The Apache Software Foundation
Blogging in Action.

The Apache News Round-up: week ending 19 February 2021

Hello, Friday. Let's review the Apache community's activities from over the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws. 
 - Next Board Meeting: 17 March 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

Apache Diversity & Inclusion – initiatives that promote diversity, equity, and inclusion across the greater Apache community.
 - Call for Apache project proposals and mentors: Outreachy Open Source internship program May-Aug 2021 https://s.apache.org/s7tz2

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 337 Apache Committers changed 1,346,004 lines of code over 2,861 commits. Top 5 contributors, in order, are: Andrea Cosentino, Claus Ibsen, Leonid Frolov, Gary Gregory, and Guillaume Nodet.    

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX Dashboard 2.4 released https://apisix.apache.org/

Big Data --
 - The Apache Software Foundation Announces Apache® Gobblin™ as a Top-Level Project https://s.apache.org/df92k
 - Apache NiFi 1.13.0 released http://nifi.apache.org/
 - Apache Airflow CVE-2021-26559: Privilege Escalation Attack https://s.apache.org/bzww8 , and
   CVE-2021-26697: Lineage API endpoint for Experimental API missed authentication check https://s.apache.org/4sp60

Integration --
 - Apache Camel 3.8.0 released https://camel.apache.org/

Natural Language Processing --
 - Apache NLPCraft 0.7.4 (incubating) released https://nlpcraft.apache.org/

Messaging --
 - Apache Qpid Dispatch 1.15.0 released https://qpid.apache.org/

Servers --
 - Apache HttpComponents Client 5.1-beta1 released https://hc.apache.org/

Templating --
- Apache FreeMarker 2.3.31 released https://freemarker.apache.org/

Web Frameworks --
 - Apache MyFaces CVE-2021-26296: Cross-Site Request Forgery (CSRF) vulnerability https://s.apache.org/ylllx

Did You Know?

- Did you know that the ASF is the top-ranked Open Source not-for-profit organization with the most stars on GitHub? #4 of all organizations as of February 2021! https://gitstar-ranking.com/

- Did you know that Apache OpenMeetings, HTTP Server, and Tomcat have been listed amongst StackShare’s newly-announced Top 100+ Developer Tools of 2020? OpenMeetings is a “New Tool of the Year” category winner for “Web and Video Conferencing”; Apache HTTP Server and Tomcat Apache are category winners for “Web Server of the Year”. https://stackshare.io/posts/top-developer-tools-2020

- Did you know that the Call for Participation for the first Ignite Summit is now open? Join members of the Apache Ignite community online (virtual event); registration is open and free of charge https://ignite-summit.org/

Apache Community Notices

- Apache Month In Review: January 2021 https://s.apache.org/Jan2021 + Video highlights https://youtu.be/hWMonAbaprU

- The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits + Video highlights https://s.apache.org/Apache2020Digits-vid

- ASF Security Report 2020 https://s.apache.org/SecurityReport2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - All presentations from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/ 

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 07:45AM Feb 19, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 12 February 2021

Friday arrived quickly --happy Lunar New Year to those who celebrate! The Apache community has had a productive week; let's review:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws. 
 - Next Board Meeting: 17 February 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

Apache Diversity & Inclusion – initiatives that promote diversity, equity, and inclusion across the greater Apache community.
 - Call for Apache project proposals and mentors: Outreachy Open Source internship program May-Aug 2021 https://lists.apache.org/thread.html/r7ba52de92d2a31d623aa510573de89c9d8a82ab01e85c87f43a792d4%40%3Cannounce.apache.org%3E

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - ApacheCon@Home keynotes, plenaries, and presentations on Big Data, Camel/Integration, Cassandra, Community, Content Delivery (Traffic Server/Traffic Control), cTAKES, Fineract/Fintech, Geode, Geospatial, Groovy, HTTP Server (httpd and the Web), Ignite, Incubator, IoT, Jena, Karaf, Machine Learning, Mahout, Multi-lingual tracks (Hindi/German/Mandarin/Spanish), Observability, OpenOffice, Pulsar/Bookkeeper, Royale, Solr/Lucene/Search Learning, Streaming, Tomcat, and more are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.96%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 388 Apache Committers changed 2,346,803 lines of code over 4,410 commits. Top 5 contributors, in order, are: Bernd Bohmann, Gary Gregory, Tellier Benoit, Andrea Cosentino, and Claus Ibsen.

Apache Project Announcements – the latest updates by category.

APIs --
 - Apache APISIX 2.3 released https://apisix.apache.org/

IoT --
 - Apache PLC4X 0.8.0 released https://plc4x.apache.org/

Observability --
 - Apache SkyWalking CLI 0.6.0 released https://skywalking.apache.org/

Servers --
 - Apache HttpComponents Core 5.1 BETA3 released https://hc.apache.org/
 - Apache Tomcat 8.5.63 released https://tomcat.apache.org/

Web Frameworks --
 - Apache MyFaces Core 2.2.14 released http://myfaces.apache.org/ 

Did You Know?

- Did you know that downloads of Apache OpenOffice exceed 1 Million each month? https://openoffice.apache.org/

- Did you know that Airbnb uses Apache Superset for deep data insights, visualizing metrics, and business intelligence at scale? https://superset.apache.org/

- Did you know that the Apache Groovy, Kafka, and Maven communities will be participating at DevNexus online on 17 February? Registration is free and open to all http://devnexus.com

Apache Community Notices

- Apache Month In Review: January 2021 https://s.apache.org/Jan2021 + Video highlights https://youtu.be/hWMonAbaprU

- The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits + Video highlights https://s.apache.org/Apache2020Digits-vid

- ASF Security Report 2020 https://s.apache.org/SecurityReport2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 12:27PM Feb 12, 2021 by Sally in Newsletter  |   | 

The Apache News Round-up: week ending 5 February 2021

Welcome, February --we're opening the month with another great week. Here's what the Apache community has been up to:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 17 February 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - videos from ApacheCon@Home presentations are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.99%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 402 Apache Committers changed 3,696,305 lines of code over 3,791 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Andrea Cosentino, Claus Ibsen, Andi Huber, and Christofer Dutz.  

Apache Project Announcements – the latest updates by category.

Application Performance Monitoring --
 - Apache SkyWalking 8.4.0 released https://skywalking.apache.org/

Big Data --
 - Apache Flink 1.10.3 released https://flink.apache.org/
 - The Apache Software Foundation Announces Apache® DataSketches™ as a Top-Level Project https://s.apache.org/jhvqu
 - Apache Druid 0.20.1 released https://druid.apache.org/
 - Apache Druid CVE-2021-25646: Remote code execution vulnerability https://s.apache.org/7tkex

Search --
 - Apache Lucene 8.8.0 and Solr 8.8.0 released http://lucene.apache.org/

Servers --
 - Apache Tomcat 9.0.43 and 10.0.2 released https://tomcat.apache.org/

Web Frameworks --
 - Apache MyFaces Core 3.0.0 released http://myfaces.apache.org/ 

Did You Know?

- Did you know that the following Apache projects are celebrating anniversaries this month? Congratulations to Apache HTTP Server (26 years); Gump and Portals (17 years); Directory, MyFaces, and Xerces (16 years); Tapestry (15 years); Roller (14 years); Cassandra and Subversion (11 years); Chemistry (10 years); BVal and OpenNLP (9 years); Clerezza (8 years); Knox and Spark (7 years); DataFu (3 years); and Unomi (2 years) https://projects.apache.org/committees.html?date

- Did you know that Apache Arrow, Apache Ranger, and Apache Sentry power Dremio and Starburst, two of InfoWorld's 2021 Technology of the Year Award Winners? https://www.infoworld.com/article/3604653/infoworlds-2021-technology-of-the-year-award-winners.html

- Did you know that Apache DolphinScheduler (incubating) is used at China Telecom, IBM, Inspur, Lenovo, Tencent, Walmart, and dozens others for visual workflow scheduling? http://dolphinscheduler.apache.org/

Apache Community Notices

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits + Video highlights https://s.apache.org/Apache2020Digits-vid

- Apache Month In Review: January 2021 https://s.apache.org/Jan2021 + Video highlights https://youtu.be/hWMonAbaprU

- ASF Security Report 2020 https://s.apache.org/SecurityReport2020

- The Apache Software Foundation Operations Summary: 1 August - 31 October 2020 https://s.apache.org/Q2FY2021

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 10:59AM Feb 05, 2021 by Swapnil M Mane in Newsletter  |   | 

Apache Month in Review: January 2021

Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in January:

New this month --

 - Apache in 2020 - By The Digits – a look at the achievements from the Apache Community over the past 12 months.
   -- Summary and stats at https://s.apache.org/Apache2020Digits
   -- Video highlights https://s.apache.org/Apache2020Digits-vid

 - ASF Security Report 2020 – the annual state of security across all Apache projects https://s.apache.org/SecurityReport2020

 - The Apache Way to Sustainable Open Source Success  – Apache is for Everyone. Every developer has their personal motivations for building software. We celebrate their right to choose when and how they build their software, including their right to use a non-open license. https://s.apache.org/GhnI

 - ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
   -- Videos of all ApacheCon@Home sessions, including Plenaries and Keynotes, are available https://www.youtube.com/c/TheApacheFoundation/

 - Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021

 - "Inside Infra" – the interview series featuring members of the ASF Infrastructure team
   -- Meet Chris Lambertus --Part I https://s.apache.org/InsideInfra-ChrisL and Part II https://s.apache.org/InsideInfra-ChrisL2

 - Apache Month in Review: December 2020 https://s.apache.org/Dec2020

Important Dates --

  - Next Board Meeting: 17 February 2021. Board calendar and minutes http://apache.org/foundation/board/calendar.html

Infrastructure --

In January, 726 Apache Committers changed 11,011,714 lines of code over 14,708 commits. The Committers with the top 5 highest contributions, in order, were: Rohit Yadav, Jean-Baptiste Onofré, Andrea Cosentino, Gary Gregory, and Mark Thomas.

Project Releases and Updates --

New releases from Apache Accumulo (Big Data); Arrow (Big Data); Beam (Big Data); Camel (Integration); CloudStack (Cloud Computing); Commons Daemon (Libraries); Flink (Big Data);  Guacamole (Network Client); Hadoop (Big Data); Ignite (Big Data); IoTDB (IoT); Jackrabbit (Content); JMeter (Testing); Nutch (Web Crawler); OFBiz (Enterprise Processes Automation / ERP); Oak (Content); Rya (Big Data); Qpid Broker (Messaging); ShardingSphere (Big Data); Skywalking (Application Performance Management); Tika (Big Data); Tomcat (Servers); Traffic Server (Servers).

Upcoming Apache Project community events include ESUP Days & Apereo Paris (2 February); Airflow Virtual Meetup (12 February); Joint ASF–OCG–OSGeo Code Sprint (17-19 February); and Big Data Technology Warsaw Summit (23 February).

The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. New to the Apache Incubator in January: ECharts (Library) and Superset (Big Data). We invite you to review the many projects currently in development in the Apache Incubator http://incubator.apache.org/ .

# # #

To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!

Posted at 01:17PM Feb 01, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 29 January 2021

Farewell, January --both the week and month have flown by. Let's review what the Apache community has been up to:

The Apache Way to Sustainable Open Source Success  – Apache is for Everyone. Every developer has their personal motivations for building software. We celebrate their right to choose when and how they build their software, including their right to use a non-open license. https://s.apache.org/GhnI

ASF Security Report 2020 – the annual state of security across all Apache projects https://s.apache.org/SecurityReport2020

Inside Infra – the interview series featuring members of the ASF Infrastructure team.
 - Chris Lambertus --Part II https://s.apache.org/InsideInfra-ChrisL2

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 17 February 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - videos from ApacheCon@Home presentations are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.90%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 368 Apache Committers changed 2,919,651 lines of code over 3,273 commits. Top 5 contributors, in order, are: Mark Thomas, Leonid Frolov, Andrea Cosentino, Andi Huber, and Christofer Dutz.  

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Arrow 3.0.0 released https://arrow.apache.org/
 - Apache Hadoop CVE-2020-9492: Potential privilege escalation https://s.apache.org/d9h7j

IoT --
 - Apache IoTDB 0.11.2 released https://iotdb.apache.org/

Messaging --
 - Apache ActiveMQ CVE-2021-26117: LDAP-Authentication does not verify passwords on servers with anonymous bind https://s.apache.org/xvpov , and
   CVE-2021-26118: Flaw in ActiveMQ Artemis OpenWire support https://s.apache.org/bpp38

Libraries --
 - The Apache Software Foundation Announces Apache® ECharts™ as a Top-Level Project https://s.apache.org/txmmr
 - Apache Commons Daemon 1.2.4 released https://commons.apache.org/proper/commons-daemon/

Servers --
 - Apache Traffic Server 9.0.0 released https://trafficserver.apache.org/

Testing --
 - Apache JMeter 5.4.1 released https://jmeter.apache.org/

Web Crawler --
 - Apache Nutch 1.18 released https://nutch.apache.org/
 - Apache Nutch CVE-2021-23901: An XML external entity (XXE) injection vulnerability exists in the Nutch DmozParser https://s.apache.org/y0pir

Did You Know?

- Did you know that the Apache Kafka PMC has published a trademark disclaimer for naming non-java clients and connectors to help those building the Apache Kafka ecosystem? https://kafka.apache.org/trademark

- Did you know that video presentations from the 2020 Virtual Druid Summit are available online? http://ow.ly/HLQq50Df7rI

- Did you know that the 2021 Joint Apache Software Foundation – Open Geospatial Consortium – Open Source Geospatial Foundation Code Sprint will be taking place online and free-of-charge 17-19 February? All are welcome to participate https://s.apache.org/ilzbf

Apache Community Notices

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits + Video highlights https://s.apache.org/Apache2020Digits-vid

- The Apache Software Foundation Operations Summary: 1 August - 31 October 2020 https://s.apache.org/Q2FY2021

- Apache Month In Review: December 2020 https://s.apache.org/Dec2020 

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 05:22AM Jan 29, 2021 by Swapnil M Mane in Newsletter  |   | 

Apache Software Foundation Security Report: 2020

Synopsis: This report explores the state of security across all Apache Software Foundation projects for the calendar year 2020. We review key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues.

Released: January 2021

Author: Mark Cox, Vice President Security, Apache Software Foundation

Background

The security committee of the Apache Software Foundation (ASF) oversees and coordinates the handling of vulnerabilities across all of the 340+ Apache projects.  Established in 2002 and composed of all volunteers, we have a consistent process for how issues are handled, and this process includes how our projects must disclose security issues.

Anyone finding security issues in any Apache project can report them to security@apache.org where they are recorded and passed on to the relevant dedicated security teams or private project management committees (PMC) to handle.  The security committee monitors all the issues reported across all the addresses and keeps track of the issues throughout the vulnerability lifecycle.

The security committee is responsible for ensuring that issues are dealt with properly and will actively remind projects of their outstanding issues and responsibilities.  As a board committee, we have the ability to take action including blocking their future releases or, worst case, archiving a project if such projects are unresponsive to handling their security issues.  This, along with the Apache Software License, are key parts of the ASF’s general oversight function around official releases, allowing the ASF to protect individual developers and giving users confidence to deploy and rely on ASF software.

The oversight into all security reports, along with tools we have developed, gives us the ability to easily create metrics on the issues.  Our last report covered the metrics for 2019.

Statistics for 2020

In 2020 our security email addresses received in total 18,000 emails. After spam filtering and thread grouping this was 946 (2019: 620) non-spam threads.  Unfortunately many security reports do look like spam and so the security team are careful to review all messages to ensure real reports are not missed for too long.

Diagram 1: Breakdown of ASF security email threads for calendar year 2020

Diagram 1 gives the breakdown of those 946 threads.  257 threads (27%) were people confused by the Apache License.  As many projects use the Apache License, not just those under the ASF umbrella, people can get confused when they see the Apache License and they don't understand what it is.  This is most common for example on mobile phones where the licenses are displayed in the settings menu, usually due to the inclusion of software by Google released under the Apache License.  We no longer reply to these emails. This is nearly double the number we saw in 2019.

The next 220 of the 946 (23%) are email threads with people asking non-security (usually support-type) questions.

The next 93 of those reports were researchers reporting issues in an Apache web site.  These are almost always false negatives; where a researcher reports us having directory listings enabled, source code visible, or the lack of various domain headers.  These reports are generally the unfiltered output of some publicly available scanning tool, and often where the reporter asks us for some sort of monetary reward (bounty) for their report.

That left 376 (2019: 320) reports of new vulnerabilities in 2020, which spanned across 101 of the top level projects.  These 376 reports are a mix of both external reporters and internal; for example where a project has found an issue themselves and followed the ASF process to assign it a CVE name and address it we’d still count it here.  We don’t keep metrics that would give the breakdown of internal vs external reports.

The next step is that the appropriate project triages the report to see if it's really an issue or not.  Invalid reports and reports of things that are not actually vulnerabilities get rejected back to the reporter.  Of the remaining issues that are accepted they are assigned appropriate CVE names and eventually fixes are released.

As of January 1st 2021, 35 of those 376 reports were still under triage (i.e. the project had not yet determined if the report is accepted or rejected).  

The remaining closed 341 (2019: 301) reports led to us assigning 151 (2019: 122) CVE names.  Some vulnerability reports may include multiple issues, some reports are across multiple projects, and some reports are duplicates where the same issue is found by different reporters, so there isn't an exact one-to-one mapping of accepted reports to CVE names.  The Apache Security committee handles CVE name allocation and is a Mitre Candidate Naming Authority (CNA), so all requests for CVE names in any ASF project are routed through us, even if the reporter is unaware and contacts Mitre directly or goes public with an issue before contacting us.

Noteworthy events

During 2020 there were a few events worth discussion; either because they were severe and high risk, they had readily available exploits, or otherwise due to media attention. These included:

• February: An issue in Tomcat CVE-2020-1938 gained press interest when it was given branding and a name (“Ghostcat”) and was disclosed by a third-party coordination centre before Tomcat released an advisory (although after the issue was fixed in new releases of Tomcat). Although serious if exploited, it only affected Tomcat installations which exposed an unprotected AJP Connector to untrusted networks (which is already not a good thing to do even without this issue). That limits the number of affected installations.  Various proof-of-concept exploits are public for this issue, including a Metasploit exploit.

• May: The Cybersecurity and Infrastructure Security Agency (CISA) released a list of Top 10 Routinely Exploited Vulnerabilities including CVE-2017-5638, the remote command execution (RCE) vulnerability in Apache Struts 2 disclosed and fixed in 2017.  This issue is known to be exploited in the wild, however the first exploitation was discovered after the advisory and fix was published. 

• July: Versions of Apache Guacamole 1.1.0 and earlier were vulnerable to issues in RDP, CVE-2020-9497 and CVE-2020-9498.  If a user connects to a malicious or compromised RDP server it could lead to memory disclosure and possible remote code execution. 

• August: A vulnerability in Apache Struts (CVE-2019-0230) could lead to arbitrary code execution. In order to exploit the vulnerability, an attacker would need to inject malicious Object-Graph Navigation Language (OGNL) expressions into an attribute that is used within an OGNL expression. Although Struts has mitigations to address potential injected expressions, versions before 2.5.22 left an attack vector open which was fixed in updates for this issue.  A metasploit exploit exists for this issue.

• November: Previously each ASF project was responsible for writing up their own CVE entries and submitting them to Mitre. This leads to many delays in the CVE database being updated with Apache issues as entries are often rejected as the legacy format causes issues. We released an internal tool providing projects dealing with security issues a way to edit, validate, and submit their entries to Mitre.  We aim to have the CVE database updated within a day of an issue being published.

• December: The CVE project released a new automation API and the ASF became the first organisation to get a live CVE name using it. Instead of the security team holding a pool of names requested in advance we now allocate them on demand, with the service taking care of emails to the PMC and other previously manual parts of the process. We expect more automation available during 2021 allowing us to streamline the CVE process for projects even further.

• Proof of Concepts or Metasploit exploits were also released for 2020 issues in Apache OFBiz (CSRF, CVE-2019-0235), Apache OpenMeetings (DoS, CVE-2020-13951), Apache Flink (arbitrary read/write RCE CVE-2020-17518, CVE-2020-17519)

Timescales

Our security teams and project management teams are all volunteers and so we do not give any formal SLA on handling of issues.  However we can break down our aims and goals for each part of the process:

Triage: Our aim is to handle incoming mails to the security@apache.org alias within three working days.  We do not measure or report on this because we assess the severity of each incoming issue and apply the limited resources we have appropriately.  The alias is staffed by a very small number of volunteers taken from the different project PMCs.  After the security team forward a report to a PMC they will reply to the reporter.  Therefore if you have reported an issue to us and not received any response after a week please send us a followup email.  Sometimes reporters send reports attaching large PDF files or even movies of exploitation that don’t make it to us, so please ensure any follow ups are a simple plain text email.

Investigation: Once a report is sent to the private list of the projects management committee, the process of triage and investigation varies in time depending on the project, availability of resources, and number of issues to be assessed.  As we send reports to this private list it does not reach every project committer, so there is a much smaller limited set of people in each project able to investigate and respond.  As a general guideline we try to ensure projects have triaged issues within 90 days of the report.  The ASF security team chase any untriaged issues over 90 days old.

Fix: Once a security issue is triaged and accepted, the timeline for the fixing of issues depends on the schedules of the projects themselves.  Issues of lower severity are most often held to future pre-planned releases.  

Announcement: Our process allows projects up to a few days between a fix release being pushed and the announcement of the vulnerability, to let mirrors catch up.  All vulnerabilities are announced via the announce@apache.org list.  We now aim to have them appear in the public Mitre list within a day of the announcement.

Conclusion

Apache Software Foundation projects are highly diverse and independent.  They have different languages, communities, management, and security models.  However one of the things every project has in common is a consistent process for how reported security issues are handled. The ASF Security Committee works closely with the project teams, communities, and reporters to ensure that issues get handled quickly and correctly.  This responsible oversight is a principle of The Apache Way and helps ensure Apache software is stable and can be trusted.

This report gave metrics for calendar year 2020 showing from the 18,000 emails received we triaged over 370 vulnerability reports relating to ASF projects, leading to fixing 151 (CVE) issues. The number of non-spam threads dealt with was up 53% from 2019 with the number of actual vulnerability reports up 13% and assigned CVE up 24%.

If you have vulnerability information you would like to share with or comments on this report please contact us.

# # #

Posted at 02:00PM Jan 25, 2021 by Sally in General  |   | 

The Apache News Round-up: week ending 22 January 2021

Happy Friday! Let's take a look at what the Apache community has been up to over the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 17 February 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100.00%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 385 Apache Committers changed 3,309,050 lines of code over 5,192 commits. Top 5 contributors, in order, are: Rohit Yadav, Wei Zhou, Kaxil Naik, Gary Gregory, and Andrea Cosentino.

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Flink 1.12.1 released https://flink.apache.org/
 - Apache Qpid Broker J 7.1.11 and J 8.0.3 released https://qpid.apache.org/
 - The Apache Software Foundation Announces Apache® Superset™ as a Top-Level Project https://s.apache.org/scefo

Cloud Computing --
 - The Apache CloudStack Project Releases Apache® CloudStack® v4.15 https://s.apache.org/vi0v8

Content --
 - Apache Jackrabbit Oak 1.22.6 released http://jackrabbit.apache.org/
 - Apache Tika 2.0.0-ALPHA released https://tika.apache.org/

Integration --
 - Apache Camel 3.7.1 released https://camel.apache.org/

Network Client --
 - Apache Guacamole CVE-2020-11997: Inconsistent restriction of connection history visibility https://s.apache.org/i80o1

Servers --
 - Apache Tomcat CVE-2020-17527: Apache Tomcat HTTP/2 Request header mix-up https://s.apache.org/wqss6

Did You Know?

- Did you know that the Apache Maven projects has action cards for their community to promote their activities on social media? https://maven.apache.org/resource/branding/actioncards.html

- Did you know that US Top 10 retailer Target's enterprise-scale analytics (delivered to all levels of the organization) is powered by Apache Druid? http://druid.apache.org/

- Did you know that K&H Bank, one of the largest commercial banks in Hungary, uses Apache Wicket for their consumer banking and insurance site? http://wicket.apache.org/ 

Apache Community Notices

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits + Video highlights https://s.apache.org/Apache2020Digits-vid

- The Apache Software Foundation Operations Summary: 1 August - 31 October 2020 https://s.apache.org/Q2FY2021

- Apache Month In Review: December 2020 https://s.apache.org/Dec2020 

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 08:09AM Jan 22, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 15 January 2021

It's Friday already --the week has zipped by. Let's take a look at what the Apache community has been up to:

Inside Infra – the interview series featuring members of the ASF Infrastructure team. - Chris Lambertus --Part I https://s.apache.org/InsideInfra-ChrisL

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 20 January 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.94%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 395 Apache Committers changed 3,156,343 lines of code over 3,300 commits. Top 5 contributors, in order, are: Krzysztof Kopyściński, Gary Gregory, Andrea Cosentino, Duo Zhang, and Jean-Baptiste Onofré.  

Apache Project Announcements – the latest updates by category.

Application Performance Monitoring --
 - Apache SkyWalking Eyes v0.1.0 released https://skywalking.apache.org/

Big Data --
 - Apache Beam 2.27.0 released https://beam.apache.org/

Content --
 - Apache POI, XMLBeans CVE-2021-23926: XML Entity Expansion https://s.apache.org/vbzsd
 - Apache Jackrabbit 2.21.5 released http://jackrabbit.apache.org/

Enterprise Processes Automation / ERP --
 - Apache OFBiz 17.12.05 released https://ofbiz.apache.org/

Servers --
 - Apache Tomcat CVE-2021-24122: Information Disclosure https://s.apache.org/huz9p

Did You Know?

- Did you know that the Apache geospatial community is partnering with the Open Geospatial Consortium (OGC) and Open Source Geospatial Foundation (OSGeo) to hold a joint Virtual Code Sprint the last week of February 2021? Call for participation is open https://s.apache.org/kp6d8

- Did you know that DoorDash's Big Data platform is powered by Apache Beam, Cassandra, Druid, Flink, Pinot, Spark and other projects? https://projects.apache.org/projects.html?category

- Did you know that you can help Apache Pulsar better meet the needs of its user community? Complete the Pulsar user survey today https://s.apache.org/jvaji 

Apache Community Notices

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits + Video highlights https://s.apache.org/Apache2020Digits-vid

- The Apache Software Foundation Operations Summary: 1 August - 31 October 2020 https://s.apache.org/Q2FY2021

- Apache Month In Review: December 2020 https://s.apache.org/Dec2020 

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 11:01AM Jan 15, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 8 January 2021

Happy Friday! Let's take a look at what the Apache community has been up to over the past week:

Apache in 2020 - By The Digits – a look at the achievements from the Apache Community over the past 12 months.
 - Summary and stats at https://s.apache.org/Apache2020Digits
 - Video highlights https://s.apache.org/Apache2020Digits-vid

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 20 January 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 100%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 348 Apache Committers changed 1,594,281 lines of code over 2,987 commits. Top 5 contributors, in order, are: Jean-Baptiste Onofré, Gary Gregory, Mark Thomas, Kartik Khare, and Andrea Cosentino.

Apache Project Announcements – the latest updates by category.

Application Performance Monitoring --
 - Apache SkyWalking NodeJS v0.1.0 released https://skywalking.apache.org/

Big Data --
 - Apache ShardingSphere ElasticJob UI 3.0.0-RC1 released http://shardingsphere.apache.org/elasticjob/
 - Apache Rya 4.0.1 released http://rya.apache.org/
 - Apache Flink CVE-2020-17518: Directory traversal attack: remote file writing through the REST API https://s.apache.org/qxl48 , and
   CVE-2020-17519: Directory traversal attack: reading remote files through the REST API https://s.apache.org/gith7

Network Client --
 - Apache Guacamole 1.3.0 released https://guacamole.apache.org/

Servers --
 - Apache Tomcat Native 1.2.26 released https://tomcat.apache.org/

Did You Know?

- Did you know that some of the latest podlings undergoing development in the Apache Incubator include BlueMarlin (advertising), HOP (orchestration), Pegasus (Big Data), Sedona (geospatial data processing), and Wayang (analytics)? http://incubator.apache.org/projects/

- Did you know that Apache Kafka is amongst the most popular streaming platform for disseminating COVID-19 related clinical data, test results, and caseload updates in real-time? http://kafka.apache.org/

- Did you know that the New Zealand Treasury Department, Prime Minister and Cabinet, National Emergency Management Agency, and Climate Change Commission's eRecruitment platform is powered by Apache Wicket? http://wicket.apache.org/

Apache Community Notices

- Apache Month In Review: December 2020 https://s.apache.org/Dec2020 

- Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits

- Video highlights: Apache in 2020 - By The Digits https://s.apache.org/Apache2020Digits-vid

- The Apache Software Foundation Operations Summary: 1 August - 31 October 2020 https://s.apache.org/Q2FY2021

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 10:38AM Jan 08, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 1 January 2021

Welcome, 2021! We hope that you have had a festive holiday season and are excited to kick off the new year. Here's what happened over the past week:

Apache in 2020 - By The Digits – a look at the achievements from the Apache Community over the past 12 months.
 - Summary and stats at https://s.apache.org/Apache2020Digits
 - Video highlights https://s.apache.org/Apache2020Digits-vid

The Apache Month in Review – highlights of what we've accomplished over the past month. 
- December 2020 https://s.apache.org/Dec2020

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 20 January 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.95%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 214 Apache Committers changed 1,634,010 lines of code over 2,290 commits. Top 5 contributors, in order, are: Gary Gregory, Andreas Veithen, Chesnay Schepler, Rene Cordier, and Sylwester Lachiewicz.

Apache Project Announcements – the latest updates by category.

Application Performance Monitoring --
 - Apache SkyWalking Python v0.5.0 released https://skywalking.apache.org/

Big Data --
 - Apache ShardingSphere ElasticJob 3.0.0-RC1 released http://shardingsphere.apache.org/elasticjob/
 - Apache Accumulo 1.10.1 and 2.0.1 released http://accumulo.apache.org/
 - Apache Accumulo CVE-2020-17533: Improper Handling of Insufficient Permission https://s.apache.org/ixwwc

Data Management Platform --
 - Apache Ignite 2.9.1 released http://ignite.apache.org/

Did You Know?

- Did you know that the following Apache projects are celebrating anniversaries this month? Many happy returns to Apache Cocoon, James, and Web Services (17 years); Lucene (15 years); ActiveMQ (13 years); Hadoop (12 years); River (9 years); Empire-db and Gora (8 years); OpenMeetings (7 years); Samza (5 years); Arrow (4 years); and Ranger (3 years)! https://projects.apache.org/committees.html?date 

- Did you know that the Top Ten of Fortune's "Future 50" companies --ServiceNow, Veeva Systems, Atlassian, Workday, Splunk, Adyen, MercadoLibre, DexCom, Square, and Spotify-- are all Powered by Apache? Everyone is welcome to use ASF and Apache Project badges to show that your projects are Powered by Apache http://apache.org/foundation/press/kit/#poweredby

- Did you know that ASF Targeted Sponsor Manning Publications is offering special deals on the latest books on Apache Airflow, Pulsar, Spark, and Thrift, among other titles and MEAP (Manning Early Access Program) eBooks? https://deals.manning.com/the-latest-apache-innovations/

Apache Community Notices

- Apache Month In Review: November 2020 https://s.apache.org/Nov2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Software Foundation Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19  

 - The Apache Software Foundation Celebrates 21 Years of Open Source Leadership https://s.apache.org/21stAnniversary

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 03:44PM Jan 01, 2021 by Swapnil M Mane in Newsletter  |   | 

Apache in 2020 - By The Digits

Whilst 2020 has been quite a challenging year world-wide, the all-volunteer Apache community has demonstrated commendable strength, resilience, and commitment to our tenet of "Community Over Code" — 

• 238 Apache Projects, sub-projects, incubating podlings, and their communities produced nearly 3,500 releases across dozens of categories. Release Categories: API Gateways, Application Performance Management, Big Data, Blockchain, Build Management Cloud Computing, Content, Cryptography, Customer Profile Platform, Databases, eMail, Enterprise Resource Planning, FinTech, Identity Management, Integrated Development Environments, Integration, IoT, Libraries, Logging, Machine Learning, Messaging, Natural Language Processing, Operating Systems, Programming Languages, Remote Desktop Gateway, Search, Security Frameworks, Servers, Services Framework, Templating, Testing, Version Control, Web Conferencing, Web Crawlers, Web Frameworks, and more.

• We produced the "Trillions and Trillions Served" documentary that showcases how The Apache Way skyrocketed the ASF from overseeing a single project two decades ago to 350+ projects that produce $22B+ worth of software today.

• Apache events moved online, and attracted our most diverse and greatest number of participants. ApacheCon@Home drew nearly 5,750 participants from more than 150 countries, who enjoyed 300+ sessions across 27 tracks. A staggering 1.5M+ viewers tuned in to the Apache Roadshow/China over its 2-day online event.

Additional highlights:

Apache Projects —https://projects.apache.org/

• Total number of projects + sub-projects - 342
• Top-Level Projects - 199
• Podlings undergoing development in the Apache Incubator - 41
• New Top-Level Projects that graduated from the Incubator - 10 

Community/People —http://home.apache.org/

The ASF’s merit-driven "Contributor-Committer-Member" progression is the central governing process across the Apache ecosystem. The core Apache Group of 21 individual Members grew with developers who contributed code, patches, or documentation. Some of these contributors were subsequently granted Committer status by the Membership, and provided access to: 1) commit code directly to Apache repositories; 2) vote on community-related decisions; and 3) propose an active user for Committership. Today, ASF Committers contribute not just code and documentation, but also an array of initiatives that provide value across the greater Apache ecosystem, including Project promotion and community development through mentoring, events, and diversity and inclusion programs. Those Committers who demonstrate merit in the Foundation's growth, evolution, and progress are nominated for ASF Membership by existing members.

The Apache community continues to grow: 

• We welcomed 3,612 contributors in 2020, 51.87% of whom were newcomers to Apache
• 905 individuals earned Committer status, totalling 8,022. 
• 34 individuals were elected as new ASF Members, totalling 813.

Apache Projects/Code —https://projects.apache.org/statistics.html

3,258 Apache Committers changed 117,350,563 lines of code over 247,451 commits.

Top 5 Committers

• Andrea Cosentino (6,357 commits; 2,003,123 lines changed)
• Jean-Baptiste Onofré (3,120 commits; 735,656 lines changed)
• Claus Ibsen (2,838 commits; 1,919,860 lines changed)
• Mark Thomas (2,360 commits; 185,548 lines changed)
• Gary Gregory (2,188 commits; 234,845 lines changed)

Top 5 Apache Project Repositories by Size (Lines of Code)

• Tuweni (incubating; 7,822,771 --Tuweni is Apache's first project in the Blockchain space)
• Flex (7,007,693)
• NetBeans (6,582,707)
• OpenOffice (6,376,683)
• Hadoop (3,521,559)

Top 5 Apache Project Repositories by Commits

• Camel
• Flink
• Airflow
• Lucene/Solr
• Spark

GitHub: Top 5 Most Active Apache Project Sources (clones)

• Thrift
• Beam
• Arrow
• Geode
• Cordova

GitHub: Top 5 Most Active Apache Project Sources (visits)

• Spark
• Flink
• Kafka
• Beam
• Camel

Mailing Lists —https://lists.apache.org/

"If it didn’t happen on-list, it didn’t happen"

The ASF’s day-to-day operations, including Apache project and community development, takes place on ~1,450 public and ~700 private mailing lists. 

In 2020, 18,388 authors sent 2,139,458 emails on 774,364 topics.

Top 5 most active Apache Project user@ mailing lists

• Flink
• Lucene-Solr
• OpenMeetings
• Ignite
• Tomcat

Top 5 most active Apache Project dev@ mailing lists

• Tomcat
• Flink
• Royale
• James
• Beam

Contributor License Agreements and Software Grants —https://www.apache.org/licenses/

Individuals who are granted write access to the Apache repositories must submit an Individual Contributor License Agreement (ICLA). Corporations that have assigned employees to work on Apache projects as part of an employment agreement may sign a Corporate CLA (CCLA) for contributing intellectual property via the corporation. Individuals or corporations donating a body of existing software or documentation to one of the Apache projects need to execute a formal Software Grant Agreement (SGA) with the ASF. Over the past year, the ASF had received: 

• ICLAs - 708
• CCLAs - 35
• Grants - 35

Sponsorship and Individual Support —http://apache.org/foundation/contributing.html

The ASF benefits from the generosity of hundreds of individual donors and corporate Sponsors, whose support helps offset the ASF's day-to-day expenses for Accounting, Fundraising, Infrastructure, Legal, Marketing & Publicity, and other services.

ASF Sponsors provide financial backing for the ASF's operations. They are:

PLATINUM: Amazon Web Services, Facebook, Comcast, Google, Huawei, Pineapple Fund, Tencent, and Verizon Media.

GOLD: Anonymous, Baidu, Bloomberg, Cloudera, Handshake, IBM, Reprise Software, Union Investment, and Workday.

SILVER: Aetna, Alibaba Cloud Computing, Budget Direct, Capital One, Cerner, Inspur, Red Hat, and Target.

BRONZE: Airport Rentals, The Blog Starter, Bookmakers. Cash Store, Bestecasinobonussen.nl, Casino2k, Curity, The Economic Secretariat, Gundry MD, Host Advice, HostChecka.com, Indian Online Casino, Journal Review, LeoVegas, Miro-Kredit AG, Mutuo Kredit AG, Online Holland Casino, ProPrivacy, PureVPN, RX-M, SCAMS.info, SevenJackpots.com, Software Guru, Start a Blog by Ryan Robinson, Talend, The Best VPN, Top10VPN, Twitter, and Xplenty.

ASF Targeted Sponsors provide the Foundation with non-financial contributions for specific operational activities or programs. They include:

TARGETED PLATINUM: Amazon Web Services, CloudBees, DLA Piper, JetBrains, LeaseWeb, Microsoft, OSU Open Source Labs, Sonatype, and Verizon Media.

TARGETED GOLD: Atlassian, The CrytpoFund, Datadog, PhoenixNAP, and Quenda.

TARGETED SILVER: HotWax Systems, Manning Publications, and Rackspace.

TARGETED BRONZE: Bintray, Education Networks of America, Friend of Apache Cordova, Google, Hopsie, No-IP, PagerDuty, Peregrine Computer Consultants Corporation, Sonic.net, SURFnet, and Virtru.

Apache Members, Committers, contributors, users, supporters, and Sponsors further the ASF’s mission of providing Open Source software for the public good. Help keep Apache software accessible to everyone by making a contribution* to the ASF https://donate.apache.org/ , becoming a Sponsor, or adding us to your Corporate Giving program. Please visit http://apache.org/foundation/contributing.html for more information.

Best wishes for a stellar 2021!

* The ASF is a US 501(c)(3) not-for-profit charitable organization, whose tax identification number is 47-0825376. The ASF is recognized by Charity Navigator and cited with the Gold Seal of Transparency by GuideStar.

# # #

Posted at 01:07PM Jan 01, 2021 by Sally in Milestones  |   | 

Apache Month in Review: December 2020

Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in December:

Support Apache --

When we founded the ASF 21 years ago, we made a commitment to ensure Apache software is freely available to everyone worldwide at 100% no cost. Today the ASF provides more than $21B worth of software developed by an all-volunteer community. 

 - from Individual and Corporate donations to online shopping, Corporate Charitable Giving, Matching Gifts, and Sponsorship, There are many ways to help the ASF with a tax-deductible contribution https://s.apache.org/2020SupportApache

New this month --

 - ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
   -- Videos of all ApacheCon@Home sessions, including Plenaries and Keynotes, are available https://www.youtube.com/c/TheApacheFoundation/

 - Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021

 - "Inside Infra" – the interview series featuring members of the ASF Infrastructure team
   -- Meet Andrew Wetmore --Part I https://s.apache.org/InsideInfra-Andrew and Part II https://s.apache.org/InsideInfra-Andrew2

 - Apache Month in Review: November 2020 https://s.apache.org/Nov2020

Important Dates --

  - Next Board Meeting: 20 January 2021. Board calendar and minutes http://apache.org/foundation/board/calendar.html

Infrastructure --

In December, 837 Apache Committers changed 11,192,118 lines of code over 18,775 commits. The Committers with the top 5 highest contributions, in order, were: Andrea Cosentino, Xiang Xiao, Hugh Miles, Andi Huber, and Gary Gregory.

Project Releases and Updates --

New releases from Apache Accumulo (Big Data); Airflow (Big Data); APISIX (API); Avro (Big Data); Beam (Big Data); Bigtop (Big Data); Camel (Integration); Flink (Big Data); Groovy (Programming Languages); HBase (Big Data); HttpComponents Core (Servers); IoTDB (IoT); Jackrabbit (Content); JMeter (Testing); JSPWiki (Content); Kafka (Big Data); Knox (Big Data); OpenMeetings (Web Conferencing); PDFBox (Content); Pulsar (Messaging); Rya (Big Data); ShardingSphere (Big Data); SINGA (Machine Learning); Skywalking (Application Performance Management); Struts (Web Frameworks); Syncope (Identity Management); Tika (Big Data); Tomcat (Servers); Traffic Control (Servers); Traffic Server (Servers); Yetus (Library).

The Apache Incubator is the primary entry path for projects wishing to become an official part of the ASF. New to the Apache Incubator in December: Wayang (Big Data). We invite you to review the many projects currently in development in the Apache Incubator http://incubator.apache.org/ .

# # #

To see our Weekly News Round-ups (published every Friday), visit https://blogs.apache.org/foundation/ and click on the calendar or hop directly to https://blogs.apache.org/foundation/category/Newsletter . For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. We appreciate your support!

Posted at 10:35AM Jan 01, 2021 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 25 December 2020

Hurrah for Friday: Happy Christmas to those who celebrate! We've had a great week within the Apache community. Here's what happened:

Support Apache – final days to make a tax-deductible, year end donation! Help the ASF continue to provide $20B+ worth of software –at 100% no cost– for the public good https://s.apache.org/2020SupportApache

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - The Apache Software Foundation Operations Summary: Q2 FY2021 (August - October 2020) https://s.apache.org/Q2FY2021
 - Next Board Meeting: 20 January 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.98%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 301 Apache Committers changed 1,718,280 lines of code over 2,668 commits. Top 5 contributors, in order, are: Andi Huber, Michael Stack, Sylwester Lachiewicz, Andrea Cosentino, and Claus Ibsen.                              

Apache Project Announcements – the latest updates by category.

Big Data --
 - Apache Kafka 2.7.0 released https://kafka.apache.org/

Content --
 - Apache PDFBox 2.0.22 released https://pdfbox.apache.org/
 - Apache JSPWiki 2.11.0.M8 released https://jspwiki-wiki.apache.org/

Identity Management --
 - Apache Syncope 2.1.8 released https://syncope.apache.org/

Integration --
 - Apache Camel 3.4.5 released https://camel.apache.org/

Did You Know?

- Did you know that some of the latest podlings to enter the Apache Incubator include BlueMarlin (advertising), Hop (orchestration), Liminal (Machine Learning), Sedona (geospatial), and Wayang (Big Data)? http://incubator.apache.org/projects/

- Did you know that the top 5 languages of all Apache projects are (in order): Java, C, Python, C++, and JavaScript? https://projects.apache.org/

- Did you know that ASF Targeted Sponsor Manning Publications is offering special deals on the latest books on Apache Airfow, Pulsar, Spark, and Thrift, among other titles and MEAP (Manning Early Access Program) eBooks? https://deals.manning.com/the-latest-apache-innovations/

Apache Community Notices

- Apache Month In Review: November 2020 https://s.apache.org/Nov2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Software Foundation Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19  

 - The Apache Software Foundation Celebrates 21 Years of Open Source Leadership https://s.apache.org/21stAnniversary

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 11:26AM Dec 25, 2020 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 18 December 2020

And it's Friday! Let's take a look at what the Apache community has been up to over the past week:

Inside Infra – the interview series featuring members of the ASF Infrastructure team.
 - Andrew Wetmore --Part II https://s.apache.org/InsideInfra-Andrew2

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 20 January 2021. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.93%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 356 Apache Committers changed 1,752,073 lines of code over 3,151 commits. Top 5 contributors, in order, are: Gary Gregory, Andi Huber, Claus Ibsen, Tilman Hausherr, and Tomaz Muraus.                          

Apache Project Announcements – the latest updates by category.

API --
 - Apache APISIX Dashboard 2.2 released https://apisix.apache.org/

Big Data --
 - Apache Beam 2.26.0 released https://beam.apache.org/
 - Apache Knox 1.5.0 released http://knox.apache.org/
 - Apache Flink 1.12.0 and 1.11.3 released https://flink.apache.org/
 - Apache Qpid JMS 0.56.0 released https://qpid.apache.org/
 - Apache Bigtop 1.5.0 released https://bigtop.apache.org/
 - Apache HBase 2.4.0 released https://hbase.apache.org/
 - Apache Airflow 1.10.14 released https://airflow.apache.org/
 - Apache Airflow CVE-2020-17513: Server-Side Request Forgery (SSRF) in Charts & Query View https://s.apache.org/162rf , and
   CVE-2020-17511: Airflow admin password gets logged in plain text https://s.apache.org/2bbfj

Integration --
 - Apache Camel 3.7.0 released https://camel.apache.org/

IoT --
 - Apache IoTDB 0.11.1 released https://iotdb.apache.org/

Messaging --
 - Apache Pulsar CVE-2020-17520: Pulsar Manager security bug (bypass admin interceptor) https://s.apache.org/4fj8c

 
Did You Know?

- Did you know that the Apache Roadshow/China drew more than 1.5M viewers online? Sessions were organized by ASF Members and Apache Local Community Beijing Chapter participants, and featured Apache eCharts, IoTDB, SkyWalking, and more https://www.bagevent.com/event/6844986/p/431034  

- Did you know that Apache Airflow, Druid, Hadoop, HDFS, Hive, Kafka, Superset, and other projects power more than 1.5 petabytes of data at Airbnb? https://projects.apache.org/projects.html?category

- Did you know that ASF Corporate Giving Contributors Bloomberg Philanthropy, IBM, Microsoft, PayPal, Charles Schwab, Vanguard, and other supporting organizations help the ASF's all-volunteer community provide $20B+ worth of software 100% free-of-charge? Support Apache today with a one-off, recurring, matching gift, or other corporate contributions? Consider a year-end gift to benefit the ASF http://apache.org/foundation/contributing.html  

Apache Community Notices

- Apache Month In Review: November 2020 https://s.apache.org/Nov2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Software Foundation Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19  

 - The Apache Software Foundation Celebrates 21 Years of Open Source Leadership https://s.apache.org/21stAnniversary

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 04:06PM Dec 18, 2020 by Swapnil M Mane in Newsletter  |   | 

The Apache News Round-up: week ending 11 December 2020

Happy Friday! Let's take a look at what the Apache community has been up to over the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws.
 - Next Board Meeting: 16 December 2020. Board calendar and minutes https://apache.org/foundation/board/calendar.html

ApacheCon™ – the ASF's official global conference series, bringing Tomorrow's Technology Today since 1998.
 - all videos from ApacheCon@Home are available at https://www.youtube.com/c/TheApacheFoundation/  

ASF Infrastructure – our distributed team on three continents keeps the ASF's infrastructure running around the clock.
 - 7M+ weekly checks yield uptime at 99.91%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. http://www.apache.org/uptime/

Apache Code Snapshot – Over the past week, 398 Apache Committers changed 1,767,303 lines of code over 3,476 commits. Top 5 contributors, in order, are: Hugh Miles, Andi Huber, Mark Thomas, Ganesh Murthy, and Claus Ibsen.                   

Apache Project Announcements – the latest updates by category.

API --
 - Apache APISIX Dashboard 2.1.1 released https://apisix.apache.org/

Big Data --
 - Apache Avro 1.10.1 released https://avro.apache.org/

Content --
 -  Apache Jackrabbit Oak 1.8.24 released http://jackrabbit.apache.org/

Library --
 - Apache Yetus 0.13.0 released https://yetus.apache.org/

Programming Languages --
 - Apache Groovy 2.4.21, 2.5.14, 3.0.7, and 4.0.0-alpha-2 released https://groovy.apache.org/
 - Apache Groovy CVE-2020-17521: Groovy Information Disclosure https://s.apache.org/k8n0d

Messaging --
 - Apache Pulsar 2.7.0 released https://pulsar.apache.org/

Servers --
 - Apache Traffic Control 4.1.1 released https://trafficcontrol.apache.org/
 - Apache Tomcat 8.5.61, 9.0.41, and 10.0.0 (beta) available http://tomcat.apache.org/

Testing --
 - Apache JMeter 5.4 released https://jmeter.apache.org/

Web Conferencing --
 - Apache OpenMeetings 5.1.0 released https://openmeetings.apache.org/

Web Frameworks --
 - Apache Struts 2.5.26 released https://struts.apache.org/
 - Apache Struts CVE-2020-17530: Potential RCE when using forced evaluation https://s.apache.org/hwr92

 
Did You Know?

- Did you know that when we founded the ASF 21 years ago, we made a commitment to ensure our software is freely available to all users worldwide at 100% no cost? Today the ASF provides more than $21B worth of software developed by an all-volunteer community. Your tax-deductible contribution helps us continue our effort. https://donate.apache.org/  

- Did you know that the Financial Times' real-time batch processing, stream processing, and analytics are powered by Apache Airflow, Avro, Kafka, Parquet, and Spark? https://projects.apache.org/projects.html?category#big-data 

- Did you know that Airbnb uses Apache Druid, Hadoop, Hive, Kafka, Spark, Superset, ZooKeeper, and other Apache projects to power 1.5 petabytes of data in real-time? https://projects.apache.org/projects.html?category#big-data 

Apache Community Notices

- Apache Month In Review: November 2020 https://s.apache.org/Nov2020

- ASF FY2020 Annual Report https://s.apache.org/FY2020AnnualReport 

- "Trillions and Trillions Served" documentary on the ASF: 1) full feature https://s.apache.org/Trillions-Feature 2) "Apache Everywhere" https://s.apache.org/ApacheEverywhere 3) "Why Apache" https://s.apache.org/ASF-Trillions 4) “Apache Innovation” https://s.apache.org/ApacheInnovation 

 - The Apache Software Foundation Statement on the COVID-19 Coronavirus Outbreak https://s.apache.org/COVID-19  

 - The Apache Software Foundation Celebrates 21 Years of Open Source Leadership https://s.apache.org/21stAnniversary

 - Apache in 2019 - By The Digits https://s.apache.org/Apache2019Digits

 - The Apache Way to Sustainable Open Source Success https://s.apache.org/GhnI

 - Foundation Reports and Statements http://www.apache.org/foundation/reports.html

 - "Success at Apache" focuses on the people and processes behind why the ASF "just works". https://blogs.apache.org/foundation/category/SuccessAtApache

Posted at 12:27PM Dec 11, 2020 by Swapnil M Mane in Newsletter  |   |