSploit exploit exists for this issue.

  • October: The Internet Bug Bounty from HackerOne extended their program to include Apache Airflow, the Apache HTTP Server, and Apache Commons.  Unlike many other programs, this program relies on vulnerability finders following the standard ASF notification process, and allows finders to claim a reward for eligible issues after the fix is available and the issue is public.

  • December: A vulnerability in Log4J 2 (CVE-2021-44228, “Log4Shell”), a popular and common Java logging library, allowed remote attackers to achieve remote code execution in a default and likely installation.  The issue was widely exploited, starting the day before a release with a fix was published.  There is a MetaSploit exploit module for this issue. After the fixed release a few subsequent Log4J vulnerabilities were also fixed, but none had the same impact or default conditions.  

  • December: The ASF is invited to a forum in 2022 around open source security. White House Extends Invitation to Improve Open-Source Security.  We produced a position paper in advance of the meeting.

Timescales

Our security teams and project management teams are all volunteers and so we do not give any formal SLA on the handling of issues.  However we can break down our aims and goals for each part of the process:


Triage: Our aim is to handle incoming mails to the security@apache.org alias within three working days.  We do not measure or report on this because we assess the severity of each incoming issue and apply the limited resources we have appropriately.  The alias is staffed by a very small number of volunteers taken from the different project PMCs.  After the security team forwards a report to a PMC, the PMC will reply to the reporter.  Sometimes reporters send reports attaching large PDF files or even movies of exploitation that don’t make it to us due to size restrictions on incoming email, so please ensure any follow ups are a simple plain text email.


Investigation: Once a report is sent to the private list of the projects management committee, the process of triage and investigation varies in time depending on the project, availability of resources, and number of issues to be assessed.  As security issues are dealt with in private, we send reports to a private list made up only of the PMC. Therefore these reports do not reach every project committer, so there is a smaller set of people in each project able to investigate and respond.  As a general guideline we try to ensure projects have triaged issues within 90 days of the report.  The ASF security team follow-up on any untriaged issues over 90 days old.


Fix: Once a security issue is triaged and accepted, the timeline for the fixing of issues depends on the schedules of the projects themselves.  Issues of lower severity are most often held to pre-planned releases.  


Announcement: Our process allows projects up to a few days between a fix release being pushed and the announcement of the vulnerability.  All vulnerabilities and mitigating software releases are announced via the announce@apache.org list.  We now aim to have them appear in the public CVE project list within a day of that announcement, and even quicker for critical issues.

Conclusion

The Apache Software Foundation projects are highly diverse and independent.  They have different languages, communities, management, and security models.  However one of the things every project has in common is a consistent process for how reported security issues are handled. 


The ASF Security Committee works closely with the project teams, communities, and reporters to ensure that issues get handled quickly and correctly.  This responsible oversight is a principle of The Apache Way and helps ensure Apache software is stable and can be trusted.


This report gave metrics for calendar year 2021 showing from the 18,500 emails received we triaged over 390 vulnerability reports relating to ASF projects, leading to fixing 183 (CVE) issues.  The number of non-spam threads dealt with was up 34% from 2020 with the number of actual vulnerability reports up 17% and assigned CVE up 21%.


While the ASF often gets updates for critical issues out quickly, reports show that users are being exploited by old issues in ASF software that have failed to be updated for years, and vendors (and, thus, their users) still make use of end of life versions which have known unfixed vulnerabilities. This will continue to be a big problem and we are committed to engaging on this industry-wide problem to figure out what we can do to help.


If you have vulnerability information you would like to share please contact us or for comments on this report see the public security-discuss mailing list.

Calendar

Search

Hot Blogs (today's hits)

Tag Cloud

Categories

Feeds

Links

Navigation