continuum-commits mailing list archives

From br...@apache.org
Subject svn commit: r1069390 - in /continuum/site/src/site: apt/security.apt xdoc/index.xml
Date Thu, 10 Feb 2011 13:51:03 GMT
Author: brett
Date: Thu Feb 10 13:51:03 2011
New Revision: 1069390

URL: http://svn.apache.org/viewvc?rev=1069390&view=rev
Log:
add security notes

Added:
    continuum/site/src/site/apt/security.apt
Modified:
    continuum/site/src/site/xdoc/index.xml

Added: continuum/site/src/site/apt/security.apt
URL: http://svn.apache.org/viewvc/continuum/site/src/site/apt/security.apt?rev=1069390&view=auto
==============================================================================
--- continuum/site/src/site/apt/security.apt (added)
+++ continuum/site/src/site/apt/security.apt Thu Feb 10 13:51:03 2011
@@ -0,0 +1,65 @@
+ ------
+ Security Vulnerabilities
+ ------
+
+~~ Licensed to the Apache Software Foundation (ASF) under one
+~~ or more contributor license agreements.  See the NOTICE file
+~~ distributed with this work for additional information
+~~ regarding copyright ownership.  The ASF licenses this file
+~~ to you under the Apache License, Version 2.0 (the
+~~ "License"); you may not use this file except in compliance
+~~ with the License.  You may obtain a copy of the License at
+~~
+~~   http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing,
+~~ software distributed under the License is distributed on an
+~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~~ KIND, either express or implied.  See the License for the
+~~ specific language governing permissions and limitations
+~~ under the License.
+
+~~ NOTE: For help with the syntax of this file, see:
+~~ http://maven.apache.org/guides/mini/guide-apt-format.html
+
+
+Security Vulnerabilities
+
+  Please note that binary patches are not produced for individual vulnerabilities. To obtain
the binary fix for a particular 
+  vulnerability you should upgrade to an Apache Continuum version where that vulnerability
has been fixed.
+
+* CVE-2011-0533: Apache Continuum cross-site scripting vulnerability
+
+  A request that included a specially crafted request parameter could be used to inject arbitrary
HTML or Javascript into the
+  Continuum user management page and project details pages. This fix is available in version
{{{./download.html} 1.3.7}} of
+  Apache Continuum. All users must upgrade to this version (or higher).
+
+  Versions Affected:
+
+    * Continuum 1.3.6
+
+    * Continuum 1.4.0 (Beta)
+
+    * The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.
+
+    []
+
+* CVE-2010-3449: Apache Continuum CSRF vulnerability
+
+  Apache Continuum doesn't check which form sends credentials. An attacker can create a specially
crafted page and force
+  Continuum administrators to view it and change their credentials. To fix this, a referrer
check was added to the security
+  interceptor for all secured actions. A prompt for the administrator's password when changing
a user account was also set
+  in place. This fix is available in version {{{./download.html} 1.3.7}} of Apache Continuum.
All users must upgrade to this
+  version (or higher).
+
+  Versions Affected:
+
+    * Continuum 1.3.6
+
+    * Continuum 1.4.0 (Beta)
+
+    * The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.
+
+    []
+
+
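Review bot: the CVE-2010-3449 entry says a referrer check was added to the security interceptor but does not say how requests that arrive without a Referer header are treated, and that decision determines how much protection the check actually gives; the advisory should state whether such requests are rejected, since users behind proxies that strip the header will need to know. Two smaller points in the same hunk: "Javascript" in the CVE-2011-0533 entry should read "JavaScript", and neither entry records a disclosure date or a severity rating, which readers deciding how urgently to upgrade will look for.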

Modified: continuum/site/src/site/xdoc/index.xml
URL: http://svn.apache.org/viewvc/continuum/site/src/site/xdoc/index.xml?rev=1069390&r1=1069389&r2=1069390&view=diff
==============================================================================
--- continuum/site/src/site/xdoc/index.xml (original)
+++ continuum/site/src/site/xdoc/index.xml Thu Feb 10 13:51:03 2011
@@ -71,6 +71,9 @@
       <p>
         <a href="license.html">Apache License 2.0</a>
       </p>
+      <p>
+        <a href="security.html">Security Vulnerabilities</a>
+      </p>
     </div>
  
     <div class="frontpagebox">


