From "Nowakowski, Mateusz" <Mateusz.Nowakow...@sabre-holdings.com>
Subject RE: [ANNOUNCE] Apache ODE 1.3.3
Date Thu, 13 Aug 2009 08:21:49 GMT
Any update on that?

I'm trying to find for example ODE 1.3.3 here:
http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
but the newest version is 1.3.2.

-- 
Regards
Mateusz Nowakowski
-----Original Message-----
From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com] 
Sent: Tuesday, August 11, 2009 5:32 PM
To: dev@ode.apache.org
Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 - 

Hi,

I couldn't find ODE 1.3.3 in the main maven repository.
Could you place it there?

Thanks

-- 
Regards
Mateusz Nowakowski

-----Original Message-----
From: matthieu.riou@gmail.com [mailto:matthieu.riou@gmail.com] On Behalf Of Matthieu Riou
Sent: Saturday, August 08, 2009 6:41 AM
To: security@apache.org; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com; dev@ode.apache.org;
user@ode.apache.org; Marc Schoenefeld; announce@apache.org
Subject: [ANNOUNCE] Apache ODE 1.3.3

Hi,

I'm pleased to announce the release of ODE 1.3.3, a security release of
Apache ODE. It fixes a vulnerability in the process deployment that allowed,
using a forged message, to create, overwrite or delete files on the server
file system. See the full vulnerability announcement below.

Apache ODE is a WS-BPEL compliant web service orchestration engine. It
organizes web services calls following a process description written in the
BPEL XML grammar. Another way to describe it would be a web-service capable
workflow engine.

This new release also includes new features, bug fixes and improvements. See
the release notes for an exhaustive list of details:
https://issues.apache.org/jira/browse/ODE/fixforversion/12313906

For more information, check the Apache ODE website:
http://ode.apache.org/

Apache ODE is an open source project released under a business-friendly
license (Apache License v2.0), as such we welcome your help and
contributions. To participate and get involved, our mailing lists are the
best resources to start from:
http://ode.apache.org/mailing-lists.html

Thank you,
The Apache ODE Team

------

CVE-2008-2370: Apache ODE information disclosure vulnerability

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
2.0-beta1 and 2.0-beta2 are also affected.

Description: The process deployment web service was susceptible to deployment
messages with forged names. Using a path for the name was allowing directory
traversal, resulting in the potential writing of files under unwanted
locations (like a new WAR under a webapp deployment directory), the
overwriting of existing files or their deletion.

Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain
the latest source from svn or apply the patch published under
http://people.apache.org/~mriou/CVE-2008-2370-patch.txt


Example: Deleting a file /tmp/blabla using undeploy by sending the following
message to the deployment service:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:pmap="http://www.apache.org/ode/pmapi">
  <soapenv:Header/>
  <soapenv:Body>
    <pmap:undeploy>
      <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
    </pmap:undeploy>
  </soapenv:Body>
</soapenv:Envelope>

Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
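The advisory above describes the root cause as a package name that is used as a path without being checked, so a name containing "../" segments escapes the deployment directory. The following is an added illustration of the kind of input validation a deployment service needs before mapping a package name onto the file system; it is not ODE's code or the published patch. The deployment root, the function names and both sample SOAP messages (one copied from the advisory, one a harmless name) are constructed for the example.

```python
"""Validate the packageName of a pmapi-style undeploy request before it is
turned into a file-system path.  Added example, not Apache ODE's own code:
DEPLOY_ROOT, the function names and the sample messages are assumptions."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed deployment root; a real engine would use its configured work dir.
DEPLOY_ROOT = "/var/lib/ode/processes"
PMAPI_NS = "http://www.apache.org/ode/pmapi"

# Allow-list: a package name is one path segment made of safe characters.
# It cannot start with "." (rules out "." and ".."), and contains no "/" or "\".
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def resolve_package_dir(package_name: str, root: str = DEPLOY_ROOT) -> str:
    """Return the on-disk directory for package_name or raise ValueError.

    Two independent checks are applied: the allow-list above, and then a
    canonical-path containment check so that even a name the regex were ever
    loosened to accept still cannot resolve outside the deployment root.
    """
    if not PACKAGE_NAME_RE.fullmatch(package_name):
        raise ValueError(f"rejected package name: {package_name!r}")
    root_norm = os.path.normpath(root)
    target = os.path.normpath(os.path.join(root_norm, package_name))
    # normpath collapses "..", so a traversal would show up here as a target
    # whose common prefix with the root is no longer the root itself.
    if os.path.commonpath([root_norm, target]) != root_norm or target == root_norm:
        raise ValueError(f"package path escapes deployment root: {target!r}")
    return target


def package_name_from_undeploy(soap_xml: str) -> str:
    """Extract <packageName> from a pmapi undeploy envelope (no namespace on the child,
    exactly as in the advisory's message)."""
    envelope = ET.fromstring(soap_xml)
    node = envelope.find(f".//{{{PMAPI_NS}}}undeploy/packageName")
    if node is None or not (node.text or "").strip():
        raise ValueError("missing packageName")
    return node.text.strip()


def handle_undeploy(soap_xml: str) -> tuple[bool, str]:
    """Decide whether an undeploy request may proceed.  Returns (accepted, detail);
    on rejection the detail is the reason, otherwise the resolved package directory.
    Nothing is deleted here; the decision is what a real handler would act on."""
    try:
        name = package_name_from_undeploy(soap_xml)
        path = resolve_package_dir(name)
    except (ET.ParseError, ValueError) as exc:
        return False, str(exc)
    return True, path


# Constructed sample messages.  The first reproduces the advisory's forged name.
FORGED_UNDEPLOY = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:pmap="http://www.apache.org/ode/pmapi">
  <soapenv:Header/>
  <soapenv:Body>
    <pmap:undeploy>
      <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
    </pmap:undeploy>
  </soapenv:Body>
</soapenv:Envelope>"""

LEGIT_UNDEPLOY = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:pmap="http://www.apache.org/ode/pmapi">
  <soapenv:Body>
    <pmap:undeploy>
      <packageName>HelloWorld2-1</packageName>
    </pmap:undeploy>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for label, msg in (("forged", FORGED_UNDEPLOY), ("legitimate", LEGIT_UNDEPLOY)):
        accepted, detail = handle_undeploy(msg)
        print(f"{label}: {'accepted' if accepted else 'rejected'} ({detail})")
```

The allow-list is the check that actually stops the advisory's message; the containment check is kept as a second layer so that the decision does not rest on the regex alone. A real handler would also resolve symlinks (os.path.realpath) before the containment test, since a symlinked package directory can point outside the root even when the name itself is clean.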