cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r867613 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/ security-advisories.data/CVE-2013-2160.txt.asc security-advisories.html
Date Thu, 27 Jun 2013 09:47:52 GMT
Author: buildbot
Date: Thu Jun 27 09:47:52 2013
New Revision: 867613

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/security-advisories.data/
    websites/production/cxf/content/security-advisories.data/CVE-2013-2160.txt.asc
Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/security-advisories.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/cxf/content/security-advisories.data/CVE-2013-2160.txt.asc
==============================================================================
--- websites/production/cxf/content/security-advisories.data/CVE-2013-2160.txt.asc (added)
+++ websites/production/cxf/content/security-advisories.data/CVE-2013-2160.txt.asc Thu Jun
27 09:47:52 2013
@@ -0,0 +1,53 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+CVE-2013-2160: Denial of Service Attacks on Apache CXF
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache CXF prior to 2.5.10, 2.6.7
+and 2.7.4.
+
+Description:
+
+It is possible to execute Denial of Service attacks on Apache CXF, exploiting
+the fact that the streaming XML parser does not put limits on things like the
+number of elements, number of attributes, the nested structure of the document
+received, etc. The effects of these attacks can vary from causing high CPU
+usage, to causing the JVM to run out of memory.
+
+Apache CXF 2.5.10, 2.6.7 and 2.7.4 onwards pick up Woodstox 4.2.0 as the
+streaming XML parser, which enforces appropriate limits to prevent these
+attacks.
+
+This has been fixed in revisions:
+
+http://svn.apache.org/viewvc?view=revision&revision=1460428
+
+Migration:
+
+CXF 2.5.x users should upgrade to 2.5.10 or later as soon as possible.
+CXF 2.6.x users should upgrade to 2.6.7 or later as soon as possible.
+CXF 2.7.x users should upgrade to 2.7.4 or later as soon as possible.
+
+Credit: This issue was reported by Andreas Falkenberg of SEC Consult
+Deutschland GmbH, and Christian Mainka, Juraj Somorovsky and Joerg Schwenk of
+Ruhr-University Bochum.
+
+References: http://cxf.apache.org/security-advisories.html
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+iQEcBAEBAgAGBQJRzAEPAAoJEGe/gLEK1TmDX+IH/jAVBIlf4Gri4oqTe46/Un8I
+Qc297NQT+aBe9NRftrfv5zAQLPIE8UTAyecr/RILE9Fr5O0OkyR++/AO0V/x0QqL
+Bf2DHuwNN1UZfsjaO8osbUJAVVJLbt5ab4IsVrJNe0EuTEC2X/oQHBMtLr/Vn4Dm
+0YiXUjBRsIz1sGCXJ9ptQasfc4FQaBTRNlhWSoJhsix9EcfhZh3GaewbyXPsOGTU
++zfYsRRWjg+m8GT3b01gsxBRqUNvGw3M0g1Z96raDJSEzW7YRXUpwvrlUkBGvr1c
+drWZ6YqPqYJS7hZru7DbrLky9utR8qJCaPLFNLPA77auTDB9wLyKAslNL/6GhPI=
+=R9Kh
+-----END PGP SIGNATURE-----
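
Review bot: the "This has been fixed in revisions:" section lists a single revision (1460428) even though "Versions Affected" and "Migration" cover three branches (2.5.x, 2.6.x and 2.7.x) and the text says each of 2.5.10, 2.6.7 and 2.7.4 picks up Woodstox 4.2.0; either list the revision on each branch or state that 1460428 is the trunk commit that was merged to the branches, so a reader can verify the fix in the branch they run. The Description also rests the remedy entirely on Woodstox 4.2.0 being the streaming parser CXF uses, so the advisory should say that a deployment which pins an older Woodstox or a different StAX implementation on the classpath will not receive those limits by upgrading CXF alone, and that the new fixed versions should be checked for that dependency after upgrade.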

Modified: websites/production/cxf/content/security-advisories.html
==============================================================================
--- websites/production/cxf/content/security-advisories.html (original)
+++ websites/production/cxf/content/security-advisories.html Thu Jun 27 09:47:52 2013
@@ -132,7 +132,20 @@ Apache CXF -- Security Advisories
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><ul><li><a shape="rect" href="cve-2012-5575.html"
title="CVE-2012-5575">Note on CVE-2012-5575</a> - XML Encryption backwards compatibility
attack on Apache CXF.</li><li><a shape="rect" href="cve-2013-0239.html" title="CVE-2013-0239">CVE-2013-0239</a>
- Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.</li><li><a
shape="rect" href="cve-2012-5633.html" title="CVE-2012-5633">CVE-2012-5633</a> -
WSS4JInInterceptor always allows HTTP Get requests from browser.</li><li><a
shape="rect" href="note-on-cve-2011-2487.html" title="Note on CVE-2011-2487">Note on CVE-2011-2487</a>
- Bleichenbacher attack against distributed symmetric key in WS-Security.</li><li><a
shape="rect" href="cve-2012-3451.html" title="CVE-2012-3451">CVE-2012-3451</a> -
Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.</li><li><a
shape="rect" href="cve-2012-2379.html" title="CVE-2012-2379">CVE-2012-2379</a> -
  Apache CXF does not verify that elements were signed or encrypted by a particular Supporting
Token.</li><li><a shape="rect" href="cve-2012-2378.html" title="CVE-2012-2378">CVE-2012-2378</a>
- Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken
policy assertions on the client side.</li><li><a shape="rect" href="note-on-cve-2011-1096.html"
title="Note on CVE-2011-1096">Note on CVE-2011-1096</a> - XML Encryption flaw / Character
pattern encoding attack.</li><li><a shape="rect" href="cve-2012-0803.html"
title="CVE-2012-0803">CVE-2012-0803</a> - Apache CXF does not validate UsernameToken
policies correctly.</li><li><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a>
- DTD based XML attacks.</li></ul>
+<div id="ConfluenceContent">
+<h3><a shape="rect" name="SecurityAdvisories-2013"></a>2013</h3>
+
+<ul><li><a shape="rect" href="security-advisories.data/CVE-2013-2160.txt.asc?version=1&amp;modificationDate=1372324301037">CVE-2013-2160</a>
- Denial of Service Attacks on Apache CXF</li><li><a shape="rect" href="cve-2012-5575.html"
title="CVE-2012-5575">Note on CVE-2012-5575</a> - XML Encryption backwards compatibility
attack on Apache CXF.</li><li><a shape="rect" href="cve-2013-0239.html" title="CVE-2013-0239">CVE-2013-0239</a>
- Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.</li></ul>
+
+
+<h3><a shape="rect" name="SecurityAdvisories-2012"></a>2012</h3>
+
+<ul><li><a shape="rect" href="cve-2012-5633.html" title="CVE-2012-5633">CVE-2012-5633</a>
- WSS4JInInterceptor always allows HTTP Get requests from browser.</li><li><a
shape="rect" href="note-on-cve-2011-2487.html" title="Note on CVE-2011-2487">Note on CVE-2011-2487</a>
- Bleichenbacher attack against distributed symmetric key in WS-Security.</li><li><a
shape="rect" href="cve-2012-3451.html" title="CVE-2012-3451">CVE-2012-3451</a> -
Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.</li><li><a
shape="rect" href="cve-2012-2379.html" title="CVE-2012-2379">CVE-2012-2379</a> -
Apache CXF does not verify that elements were signed or encrypted by a particular Supporting
Token.</li><li><a shape="rect" href="cve-2012-2378.html" title="CVE-2012-2378">CVE-2012-2378</a>
- Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken
policy assertions on the client side.</li><li><a shape="rect" href="note-on-cve-2011-109
 6.html" title="Note on CVE-2011-1096">Note on CVE-2011-1096</a> - XML Encryption
flaw / Character pattern encoding attack.</li><li><a shape="rect" href="cve-2012-0803.html"
title="CVE-2012-0803">CVE-2012-0803</a> - Apache CXF does not validate UsernameToken
policies correctly.</li></ul>
+
+
+<h3><a shape="rect" name="SecurityAdvisories-2010"></a>2010</h3>
+
+<ul><li><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a>
- DTD based XML attacks.</li></ul>
 </div>
            </div>
            <!-- Content -->
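Review bot: the new CVE-2013-2160 list item is the only entry without a title attribute and the only one whose description ends without a period; add title="CVE-2013-2160" and the trailing period so it matches its siblings. Its href also embeds Confluence attachment parameters (?version=1&amp;modificationDate=1372324301037), which will point at a stale copy if the .asc is ever re-attached (for example re-signed); linking to security-advisories.data/CVE-2013-2160.txt.asc without the query string avoids that. Finally, "Note on CVE-2012-5575" now sits under the 2013 heading while the other 2012-numbered entries are under 2012; if that placement is by publication date rather than CVE year, a short word in the item would stop readers reading it as a misfiling.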


