cxf-commits mailing list archives

Subject svn commit: r928502 - in /websites/production/cxf/content: cache/main.pageCache cve-2014-3566.html
Date Sun, 09 Nov 2014 14:46:48 GMT
Author: buildbot
Date: Sun Nov  9 14:46:47 2014
New Revision: 928502

Production update by buildbot for cxf


Modified: websites/production/cxf/content/cache/main.pageCache
Binary files - no diff available.

Added: websites/production/cxf/content/cve-2014-3566.html
--- websites/production/cxf/content/cve-2014-3566.html (added)
+++ websites/production/cxf/content/cve-2014-3566.html Sun Nov  9 14:46:47 2014
@@ -0,0 +1,149 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "">
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+  <head>
+<link type="text/css" rel="stylesheet" href="/resources/site.css">
+<script src='/resources/space.js'></script>
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service Oriented Architecture,
web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic Data Interchange, standards support,
integration standards, application integration, middleware, software, solutions, services,
CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework - CVE-2014-3566">
+    <title>
+Apache CXF -- CVE-2014-3566
+    </title>
+  </head>
+<body onload="init()">
+<table width="100%" cellpadding="0" cellspacing="0">
+  <tr>
+    <td id="cell-0-0" colspan="2">&nbsp;</td>
+    <td id="cell-0-1">&nbsp;</td>
+    <td id="cell-0-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-1-0">&nbsp;</td>
+    <td id="cell-1-1">&nbsp;</td>
+    <td id="cell-1-2">
+      <!-- Banner -->
+<div class="banner" id="banner"><div><table border="0" cellpadding="0" cellspacing="0"
width="100%"><tr><td align="left" colspan="1" nowrap>
+<a shape="rect" href="" title="Apache CXF"><span style="font-weight:
bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="" title="The Apache Software Foundation"><img
border="0" alt="ASF Logo" src=""></a>
+      <!-- Banner -->
+      <div id="top-menu">
+        <table border="0" cellpadding="1" cellspacing="0" width="100%">
+          <tr>
+            <td>
+              <div align="left">
+                <!-- Breadcrumbs -->
+<a href="index.html">Index</a>&nbsp;&gt;&nbsp;<a href="cve-2014-3566.html">CVE-2014-3566</a>
+                <!-- Breadcrumbs -->
+              </div>
+            </td>
+            <td>
+              <div align="right">
+                <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" href="download.html">Download</a>
| <a shape="rect" href="">Documentation</a></p></div>
+                <!-- Quicklinks -->
+              </div>
+            </td>
+          </tr>
+        </table>
+      </div>
+    </td>
+    <td id="cell-1-3">&nbsp;</td>
+    <td id="cell-1-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-2-0" colspan="2">&nbsp;</td>
+    <td id="cell-2-1">
+      <table>
+        <tr valign="top">
+          <td height="100%">
+            <div id="wrapper-menu-page-right">
+              <div id="wrapper-menu-page-top">
+                <div id="wrapper-menu-page-bottom">
+                  <div id="menu-page">
+                    <!-- NavigationBar -->
+<div id="navigation"><h3 id="Navigation-ApacheCXF"><a shape="rect" href="index.html">Apache
CXF</a></h3><ul class="alternate"><li><a shape="rect" href="index.html">Home</a></li><li><a
shape="rect" href="download.html">Download</a></li><li><a shape="rect"
href="people.html">People</a></li><li><a shape="rect" href="project-status.html">Project
Status</a></li><li><a shape="rect" href="roadmap.html">Roadmap</a></li><li><a
shape="rect" href="mailing-lists.html">Mailing Lists</a></li><li><a
shape="rect" class="external-link" href="">Issue
Reporting</a></li><li><a shape="rect" href="special-thanks.html">Special
Thanks</a></li><li><a shape="rect" class="external-link" href="">License</a></li><li><a
shape="rect" href="security-advisories.html">Security Advisories</a></li></ul><h3
id="Navigation-Users">Users</h3><ul class="alternate"><li><a shape="rect"
href="">User's Guide</a></li><li>
 <a shape="rect" href="support.html">Support</a></li><li><a shape="rect"
href="faq.html">FAQ</a></li><li><a shape="rect" href="resources-and-articles.html">Resources
and Articles</a></li></ul><h3 id="Navigation-Search">Search</h3><form
enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" action=""><div>
<input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4"> <input
type="hidden" name="ie" value="UTF-8"> <input type="text" name="q" size="21"> <input
type="submit" name="sa" value="Search"> </div> </form> <script type="text/javascript"
<h3 id="Navigation-Developers">Developers</h3><ul class="alternate"><li><a
shape="rect" href="">Architecture Guide</a></li><li><a
shape="rect" href="source-repository.html">Source Repository</a></li><li><a
shape="rect" href="building.html">Building</a></li><li><a 
 shape="rect" href="automated-builds.html">Automated Builds</a></li><li><a
shape="rect" href="testing-debugging.html">Testing-Debugging</a></li><li><a
shape="rect" href="coding-guidelines.html">Coding Guidelines</a></li><li><a
shape="rect" href="getting-involved.html">Getting Involved</a></li><li><a
shape="rect" href="release-management.html">Release Management</a></li></ul><h3
id="Navigation-Subprojects">Subprojects</h3><ul class="alternate"><li><a
shape="rect" href="distributed-osgi.html">Distributed OSGi</a></li><li><a
shape="rect" href="xjc-utils.html">XJC Utils</a></li><li><a shape="rect"
href="build-utils.html">Build Utils</a></li><li><a shape="rect" href="fediz.html">Fediz</a></li></ul><h3
id="Navigation-ASF"><a shape="rect" class="external-link" href="">ASF</a></h3><ul
class="alternate"><li><a shape="rect" class="external-link" href="">How
Apache Works</a></li><li><a shape="rect" class="external-link" href
 ="">Foundation</a></li><li><a shape="rect"
class="external-link" href="">Sponsor
Apache</a></li><li><a shape="rect" class="external-link" href="">Thanks</a></li><li><a
shape="rect" class="external-link" href="">Security</a></li></ul></div>
+                    <!-- NavigationBar -->
+                  </div>
+              </div>
+            </div>
+          </div>
+         </td>
+         <td height="100%">
+           <!-- Content -->
+           <div class="wiki-content">
+<div id="ConfluenceContent"><p>The SSL protocol 3.0 uses non-deterministic CBC
padding, which makes it easier for man-in-the-middle attackers to obtain clear text data via
a padding-oracle attack, aka the "POODLE" issue.</p><p>Encryption in SSL 3.0 uses
either the RC4 stream cipher, or a block cipher in CBC mode. RC4 is well known to have biases
[RC4&#173;biases],meaning that if the same secret (such as a password or HTTP cookie)
is sent over many connections and thus encrypted with many RC4 streams, more and more information
about it will leak.</p><p>The problem with POODLE comes when the connection is
downgraded to use SSL 3.0 when higher level TLS comms fail. If an attacker in the middle of
a connection can cause this failure then they may be able to force the browser to do exactly
what it&#8217;s designed to do &#8211; fall back to SSL 3.0 and try again.</p><p>&#160;</p><p>Problem
fixed in CXF <span class="value editable-field inactive" title="Click to edit"><span
 "> <a shape="rect" class="external-link" href=""
title="3.0.3 ">3.0.3</a>, <a shape="rect" class="external-link" href=""
title="2.7.14 ">2.7.14</a> </span></span>by disabling by default for
both clients, as well as Jetty servers configured via CXF's HTTPJ namespace: <a shape="rect"
class="external-link" href="">CXF-6086</a></p></div>
+           </div>
+           <!-- Content -->
+         </td>
+        </tr>
+      </table>
+   </td>
+   <td id="cell-2-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+   <td id="cell-3-0">&nbsp;</td>
+   <td id="cell-3-1">&nbsp;</td>
+   <td id="cell-3-2">
+     <div id="footer">
+       <!-- Footer -->
+       <div id="site-footer">
+         <a href="">Privacy Policy</a>
+         (<a href="">edit
+	 (<a href=";showComments=true&amp;showCommentArea=true#addcomment">add
+	Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The Apache Software Foundation.<br>
+        All other marks mentioned may be trademarks or registered trademarks of their respective
+       </div>
+       <!-- Footer -->
+     </div>
+   </td>
+   <td id="cell-3-3">&nbsp;</td>
+   <td id="cell-3-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-4-0" colspan="2">&nbsp;</td>
+    <td id="cell-4-1">&nbsp;</td>
+    <td id="cell-4-2" colspan="2">&nbsp;</td>
+  </tr>
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
+document.write(unescape("%3Cscript src='" + gaJsHost + "' type='text/javascript'%3E%3C/script%3E"));
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+} catch(err) {}</script>
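Review bot: The "Problem fixed in CXF" sentence in the ConfluenceContent div says the fix works "by disabling by default for both clients, as well as Jetty servers configured via CXF's HTTPJ namespace" but never names what is disabled. State the object explicitly (for example "by disabling SSL 3.0 by default"), since that is the one fact a reader takes away from this advisory. The same sentence carries a pasted editing wrapper, a span with class "value editable-field inactive" and title "Click to edit", followed by a malformed nested span; drop both so the version list is just the 3.0.3 and 2.7.14 links. The RC4 paragraph cites [RC4 biases] with no reference behind it and never ties back to the CBC padding problem stated in the first paragraph, so either add the reference and the connection or trim the paragraph. The page also gives no guidance for users who cannot yet move to 3.0.3 or 2.7.14; a sentence on how to restrict the protocol in existing client and HTTPJ server configuration would make the advisory actionable.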
