commit 4aff7882906cf05a313433304332d04ee3eb2f0d
author Serge Huber <shuber@jahia.com> Thu Jun 04 16:44:48 2020 +0200
committer Serge Huber <shuber@jahia.com> Thu Jun 04 16:44:48 2020 +0200
tree e033d3c3e8bcaa70b93ce4d1a3499f5e177f746a
parent 303885d8896ec21367b761f085eafd2caa456327

Add CVE entries & other minor updates

src/main/webapp/community.html

diff --git a/src/main/webapp/community.html b/src/main/webapp/community.html
index 135b02c..2c56ac9 100644
--- a/src/main/webapp/community.html
+++ b/src/main/webapp/community.html
@@ -43,8 +43,8 @@
                 <td>Report bugs / discover known issues</td>
               </tr>
               <tr>
-                <td><a target="_blank" href="https://the-asf.slack.com/messages/CBP2Z98Q7/">Slack</a></td>
-                <td>Report bugs / discover known issues. Note: Please join the #unomi channel after you <a href="https://s.apache.org/slack-invite">created an account</a>. Please do not ask Unomi questions in #general.</td>
+                <td><a target="_blank" href="https://the-asf.slack.com/messages/CBP2Z98Q7/">Unomi Slack channel</a></td>
+                <td>Any topics about Unomi. Note: Please join the #unomi channel after you <a href="https://s.apache.org/slack-invite">created an account</a>. Please do not ask Unomi questions in #general.</td>
               </tr>
             </tbody>
           </table>

src/main/webapp/contribute.html

diff --git a/src/main/webapp/contribute.html b/src/main/webapp/contribute.html
index f71783e..8afeb63 100644
--- a/src/main/webapp/contribute.html
+++ b/src/main/webapp/contribute.html
@@ -43,10 +43,10 @@
             <p>The Apache Unomi community welcomes contributions from anyone!</p>
             <p>There are lots of opportunities:</p>
             <ul>
-              <li>ask or answer questions on dev@unomi.apache.org or Slack</li>
-              <li>review proposed design ideas on dev@unomi.apache.org</li>
+              <li>ask or answer questions on the <a href="community.html">mailing lists</a> or Slack</li>
+              <li>review proposed design ideas on <a href="community.html">dev@unomi.apache.org</a></li>
               <li>improve the documentation</li>
-              <li>contribute bug reports</li>
+              <li>contribute <a target="_blank" href="https://issues.apache.org/jira/browse/UNOMI">bug reports</a></li>
               <li>write new examples</li>
             </ul>
 

src/main/webapp/documentation.html

diff --git a/src/main/webapp/documentation.html b/src/main/webapp/documentation.html
index fa35856..28bddad 100644
--- a/src/main/webapp/documentation.html
+++ b/src/main/webapp/documentation.html
@@ -280,7 +280,7 @@
             </p>
             <ol>
               <li>Depending on your install, perform either the standalone or cluster migration</li>
-              <li>That’s it !</li>
+              <li>That's it !</li>
             </ol>
           </div><!-- /.blog-main -->
         </div>
@@ -288,12 +288,10 @@
         <div class="row mb-5 mt-5">
           <div class="col">
             <h2 class="pb-3 mb-3 border-bottom">Security Advisories</h2>
-            <!--
             <p>
-              CVE- : Apache Unomi
+              CVE-2020-11975 : Remote Code Execution in Apache Unomi
             </p>
-            <a class="btn btn-outline-primary" href="security/cve-*.txt">Notes</a>
-            -->
+            <a class="btn btn-outline-primary" href="security/cve-2020-11975.txt">Notes</a>
           </div>
         </div>
 

src/main/webapp/security/cve-2020-11975.txt

diff --git a/src/main/webapp/security/cve-2020-11975.txt b/src/main/webapp/security/cve-2020-11975.txt
new file mode 100644
index 0000000..7bd55ff
--- /dev/null
+++ b/src/main/webapp/security/cve-2020-11975.txt
@@ -0,0 +1,44 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2020-11975: Remote Code Execution in Apache Unomi
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache Unomi prior to 1.5.1
+
+Description:
+
+Apache Unomi allows conditions to use OGNL scripting which offers the possibility
+to call static Java classes from the JDK that could execute code with the
+permission level of the running Java process.
+
+This has been fixed in revision:
+
+https://git-wip-us.apache.org/repos/asf?p=unomi.git;h=789ae8e820c507866b9c91590feebffa4e996f5e
+
+Migration:
+
+Apache Unomi users should upgrade to 1.5.1 or later.
+
+Credit: This issue was reported by Yiming Xiang of NSFOCUS.
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEFt9+Vnc4Fy+UXwQCfBnR+70asd8FAl7XwXcACgkQfBnR+70a
+sd9XYRAAjHv3p4IZd/Uy+JRS3+i2fgYEDJGVjLpewDeoLp1pCRc8hUTTeKQXgq+E
+j3YOAbji9rV0fFYyOCQzmMraIDoHzQFt49Oit2gglXnB9fSer5Rk9lOQf1DgaTJz
+Op1Hf/pTwMrrhUQqe4vNRg9NRp7DYyZkObpeXbZaLRarv/NuYsDEXl9A6xDyRabe
+5wLGLep85+OalIhAUAXlI6uLqfzfDbU2jlJgcSpvCstOj9vDpkB+jpZOxi7GsN+X
+An69bWE+otpE9KlIlhu9GD/lRzzNY8r9DkZXE5Mp24smNm8UYr8GutnYEmAQO09u
+Mc9H/hRcnTfiJUeG+pXSNQSRJ+FfgK5Lvp9P4cppo481AGwCTLP01uJu8nsJb/46
+AlDF4xA+d7D8TlbN6NXm4FUrP1/QhKyvPHfvGjrPjEs0TbirMU9ypwsO4ESh0O8B
+6CVDxSKqmBfWjwQ4AYo+Izddsuf9ABSscNRJmfNxMBQZ0MXvGULcboXipVASWjBF
+HS936RtYJY04SQ0aJuTpuN2c8J6S/P+OGzry2ETWuaE5e3nQXWsUry98GQ/qFrK9
+3Jm1QZiP9dv8epZ6my0k+845+F2W1P8vkzy2QpGbnYsjcf3/f5T6U+Nz/k0skMHZ
+iFNa6aoDShfbziW3pYqLiAwJ+zEQFvU0B9nSXIeiwZwg9ZqWCxk=
+=AjB8
+-----END PGP SIGNATURE-----