From commits-return-44916-apmail-cxf-commits-archive=cxf.apache.org@cxf.apache.org Fri Jan 27 15:50:58 2017 Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 846B419E78 for ; Fri, 27 Jan 2017 15:50:58 +0000 (UTC) Received: (qmail 79314 invoked by uid 500); 27 Jan 2017 15:50:55 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 78287 invoked by uid 500); 27 Jan 2017 15:50:54 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 76973 invoked by uid 99); 27 Jan 2017 15:50:52 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 27 Jan 2017 15:50:52 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 304D33A47BA for ; Fri, 27 Jan 2017 15:50:50 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1005758 [26/27] - in /websites/production/cxf/content: ./ cache/ Date: Fri, 27 Jan 2017 15:50:47 -0000 To: commits@cxf.apache.org From: buildbot@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20170127155050.304D33A47BA@svn01-us-west.apache.org> Modified: websites/production/cxf/content/scalable-cxf-applications-using-jms-transport.html ============================================================================== --- websites/production/cxf/content/scalable-cxf-applications-using-jms-transport.html (original) +++ websites/production/cxf/content/scalable-cxf-applications-using-jms-transport.html Fri Jan 27 15:50:45 2017 
@@ -98,7 +98,7 @@ Apache CXF -- Scalable CXF applications Modified: websites/production/cxf/content/security-advisories.html ============================================================================== --- websites/production/cxf/content/security-advisories.html (original) +++ websites/production/cxf/content/security-advisories.html Fri Jan 27 15:50:45 2017 @@ -89,7 +89,7 @@ Apache CXF -- Security Advisories @@ -99,7 +99,7 @@ Apache CXF -- Security Advisories
-

2016

  • CVE-2016-8739: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE
  • CVE-2016-6812: XSS risk in Apache CXF FormattedServiceListWriter when a request URL contains matrix parameters
  • CVE-2016-4464: Apache CXF Fediz application plugins do not match the SAML AudienceRestriction values against the list of configured audience URIs

2015

  • CVE-2015-5253: Apache CXF SAML SSO processing is vulnerable to a wrapping attack
  • CVE-2015-5175: Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks

2014

  • CVE-2014-3577: Apache CXF SSL hostname verification bypass
  • Note on CVE-2014-3566: SSL 3.0 support in Apache CXF, aka the "POODLE" attack.
  • CVE-2014-3623: Apache CXF does not properly enforce the security semantics of SAML SubjectConfirmation methods when used with the TransportBinding
  • CVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS) attack
  • CVE-2014-0109: HTML content posted to SOAP endpoint could cause OOM errors
  • CVE-2014-0110: Large invalid content could cause temporary space to fill
  • CVE-2014-0034: The SecurityTokenService accepts certain invalid SAML Tokens as valid
  • CVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy

2013

  • CVE-2013-2160 - Denial of Service Attacks on Apache CXF
  • Note on CVE-2012-5575 - XML Encryption backwards compatibility attack on Apache CXF.
  • CVE-2013-0239 - Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.

2012

  • CVE-2012-5633 - WSS4JInInterceptor always allows HTTP Get requests from browser.
  • Note on CVE-2011-2487 - Bleichenbacher attack against distributed symmetric key in WS-Security.
  • CVE-2012-3451 - Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.
  • CVE-2012-2379 - Apache CXF does not verify that elements were signed or encrypted by a particular Supporting Token.
  • CVE-2012-2378 - Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.
  • Note on CVE-2011-1096 - XML Encryption flaw / Character pattern encoding attack.
  • CVE-2012-0803 - Apache CXF does not validate UsernameToken policies correctly.

2010

+

2016

  • CVE-2016-8739: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE
  • CVE-2016-6812: XSS risk in Apache CXF FormattedServiceListWriter when a request URL contains matrix parameters
  • CVE-2016-4464: Apache CXF Fediz application plugins do not match the SAML AudienceRestriction values against the list of configured audience URIs

2015

  • CVE-2015-5253: Apache CXF SAML SSO processing is vulnerable to a wrapping attack
  • CVE-2015-5175: Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks

2014

  • CVE-2014-3577: Apache CXF SSL hostname verification bypass
  • Note on CVE-2014-3566: SSL 3.0 support in Apache CXF, aka the "POODLE" attack.
  • CVE-2014-3623: Apache CXF does not properly enforce the security semantics of SAML SubjectConfirmation methods when used with the TransportBinding
  • CVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS) attack
  • CVE-2014-0109: HTML content posted to SOAP endpoint could cause OOM errors
  • CVE-2014-0110: Large invalid content could cause temporary space to fill
  • CVE-2014-0034: The SecurityTokenService accepts certain invalid SAML Tokens as valid
  • CVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy

2013

  • CVE-2013-2160 - Denial of Service Attacks on Apache CXF
  • Note on CVE-2012-5575 - XML Encryption backwards compatibility attack on Apache CXF.
  • CVE-2013-0239 - Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.

2012

  • CVE-2012-5633 - WSS4JInInterceptor always allows HTTP Get requests from browser.
  • Note on CVE-2011-2487 - Bleichenbacher attack against distributed symmetric key in WS-Security.
  • CVE-2012-3451 - Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.
  • CVE-2012-2379 - Apache CXF does not verify that elements were signed or encrypted by a particular Supporting Token.
  • CVE-2012-2378 - Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.
  • Note on CVE-2011-1096 - XML Encryption flaw / Character pattern encoding attack.
  • CVE-2012-0803 - Apache CXF does not validate UsernameToken policies correctly.

2010

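Review bot: in the security-advisories.html hunk at @@ -99,7 +99,7 @@ the removed (-) block and the added (+) block render to identical text (the same 2016 through 2010 advisory list, entry for entry), so the real change is in markup or whitespace that this extraction does not show; before publishing, diff the generated HTML of that hunk to confirm only the intended attribute or whitespace changed and that no advisory entry or its link was dropped or reordered. Two smaller points visible in the same lines: the 2010 heading closes the block with no entries under it in both versions, so check that the hunk boundary has not cut off the 2010 advisories, and the entry format is inconsistent (2014 onward uses "CVE-…: summary", 2013 and earlier use "CVE-… - summary" with a trailing period), which a regeneration of this page would be a good moment to normalize.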
Modified: websites/production/cxf/content/setting-up-eclipse.html ============================================================================== --- websites/production/cxf/content/setting-up-eclipse.html (original) +++ websites/production/cxf/content/setting-up-eclipse.html Fri Jan 27 15:50:45 2017 @@ -98,7 +98,7 @@ Apache CXF -- Setting up Eclipse Modified: websites/production/cxf/content/site.html ============================================================================== --- websites/production/cxf/content/site.html (original) +++ websites/production/cxf/content/site.html Fri Jan 27 15:50:45 2017 @@ -89,7 +89,7 @@ Apache CXF -- Site Modified: websites/production/cxf/content/source-repository.html ============================================================================== --- websites/production/cxf/content/source-repository.html (original) +++ websites/production/cxf/content/source-repository.html Fri Jan 27 15:50:45 2017 @@ -98,7 +98,7 @@ Apache CXF -- Source Repository Modified: websites/production/cxf/content/special-thanks.html ============================================================================== --- websites/production/cxf/content/special-thanks.html (original) +++ websites/production/cxf/content/special-thanks.html Fri Jan 27 15:50:45 2017 @@ -89,7 +89,7 @@ Apache CXF -- Special Thanks Modified: websites/production/cxf/content/support.html ============================================================================== --- websites/production/cxf/content/support.html (original) +++ websites/production/cxf/content/support.html Fri Jan 27 15:50:45 2017 @@ -89,7 +89,7 @@ Apache CXF -- Support Modified: websites/production/cxf/content/testing-debugging.html ============================================================================== --- websites/production/cxf/content/testing-debugging.html (original) +++ websites/production/cxf/content/testing-debugging.html Fri Jan 27 15:50:45 2017 
@@ -98,7 +98,7 @@ Apache CXF -- Testing-Debugging Modified: websites/production/cxf/content/using-ws-policy-in-cxf-projects.html ============================================================================== --- websites/production/cxf/content/using-ws-policy-in-cxf-projects.html (original) +++ websites/production/cxf/content/using-ws-policy-in-cxf-projects.html Fri Jan 27 15:50:45 2017 @@ -99,7 +99,7 @@ Apache CXF -- Using WS-Policy in CXF pro