From commits-return-6343-apmail-continuum-commits-archive=continuum.apache.org@continuum.apache.org Thu Feb 10 13:51:30 2011
Mailing-List: contact commits-help@continuum.apache.org; run by ezmlm
Reply-To: dev@continuum.apache.org
Delivered-To: mailing list commits@continuum.apache.org
Subject: svn commit: r1069390 - in /continuum/site/src/site: apt/security.apt xdoc/index.xml
Date: Thu, 10 Feb 2011 13:51:03 -0000
To: commits@continuum.apache.org
From: brett@apache.org
Message-Id: <20110210135103.BF3F423888FE@eris.apache.org>

Author: brett
Date: Thu Feb 10 13:51:03 2011
New Revision: 1069390

URL: http://svn.apache.org/viewvc?rev=1069390&view=rev
Log:
add security notes

Added:
    continuum/site/src/site/apt/security.apt
Modified:
    continuum/site/src/site/xdoc/index.xml

Added: continuum/site/src/site/apt/security.apt
URL: http://svn.apache.org/viewvc/continuum/site/src/site/apt/security.apt?rev=1069390&view=auto
==============================================================================
--- continuum/site/src/site/apt/security.apt (added)
+++ continuum/site/src/site/apt/security.apt Thu Feb 10 13:51:03 2011
@@ -0,0 +1,65 @@ + ------ + Security Vulnerabilities + ------ + +~~ Licensed to the Apache Software Foundation (ASF) under one +~~ or more contributor license agreements. See the NOTICE file +~~ distributed with this work for additional information +~~ regarding copyright ownership. The ASF licenses this file +~~ to you under the Apache License, Version 2.0 (the +~~ "License"); you may not use this file except in compliance +~~ with the License. You may obtain a copy of the License at +~~ +~~ http://www.apache.org/licenses/LICENSE-2.0 +~~ +~~ Unless required by applicable law or agreed to in writing, +~~ software distributed under the License is distributed on an +~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +~~ KIND, either express or implied. See the License for the +~~ specific language governing permissions and limitations +~~ under the License. + +~~ NOTE: For help with the syntax of this file, see: +~~ http://maven.apache.org/guides/mini/guide-apt-format.html + + +Security Vulnerabilities + + Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular + vulnerability you should upgrade to an Apache Continuum version where that vulnerability has been fixed. + +* CVE-2011-0533: Apache Continuum cross-site scripting vulnerability + + A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the + Continuum user management page and project details pages. This fix is available in version {{{./download.html} 1.3.7}} of + Apache Continuum. All users must upgrade to this version (or higher). + + Versions Affected: + + * Continuum 1.3.6 + + * Continuum 1.4.0 (Beta) + + * The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected. + + [] + +* CVE-2010-3449: Apache Continuum CSRF vulnerability + + Apache Continuum doesn't check which form sends credentials. 
An attacker can create a specially crafted page and force + Continuum administrators to view it and change their credentials. To fix this, a referrer check was added to the security + interceptor for all secured actions. A prompt for the administrator's password when changing a user account was also set + in place. This fix is available in version {{{./download.html} 1.3.7}} of Apache Continuum. All users must upgrade to this + version (or higher). + + Versions Affected: + + * Continuum 1.3.6 + + * Continuum 1.4.0 (Beta) + + * The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected. + + [] + + Modified: continuum/site/src/site/xdoc/index.xml URL: http://svn.apache.org/viewvc/continuum/site/src/site/xdoc/index.xml?rev=1069390&r1=1069389&r2=1069390&view=diff ============================================================================== --- continuum/site/src/site/xdoc/index.xml (original) +++ continuum/site/src/site/xdoc/index.xml Thu Feb 10 13:51:03 2011 @@ -71,6 +71,9 @@

Apache License 2.0

+

+ Security Vulnerabilities +
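Review bot: In the security.apt hunk, the CVE-2010-3449 entry names a referrer check on the security interceptor as the CSRF fix but never says what the check does when a request arrives with no Referer header at all; browsers, privacy extensions and proxies strip that header routinely, so an allow-when-absent policy would leave the same credential-changing actions reachable from a crafted page, and the advisory should state that requests with an absent or non-matching Referer are rejected, or make clear that the added password prompt is the control that still holds when the header is missing. The opening sentence of that entry, "Apache Continuum doesn't check which form sends credentials", is also too vague for an advisory; something like "Continuum did not verify the origin of requests that change a user's credentials" says what was actually missing. Two smaller points in the same file: both "Versions Affected" lists jump from "1.1 - 1.2.3.1" to "1.3.6", so say whether 1.3.0 through 1.3.5 are affected or merely unsupported, and "Javascript" in the CVE-2011-0533 text should read "JavaScript".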
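Review bot: The index.xml hunk reaches this archive with its markup stripped, so only a bare "+" line and "Security Vulnerabilities +" survive and the target of the new menu entry cannot be checked from the diff; it should be a link to the page generated from the security.apt added in the same commit (security.html), written in the same element form as the neighbouring "Apache License 2.0" entry so the site menu stays consistent.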