cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r858245 - in /websites/production/cxf/content: cache/main.pageCache cve-2012-5575.html security-advisories.html
Date Fri, 12 Apr 2013 16:48:02 GMT
Author: buildbot
Date: Fri Apr 12 16:48:01 2013
New Revision: 858245

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/cve-2012-5575.html
Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/security-advisories.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/cxf/content/cve-2012-5575.html
==============================================================================
--- websites/production/cxf/content/cve-2012-5575.html (added)
+++ websites/production/cxf/content/cve-2012-5575.html Fri Apr 12 16:48:01 2013
@@ -0,0 +1,227 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+  <head>
+    <link type="text/css" rel="stylesheet" href="http://cxf.apache.org/resources/site.css">
+    <script src="http://cxf.apache.org/resources/space.js" type="text/javascript"></script>
+    
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture,
web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support,
integration standards, application integration, middleware, software, solutions, services,
CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework - CVE-2012-5575">
+    <title>
+Apache CXF -- CVE-2012-5575
+    </title>
+  </head>
+<body onload="init()">
+
+
+<table width="100%" cellpadding="0" cellspacing="0">
+  <tr>
+    <td id="cell-0-0" colspan="2">&nbsp;</td>
+    <td id="cell-0-1">&nbsp;</td>
+    <td id="cell-0-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-1-0">&nbsp;</td>
+    <td id="cell-1-1">&nbsp;</td>
+    <td id="cell-1-2">
+      <div style="padding: 5px;">
+        <div id="banner">
+          <!-- Banner -->
+<div id="banner-content">
+<table border="0" cellpadding="0" cellspacing="0" width="100%"><tr><td align="left"
colspan="1" nowrap>
+<a shape="rect" href="http://cxf.apache.org/" title="Apache CXF"><span style="font-weight:
bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="http://www.apache.org/" title="The Apache Software Foundation"><img
border="0" alt="ASF Logo" src="http://cxf.apache.org/images/asf-logo.png"></a>
+</td></tr></table>
+</div>
+          <!-- Banner -->
+        </div>
+      </div>
+      <div id="top-menu">
+        <table border="0" cellpadding="1" cellspacing="0" width="100%">
+          <tr>
+            <td>
+              <div align="left">
+                <!-- Breadcrumbs -->
+<a href="index.html">Index</a>&nbsp;&gt;&nbsp;<a href="security-advisories.html">Security
Advisories</a>&nbsp;&gt;&nbsp;<a href="cve-2012-5575.html">CVE-2012-5575</a>
+                <!-- Breadcrumbs -->
+              </div>
+            </td>
+            <td>
+              <div align="right">
+                <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" href="download.html" title="Download">Download</a>
| <a shape="rect" href="http://cxf.apache.org/docs/index.html">Documentation</a></p></div>
+                <!-- Quicklinks -->
+              </div>
+            </td>
+          </tr>
+        </table>
+      </div>
+    </td>
+    <td id="cell-1-3">&nbsp;</td>
+    <td id="cell-1-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-2-0" colspan="2">&nbsp;</td>
+    <td id="cell-2-1">
+      <table>
+        <tr valign="top">
+          <td height="100%">
+            <div id="wrapper-menu-page-right">
+              <div id="wrapper-menu-page-top">
+                <div id="wrapper-menu-page-bottom">
+                  <div id="menu-page">
+                    <!-- NavigationBar -->
+<div id="navigation"><h3><a shape="rect" name="Navigation-ApacheCXFIndex"></a><a
shape="rect" href="index.html" title="Index">Apache CXF</a></h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="index.html"
title="Index">Home</a></li><li><a shape="rect" href="download.html"
title="Download">Download</a></li><li><a shape="rect" href="people.html"
title="People">People</a></li><li><a shape="rect" href="project-status.html"
title="Project Status">Project Status</a></li><li><a shape="rect"
href="roadmap.html" title="Roadmap">Roadmap</a></li><li><a shape="rect"
href="mailing-lists.html" title="Mailing Lists">Mailing Lists</a></li><li><a
shape="rect" class="external-link" href="http://issues.apache.org/jira/browse/CXF">Issue
Reporting</a></li><li><a shape="rect" href="special-thanks.html" title="Special
Thanks">Special Thanks</a></li><li><a shape="rect" class="external-link"
href="http://www.apache.org/licenses/">License</a></li><li><a shape="rect"
href="security-advisories.html" title="Security Advisories">Security Advisories</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Users"></a>Users</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="http://cxf.apache.org/docs/index.html">User's
Guide</a></li><li><a shape="rect" href="support.html" title="Support">Support</a></li><li><a
shape="rect" href="faq.html" title="FAQ">FAQ</a></li><li><a shape="rect"
href="resources-and-articles.html" title="Resources and Articles">Resources and Articles</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Search"></a>Search</h3>
+
+<form enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action="http://www.google.com/cse">
+  <div>
+    <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
+    <input type="hidden" name="ie" value="UTF-8">
+    <input type="text" name="q" size="21">
+    <input type="submit" name="sa" value="Search">
+  </div>
+</form>
+<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en"></script>
+
+
+<h3><a shape="rect" name="Navigation-Developers"></a>Developers</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="http://cxf.apache.org/docs/cxf-architecture.html">Architecture
Guide</a></li><li><a shape="rect" href="source-repository.html" title="Source
Repository">Source Repository</a></li><li><a shape="rect" href="building.html"
title="Building">Building</a></li><li><a shape="rect" href="automated-builds.html"
title="Automated Builds">Automated Builds</a></li><li><a shape="rect"
href="testing-debugging.html" title="Testing-Debugging">Testing-Debugging</a></li><li><a
shape="rect" href="coding-guidelines.html" title="Coding Guidelines">Coding Guidelines</a></li><li><a
shape="rect" href="getting-involved.html" title="Getting Involved">Getting Involved</a></li><li><a
shape="rect" href="release-management.html" title="Release Management">Release Management</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-Subprojects"></a>Subprojects</h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" href="distributed-osgi.html"
title="Distributed OSGi">Distributed OSGi</a></li><li><a shape="rect"
href="xjc-utils.html" title="XJC Utils">XJC Utils</a></li><li><a shape="rect"
href="build-utils.html" title="Build Utils">Build Utils</a></li><li><a
shape="rect" href="fediz.html" title="Fediz">Fediz</a></li></ul>
+
+
+<h3><a shape="rect" name="Navigation-ASF"></a><a shape="rect" class="external-link"
href="http://www.apache.org">ASF</a></h3>
+
+<ul class="alternate" type="square"><li><a shape="rect" class="external-link"
href="http://www.apache.org/foundation/how-it-works.html">How Apache Works</a></li><li><a
shape="rect" class="external-link" href="http://www.apache.org/foundation/">Foundation</a></li><li><a
shape="rect" class="external-link" href="http://www.apache.org/foundation/sponsorship.html">Sponsor
Apache</a></li><li><a shape="rect" class="external-link" href="http://www.apache.org/foundation/thanks.html">Thanks</a></li><li><a
shape="rect" class="external-link" href="http://www.apache.org/security/">Security</a></li></ul>
+</div>
+                    <!-- NavigationBar -->
+                  </div>
+              </div>
+            </div>
+          </div>
+         </td>
+         <td height="100%">
+           <!-- Content -->
+           <div class="wiki-content">
+<div id="ConfluenceContent"><p>----<del>BEGIN PGP SIGNED MESSAGE</del>----<br
clear="none">
+Hash: SHA1</p>
+
+<p>An XML Encryption backwards compatibility attack on Apache CXF is described by<br
clear="none">
+CVE-2012-5575:</p>
+
+<p><a shape="rect" class="external-link" href="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5575"
rel="nofollow">https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5575</a></p>
+
+<p>This attack relates to a previous security advisory CVE-2011-1096<br clear="none">
+(<a shape="rect" href="http://cxf.apache.org/note-on-cve-2011-1096.html">http://cxf.apache.org/note-on-cve-2011-1096.html</a>).
CVE-2011-1096 exploited a<br clear="none">
+cryptographic weakness in the CBC mode of XML Encryption, to conduct chosen<br clear="none">
+ciphertext attacks leading to the recovery of the entire plaintext. The fix<br clear="none">
+for CVE-2011-1096 was to switch to use GCM instead of CBC. Please see the note <br clear="none">
+linked above for more information.</p>
+
+<p>CVE-2012-5575 resurrects the previous attack by relying on the fact that<br clear="none">
+Apache CXF will attempt to decrypt arbitrary ciphertexts, without first<br clear="none">
+checking to see if the algorithm corresponds to the given encryption algorithm<br clear="none">
+defined by the WS-SecurityPolicy AlgorithmSuite definition. </p>
+
+<p>Migration:</p>
+
+<p>Any version of CXF that uses Apache WSS4J 1.6.7 or below is vulnerable to this<br
clear="none">
+attack. In other words, any version of CXF below 2.5.7, 2.6.4, or 2.7.1. <br clear="none">
+However due to separate security advisories, we urge CXF users to upgrade to<br clear="none">
+one of the latest releases as follows:</p>
+
+<p>CXF 2.5.x users should upgrade to CXF 2.5.10.<br clear="none">
+CXF 2.6.x users should upgrade to CXF 2.6.7.<br clear="none">
+CXF 2.7.x users should upgrade to CXF 2.7.4.</p>
+
+<p>----<del>BEGIN PGP SIGNATURE</del>----<br clear="none">
+Version: GnuPG v1.4.11 (GNU/Linux)</p>
+
+<p>iQEcBAEBAgAGBQJRaC0LAAoJEGe/gLEK1TmDwSoIALmJm+8ke1Yrcq/QycOElEA4<br clear="none">
+JC37j2VxUS7BM9qshojLAN9VWMeuRVpSVkeTPSv4wJaVl/pRKOedOt1x4JHon8sD<br clear="none">
+0jF7H2K0GyzXHDoeh3NVcEtnhRNsizD0wBzqCfoXt8wuHxlq3BAJAcMbNiLenNk1<br clear="none">
+5RarIUeaq7yQLtCf/s99sj643iZgk95x8/ccUUBFmdt4rC695rsC/fRqkM3+IcU4<br clear="none">
+pZpnffMCe5Y0sfUi/54gIiaZ1VoddpFt8NwzkP6AhcQdjLrq/Qoi2gw5wKSkjtQq<br clear="none">
+Jy/D+vifVW95xf+UkCeGl0evozorIx+LZoN6jGHiakv9TxoJ2zE0d69x+wGzFsU=<br clear="none">
+=0gnx<br clear="none">
+----<del>END PGP SIGNATURE</del>----</p></div>
+           </div>
+           <!-- Content -->
+         </td>
+        </tr>
+      </table>
+   </td>
+   <td id="cell-2-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+   <td id="cell-3-0">&nbsp;</td>
+   <td id="cell-3-1">&nbsp;</td>
+   <td id="cell-3-2">
+     <div id="footer">
+       <!-- Footer -->
+       <div id="site-footer">
+         <a href="http://cxf.apache.org/privacy-policy.html">Privacy Policy</a>
- 
+         (<a href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=31817958">edit
page</a>) 
+	 (<a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=31817958&amp;showComments=true&amp;showCommentArea=true#addcomment">add
comment</a>)<br>
+	Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
+        All other marks mentioned may be trademarks or registered trademarks of their respective
owners.
+       </div>
+       <!-- Footer -->
+     </div>
+   </td>
+   <td id="cell-3-3">&nbsp;</td>
+   <td id="cell-3-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-4-0" colspan="2">&nbsp;</td>
+    <td id="cell-4-1">&nbsp;</td>
+    <td id="cell-4-2" colspan="2">&nbsp;</td>
+  </tr>
+</table>
+
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
+document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
+</script>
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+pageTracker._trackPageview();
+} catch(err) {}</script>
+
+</body>
+</html>
+

Modified: websites/production/cxf/content/security-advisories.html
==============================================================================
--- websites/production/cxf/content/security-advisories.html (original)
+++ websites/production/cxf/content/security-advisories.html Fri Apr 12 16:48:01 2013
@@ -136,7 +136,7 @@ Apache CXF -- Security Advisories
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><ul><li><a shape="rect" href="cve-2013-0239.html"
title="CVE-2013-0239">CVE-2013-0239</a> - Authentication bypass in the case of WS-SecurityPolicy
enabled plaintext UsernameTokens.</li><li><a shape="rect" href="cve-2012-5633.html"
title="CVE-2012-5633">CVE-2012-5633</a> - WSS4JInInterceptor always allows HTTP Get
requests from browser.</li><li><a shape="rect" href="note-on-cve-2011-2487.html"
title="Note on CVE-2011-2487">Note on CVE-2011-2487</a> - Bleichenbacher attack against
distributed symmetric key in WS-Security.</li><li><a shape="rect" href="cve-2012-3451.html"
title="CVE-2012-3451">CVE-2012-3451</a> - Apache CXF is vulnerable to SOAP Action
spoofing attacks on Document Literal web services.</li><li><a shape="rect"
href="cve-2012-2379.html" title="CVE-2012-2379">CVE-2012-2379</a> - Apache CXF does
not verify that elements were signed or encrypted by a particular Supporting Token.</li><li><a
shape="rect" href="cve-2012-2378.html" title="CVE
 -2012-2378">CVE-2012-2378</a> - Apache CXF does not pick up some child policies
of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.</li><li><a
shape="rect" href="note-on-cve-2011-1096.html" title="Note on CVE-2011-1096">Note on CVE-2011-1096</a>
- XML Encryption flaw / Character pattern encoding attack.</li><li><a shape="rect"
href="cve-2012-0803.html" title="CVE-2012-0803">CVE-2012-0803</a> - Apache CXF does
not validate UsernameToken policies correctly.</li><li><a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a>
- DTD based XML attacks.</li></ul>
+<div id="ConfluenceContent"><ul><li><a shape="rect" href="cve-2012-5575.html"
title="CVE-2012-5575">Note on CVE-2012-5575</a> - XML Encryption backwards compatibility
attack on Apache CXF.</li><li><a shape="rect" href="cve-2013-0239.html" title="CVE-2013-0239">CVE-2013-0239</a>
- Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.</li><li><a
shape="rect" href="cve-2012-5633.html" title="CVE-2012-5633">CVE-2012-5633</a> -
WSS4JInInterceptor always allows HTTP Get requests from browser.</li><li><a
shape="rect" href="note-on-cve-2011-2487.html" title="Note on CVE-2011-2487">Note on CVE-2011-2487</a>
- Bleichenbacher attack against distributed symmetric key in WS-Security.</li><li><a
shape="rect" href="cve-2012-3451.html" title="CVE-2012-3451">CVE-2012-3451</a> -
Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.</li><li><a
shape="rect" href="cve-2012-2379.html" title="CVE-2012-2379">CVE-2012-2379</a> -
  Apache CXF does not verify that elements were signed or encrypted by a particular Supporting
Token.</li><li><a shape="rect" href="cve-2012-2378.html" title="CVE-2012-2378">CVE-2012-2378</a>
- Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken
policy assertions on the client side.</li><li><a shape="rect" href="note-on-cve-2011-1096.html"
title="Note on CVE-2011-1096">Note on CVE-2011-1096</a> - XML Encryption flaw / Character
pattern encoding attack.</li><li><a shape="rect" href="cve-2012-0803.html"
title="CVE-2012-0803">CVE-2012-0803</a> - Apache CXF does not validate UsernameToken
policies correctly.</li><li><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a>
- DTD based XML attacks.</li></ul>
 </div>
            </div>
            <!-- Content -->



Mime
View raw message