2.1.x Security Report has been edited by Donald Woods (Aug 26, 2008).


Apache Geronimo 2.1.x vulnerabilities

This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache Geronimo 2.1. Each vulnerability is given a security impact rating by either the Apache Geronimo team or the dependent project supplying the fix; please note that this rating is not uniform and will vary from project to project. We also list the versions of Apache Geronimo the flaw is known to affect; where a flaw has not been verified, the version is listed with a question mark.

Please send comments or corrections for these vulnerabilities to the Geronimo Security mailing list.


Known vulnerabilities (targeting build 20080827)

DWR

Upgraded from DWR 2.0.3 to 2.0.5 to include the following security fixes -

  • DWR version 2.0.5 fixed 1 XSS vulnerability in r2077
    r2077 | joe | 2008-06-22 09:28:22 -0400 (Sun, 22 Jun 2008) | 7 lines
    
    Fix for XSS issue in ExceptionHandler:
    
    PartialResponse.fromOrdinal() throws a NumberFormatException trying to
    parse the 'partialResponse' parameter.  This exception is never caught,
    prompting UrlProcessor to invoke DWR's default ExceptionHandler class,
    which calls out.println(cause.getMessage()), thereby causing the XSS.
    

JIRA: GERONIMO-4266
Affects: 2.1-2.1.2
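The bug shape described in the r2077 log, modelled as an added example (this is not DWR's or Geronimo's code): Integer.parseInt embeds the unparsed request parameter in the NumberFormatException message, so a generic handler that prints cause.getMessage() echoes request data into the response. The class, enum and method names below are illustrative stand-ins, not DWR's API.

```java
/* Added example, not DWR's code: a model of the bug shape described in the r2077 log
 * and of the defensive fix. Names (PartialResponse, fromOrdinal, render*) are illustrative. */
public final class PartialResponseRendering {

    /** Stand-in for DWR's PartialResponse enum; the real constants do not matter here. */
    enum PartialResponse { NO, YES, FLUSH }

    /** Parses the 'partialResponse' request parameter. Integer.parseInt throws a
     *  NumberFormatException whose message embeds the unparsed (request-controlled) input. */
    static PartialResponse fromOrdinal(String raw) {
        int ordinal = Integer.parseInt(raw);
        PartialResponse[] values = PartialResponse.values();
        if (ordinal < 0 || ordinal >= values.length) {
            throw new IllegalArgumentException("ordinal out of range");
        }
        return values[ordinal];
    }

    /** Vulnerable shape: the parse failure is not handled where it occurs, so a generic
     *  handler writes cause.getMessage() straight into the response body. */
    static String renderVulnerable(String partialResponseParam) {
        try {
            return "mode=" + fromOrdinal(partialResponseParam);
        } catch (RuntimeException cause) {
            return cause.getMessage();
        }
    }

    /** Hardened shape: invalid input is caught where it is parsed and answered with a
     *  fixed message, so no request-derived text reaches the page. */
    static String renderHardened(String partialResponseParam) {
        try {
            return "mode=" + fromOrdinal(partialResponseParam);
        } catch (IllegalArgumentException e) {   // NumberFormatException is a subclass
            return "Invalid partialResponse parameter";
        }
    }

    public static void main(String[] args) {
        String tainted = "<b>not-a-number</b>";   // constructed input containing markup
        System.out.println("vulnerable: " + renderVulnerable(tainted));
        System.out.println("hardened:   " + renderHardened(tainted));
        System.out.println("valid:      " + renderHardened("1"));
    }
}
```

Save as PartialResponseRendering.java; the first line of output shows the markup passing through unchanged, which is what the log describes for the unpatched ExceptionHandler.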


Fixed in Geronimo 2.1.3-SNAPSHOT build 20080825 or later

Please visit the 2.1.3 Release Status page for details on the expected content and target release date.

ActiveMQ

Included ActiveMQ patch for the following security exposure -

  • AMQ-1272 - Stomp protocol does not correctly check authentication (security hole)

JIRA: GERONIMO-4262
Affects: 2.1-2.1.2

Tomcat

Upgraded from Tomcat 6.0.16 to 6.0.18 to include the following security fixes -

For more details on each fix, please visit the Tomcat 6.x Security page.

JIRA: GERONIMO-4245
Affects: 2.1-2.1.2


Fixed in Geronimo 2.1.2

DWR

Upgraded from DWR 2.0.1 to 2.0.3 to include the following security fixes -

JIRA: GERONIMO-4116
Affects: 2.1-2.1.1


Fixed in Geronimo 2.1.1

