Subject: svn commit: r944021 - in /websites/production/camel/content: ./ 2015/03/16/ cache/ security-advisories.data/
Date: Mon, 16 Mar 2015 21:19:23 -0000
To: commits@camel.apache.org
From: buildbot@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20150316211923.E414BAC02F5@hades.apache.org> Author: buildbot Date: Mon Mar 16 21:19:23 2015 New Revision: 944021 Log: Production update by buildbot for camel Added: websites/production/camel/content/2015/03/16/ websites/production/camel/content/2015/03/16/cve-2015-0263-and-cve-2015-0264-apache-camel-medium-disclosure-vulnerability.html websites/production/camel/content/security-advisories.data/CVE-2015-0263.txt.asc websites/production/camel/content/security-advisories.data/CVE-2015-0264.txt.asc Modified: websites/production/camel/content/cache/main.pageCache websites/production/camel/content/index.html websites/production/camel/content/news.html websites/production/camel/content/security-advisories.html Added: websites/production/camel/content/2015/03/16/cve-2015-0263-and-cve-2015-0264-apache-camel-medium-disclosure-vulnerability.html ============================================================================== --- websites/production/camel/content/2015/03/16/cve-2015-0263-and-cve-2015-0264-apache-camel-medium-disclosure-vulnerability.html (added) +++ websites/production/camel/content/2015/03/16/cve-2015-0263-and-cve-2015-0264-apache-camel-medium-disclosure-vulnerability.html Mon Mar 16 21:19:23 2015 @@ -0,0 +1,147 @@ + + + + + + + + + + + + + + + + + + + Apache Camel: CVE-2015-0263 and CVE-2015-0264 - Apache Camel medium disclosure vulnerability + + + +
+
+
+
+
+
+
+
+
+
+
+ + + + + + + + + + + + +
+

If you are using Apache Camel to route XML messages, please note that the security advisories CVE-2015-0263 and CVE-2015-0264 may affect you.

Please study these critical security vulnerability carefully!

CVE-2015-0263
CVE-2015-0264

You can download the fixed Apache Camel 2.13.x and 2.14.x version from the Apache mirrors or from the Central Maven repository.

On behalf of the Camel PMC,
Christian

+
+ +
+ + +
+
+
+
+
+
+ +
+
+
+© 2004-2014 The Apache Software Foundation. +
+Apache Camel, Camel, Apache, the Apache feather logo, and the Apache Camel project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners. +
+Graphic Design By Hiram +
+ + + + + + + + Modified: websites/production/camel/content/cache/main.pageCache ============================================================================== Binary files - no diff available. Modified: websites/production/camel/content/index.html ============================================================================== --- websites/production/camel/content/index.html (original) +++ websites/production/camel/content/index.html Mon Mar 16 21:19:23 2015 @@ -105,17 +105,17 @@ There's a great discussion about Camel a

-

The Camel community announces the immediate availability of the new major release Camel 2.15.0. This release contains a total of 500+ fixes applied in the past 6 months by the community on the Camel master branch.  

The artifacts are published and ready for you to download either from the Apache mirrors or from the Central Maven repository. For more details please take a look at the release notes.   

Many thanks to all who made this release possible.   

On behalf of the Camel PMC,   

Willem

+

If you are using Apache Camel to route XML messages, please note that the security advisories CVE-2015-0263 and CVE-2015-0264 may affect you.

Please study these critical security vulnerability carefully!

CVE-2015-0263
CVE-2015-0264

You can download the fixed Apache Camel 2.13.x and 2.14.x version from the Apache mirrors or from the Central Maven repository.

On behalf of the Camel PMC,
Christian

@@ -129,13 +129,13 @@ There's a great discussion about Camel a - Apache Camel 2.13.4 released + Apache Camel 2.15.0 Released
-

The Camel community announces the immediate availability of the new patch release Camel 2.13.4. This release contains a total of 81 fixes applied in the past 3 months by the community on the Camel 2.13.x maintenance branch.

The artifacts are published and ready for you to download either from the Apache mirrors or from the Central Maven repository. For more details please take a look at the release notes.

Many thanks to all who made this release possible.

On behalf of the Camel PMC,

Willem

+

The Camel community announces the immediate availability of the new major release Camel 2.15.0. This release contains a total of 500+ fixes applied in the past 6 months by the community on the Camel master branch.  

The artifacts are published and ready for you to download either from the Apache mirrors or from the Central Maven repository. For more details please take a look at the release notes.   

Many thanks to all who made this release possible.   

On behalf of the Camel PMC,   

Willem

@@ -149,13 +149,13 @@ There's a great discussion about Camel a - Apache Camel 2.14.2 + Apache Camel 2.13.4 released
-

The Camel community announces the immediate availability of the new patch release Camel 2.14.2. This release contains a total of 101 fixes applied in the past 3 months by the community on the Camel 2.14.x maintenance branch.

The artifacts are published and ready for you to download either from the Apache mirrors or from the Central Maven repository. For more details please take a look at the release notes.

Many thanks to all who made this release possible.

On behalf of the Camel PMC,

Willem

+

The Camel community announces the immediate availability of the new patch release Camel 2.13.4. This release contains a total of 81 fixes applied in the past 3 months by the community on the Camel 2.13.x maintenance branch.

The artifacts are published and ready for you to download either from the Apache mirrors or from the Central Maven repository. For more details please take a look at the release notes.

Many thanks to all who made this release possible.

On behalf of the Camel PMC,

Willem

@@ -169,13 +169,13 @@ There's a great discussion about Camel a - Camel 2.14.1 released - + Apache Camel 2.14.2 +
-

The Camel community announces the immediate availability of the new patch release Camel 2.14.1. This release contains a total of 139 fixes applied in the past 3 months by the community on the Camel 2.14.x maintenance branch.

The artifacts are published and ready for you to download either from the Apache mirrors or from the Central Maven repository. For more details please take a look at the release notes.

Many thanks to all who made this release possible.

On behalf of the Camel PMC,

Willem

+

The Camel community announces the immediate availability of the new patch release Camel 2.14.2. This release contains a total of 101 fixes applied in the past 3 months by the community on the Camel 2.14.x maintenance branch.

The artifacts are published and ready for you to download either from the Apache mirrors or from the Central Maven repository. For more details please take a look at the release notes.

Many thanks to all who made this release possible.

On behalf of the Camel PMC,

Willem

@@ -185,17 +185,17 @@ There's a great discussion about Camel a
-

Six days ago the Camel PMC voted another one of the very active and talented contributors to become a committer.

 

Colm O hEigeartaigh is actively involved with Apache Camel since months contributing code and helping other users. Colm proactively worked on reported issues and took them to resolution acting as a committer. He is an Apache Member and already in the PMC for Apache CXF, Incubator, Santaurio (chair), Syncope and WS and know how Apache works. In recognition of his work, the PMC only had to take care of the simple task of making that official. A few days ago, Colm got his committer account setup, concluding the process of becoming the newest Camel rider. Stay tuned for his first official commit. (wink)

 

On behalf of the Camel PMC, welcome aboard Colm and keep up the great work!

Christian

 

 

+

The Camel community announces the immediate availability of the new patch release Camel 2.14.1. This release contains a total of 139 fixes applied in the past 3 months by the community on the Camel 2.14.x maintenance branch.

The artifacts are published and ready for you to download either from the Apache mirrors or from the Central Maven repository. For more details please take a look at the release notes.

Many thanks to all who made this release possible.

On behalf of the Camel PMC,

Willem

@@ -209,13 +209,13 @@ There's a great discussion about Camel a - Apache Camel 2.13.3 released - + Welcome Colm O hEigeartaigh as the newest Camel Rider +
-

The Camel community announces the immediate availability of the new patch release Camel 2.13.3. This bug fix release is issued after more than 3 months of intense efforts of the Camel 2.13.x maintenance branch and resolves 103 issues in total.

The artifacts are published and ready for you to download either from the Apache mirrors or from the Central Maven repository. For more details please take a look at the release notes.

Many thanks to all who made this release possible.

 

On behalf of the Camel PMC,

Christian

+

Six days ago the Camel PMC voted another one of the very active and talented contributors to become a committer.

 

Colm O hEigeartaigh is actively involved with Apache Camel since months contributing code and helping other users. Colm proactively worked on reported issues and took them to resolution acting as a committer. He is an Apache Member and already in the PMC for Apache CXF, Incubator, Santaurio (chair), Syncope and WS and know how Apache works. In recognition of his work, the PMC only had to take care of the simple task of making that official. A few days ago, Colm got his committer account setup, concluding the process of becoming the newest Camel rider. Stay tuned for his first official commit. (wink)

 

On behalf of the Camel PMC, welcome aboard Colm and keep up the great work!

Christian

 

 

Modified: websites/production/camel/content/news.html ============================================================================== --- websites/production/camel/content/news.html (original) +++ websites/production/camel/content/news.html Mon Mar 16 21:19:23 2015 @@ -84,6 +84,26 @@
+ +
+

If you are using Apache Camel to route XML messages, please note that the security advisories CVE-2015-0263 and CVE-2015-0264 may affect you.

Please study these critical security vulnerability carefully!

CVE-2015-0263
CVE-2015-0264

You can download the fixed Apache Camel 2.13.x and 2.14.x version from the Apache mirrors or from the Central Maven repository.

On behalf of the Camel PMC,
Christian

+
+ + +
+ + +
+
+ @@ -465,32 +485,6 @@ Hadrian

-
- - -
- - -
-

The Camel Riders are growing their ranks again after only a few short months. We are pleasantly surprised ourselves with the growth of our community the increased interest in Camel and the quantity and quality of contributions. As a result we want to welcome as committer and PMC member James Carman who stuck with us and consistently helped out.

- -

James Carman has been around Camel for quite some time and has contributed some patches and helped with non trivial tasks and fixes. He demonstrated that he is both willing and capable of taking responsibilities that go beyond the code and involve the future of the project. With his involvement in other Apache projects he will also be a great addition to the team.

- -

On behalf of the Camel PMC, welcome aboard and we expect more great things coming from you!
-Christian Müller,
-VP, Apache Camel

-
- -
Added: websites/production/camel/content/security-advisories.data/CVE-2015-0263.txt.asc ============================================================================== --- websites/production/camel/content/security-advisories.data/CVE-2015-0263.txt.asc (added) +++ websites/production/camel/content/security-advisories.data/CVE-2015-0263.txt.asc Mon Mar 16 21:19:23 2015 
@@ -0,0 +1,38 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + +CVE-2015-0263: Apache Camel medium disclosure vulnerability + +Severity: MEDIUM + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.13.0 to 2.13.3, Camel 2.14.0 to 2.14.1 +The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x, 2.10.x, 2.11.x and 2.12.x versions may be also affected. + +Description: The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration. + +Mitigation: 2.13.x users should upgrade to 2.13.4, 2.14.x users should upgrade to 2.14.2. This patch will be included from Camel 2.15.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36 + +Credit: This issue was discovered by Stephan Siano. + +References: http://camel.apache.org/security-advisories.html +-----BEGIN PGP SIGNATURE----- +Version: GnuPG/MacGPG2 v2.0.22 (Darwin) +Comment: GPGTools - http://gpgtools.org + +iQIcBAEBAgAGBQJU/sahAAoJEImh9lEqI5wsKmkQAIPMcNnEvWWolihdFlC+4nQn +Fo39aZ+nr6mH38PgH1Ho2wGPYYX6j6r41cJIOtU5lZzSmC8yaX5tEavm0bKK9XJu +ScNKixYwxSejF326CKlm2Nl9X26OtZaPSrCyXn9fdFtvkSyo2qcypbYkIGujZW9R +8sKLKHPgCupBjrDh0271D2BEw9eqZvNsKeBE2o/sePcHy5dhS8GQdKbBmfF1tDDl +lfAWr+djLJ018X10krVek7GWajdXiZEsMmUZZ6i+Ao0Y9dTguVjTRxcO6gHPM4xq +AyyDBF2tT2/JvP6QzeaspAI9Wpjr2CD0HKS3eURsfghsjWNklueYeEc/kE/5Usls +4WiM2MCMPfhef5uY2cbt+BEeouAkIvNdyjzadEdIHJYzqwyWdTwuuabNG+X2zI+m ++Sz0aepvpAXdWrfNFAiiGrzIDRVnZsTjEQ8THAeoSND08e111cy0S2TmKhVlljF+ +Ag5gqduoReWnIrksxJ5M0wkaOfubBgactRFoc8ZhIdmyY8xbiFJmywI9sZ1aTP5s +tV/hFq7hcGCDqwFAHFsYRoXecfVHWEN/zr0MjXpQ6xT3f8Jedeamq1ZiaBDtfM5p +SHumY30Tc+cCBV3nFVjxM+zAcFQ8gjnORnZEnZ2F+HQaJHZzQOLWZ6V/urcuHUzu +HWeqvw4nphzuGl88Vv1M +=IvV+ +-----END PGP SIGNATURE----- Added: websites/production/camel/content/security-advisories.data/CVE-2015-0264.txt.asc ============================================================================== 
--- websites/production/camel/content/security-advisories.data/CVE-2015-0264.txt.asc (added) +++ websites/production/camel/content/security-advisories.data/CVE-2015-0264.txt.asc Mon Mar 16 21:19:23 2015 
@@ -0,0 +1,38 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + +CVE-2015-0264: Apache Camel medium disclosure vulnerability + +Severity: MEDIUM + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.13.0 to 2.13.3, Camel 2.14.0 to 2.14.1 +The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x, 2.10.x, 2.11.x and 2.12.x versions may be also affected. + +Description: The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before the Exception is thrown. + +Mitigation: 2.13.x users should upgrade to 2.13.4, 2.14.x users should upgrade to 2.14.2. This patch will be included from Camel 2.15.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da + +Credit: This issue was discovered by Stephan Siano. + +References: http://camel.apache.org/security-advisories.html +-----BEGIN PGP SIGNATURE----- +Version: GnuPG/MacGPG2 v2.0.22 (Darwin) +Comment: GPGTools - http://gpgtools.org + +iQIcBAEBAgAGBQJU/saFAAoJEImh9lEqI5wsh5MQALhKWptMPv5ktFPxVcqORosf +wXiUWvqL4MM67ZDzf4EqsOdMUWtoFB9gPD7ZUU529yji5uzEdPibrkvlPUUBkR6n +funLrsIK3/rFsY/UFWJxGpm0ZWRbp+XqS8iykU27jsACQFPZVSTeURkYHAvKbwOj +s6kAfF72y229kDGi12CP/z+r3XgL7dwrOCZ+Y+WxRUFq6TFSqECSn8+gQtRd9CN+ +/+sXjr+TBmVc2FBz06nFGbS72qVVVxKf0krdrqP8u34Ca9nV0686vozcINxH0CzC +LtGuTCcyqFP+efEbEsC29SlAtQqq0zdTVLmlJF6CmC7yB5wSr0l9BE3nWPDx6OLI +MXtoqXfdvQiOVQB8WlyP9D+c14Vl4U/ywuTERGl+e+QVSp35jdMju4UJJoMzGsM1 +2+PDm5BG7uuu5iuWQMTlwCBeJTPGhFLYrxTtwQ7zGvXZJdG7kElhzuESwDgo+gol +i1AHBVS2w800AkStpSxo6El1/RiZJtq0hp1JJI8oWyUuY4zJqKRAQXtymOgH5xae +o8BF5meg8UmidtQi9woG28o8VRxtfeZIhd/DeM6nuSWtFNdEItzV4ksm89F4Glhy +oNLR1ufk5BJlG7EPj89w7MIklX70u3Q/LWeJOk6u6TGVxPhrZzOH2k7RMALIlKoB +b4sZQjwpBaJG8hlJbvSK +=8G1w +-----END PGP SIGNATURE----- Modified: 
websites/production/camel/content/security-advisories.html ============================================================================== --- websites/production/camel/content/security-advisories.html (original) +++ websites/production/camel/content/security-advisories.html Mon Mar 16 21:19:23 2015 @@ -75,7 +75,7 @@ -

2013

  • CVE-2013-4330 - Writing files using FILE or FTP components, can potentially be exploited by a malicious user.

2014

  • CVE-2014-0002 - The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.
  • CVE-2014-0003 - The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.
+

2015

  • CVE-2015-0264 - The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before the Exception is thrown.
  • CVE-2015-0263 - The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration.

2014

  • CVE-2014-0003 - The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.
  • CVE-2014-0002 - The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.

2013

  • CVE-2013-4330 - Writing files using FILE or FTP components, can potentially be exploited by a malicious user.
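Review bot: In the new 2015/03/16/cve-2015-0263-and-cve-2015-0264-apache-camel-medium-disclosure-vulnerability.html page, the sentence "You can download the fixed Apache Camel 2.13.x and 2.14.x version" does not say which releases carry the fix. The advisories added alongside it name them ("2.13.x users should upgrade to 2.13.4, 2.14.x users should upgrade to 2.14.2"), so the announcement should state 2.13.4 and 2.14.2 explicitly. The footer of this page, added in 2015, also still reads "© 2004-2014".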
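Review bot: In security-advisories.data/CVE-2015-0263.txt.asc the clearsigned header reads "Hash: SHA1", so the signature over the advisory text rests on a SHA-1 digest. Suggest re-signing with a SHA-2 digest (with GnuPG, `--digest-algo SHA256`) before publishing, so that anyone verifying the advisory is not relying on SHA-1. CVE-2015-0264.txt.asc carries the same header.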
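Review bot: security-advisories.data/CVE-2015-0264.txt.asc uses the same title line as CVE-2015-0263.txt.asc ("Apache Camel medium disclosure vulnerability"), so the two advisories cannot be told apart until the Description. Suggest naming the affected piece in each title, XPath handling here and the XML converter setup in the other. Separately, "Versions Affected" says the unsupported 2.3.x to 2.12.x lines "may be also affected" while "Mitigation" addresses only 2.13.x and 2.14.x users; a sentence telling users of the unsupported lines what to do would close that gap.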