cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r963139 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2015-5175.txt.asc security-advisories.html
Date Wed, 26 Aug 2015 14:47:31 GMT
Author: buildbot
Date: Wed Aug 26 14:47:30 2015
New Revision: 963139

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/security-advisories.data/CVE-2015-5175.txt.asc
Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/security-advisories.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/cxf/content/security-advisories.data/CVE-2015-5175.txt.asc
==============================================================================
--- websites/production/cxf/content/security-advisories.data/CVE-2015-5175.txt.asc (added)
+++ websites/production/cxf/content/security-advisories.data/CVE-2015-5175.txt.asc Wed Aug
26 14:47:30 2015
@@ -0,0 +1,45 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+CVE-2015-5175: Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS)
attacks
+
+Severity: Major
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache CXF Fediz prior to 1.2.1 and
+1.1.3.
+
+Description:
+
+Apache CXF Fediz is a subproject of Apache CXF which implements the
+WS-Federation Passive Requestor Profile for SSO specification. It provides a
+number of container based plugins to enable SSO for Relying Party applications.
+These plugins are potentially vulnerable to DoS attacks due to the fact that
+support for Document Type Declarations (DTDs) is not disabled when parsing
+the response from the Identity Provider (IdP).
+
+This has been fixed in revision:
+
+https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=commit;h=f65c961ea31e3c1851daba8e7e49fc37bbf77b19
+
+Migration:
+
+Fediz 1.1.x users should upgrade to 1.1.3 or later as soon as possible.
+Fediz 1.2.x users should upgrade to 1.2.1 or later as soon as possible.
+
+References: http://cxf.apache.org/security-advisories.html
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAEBAgAGBQJV3IHcAAoJEGe/gLEK1TmDFSEH/04dyMI4uZPOMc/xI1D/4Jf2
+GmtJFzkEDeNVGEUBx3nZW8PwO6zuQ1n7puQpWNNXLyiBY3SRb1rl56WgflgXoJCA
+Ma302BWP3ONVKfTZepwuzIXCLw8WfsXK9yjZKbP38PrURoZJNlgO/KFC4YCK5L+F
+oe09JIpv3412HMGt5RxJQ2c0szBoMEQzQEFpETex9IMCNuLvFmLTRFjGUpYMiFvh
+v/OaOIjUwADJEQyAQlJ0Vr0OROKaApB/nsqnGn1MViRW5qOzJdA0wTi9ic0lZt7F
+OKnptVKFwaICKiNKO/QRkESmbXyxQCrkiXp5urjog7/c0cFzCLeBtNlJ1v+0swI=
+=uJn7
+-----END PGP SIGNATURE-----

Modified: websites/production/cxf/content/security-advisories.html
==============================================================================
--- websites/production/cxf/content/security-advisories.html (original)
+++ websites/production/cxf/content/security-advisories.html Wed Aug 26 14:47:30 2015
@@ -99,7 +99,7 @@ Apache CXF -- Security Advisories
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h3 id="SecurityAdvisories-2015">2015</h3><p>&#160;</p><h3
id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2014-3577.txt.asc?version=1&amp;modificationDate=1419245371000&amp;api=v2"
data-linked-resource-id="51183657" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3577.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="19">CVE-2014-3577</a>:
Apache CXF SSL hostname verification bypass</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3566.txt.asc?version=1&amp;modificationDate=1418740474000&amp;api=v2"
data-linked-resource-id="50561078" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3566.txt.asc" data-nice-type="Text File" data-linked-resourc
 e-content-type="text/plain" data-linked-resource-container-id="27837502" data-linked-resource-container-version="19">Note
on CVE-2014-3566</a>: SSL 3.0 support in Apache CXF, aka the "POODLE" attack.</li><li><a
shape="rect" href="security-advisories.data/CVE-2014-3623.txt.asc?version=1&amp;modificationDate=1414169368000&amp;api=v2"
data-linked-resource-id="47743195" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3623.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="19">CVE-2014-3623</a>:
Apache CXF does not properly enforce the security semantics of SAML SubjectConfirmation methods
when used with the TransportBinding</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3584.txt.asc?version=1&amp;modificationDate=1414169326000&amp;api=v2"
data-linked-resource-id="47743194" data-linked-re
 source-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-3584.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27837502"
data-linked-resource-container-version="19">CVE-2014-3584</a>: Apache CXF JAX-RS
SAML handling is vulnerable to a Denial of Service (DoS) attack</li><li><a
shape="rect" href="security-advisories.data/CVE-2014-0109.txt.asc?version=1&amp;modificationDate=1398873370000&amp;api=v2"
data-linked-resource-id="40895138" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0109.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="19">CVE-2014-0109</a>:
HTML content posted to SOAP endpoint could cause OOM errors</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0110.txt.a
 sc?version=1&amp;modificationDate=1398873378000&amp;api=v2" data-linked-resource-id="40895139"
data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-0110.txt.asc"
data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27837502"
data-linked-resource-container-version="19">CVE-2014-0110</a>: Large invalid content
could cause temporary space to fill</li><li><a shape="rect" href="security-advisories.data/CVE-2014-0034.txt.asc?version=1&amp;modificationDate=1398873385000&amp;api=v2"
data-linked-resource-id="40895140" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0034.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="19">CVE-2014-0034</a>:
The SecurityTokenService accepts certain invalid 
 SAML Tokens as valid</li><li><a shape="rect" href="security-advisories.data/CVE-2014-0035.txt.asc?version=1&amp;modificationDate=1398873391000&amp;api=v2"
data-linked-resource-id="40895141" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0035.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="19">CVE-2014-0035</a>:
UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy</li></ul><h3
id="SecurityAdvisories-2013">2013</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2013-2160.txt.asc?version=1&amp;modificationDate=1372324301000&amp;api=v2"
data-linked-resource-id="33095710" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2013-2160.txt.asc" data-nice-type="Text File" data-linked-resource-content-type=
 "text/plain" data-linked-resource-container-id="27837502" data-linked-resource-container-version="19">CVE-2013-2160</a>
- Denial of Service Attacks on Apache CXF</li><li><a shape="rect" href="cve-2012-5575.html">Note
on CVE-2012-5575</a> - XML Encryption backwards compatibility attack on Apache CXF.</li><li><a
shape="rect" href="cve-2013-0239.html">CVE-2013-0239</a> - Authentication bypass
in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.</li></ul><h3
id="SecurityAdvisories-2012">2012</h3><ul><li><a shape="rect" href="cve-2012-5633.html">CVE-2012-5633</a>
- WSS4JInInterceptor always allows HTTP Get requests from browser.</li><li><a
shape="rect" href="note-on-cve-2011-2487.html">Note on CVE-2011-2487</a> - Bleichenbacher
attack against distributed symmetric key in WS-Security.</li><li><a shape="rect"
href="cve-2012-3451.html">CVE-2012-3451</a> - Apache CXF is vulnerable to SOAP Action
spoofing attacks on Document Literal web services.</li><li><a shape="rect"
href="cv
 e-2012-2379.html">CVE-2012-2379</a> - Apache CXF does not verify that elements were
signed or encrypted by a particular Supporting Token.</li><li><a shape="rect"
href="cve-2012-2378.html">CVE-2012-2378</a> - Apache CXF does not pick up some child
policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.</li><li><a
shape="rect" href="note-on-cve-2011-1096.html">Note on CVE-2011-1096</a> - XML Encryption
flaw / Character pattern encoding attack.</li><li><a shape="rect" href="cve-2012-0803.html">CVE-2012-0803</a>
- Apache CXF does not validate UsernameToken policies correctly.</li></ul><h3
id="SecurityAdvisories-2010">2010</h3><ul><li><a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a>
- DTD based XML attacks.</li></ul></div>
+<div id="ConfluenceContent"><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a
shape="rect" href="security-advisories.data/CVE-2015-5175.txt.asc?version=1&amp;modificationDate=1440598018000&amp;api=v2"
data-linked-resource-id="61316328" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5175.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="20">CVE-2015-5175</a>:
Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks</li></ul><h3
id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2014-3577.txt.asc?version=1&amp;modificationDate=1419245371000&amp;api=v2"
data-linked-resource-id="51183657" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3577.txt.asc" data-ni
 ce-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27837502"
data-linked-resource-container-version="20">CVE-2014-3577</a>: Apache CXF SSL hostname
verification bypass</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3566.txt.asc?version=1&amp;modificationDate=1418740474000&amp;api=v2"
data-linked-resource-id="50561078" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3566.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="20">Note
on CVE-2014-3566</a>: SSL 3.0 support in Apache CXF, aka the "POODLE" attack.</li><li><a
shape="rect" href="security-advisories.data/CVE-2014-3623.txt.asc?version=1&amp;modificationDate=1414169368000&amp;api=v2"
data-linked-resource-id="47743195" data-linked-resource-version="1" data-linked-resource-type="att
 achment" data-linked-resource-default-alias="CVE-2014-3623.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="27837502"
data-linked-resource-container-version="20">CVE-2014-3623</a>: Apache CXF does not
properly enforce the security semantics of SAML SubjectConfirmation methods when used with
the TransportBinding</li><li><a shape="rect" href="security-advisories.data/CVE-2014-3584.txt.asc?version=1&amp;modificationDate=1414169326000&amp;api=v2"
data-linked-resource-id="47743194" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-3584.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="20">CVE-2014-3584</a>:
Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS) attack</li><li><a
shape="rect" href="security-advisories.d
 ata/CVE-2014-0109.txt.asc?version=1&amp;modificationDate=1398873370000&amp;api=v2"
data-linked-resource-id="40895138" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0109.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="20">CVE-2014-0109</a>:
HTML content posted to SOAP endpoint could cause OOM errors</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0110.txt.asc?version=1&amp;modificationDate=1398873378000&amp;api=v2"
data-linked-resource-id="40895139" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0110.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="20">CVE-2014-0110</a>:
Large invalid content co
 uld cause temporary space to fill</li><li><a shape="rect" href="security-advisories.data/CVE-2014-0034.txt.asc?version=1&amp;modificationDate=1398873385000&amp;api=v2"
data-linked-resource-id="40895140" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0034.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="20">CVE-2014-0034</a>:
The SecurityTokenService accepts certain invalid SAML Tokens as valid</li><li><a
shape="rect" href="security-advisories.data/CVE-2014-0035.txt.asc?version=1&amp;modificationDate=1398873391000&amp;api=v2"
data-linked-resource-id="40895141" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0035.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27
 837502" data-linked-resource-container-version="20">CVE-2014-0035</a>: UsernameTokens
are sent in plaintext with a Symmetric EncryptBeforeSigning policy</li></ul><h3
id="SecurityAdvisories-2013">2013</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2013-2160.txt.asc?version=1&amp;modificationDate=1372324301000&amp;api=v2"
data-linked-resource-id="33095710" data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2013-2160.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="27837502" data-linked-resource-container-version="20">CVE-2013-2160</a>
- Denial of Service Attacks on Apache CXF</li><li><a shape="rect" href="cve-2012-5575.html">Note
on CVE-2012-5575</a> - XML Encryption backwards compatibility attack on Apache CXF.</li><li><a
shape="rect" href="cve-2013-0239.html">CVE-2013-0239</a> - Authentication bypass
in the case of WS-SecurityPolicy enable
 d plaintext UsernameTokens.</li></ul><h3 id="SecurityAdvisories-2012">2012</h3><ul><li><a
shape="rect" href="cve-2012-5633.html">CVE-2012-5633</a> - WSS4JInInterceptor always
allows HTTP Get requests from browser.</li><li><a shape="rect" href="note-on-cve-2011-2487.html">Note
on CVE-2011-2487</a> - Bleichenbacher attack against distributed symmetric key in WS-Security.</li><li><a
shape="rect" href="cve-2012-3451.html">CVE-2012-3451</a> - Apache CXF is vulnerable
to SOAP Action spoofing attacks on Document Literal web services.</li><li><a
shape="rect" href="cve-2012-2379.html">CVE-2012-2379</a> - Apache CXF does not verify
that elements were signed or encrypted by a particular Supporting Token.</li><li><a
shape="rect" href="cve-2012-2378.html">CVE-2012-2378</a> - Apache CXF does not pick
up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client
side.</li><li><a shape="rect" href="note-on-cve-2011-1096.html">Note on
CVE-2011-1096</a> - XML Encrypt
 ion flaw / Character pattern encoding attack.</li><li><a shape="rect" href="cve-2012-0803.html">CVE-2012-0803</a>
- Apache CXF does not validate UsernameToken policies correctly.</li></ul><h3
id="SecurityAdvisories-2010">2010</h3><ul><li><a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a>
- DTD based XML attacks.</li></ul></div>
            </div>
            <!-- Content -->
          </td>



Mime
View raw message