geronimo-scm mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From conflue...@apache.org
Subject [CONF] Apache Geronimo > Geronimo 2.2.x CVE-2010-1632 Patch Instructions
Date Wed, 29 Sep 2010 13:00:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=GMOxSITE&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.2.x+CVE-2010-1632+Patch+Instructions">Geronimo
2.2.x CVE-2010-1632 Patch Instructions</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~rickmcguire">Rick
McGuire</a>
    </h4>
        <br/>
                         <h4>Changes (7)</h4>
                                 
    
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h2.How can I avoid these vulnerabilities
in Apache Geronimo? <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >These vulnerabilities will be
fixed in a future Geronimo v2.2.1 <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">release
that will be available once the axis2 1.5.2 and axiom 1.2.9 releases are available.</span>
<span class="diff-added-words"style="background-color: #dfd;">release.</span>
 Until the new releases are available, the web services support can be disabled or the release
can be patched with updated axis2 and axiom components. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>If you are not using the
web services support, you can explicitly disable the web services to remove the vulnerability.
 To disable all web services, make the following  <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >Follow these steps if you are using
Apache Axis2 as the web services runtime in Geronimo v2.2.  By default, the Geronimo Tomcat
assembly uses Axis2 as the web services runtime. <br> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">This
vulnerability will be fixed in the axiom 1.2.9 and axis2 1.5.2 releases, which are not yet
available.  Patching the Geronimo server requires building these components from source. 
<br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">This
vulnerability is fixed in the axiom 1.2.9 and axis2 1.5.2 releases.  Patching the Geronimo
server requires replacing these components in the server repository.  <br></td></tr>
            <tr><td class="diff-unchanged" > <br>* If your server is running
stop the server. <br>* Make a backup of the directories &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/
and &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/.  Once done, delete
the directories &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/ and &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/.
<br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">*
Checkout the axiom 1.2.9 source from the svn repository and build the axiom release:     
                                                                  <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">*
Download the 1.2.9 version of all jars present in the axiom repository directory from [http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/].
For example, axiom-api-1.2.9.jar can be downloaded from [http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-api/1.2.9/].
The following jars are required: <br>** [http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-api/1.2.9/axiom-api-1.2.9.jar]
<br>** [http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-dom/1.2.9/axiom-dom-1.2.9.jar]
<br>** [http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-impl/1.2.9/axiom-impl-1.2.9.jar]
<br>* Copy all the jars according to the original repository directory structure. For
example, copy axiom-api-1.2.9.jar to &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/1.2.9.
<br>* Download the 1.5.2 version of all jars present in the axis2 repository directory
from [http://repo1.maven.org/maven2/org/apache/axis2/]. For example, axis2-jaxws-1.5.2.jar
can be downloaded from [http://repo1.maven.org/maven2/org/apache/axis2/axis2-jaxws/1.5.2/axis2-jaxws-1.5.2.jar].
The following jars are required: <br>** [http://repo1.maven.org/maven2/org/apache/axis2/axis2-jaxws/1.5.2/axis2-jaxws-1.5.2.jar]
<br>** [http://repo1.maven.org/maven2/org/apache/axis2/axis2-kernel/1.5.2/axis2-kernel-1.5.2.jar]
<br>** [http://repo1.maven.org/maven2/org/apache/axis2/axis2-metadata/1.5.2/axis2-metadata-1.5.2.jar]
<br>** [http://repo1.maven.org/maven2/org/apache/axis2/axis2-saaj/1.5.2/axis2-saaj-1.5.2.jar]
<br>** [http://repo1.maven.org/maven2/org/apache/axis2/axis2-transport-http/1.5.2/axis2-transport-http-1.5.2.jar]
<br>** [http://repo1.maven.org/maven2/org/apache/axis2/axis2-transport-local/1.5.2/axis2-transport-local-1.5.2.jar]
<br>* Copy all the jars according to the original repository directory structure. For
example, copy axis2-jaxws-1.5.2.jar to &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/axis2-jaxws/1.5.2.
<br></td></tr>
            <tr><td class="diff-changed-lines" ><span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">{noformat}</span>
<span class="diff-added-words"style="background-color: #dfd;"> </span> <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">svn
co http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1.2.9/ axiom <br>cd
axiom  <br>mvn clean install  <br>{noformat}                  <br>* Copy
the 1.2.9 version of all jars from the build to the original directory structure.  For example,
axiom-api-1.2.9.jar can be copied from axiom/modules/axiom-api/target/.  The following jars
are required:  <br>{noformat}             <br>axiom/modules/axiom-api/target/axiom-api-1.2.9.jar
<br>axiom/modules/axiom-dom/target/axiom-dom-1.2.9.jar <br>axiom/modules/axiom-impl/target/axiom-impl-1.2.9.jar
<br>{noformat}             <br>* Checkout revision 952842 from the axis2 trunk
and rebuild the axis2 release:                                                           
            <br>{noformat}             <br>svn co https://svn.apache.org/repos/asf/axis/axis2/java/core/trunk@952842
axis2 <br>cd axis2 <br>mvn clean install -Dmaven.test.skip=true  <br>{noformat}
            <br>*  Copy the SNAPSHOT version of all jars present in the axis2 repository
directory to the original directory structure, renaming the jar versions from * -SNAPSHOT
to * -1.5.2-r952842. For example, axis2-kernel-SNAPSHOT.jar should be copied from axis2/modules/kernel/target/axis2-kernel-SNAPSHOT.jar
to &lt;GERONIMO_HOME&gt;//repository/org/apache/axis2/axis2-kernel/1.5.2-r952842/axis2-kernel-1.5.2-r952842.jar.
 The following jars are required:  <br>{noformat}             <br>axis2/modules/jaxws/target/axis2-jaxws-SNAPSHOT.jar
<br>axis2/modules/kernel/target/axis2-kernel-SNAPSHOT.jar <br>axis2/modules/metadata/target/axis2-metadata-SNAPSHOT.jar
<br>axis2/modules/saaj/target/axis2-saaj-SNAPSHOT.jar <br>axis2/modules/transport/http/target/axis2-transport-http-SNAPSHOT.jar
<br>axis2/modules/transport/local/target/axis2-transport-local-SNAPSHOT.jar <br>{noformat}
            <br></td></tr>
            <tr><td class="diff-unchanged" >* Open the &lt;GERONIMO_HOME&gt;/var/config/artifact_aliases.properties
in edit mode and add the following entries: <br>{noformat}             <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
        </table>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-Geronimo2.1.xPatchInstructionsforCVE20101632andCVE20102076"></a>Geronimo
2.1.x Patch Instructions for CVE-2010-1632 and CVE-2010-2076</h1>

<p>The Axis2 team has recently discovered a security vulnerability which may allow a
remote attacker to launch a denial of service attack. It is also possible for the attacker
to steal information from the machine which is running the web services. For more information
on this security vulnerability please refer the following document:</p>

<ul>
	<li><a href="https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf</a></li>
</ul>


<p>A similar vulnerability is found in the Apache CXF web services runtime as well.
 The CXF vulnerability is documented in the following document:</p>

<ul>
	<li><a href="https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf"
class="external-link" rel="nofollow">https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf</a></li>
</ul>


<h2><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-HowisApacheGeronimoAffected%3F"></a>How
is Apache Geronimo Affected?</h2>

<p>Apache Geronimo includes Apache Axis2 and Apache CXF as the web services runtimes.
As a result, web services running on Apache Geronimo are vulnerable to this security issue.</p>

<p>These issues have been fixed in Apache CXF v2.1.10, Apache Axis2 v1.5.2, and Axiom
v1.2.9.  </p>

<h2><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-HowcanIavoidthesevulnerabilitiesinApacheGeronimo%3F"></a>How
can I avoid these vulnerabilities in Apache Geronimo?</h2>

<p>These vulnerabilities will be fixed in a future Geronimo v2.2.1 release.  Until the
new releases are available, the web services support can be disabled or the release can be
patched with updated axis2 and axiom components. </p>

<p>If you are not using the web services support, you can explicitly disable the web
services to remove the vulnerability.  To disable all web services, make the following <br/>
updates to &lt;GERONIMO_HOME&gt;/var/config/config.xml file:</p>
<ol>
	<li>Remove the condition attribute and add the load="false"  attribute to org.apache.geronimo.configs/cxf-deployer//car
module.</li>
	<li>Remove the condition attribute and add the load="false" attribute to org.apache.geronimo.configs/axis2-deployer//car
module.</li>
</ol>


<p>If you still require web services access, the following steps will upgrade the Axis2
and CXF versions used by the server. </p>

<h3><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-UpgradingAxis2andCXFonanexistingserver"></a>Upgrading
Axis2 and CXF on an existing server</h3>

<h4><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-UpgradingAxis2"></a>Upgrading
Axis2</h4>

<p>Follow these steps if you are using Apache Axis2 as the web services runtime in Geronimo
v2.2.  By default, the Geronimo Tomcat assembly uses Axis2 as the web services runtime.</p>

<p>This vulnerability is fixed in the axiom 1.2.9 and axis2 1.5.2 releases.  Patching
the Geronimo server requires replacing these components in the server repository. </p>

<ul>
	<li>If your server is running stop the server.</li>
	<li>Make a backup of the directories &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/
and &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/.  Once done, delete
the directories &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/ and &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/.</li>
	<li>Download the 1.2.9 version of all jars present in the axiom repository directory
from <a href="http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/" class="external-link"
rel="nofollow">http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/</a>. For
example, axiom-api-1.2.9.jar can be downloaded from <a href="http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-api/1.2.9/"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-api/1.2.9/</a>.
The following jars are required:
	<ul>
		<li><a href="http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-api/1.2.9/axiom-api-1.2.9.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-api/1.2.9/axiom-api-1.2.9.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-dom/1.2.9/axiom-dom-1.2.9.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-dom/1.2.9/axiom-dom-1.2.9.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-impl/1.2.9/axiom-impl-1.2.9.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/ws/commons/axiom/axiom-impl/1.2.9/axiom-impl-1.2.9.jar</a></li>
	</ul>
	</li>
	<li>Copy all the jars according to the original repository directory structure. For
example, copy axiom-api-1.2.9.jar to &lt;GERONIMO_HOME&gt;/repository/org/apache/ws/commons/axiom/1.2.9.</li>
	<li>Download the 1.5.2 version of all jars present in the axis2 repository directory
from <a href="http://repo1.maven.org/maven2/org/apache/axis2/" class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/axis2/</a>.
For example, axis2-jaxws-1.5.2.jar can be downloaded from <a href="http://repo1.maven.org/maven2/org/apache/axis2/axis2-jaxws/1.5.2/axis2-jaxws-1.5.2.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/axis2/axis2-jaxws/1.5.2/axis2-jaxws-1.5.2.jar</a>.
The following jars are required:
	<ul>
		<li><a href="http://repo1.maven.org/maven2/org/apache/axis2/axis2-jaxws/1.5.2/axis2-jaxws-1.5.2.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/axis2/axis2-jaxws/1.5.2/axis2-jaxws-1.5.2.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/axis2/axis2-kernel/1.5.2/axis2-kernel-1.5.2.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/axis2/axis2-kernel/1.5.2/axis2-kernel-1.5.2.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/axis2/axis2-metadata/1.5.2/axis2-metadata-1.5.2.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/axis2/axis2-metadata/1.5.2/axis2-metadata-1.5.2.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/axis2/axis2-saaj/1.5.2/axis2-saaj-1.5.2.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/axis2/axis2-saaj/1.5.2/axis2-saaj-1.5.2.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/axis2/axis2-transport-http/1.5.2/axis2-transport-http-1.5.2.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/axis2/axis2-transport-http/1.5.2/axis2-transport-http-1.5.2.jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/axis2/axis2-transport-local/1.5.2/axis2-transport-local-1.5.2.jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/axis2/axis2-transport-local/1.5.2/axis2-transport-local-1.5.2.jar</a></li>
	</ul>
	</li>
	<li>Copy all the jars according to the original repository directory structure. For
example, copy axis2-jaxws-1.5.2.jar to &lt;GERONIMO_HOME&gt;/repository/org/apache/axis2/axis2-jaxws/1.5.2.</li>
</ul>


<ul>
	<li>Open the &lt;GERONIMO_HOME&gt;/var/config/artifact_aliases.properties in
edit mode and add the following entries:
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>            
org.apache.axis2/axis2-jaxws/1.5/jar=org.apache.axis2/axis2-jaxws/1.5.2-r952842/jar
org.apache.axis2/axis2-kernel/1.5/jar=org.apache.axis2/axis2-kernel/1.5.2-r952842/jar
org.apache.axis2/axis2-metadata/1.5/jar=org.apache.axis2/axis2-metadata/1.5.2-r952842/jar
org.apache.axis2/axis2-saaj/1.5/jar=org.apache.axis2/axis2-saaj/1.5.2-r952842/jar
org.apache.axis2/axis2-transport-http/1.5/jar=org.apache.axis2/axis2-transport-http/1.5.2-r952842/jar
org.apache.axis2/axis2-transport-local/1.5/jar=org.apache.axis2/axis2-transport-local/1.5.2-r952842/jar
org.apache.axis2/axis2-jaxws//jar=org.apache.axis2/axis2-jaxws/1.5.2-r952842/jar
org.apache.axis2/axis2-kernel//jar=org.apache.axis2/axis2-kernel/1.5.2-r952842/jar
org.apache.axis2/axis2-metadata//jar=org.apache.axis2/axis2-metadata/1.5.2-r952842/jar
org.apache.axis2/axis2-saaj//jar=org.apache.axis2/axis2-saaj/1.5.2-r952842/jar
org.apache.axis2/axis2-transport-http//jar=org.apache.axis2/axis2-transport-http/1.5.2-r952842/jar
org.apache.axis2/axis2-transport-local//jar=org.apache.axis2/axis2-transport-local/1.5.2-r952842/jar
org.apache.ws.commons.axiom/axiom-api/1.2.8/jar=org.apache.ws.commons.axiom/axiom-api/1.2.9/jar
org.apache.ws.commons.axiom/axiom-dom/1.2.8/jar=org.apache.ws.commons.axiom/axiom-dom/1.2.9/jar
org.apache.ws.commons.axiom/axiom-impl/1.2.8/jar=org.apache.ws.commons.axiom/axiom-impl/1.2.9/jar
org.apache.ws.commons.axiom/axiom-api//jar=org.apache.ws.commons.axiom/axiom-api/1.2.9/jar
org.apache.ws.commons.axiom/axiom-dom//jar=org.apache.ws.commons.axiom/axiom-dom/1.2.9/jar
org.apache.ws.commons.axiom/axiom-impl//jar=org.apache.ws.commons.axiom/axiom-impl/1.2.9/jar
</pre>
</div></div>            </li>
	<li>Start the server.</li>
</ul>


<h4><a name="Geronimo2.2.xCVE-2010-1632PatchInstructions-UpgradingCXF"></a>Upgrading
CXF</h4>

<p>Follow these steps if you are using Apache CXF as the web services runtime in Apache
Geronimo v2.2. By default, the Geronimo Jetty assembly uses CXF as the web services runtime.</p>
<ul>
	<li>If your server is running, stop the server.</li>
	<li>Make a backup of &lt;GERONIMO_HOME&gt;/repository/org/apache/cxf directory.
Once done, delete the directory &lt;GERONIMO_HOME&gt;/repository/org/apache/cxf.</li>
	<li>Download the 2.1.10 version of all jars present in the cxf repository directory
from <a href="http://repo1.maven.org/maven2/org/apache/cxf/" class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/</a>.
For example, cxf-common-utilities-2.1.10.jar can be downloaded from <a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.1.10/"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.1.10/</a>.
The following jars are required:
	<ul>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-api/2.1.10/cxf-api-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-api/2.1.10/cxf-api-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.1.10/cxf-common-utilities-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-common-utilities/2.1.10/cxf-common-utilities-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-soap/2.1.10/cxf-rt-bindings-soap-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-soap/2.1.10/cxf-rt-bindings-soap-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-xml/2.1.10/cxf-rt-bindings-xml-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-bindings-xml/2.1.10/cxf-rt-bindings-xml-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-core/2.1.10/cxf-rt-core-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-core/2.1.10/cxf-rt-core-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-databinding-jaxb/2.1.10/cxf-rt-databinding-jaxb-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-databinding-jaxb/2.1.10/cxf-rt-databinding-jaxb-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-jaxws/2.1.10/cxf-rt-frontend-jaxws-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-jaxws/2.1.10/cxf-rt-frontend-jaxws-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-simple/2.1.10/cxf-rt-frontend-simple-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-frontend-simple/2.1.10/cxf-rt-frontend-simple-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-transports-http/2.1.10/cxf-rt-transports-http-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-transports-http/2.1.10/cxf-rt-transports-http-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-ws-addr/2.1.10/cxf-rt-ws-addr-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-ws-addr/2.1.10/cxf-rt-ws-addr-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-ws-security/2.1.10/cxf-rt-ws-security-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-rt-ws-security/2.1.10/cxf-rt-ws-security-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-common/2.1.10/cxf-tools-common-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-common/2.1.10/cxf-tools-common-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-java2ws/2.1.10/cxf-tools-java2ws-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-java2ws/2.1.10/cxf-tools-java2ws-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-validator/2.1.10/cxf-tools-validator-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-validator/2.1.10/cxf-tools-validator-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-core/2.1.10/cxf-tools-wsdlto-core-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-core/2.1.10/cxf-tools-wsdlto-core-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/cxf-tools-wsdlto-databinding-jaxb-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/cxf-tools-wsdlto-databinding-jaxb-2.1.10-jar</a></li>
		<li><a href="http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/cxf-tools-wsdlto-frontend-jaxws-2.1.10-jar"
class="external-link" rel="nofollow">http://repo1.maven.org/maven2/org/apache/cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/cxf-tools-wsdlto-frontend-jaxws-2.1.10-jar</a></li>
	</ul>
	</li>
</ul>


<ul>
	<li>Copy all the jars according to the original repository directory structure. For
example, copy cxf-common-utilities-2.1.10.jar to &lt;GERONIMO_HOME&gt;/repository/org/apache/cxf/cxf-common-utilities/2.1.10/</li>
	<li>Launch &lt;GERONIMO_HOME&gt;/var/config/artifact-aliases.properties in
edit mode and add the following entries:
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>            
org.apache.cxf/cxf-api/2.1.4/jar=org.apache.cxf/cxf-api/2.1.10/jar
org.apache.cxf/cxf-common-schemas/2.1.4/jar=org.apache.cxf/cxf-common-schemas/2.1.10/jar
org.apache.cxf/cxf-common-utilities/2.1.4/jar=org.apache.cxf/cxf-common-utilities/2.1.10/jar
org.apache.cxf/cxf-rt-bindings-soap/2.1.4/jar=org.apache.cxf/cxf-rt-bindings-soap/2.1.10/jar
org.apache.cxf/cxf-rt-bindings-xml/2.1.4/jar=org.apache.cxf/cxf-rt-bindings-xml/2.1.10/jar
org.apache.cxf/cxf-rt-core/2.1.4/jar=org.apache.cxf/cxf-rt-core/2.1.10/jar
org.apache.cxf/cxf-rt-databinding-jaxb/2.1.4/jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.1.10/jar
org.apache.cxf/cxf-rt-frontend-jaxws/2.1.4/jar=org.apache.cxf/cxf-frontend-jaxws/2.1.10/jar
org.apache.cxf/cxf-rt-frontend-simple/2.1.4/jar=org.apache.cxf/cxf-frontend-simple/2.1.10/jar
org.apache.cxf/cxf-rt-transports-http/2.1.4/jar=org.apache.cxf/cxf-transports-http/2.1.10/jar
org.apache.cxf/cxf-rt-ws-addr/2.1.4/jar=org.apache.cxf/cxf-rt-ws-addr/2.1.10/jar
org.apache.cxf/cxf-rt-ws-security/2.1.4/jar=org.apache.cxf/cxf-rt-ws-security/2.1.10/jar
org.apache.cxf/cxf-tools-common/2.1.4/jar=org.apache.cxf/cxf-tools-common/2.1.10/jar
org.apache.cxf/cxf-tools-java2ws/2.1.4/jar=org.apache.cxf/cxf-tools-java2ws/2.1.10/jar
org.apache.cxf/cxf-tools-validator/2.1.4/jar=org.apache.cxf/cxf-tools-validator/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-core/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-core/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.4/jar=org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/jar
org.apache.cxf/cxf-api//jar=org.apache.cxf/cxf-api/2.1.10/jar
org.apache.cxf/cxf-common-schemas//jar=org.apache.cxf/cxf-common-schemas/2.1.10/jar
org.apache.cxf/cxf-common-utilities//jar=org.apache.cxf/cxf-common-utilities/2.1.10/jar
org.apache.cxf/cxf-rt-bindings-soap//jar=org.apache.cxf/cxf-rt-bindings-soap/2.1.10/jar
org.apache.cxf/cxf-rt-bindings-xml//jar=org.apache.cxf/cxf-rt-bindings-xml/2.1.10/jar
org.apache.cxf/cxf-rt-core//jar=org.apache.cxf/cxf-rt-core/2.1.10/jar
org.apache.cxf/cxf-rt-databinding-jaxb//jar=org.apache.cxf/cxf-rt-databinding-jaxb/2.1.10/jar
org.apache.cxf/cxf-rt-frontend-jaxws//jar=org.apache.cxf/cxf-frontend-jaxws/2.1.10/jar
org.apache.cxf/cxf-rt-frontend-simple//jar=org.apache.cxf/cxf-frontend-simple/2.1.10/jar
org.apache.cxf/cxf-rt-transports-http//jar=org.apache.cxf/cxf-transports-http/2.1.10/jar
org.apache.cxf/cxf-rt-ws-addr//jar=org.apache.cxf/cxf-rt-ws-addr/2.1.10/jar
org.apache.cxf/cxf-rt-ws-security//jar=org.apache.cxf/cxf-rt-ws-security/2.1.10/jar
org.apache.cxf/cxf-tools-common//jar=org.apache.cxf/cxf-tools-common/2.1.10/jar
org.apache.cxf/cxf-tools-java2ws//jar=org.apache.cxf/cxf-tools-java2ws/2.1.10/jar
org.apache.cxf/cxf-tools-validator//jar=org.apache.cxf/cxf-tools-validator/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-core//jar=org.apache.cxf/cxf-tools-wsdlto-core/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb//jar=org.apache.cxf/cxf-tools-wsdlto-databinding-jaxb/2.1.10/jar
org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws//jar=org.apache.cxf/cxf-tools-wsdlto-frontend-jaxws/2.1.10/jar
</pre>
</div></div>            </li>
	<li>Start the server</li>
</ul>





    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/GMOxSITE/Geronimo+2.2.x+CVE-2010-1632+Patch+Instructions">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=23332008&revisedVersion=2&originalVersion=1">View
Changes</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

Mime
View raw message