Happy Friday, everyone –let’s review the Apache community’s activities from over the past week:

ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation’s bylaws.

• Next Board Meeting: 19 October 2022. Running Board calendar and minutes are available.

ASF Infrastructure – our distributed team on three continents keeps the ASF’s infrastructure running around the clock.

• 7M+ weekly checks yield uptime at 100%. Performance checks across 50 different service components spread over more than 250 machines in data centers around the world. View the ASF’s Infrastructure Uptime site to see the most recent averages.

Apache Code Snapshot – Over the past week, 263 Apache Committers and 779 contributors changed 2,957,215 lines of code over 3,590 commits. Top five contributors, in order, are: Robbie Gemmell, Clebert Suconic, Jark Wu, Claus Ibsen, and Andrea Cosentino.

Apache Project Announcements – the latest updates by category.

Big Data –

• Apache InLong 1.3.0 released
  • CVE-2022-40955: Deserialization attack prior to version 1.3.0 allows RCE via JDBC

Content –

• Apache POI 5.2.3 released

Cloud Computing –

• Apache Kafka 2.8.2, 3.0.2, 3.1.2, and 3.2.3 released
  • CVE-2022-34917: Unauthenticated clients may cause OutOfMemoryError on Apache Kafka Brokers

Library –

• Apache SOAP CVE-2022-40705: XML External Entity Injection (XXE) allows unauthenticated users to read arbitrary files via HTTP

Logging Services –

• Apache Log4j 2.19.0 released

Mail –

• CVE-2022-28220: STARTTLS command injection in Apache JAMES

Messaging –

• Apache Pulsar 2.8.4 released
  • CVE-2022-24280: Proxy target broker address isn’t validated
  • CVE-2022-33681: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM
  • CVE-2022-33682: Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack
  • CVE-2022-33683: Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack
• Apache Qpid JMS 1.7.0 and 2.1.0 released

Observability –

• Apache SkyWalking CLI 0.11.0, Kubernetes 4.3.0, Cloud on Kubernetes 0.7.0 released

Programming Languages –

• Apache Groovy 3.0.13 released

Release Auditing –

• Apache Creadur RAT 0.15 is released

Servers –

• Apache Tomcat Migration tool for Jakarta EE 1.0.4 released

Workflow –

• Apache Airflow 2.4.0 released
  • CVE-2022-40604: Format String Vulnerability
  • CVE-2022-40754: Open Redirect

Apache Community Notices

• Apache in 2021 – By The Digits + Video highlights
• The Apache Way to Sustainable Open Source Success
• Foundation Reports and Statements
• Presentations from 2021’s ApacheCon Asia and ApacheCon@Home are available on the ASF YouTube channel.
• “Success at Apache” focuses on the people and processes behind why the ASF “just works.”
• Follow the ASF on social media: @TheASF on Twitter and The ASF page LinkedIn.
• Follow the Apache Community on Facebook and Twitter.
• Are your software solutions Powered by Apache? Download & use our “Powered By” logos.

Stay updated about The ASF

For real-time updates, sign up for Apache-related news by sending mail to announce-subscribe@apache.org and follow @TheASF on Twitter. For a broader spectrum from the Apache community, Planet Apache provides an aggregate of Project activities as well as the personal blogs and tweets of select ASF Committers.

Have an item? Contact us!

We try to catch all the major announcements and goings on at The ASF, but we’re not all-knowing. Have an item you want to see in the weekly round-up? Send it to press@apache.org.