From commits-return-65079-archive-asf-public=cust-asf.ponee.io@camel.apache.org Wed Sep 12 12:21:14 2018
X-Original-To: archive-asf-public@cust-asf.ponee.io
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 63138180630 for ; Wed, 12 Sep 2018 12:21:13 +0200 (CEST)
Received: (qmail 77937 invoked by uid 500); 12 Sep 2018 10:21:12 -0000
Mailing-List: contact commits-help@camel.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@camel.apache.org
Delivered-To: mailing list commits@camel.apache.org
Received: (qmail 77928 invoked by uid 99); 12 Sep 2018 10:21:12 -0000
Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 12 Sep 2018 10:21:12 +0000
Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id C99433A03A6 for ; Wed, 12 Sep 2018 10:21:11 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1035025 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2018-8041.txt.asc security-advisories.html
Date: Wed, 12 Sep 2018 10:21:11 -0000
To: commits@camel.apache.org
From: buildbot@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20180912102111.C99433A03A6@svn01-us-west.apache.org>

Author: buildbot
Date: Wed Sep 12 10:21:11 2018
New Revision: 1035025

Log:
Production update by buildbot for camel

Added:
    websites/production/camel/content/security-advisories.data/CVE-2018-8041.txt.asc
Modified:
    websites/production/camel/content/cache/main.pageCache
    websites/production/camel/content/security-advisories.html

Modified: websites/production/camel/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/camel/content/security-advisories.data/CVE-2018-8041.txt.asc
==============================================================================
--- websites/production/camel/content/security-advisories.data/CVE-2018-8041.txt.asc (added)
+++ websites/production/camel/content/security-advisories.data/CVE-2018-8041.txt.asc Wed Sep 12 10:21:11 2018
@@ -0,0 +1,32 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +CVE-2018-8041: Apache Camel's Mail is vulnerable to path traversal + +Severity: MEDIUM + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.20.0 to 2.20.3, Camel 2.21.0 to 2.21.1 and Camel 2.22.0 + +The unsupported Camel 2.x (2.19 and earlier) versions may be also affected. + +Description: Apache Camel's Mail is vulnerable to path traversal + +Mitigation: 2.20.x users should upgrade to 2.20.4, 2.21.0 users should upgrade to 2.21.2 and Camel 2.22.x users should upgrade to 2.22.1 + +The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-12630 +refers to the various commits that resovoled the issue, and have more details. + +Credit: This issue was discovered by Eedo Shapira from GE . +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (GNU/Linux) + +iQEcBAEBAgAGBQJbmOMKAAoJEONOnzgC/0EAfSkH+wdNhAyFodwWREYgmHNbxTdf +c3JFH+jeqCpg1wiDZmGS4GpRi0f7s4W09tTIgiTtFhJINzpxJ6JOkZX8AzB43bSx +g83RdYmAplgrYaeY4dQnjAN9LrUSHTbLxWKsG+gR0FigkmL3B3qM30jGD3T4t3WM +AJ5PXRR87v85I9A1CzjtBgrxY6Zjn8A70Jm1AYdQ83Ywwj8dUD8Sw8qiFl/V/VBm +P77Y6/S0PzBu6AJR5k+31dy5aZaStwts0uWuCwwZl74DfDVwgM44rj9WTRJ9aseq +hc9T/Y3S7JKHMA3oo6Wu3MjU9kSO1PQ39CNO5/oCnjAtk4SVVSwU3wNYlXWj1t0= +=3846 +-----END PGP SIGNATURE----- Modified: websites/production/camel/content/security-advisories.html ============================================================================== --- websites/production/camel/content/security-advisories.html (original) +++ websites/production/camel/content/security-advisories.html Wed Sep 12 10:21:11 2018 @@ -78,7 +78,7 @@ -

2018

  • CVE-2018-8027 - Apache Camel's Core is vulnerable to XXE in XSD validation processor

2017

  • CVE-2017-12634 - Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks
  • CVE-2017-12633 - Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks
  • CVE-2017-5643 - Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE
  • CVE-2017-3159 - Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks

2016

  • CVE-2016-8749 60;- Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks

2015

  • CVE-2015-5344 - Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.
  • CVE-2015-5348 - Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability.
  • CVE-2015-0264 - The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration . The XML External Entity (XXE) will be resolved before the Exception is thrown.
  • CVE-2015-0263 - The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration.

2014

  • CVE-2014-0003 - The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.
  • CVE-2014-0002 - The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.

2 013

  • CVE-2013-4330 - Writing files using FILE or FTP components, can potentially be exploited by a malicious user.

 

+

2018

  • CVE-2018-8041 - Apache Camel's Mail is vulnerable to path traversal
  • CVE-2018-8027 - Apache Camel's Core is vulnerable to XXE in XSD validation processor

2017

  • CVE-2017-12634 - Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks
  • CVE-2017-12633 - Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks
  • CVE-2017-5643 - Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE
  • CVE-2017-3159 - Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks

2016

  • CVE-2016-8749  - Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks

2015

  • CVE-2015-5344 - Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.
  • CVE-2015-5348 - Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability.
  • CVE-2015-0264 - The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) decl aration. The XML External Entity (XXE) will be resolved before the Exception is thrown.
  • CVE-2015-0263 - The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration.

2014

  • CVE-2014-0003 - The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.
  • CVE-2014-0002 - The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.

2013

  • CVE-2013-4330 - Writing files using FILE or FTP components, can potentially be exploited by a malicious user.
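Review bot: in the CVE-2018-8041.txt.asc hunk the mitigation line disagrees with the affected-version list: "Versions Affected" covers Camel 2.21.0 to 2.21.1, but the mitigation says "2.21.0 users should upgrade to 2.21.2"; it should read "2.21.x users should upgrade to 2.21.2", matching the 2.20.x and 2.22.x wording. Two smaller text fixes in the same block: "The JIRA tickets: ... refers to the various commits that resovoled the issue" should be "The JIRA ticket ... refers to the various commits that resolved the issue", and "from GE ." has a stray space before the period. The Description line only repeats the title, so a reader cannot tell from the advisory which mail-component operation is affected without following the JIRA link; one sentence naming the affected operation would make the advisory self-contained. The cleartext signature also uses "Hash: SHA1"; a SHA-256 digest would be the better choice for signing a security advisory.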
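Review bot: the security-advisories.html hunk replaces one line that renders as the entire advisory list, so the only intended change visible is the new 2018 bullet "CVE-2018-8041 - Apache Camel's Mail is vulnerable to path traversal" at the top of the list; because the diff shows rendered text rather than markup, the bullet's link target is not visible here, so confirm it points at the security-advisories.data/CVE-2018-8041.txt.asc file added in the same commit. The old and new sides also differ after "CVE-2016-8749" ("60;-" versus "  -"), in "2 013" versus "2013", and in "decl aration" versus "declaration"; the new side is correct in each case, so these look like entity and whitespace fixes in the regenerated page, but they are not mentioned in the log message and are worth confirming as intentional.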