Repository: james-site
Updated Branches:
  refs/heads/asf-site 427374bab -> 1b35e747e

Adding posts about 3.0.1 release

Project: http://git-wip-us.apache.org/repos/asf/james-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/james-site/commit/1b35e747
Tree: http://git-wip-us.apache.org/repos/asf/james-site/tree/1b35e747
Diff: http://git-wip-us.apache.org/repos/asf/james-site/diff/1b35e747

Branch: refs/heads/asf-site
Commit: 1b35e747ee8785e3649afff69b9f68391ee2c1fa
Parents: 427374b
Author: Antoine Duprat
Authored: Wed Oct 25 08:54:42 2017 +0200
Committer: Antoine Duprat
Committed: Wed Oct 25 08:54:42 2017 +0200

----------------------------------------------------------------------
 content/feed.xml | 54 ++++---
 content/index.html | 5 +-
 .../james/update/2017/10/19/james-3.0.1.html | 142 +++++++++++++++++++
 content/posts.html | 10 ++
 4 files changed, 191 insertions(+), 20 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/james-site/blob/1b35e747/content/feed.xml
----------------------------------------------------------------------
diff --git a/content/feed.xml b/content/feed.xml
index 7723a0a..a031886 100644
--- a/content/feed.xml
+++ b/content/feed.xml
@@ -29,6 +29,42 @@ Jekyll v3.4.3 + Security release: Apache James server 3.0.1 + <p>The Apache James PMCs are glad to announce you the release +version 3.0.1 of Apache James server.</p> + +<p>It fixes vulnerability described in CVE-2017-12628. The JMX server, also +used by the command line client is exposed to a java de-serialization +issue, and thus can be used to execute arbitrary commands. As James +exposes JMX socket by default only on local-host, this vulnerability can +only be used for privilege escalation.</p> + +<p>Release 3.0.1 upgrades the incriminated library.</p> + +<p>Note that you can take additional defensive steps in order to mitigate this vulnerability:</p> + +<ul> + <li>Ensure that you restrict the access to JMX only on local-host</li> + <li>Ensure that you are using a recent Java Run-time Environment. For instance OpenJDK 8 u111 is vulnerable but OpenJDK 8 u 141 is not.</li> + <li>You can additionally run James in a container to limit damages of potential exploits</li> + <li>And of course upgrade to the newest 3.0.1 version.</li> +</ul> + +<p>Read more about Java deserialization <a href="https://www.sourceclear.com/blog/Commons-Collections-Deserialization-Vulnerability-Research-Findings/">issues</a>.</p> + + + Thu, 19 Oct 2017 22:00:22 +0000 + http://james.apache.org/james/update/2017/10/19/james-3.0.1.html + http://james.apache.org/james/update/2017/10/19/james-3.0.1.html + + + james + + update + + + + Hacktoberfest: contribute to James <p>The James project joins the <a href="https://hacktoberfest.digitalocean.com/">Hactoberfest</a>!</p> 
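
Review bot: The second paragraph of the added item says the flaw "can only be used for privilege escalation", but that rests on JMX staying bound to local-host, and the first bullet ("Ensure that you restrict the access to JMX only on local-host") implies other bindings exist in the field. Say explicitly what the impact is when the JMX socket is reachable from other hosts, and name the setting that controls the bind address so readers can check it. The text also gives neither the affected James versions nor the library that 3.0.1 upgrades ("upgrades the incriminated library"), so a deployment cannot be checked against it; add both. Minor: "OpenJDK 8 u111" and "OpenJDK 8 u 141" are spaced differently.
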
@@ -209,24 +245,6 @@ features explained with working examples!</p> - Apache James Server 3.0 - <p>We are currently working on the release.</p> - -<p>Keep an eye on the <a href="http://james.apache.org/newsarchive.html">news</a>, we are planning to release the next version in November.</p> - - - Mon, 19 Sep 2016 21:13:22 +0700 - http://localhost:4000/james/update/2016/09/19/james-3.0.html - http://localhost:4000/james/update/2016/09/19/james-3.0.html - - - james - - update - - - - JMAP implementation <p>Full text search via JMAP.</p> http://git-wip-us.apache.org/repos/asf/james-site/blob/1b35e747/content/index.html ---------------------------------------------------------------------- diff --git a/content/index.html b/content/index.html index 322bd1f..1bfc834 100644 --- a/content/index.html +++ b/content/index.html @@ -150,7 +150,8 @@ WHAT WILL YOU TRY:
  • - Hacktoberfest: contribute to James - October 03, 2017

    The James project joins the Hactoberfest!

    + Security release: Apache James server 3.0.1 - October 19, 2017

    The Apache James PMCs are glad to announce you the release +version 3.0.1 of Apache James server.

    @@ -159,7 +160,7 @@ WHAT WILL YOU TRY:
  • - Blog post: Easy and secure James installation - October 03, 2017

    In a recent blog post, Thibaut explains us how to easily set up a James server on a personal domain.

    + Hacktoberfest: contribute to James - October 03, 2017

    The James project joins the Hactoberfest!
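
Review bot: The teaser re-added in the second index.html hunk still reads "The James project joins the Hactoberfest!" while its title spells "Hacktoberfest"; since these pages look generated (feed.xml carries a Jekyll v3.4.3 marker), fix the spelling in the source post so index.html, posts.html and feed.xml all pick it up. In the first hunk, the new teaser "glad to announce you the release +version 3.0.1" gives no hint that this is a security fix beyond the title; consider opening the post with the CVE-2017-12628 sentence so the front-page excerpt carries it.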

    http://git-wip-us.apache.org/repos/asf/james-site/blob/1b35e747/content/james/update/2017/10/19/james-3.0.1.html ---------------------------------------------------------------------- diff --git a/content/james/update/2017/10/19/james-3.0.1.html b/content/james/update/2017/10/19/james-3.0.1.html new file mode 100644 index 0000000..c534a04 --- /dev/null +++ b/content/james/update/2017/10/19/james-3.0.1.html @@ -0,0 +1,142 @@ + + + + + + Apache James + + + + + + + + + + + +
    +
    + +
    + + + + + +
    + + +
    + +

    Security release: Apache James server 3.0.1

    +

    October 19, 2017

    + +
    + +
    +

    The Apache James PMCs are glad to announce you the release +version 3.0.1 of Apache James server.

    + +

    It fixes vulnerability described in CVE-2017-12628. The JMX server, also +used by the command line client is exposed to a java de-serialization +issue, and thus can be used to execute arbitrary commands. As James +exposes JMX socket by default only on local-host, this vulnerability can +only be used for privilege escalation.

    + +

    Release 3.0.1 upgrades the incriminated library.

    + +

    Note that you can take additional defensive steps in order to mitigate this vulnerability:

    + +
      +
    • Ensure that you restrict the access to JMX only on local-host
    • +
    • Ensure that you are using a recent Java Run-time Environment. For instance OpenJDK 8 u111 is vulnerable but OpenJDK 8 u 141 is not.
    • +
    • You can additionally run James in a container to limit damages of potential exploits
    • +
    • And of course upgrade to the newest 3.0.1 version.
    • +
    + +

    Read more about Java deserialization issues.

    + + + +
    + +
    +
    + +
    + + + http://git-wip-us.apache.org/repos/asf/james-site/blob/1b35e747/content/posts.html ---------------------------------------------------------------------- diff --git a/content/posts.html b/content/posts.html index 1575f4c..00985e4 100644 --- a/content/posts.html +++ b/content/posts.html @@ -65,6 +65,16 @@
  • + Security release: Apache James server 3.0.1 - October 19, 2017

    The Apache James PMCs are glad to announce you the release +version 3.0.1 of Apache James server.

    + +
    +
    +
  • + +
  • + + Hacktoberfest: contribute to James - October 03, 2017

    The James project joins the Hactoberfest!
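
Review bot: In the second feed.xml hunk (@@ -209,24 +245,6 @@) the "Apache James Server 3.0" item is deleted, which the commit message "Adding posts about 3.0.1 release" does not mention. Both of its URLs pointed at http://localhost:4000/james/update/2016/09/19/james-3.0.html, whereas the new 3.0.1 item uses http://james.apache.org/, so if the deletion is just the oldest item falling off the feed, say so in the message, and check that no remaining item in feed.xml still carries a localhost:4000 URL.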
