From: Daniel Kulp
To: dev@cxf.apache.org, users@cxf.apache.org
Subject: [Important] Apache CXF security advisory CVE-2010-2076
Date: Wed, 16 Jun 2010 11:29:13 -0400
Message-Id: <201006161129.17025.dkulp@apache.org>
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256

The Apache CXF team recently discovered a security issue that may allow an attacker to carry out denial of service attacks and to read arbitrary files on the file system of the node where CXF runs. Details of the vulnerability are described in the following advisory:

http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf

This vulnerability may potentially be exploited on any CXF installation that receives XML messages from untrusted sources. We strongly recommend that all users who manage this type of installation follow the instructions in the above advisory in order to mitigate the security risk caused by this vulnerability.

-- 
The Apache CXF team
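The announcement names the impact (denial of service and arbitrary file read from untrusted XML) but leaves the mechanism to the linked advisory. That impact profile is what DTD-driven attacks on an XML consumer produce (an external entity that resolves to a local file, and nested entity expansion); whether that is the mechanism behind CVE-2010-2076 is for the advisory to say, and is assumed here, not stated by the e-mail. The following is an added example, not code from the advisory or from the Apache CXF project: a plain StAX check that any endpoint accepting XML from untrusted callers can apply, run against constructed sample SOAP messages. The class and method names (UntrustedXmlCheck, hardenedFactory, parse) and the three sample envelopes are hypothetical; the nested-entity sample is kept to 27 copies so it is safe to run.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Hypothetical check for an endpoint that accepts SOAP/XML from untrusted
 * callers: a StAX factory that refuses DTDs and external entities, exercised
 * against constructed sample messages. This is not CXF code; CXF configures
 * its own parser inside the framework.
 */
public class UntrustedXmlCheck {

    // Constructed sample: an ordinary request with no DOCTYPE.
    static final String BENIGN =
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body><getQuote>CXF</getQuote></soap:Body></soap:Envelope>";

    // Constructed sample: an external entity that resolves to a local file.
    static final String EXTERNAL_ENTITY =
        "<!DOCTYPE soap:Envelope [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
      + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body><getQuote>&xxe;</getQuote></soap:Body></soap:Envelope>";

    // Constructed sample: nested entity expansion, deliberately tiny
    // (3 levels, 27 copies of "lol"); a real attack nests far deeper.
    static final String EXPANSION =
        "<!DOCTYPE soap:Envelope ["
      + "<!ENTITY lol \"lol\">"
      + "<!ENTITY lol1 \"&lol;&lol;&lol;\">"
      + "<!ENTITY lol2 \"&lol1;&lol1;&lol1;\">"
      + "<!ENTITY lol3 \"&lol2;&lol2;&lol2;\">"
      + "]>"
      + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body><getQuote>&lol3;</getQuote></soap:Body></soap:Envelope>";

    /** Factory that neither processes DTDs nor resolves external entities. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /**
     * Streams the document and returns its character content, or null if the
     * message is rejected. Rejection happens when the parser raises an error
     * (with SUPPORT_DTD off, an entity reference cannot be resolved and is a
     * well-formedness error) or, when rejectDoctype is set, as soon as a
     * DOCTYPE appears at all: an untrusted SOAP message has no business
     * carrying one, so refusing it outright does not depend on parser details.
     */
    static String parse(XMLInputFactory factory, String xml, boolean rejectDoctype) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.DTD && rejectDoctype) {
                    r.close();
                    return null;
                }
                if (event == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
        } catch (XMLStreamException e) {
            return null;
        }
        return text.toString();
    }

    public static void main(String[] args) {
        XMLInputFactory hardened = hardenedFactory();
        System.out.println("benign    -> " + parse(hardened, BENIGN, true));
        System.out.println("xxe       -> " + parse(hardened, EXTERNAL_ENTITY, true));
        System.out.println("expansion -> " + parse(hardened, EXPANSION, true));

        // Contrast: a default factory expands the nested entities in place.
        // The same default would also try to read the file named in
        // EXTERNAL_ENTITY, so that case is deliberately not run here.
        String expanded = parse(XMLInputFactory.newInstance(), EXPANSION, false);
        System.out.println("default expansion -> "
            + (expanded == null ? "rejected" : expanded.length() + " chars"));
    }
}
```

Both hardened-factory properties matter: SUPPORT_DTD=false stops the parser from acting on the internal subset, and IS_SUPPORTING_EXTERNAL_ENTITIES=false is the backstop for implementations that still honour SYSTEM entities. Treating any DOCTYPE as a rejection on its own makes the outcome the same whichever StAX implementation (the JDK's or Woodstox) is on the classpath.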