Update for Apache Unomi 1.5.5 release
diff --git a/pom.xml b/pom.xml
index 23c89f6..36a9203 100644
--- a/pom.xml
+++ b/pom.xml
@@ -46,9 +46,9 @@
</repositories>
<properties>
- <latest.stable.version>1.5.4</latest.stable.version>
- <next.stable.version>1.5.5</next.stable.version>
- <next.development.version>1.5.5-SNAPSHOT</next.development.version>
+ <latest.stable.version>1.5.5</latest.stable.version>
+ <next.stable.version>1.5.6</next.stable.version>
+ <next.development.version>1.5.6-SNAPSHOT</next.development.version>
<latest.development.version>2.0.0-SNAPSHOT</latest.development.version>
</properties>
diff --git a/src/main/webapp/contribute-release-guide.html b/src/main/webapp/contribute-release-guide.html
index b83486e..d453cb6 100644
--- a/src/main/webapp/contribute-release-guide.html
+++ b/src/main/webapp/contribute-release-guide.html
@@ -169,16 +169,18 @@
<a href="https://www.apache.org/dev/publishing-maven-artifacts.html" target="_blank">https://www.apache.org/dev/publishing-maven-artifacts.html</a> and <a href="https://maven.apache.org/guides/mini/guide-encryption.html#How_to_encrypt_server_passwords" target="_blank">https://maven.apache.org/guides/mini/guide-encryption.html#How_to_encrypt_server_passwords</a>
</li>
<li>Check into the target directory and unzip the source release and compile it using:
- <pre class="alert alert-primary"><code>cd target
+ <pre class="alert alert-primary"><code>pushd
+cd target
gpg --verify unomi-root-${next.development.version}-source-release.zip.asc unomi-root-${next.development.version}-source-release.zip
shasum -a 512 unomi-root-${next.development.version}-source-release.zip
cat unomi-root-${next.development.version}-source-release.zip.sha512
unzip unomi-root-${next.development.version}-source-release.zip
cd unomi-root-${next.development.version}
-mvn clean install</code></pre>
+mvn clean install
+popd</code></pre>
to check that the packaged source build properly
</li>
- <li>Go back to the root project directory and run:
+ <li>Go back to the root project directory (pushd/popd did that for you normally) and run:
<pre class="alert alert-primary"><code>mvn release:prepare -DskipITs=true -DskipTests=true -Darguments="-DskipITs=true -DskipTests=true" -DdryRun=true -P apache-release,integration-tests,performance-tests,docker,\!run-tests</code></pre>
</li>
<li>Publish a snapshot to test the deployment passwords:
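Review bot: The bare `pushd` added at the top of the verification snippet does not save the current directory. In bash, `pushd` with no argument swaps the top two stack entries, and on an empty stack it fails with "no other directory", so the closing `popd` fails too and the shell stays in `target/unomi-root-${next.development.version}`. The next step's `mvn release:prepare` would then run from the unpacked source tree rather than the project root, contrary to the added "(pushd/popd did that for you normally)" text. Replace the first two lines with `pushd target` and keep the final `popd`. Separately, the `shasum`/`cat` pair leaves the digest comparison to the eye; `shasum -a 512 -c unomi-root-${next.development.version}-source-release.zip.sha512` would make it a pass/fail check, provided the `.sha512` file is in checksum-list format (not visible here).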
@@ -222,6 +224,13 @@
<a href="https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi/${next.stable.version}/" target="_blank">https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi/${next.stable.version}/</a>
and
<a href="https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi-root/${next.stable.version}/" target="_blank">https://repository.apache.org/content/repositories/orgapacheunomi-1014/org/apache/unomi/unomi-root/${next.stable.version}/</a>
+ using commands such as : <pre class="alert alert-primary"><code>wget https://repository.apache.org/content/repositories/orgapacheunomi-1030/org/apache/unomi/unomi-root/${next.stable.version}/unomi-root-${next.stable.version}-source-release.zip
+wget https://repository.apache.org/content/repositories/orgapacheunomi-1030/org/apache/unomi/unomi-root/${next.stable.version}/unomi-root-${next.stable.version}-source-release.zip.asc
+wget https://repository.apache.org/content/repositories/orgapacheunomi-1030/org/apache/unomi/unomi/${next.stable.version}/unomi-${next.stable.version}.tar.gz
+wget https://repository.apache.org/content/repositories/orgapacheunomi-1030/org/apache/unomi/unomi/${next.stable.version}/unomi-${next.stable.version}.tar.gz.asc
+wget https://repository.apache.org/content/repositories/orgapacheunomi-1030/org/apache/unomi/unomi/${next.stable.version}/unomi-${next.stable.version}.zip
+wget https://repository.apache.org/content/repositories/orgapacheunomi-1030/org/apache/unomi/unomi/${next.stable.version}/unomi-${next.stable.version}.zip.asc</code></pre>
+
</li>
<li>
Rename the source and binary files to something shorter and consistent with previous releases and generate
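Review bot: The added `wget` lines hard-code staging repository `orgapacheunomi-1030`, while the links just above them in the same list item point at `orgapacheunomi-1014`. The staging id is presumably assigned per release, so the two already disagree and both will be stale for the next release manager. Use a visibly marked placeholder in both the links and the commands, e.g. `orgapacheunomi-XXXX`, with a sentence telling the reader to substitute the id shown when the staging repository is closed. The snippet also downloads each `.asc` and stops there; unless a step outside this hunk already covers it, add a `gpg --verify FILE.asc FILE` line per artifact so the staged copies are checked before they are renamed and published.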
diff --git a/src/main/webapp/documentation.html b/src/main/webapp/documentation.html
index 593e6c8..f8b8b01 100644
--- a/src/main/webapp/documentation.html
+++ b/src/main/webapp/documentation.html
@@ -13,8 +13,8 @@
<div class="card flex-md-row mb-4 box-shadow h-md-250">
<div class="card-body d-flex flex-column align-items-start">
<strong class="d-inline-block mb-2 text-success"><i class="fas fa-circle"></i> Stable</strong>
- <h3 class="mb-0 text-dark">Unomi <span class="text-muted">1.5.4</span></h3>
- <div class="mb-1 text-muted">Last update: November 23rd, 2020</div>
+ <h3 class="mb-0 text-dark">Unomi <span class="text-muted">1.5.5</span></h3>
+ <div class="mb-1 text-muted">Last update: April 27th, 2021</div>
<p class="card-text">
<a href="manual/1_5_x/index.html">online</a><br>
<a target="_blank" href="https://dist.apache.org/repos/dist/release/unomi/1.5.4/unomi-manual-1_5_x.zip">html (zipped)</a>
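Review bot: The card's version label moves to 1.5.5, but the unchanged "html (zipped)" link on the last line of this hunk still targets `dist/release/unomi/1.5.4/unomi-manual-1_5_x.zip`. The download page in this same commit moves 1.5.4 to archive.apache.org, so if the 1.5.4 directory is dropped from the release area the link will break. Point it at the 1.5.5 path if the manual is published there, otherwise at the archive host. The card continues past the end of the hunk, so any further links in it should be checked for the same stale version.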
@@ -289,13 +289,14 @@
<div class="col">
<h2 class="pb-3 mb-3 border-bottom">Security Advisories</h2>
<p>
- CVE-2020-11975 : Remote Code Execution in Apache Unomi
+ <a href="security/cve-2020-11975.txt">CVE-2020-11975</a> : Remote Code Execution in Apache Unomi
</p>
- <a class="btn btn-outline-primary" href="security/cve-2020-11975.txt">Notes</a>
<p>
- CVE-2020-13942 : Remote Code Execution in Apache Unomi
+ <a href="security/cve-2020-13942.txt">CVE-2020-13942</a> : Remote Code Execution in Apache Unomi
</p>
- <a class="btn btn-outline-primary" href="security/cve-2020-13942.txt">Notes</a>
+ <p>
+ <a href="security/cve-2021-31164.txt">CVE-2021-31164</a> : CRLF Log injection in Apache Unomi
+ </p>
</div>
</div>
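Review bot: Each entry in the Security Advisories list gives only the CVE id and title, so a reader has to open the text file to learn whether their version is affected. The advisory added in this commit states the fix version, so it can go in the line: `<a href="security/cve-2021-31164.txt">CVE-2021-31164</a> : CRLF Log injection in Apache Unomi (fixed in 1.5.5)`. The two older entries could get the same suffix, with the versions taken from their own advisory files.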
diff --git a/src/main/webapp/download.html b/src/main/webapp/download.html
index 8d550b4..71e2520 100644
--- a/src/main/webapp/download.html
+++ b/src/main/webapp/download.html
@@ -11,22 +11,22 @@
<div class="card flex-md-row mb-2 box-shadow h-md-250">
<div class="card-body d-flex flex-column align-items-start">
<strong class="d-inline-block mb-2 text-success"><i class="fas fa-circle"></i> Latest release</strong>
- <h3 class="mb-0 text-dark">Unomi <span class="text-muted">1.5.4</span></h3>
- <div class="mb-1 text-muted">November 23rd, 2020</div>
+ <h3 class="mb-0 text-dark">Unomi <span class="text-muted">1.5.5</span></h3>
+ <div class="mb-1 text-muted">April 27th, 2021</div>
<p class="card-text mb-auto">
Binary Distribution :
- <a target="_blank" href="https://www.apache.org/dyn/closer.lua/unomi/1.5.4/unomi-1.5.4-bin.tar.gz">tar.gz</a>
- [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.4/unomi-1.5.4-bin.tar.gz.asc">PGP</a>]
- [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.4/unomi-1.5.4-bin.tar.gz.sha512">SHA512</a>] -
- <a target="_blank" href="https://www.apache.org/dyn/closer.lua/unomi/1.5.4/unomi-1.5.4-bin.zip">zip</a>
- [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.4/unomi-1.5.4-bin.zip.asc">PGP</a>]
- [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.4/unomi-1.5.4-bin.zip.sha512">SHA512</a>]
+ <a target="_blank" href="https://www.apache.org/dyn/closer.lua/unomi/1.5.5/unomi-1.5.5-bin.tar.gz">tar.gz</a>
+ [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.5/unomi-1.5.5-bin.tar.gz.asc">PGP</a>]
+ [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.5/unomi-1.5.5-bin.tar.gz.sha512">SHA512</a>] -
+ <a target="_blank" href="https://www.apache.org/dyn/closer.lua/unomi/1.5.5/unomi-1.5.5-bin.zip">zip</a>
+ [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.5/unomi-1.5.5-bin.zip.asc">PGP</a>]
+ [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.5/unomi-1.5.5-bin.zip.sha512">SHA512</a>]
</p>
<p class="card-text mb-auto">
Source Distribution :
- <a target="_blank" href="https://www.apache.org/dyn/closer.lua/unomi/1.5.4/unomi-1.5.4-src.zip">zip</a>
- [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.4/unomi-1.5.4-src.zip.asc">PGP</a>]
- [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.4/unomi-1.5.4-src.zip.sha512">SHA512</a>]
+ <a target="_blank" href="https://www.apache.org/dyn/closer.lua/unomi/1.5.5/unomi-1.5.5-src.zip">zip</a>
+ [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.5/unomi-1.5.5-src.zip.asc">PGP</a>]
+ [<a target="_blank" href="https://www.apache.org/dist/unomi/1.5.5/unomi-1.5.5-src.zip.sha512">SHA512</a>]
</p>
<a class="btn btn-outline-dark mt-3" href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12319220&version=12349372" role="button" target="_blank">Release notes »</a>
</div>
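Review bot: The "Release notes »" button at the end of the latest-release card is left unchanged with `version=12349372`, the same Jira version id the new 1.5.4 archive row in this file uses. The 1.5.5 card therefore links to the 1.5.4 release notes. Update the `version=` parameter to the Jira id of the 1.5.5 release, which is not shown on this page.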
@@ -84,6 +84,33 @@
</thead>
<tbody>
<tr>
+ <td>1.5.4</td>
+ <td><a target="_blank"
+ href="https://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-bin.tar.gz">tar.gz</a>
+ [<a target="_blank"
+ href="https://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-bin.tar.gz.asc">PGP</a>]
+ [<a target="_blank"
+ href="https://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-bin.tar.gz.sha512">SHA512</a>]<br>
+ <a target="_blank"
+ href="https://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-bin.zip">zip</a>
+ [<a target="_blank"
+ href="https://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-bin.zip.asc">PGP</a>]
+ [<a target="_blank"
+ href="https://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-bin.zip.sha512">SHA512</a>]
+ </td>
+ <td>
+ <a target="_blank"
+ href="https://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-src.zip">zip</a>
+ [<a target="_blank"
+ href="http://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-src.zip.asc">PGP</a>]
+ [<a target="_blank"
+ href="https://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-src.zip.sha1">SHA512</a>]
+ </td>
+ <td><a target="_blank"
+ href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12319220&version=12349372">Release
+ Notes</a></td>
+ </tr>
+ <tr>
<td>1.5.3</td>
<td><a target="_blank"
href="https://archive.apache.org/dist/unomi/1.5.3/unomi-1.5.3-bin.tar.gz">tar.gz</a>
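Review bot: In the added 1.5.4 row, the source-distribution PGP link uses plain `http://archive.apache.org/...src.zip.asc`, and the link labelled SHA512 points at `unomi-1.5.4-src.zip.sha1`. Every other link in the row is https, and a SHA-1 file behind a SHA512 label either makes a careful user's comparison fail or steers them to a weaker digest. The card this commit replaces linked `unomi-1.5.4-src.zip.sha512`, so that file should exist in the archive too. Use `https://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-src.zip.asc` and `https://archive.apache.org/dist/unomi/1.5.4/unomi-1.5.4-src.zip.sha512`. The 1.5.3 row that follows is cut off by the hunk, so it is worth checking whether it carries the same two hrefs.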
diff --git a/src/main/webapp/index.html b/src/main/webapp/index.html
index 00ed47b..abdd205 100644
--- a/src/main/webapp/index.html
+++ b/src/main/webapp/index.html
@@ -182,6 +182,7 @@
<div class="col-md-12">
<h2 class="featurette-heading">News</h2>
<ul>
+ <li>2021-04-27 Released version 1.5.5</li>
<li>2020-11-23 Released version 1.5.4</li>
<li>2020-11-21 Released version 1.5.3</li>
<li>2020-11-01 Released version 1.5.2</li>
diff --git a/src/main/webapp/security/cve-2021-31164.txt b/src/main/webapp/security/cve-2021-31164.txt
new file mode 100644
index 0000000..9210489
--- /dev/null
+++ b/src/main/webapp/security/cve-2021-31164.txt
@@ -0,0 +1,42 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2021-31164: CRLF Log injection in Apache Unomi
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache Unomi prior to 1.5.5
+
+Description:
+
+Apache Unomi allows CRLF log injection because of lack of escaping in the log statements.
+
+This has been fixed in revision:
+
+https://github.com/apache/unomi/commit/1c088702511ef44a056244cb968682daf8f21946
+
+Migration:
+
+Apache Unomi users should upgrade to 1.5.5 or later.
+
+Credit: This issue was reported by Christos - Minas Mathas
+-----BEGIN PGP SIGNATURE-----
+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+=HiSw
+-----END PGP SIGNATURE-----
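Review bot: The advisory's Description says only that log statements lack escaping; it does not state the impact or what an operator should do with existing logs. One added sentence would help triage, e.g. `An attacker able to supply values that are written to the log may insert line breaks and forge log entries, which can mislead log analysis.`, plus a note on whether logs written by affected versions should be treated as untrusted. "prior to 1.5.5" also leaves it unclear whether the 2.0.0-SNAPSHOT development line named in pom.xml is affected. The file is clear-signed, so any wording change has to be made before signing and the signature regenerated.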