cxf-commits mailing list archives

From "Colm O hEigeartaigh (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF > Security Advisories
Date Thu, 27 Jun 2013 09:12:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/en/2176/1/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF/Security+Advisories">Security
Advisories</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
        <br/>
                         <h4>Changes (3)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>h3. 2013 <br> <br> * [CVE-2013-2160|^CVE-2013-2160.txt.asc] - Denial
of Service Attacks on Apache CXF <br></td></tr>
            <tr><td class="diff-unchanged" > * [Note on CVE-2012-5575|CVE-2012-5575]
- XML Encryption backwards compatibility attack on Apache CXF. <br> * [CVE-2013-0239|CVE-2013-0239]
- Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>h3. 2012 <br> <br></td></tr>
            <tr><td class="diff-unchanged" > * [CVE-2012-5633|CVE-2012-5633] -
WSS4JInInterceptor always allows HTTP Get requests from browser. <br> * [Note on CVE-2011-2487|Note
on CVE-2011-2487] - Bleichenbacher attack against distributed symmetric key in WS-Security.
<br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > * [Note on CVE-2011-1096|Note on
CVE-2011-1096] - XML Encryption flaw / Character pattern encoding attack. <br> * [CVE-2012-0803|CVE-2012-0803]
- Apache CXF does not validate UsernameToken policies correctly. <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">
<br>h3. 2010 <br> <br></td></tr>
            <tr><td class="diff-unchanged" > * [CVE-2010-2076|http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf]
- DTD based XML attacks. <br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        
<h3><a name="SecurityAdvisories-2013"></a>2013</h3>

<ul>
	<li><span class="error">&#91;CVE-2013-2160|^CVE-2013-2160.txt.asc&#93;</span>
- Denial of Service Attacks on Apache CXF</li>
	<li><a href="/confluence/display/CXF/CVE-2012-5575" title="CVE-2012-5575">Note
on CVE-2012-5575</a> - XML Encryption backwards compatibility attack on Apache CXF.</li>
	<li><a href="/confluence/display/CXF/CVE-2013-0239" title="CVE-2013-0239">CVE-2013-0239</a>
- Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.</li>
</ul>


<h3><a name="SecurityAdvisories-2012"></a>2012</h3>

<ul>
	<li><a href="/confluence/display/CXF/CVE-2012-5633" title="CVE-2012-5633">CVE-2012-5633</a>
- WSS4JInInterceptor always allows HTTP Get requests from browser.</li>
	<li><a href="/confluence/display/CXF/Note+on+CVE-2011-2487" title="Note on CVE-2011-2487">Note
on CVE-2011-2487</a> - Bleichenbacher attack against distributed symmetric key in WS-Security.</li>
	<li><a href="/confluence/display/CXF/CVE-2012-3451" title="CVE-2012-3451">CVE-2012-3451</a>
- Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.</li>
	<li><a href="/confluence/display/CXF/CVE-2012-2379" title="CVE-2012-2379">CVE-2012-2379</a>
- Apache CXF does not verify that elements were signed or encrypted by a particular Supporting
Token.</li>
	<li><a href="/confluence/display/CXF/CVE-2012-2378" title="CVE-2012-2378">CVE-2012-2378</a>
- Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken
policy assertions on the client side.</li>
	<li><a href="/confluence/display/CXF/Note+on+CVE-2011-1096" title="Note on CVE-2011-1096">Note
on CVE-2011-1096</a> - XML Encryption flaw / Character pattern encoding attack.</li>
	<li><a href="/confluence/display/CXF/CVE-2012-0803" title="CVE-2012-0803">CVE-2012-0803</a>
- Apache CXF does not validate UsernameToken policies correctly.</li>
</ul>


<h3><a name="SecurityAdvisories-2010"></a>2010</h3>

<ul>
	<li><a href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf"
class="external-link" rel="nofollow">CVE-2010-2076</a> - DTD based XML attacks.</li>
</ul>
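<p>The 2010 entry above covers DTD based XML attacks against a SOAP endpoint. The check a practitioner wants at that layer is simple to state: a SOAP request never legitimately needs a DTD, so the parser should abort on <code>&lt;!DOCTYPE</code> before it reads the internal subset, which stops both entity-expansion denial of service and external-entity (file or intranet URL) references in one place. The example below is added here as an illustration and is not CXF code; it uses Python's standard-library expat parser, and the three SOAP envelopes (one benign, one with a constructed entity bomb, one with a constructed SYSTEM entity) are made up for this example.</p>

```python
"""Added example: refuse DTDs in inbound SOAP so DTD-based attacks never run.

Not CXF code. It shows, with Python's stdlib expat parser, the check a
SOAP stack needs: abort on <!DOCTYPE> before the internal subset is read.
All sample envelopes below are constructed for this example.
"""
import xml.parsers.expat


def envelope(prolog: bytes, symbol: bytes) -> bytes:
    """Build a minimal SOAP 1.1 request. `prolog` goes between the XML
    declaration and the root element: empty, or an attacker's DOCTYPE."""
    return (
        b'<?xml version="1.0"?>\n' + prolog +
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
        b"  <soap:Body><getQuote><symbol>" + symbol + b"</symbol></getQuote></soap:Body>\n"
        b"</soap:Envelope>"
    )


# Constructed legitimate request: no DTD at all.
BENIGN = envelope(b"", b"ASF")

# Constructed entity bomb: 50 chars * 10 * 10 = 5000 chars from a 3-line DTD.
# Each extra level multiplies by ten again; a few more levels means gigabytes.
ENTITY_BOMB_DTD = (
    b"<!DOCTYPE soap:Envelope [\n"
    b'  <!ENTITY a "' + b"a" * 50 + b'">\n'
    b'  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    b'  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    b"]>\n"
)
BOMB = envelope(ENTITY_BOMB_DTD, b"&c;")

# Constructed external-entity request (the file read / SSRF variant).
XXE = envelope(
    b'<!DOCTYPE soap:Envelope [<!ENTITY f SYSTEM "file:///etc/passwd">]>\n', b"&f;"
)


class DtdNotAllowed(ValueError):
    """Raised the moment a <!DOCTYPE ...> declaration is seen."""


def parse_soap_without_dtd(payload: bytes) -> str:
    """Return the root element name, or raise DtdNotAllowed.

    Expat calls StartDoctypeDeclHandler when it reaches "<!DOCTYPE name",
    before the internal subset is parsed, so no entity is ever declared,
    let alone expanded or fetched. Assumption (true for SOAP services in
    practice): no legitimate request carries a DTD.
    """
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected")

    def on_start(tag, attrs):
        if not root:
            root.append(tag)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    # Belt and braces: refuse to resolve any external entity reference.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(payload, True)
    return root[0]


def classify(payload: bytes) -> str:
    """Outcome for one request: 'accepted:<root>' or 'rejected:<why>'."""
    try:
        return "accepted:" + parse_soap_without_dtd(payload)
    except DtdNotAllowed:
        return "rejected:dtd"
    except xml.parsers.expat.ExpatError:
        return "rejected:malformed"


def symbol_text_length_unguarded(payload: bytes) -> int:
    """What a parser that honours the DTD produces: the number of characters
    the <symbol> element expands to once the entities are substituted."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"inside": False, "chars": 0}

    def on_start(tag, attrs):
        state["inside"] = tag == "symbol"

    def on_end(tag):
        if tag == "symbol":
            state["inside"] = False

    def on_data(data):
        if state["inside"]:
            state["chars"] += len(data)

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_data
    parser.Parse(payload, True)
    return state["chars"]


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("entity bomb", BOMB), ("xxe", XXE)):
        print(f"{name:12s} -> {classify(doc)}")
    print("unguarded expansion of the bomb:", symbol_text_length_unguarded(BOMB))
```

<p>The root-name return value only gives the caller something to check; the point is that the DOCTYPE handler fires before any entity in the internal subset is declared, so the outcome is the same whether the DTD carries an entity bomb or a SYSTEM entity pointing at a local file or an intranet URL. <code>symbol_text_length_unguarded</code> is there to make the amplification concrete: the same 3-line DTD that the guarded parser rejects turns a 3-byte symbol into 5000 characters when a parser honours it.</p>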

    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <a href="https://cwiki.apache.org/confluence/display/CXF/Security+Advisories">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=27837502&revisedVersion=13&originalVersion=12">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>
