openjpa-dev mailing list archives

From Jeremy Bauer <techhu...@gmail.com>
Subject Re: [CVE-2013-1768] Apache OpenJPA security vulnerability
Date Thu, 13 Jun 2013 14:28:35 GMT
The CVE post doesn't state it, but trunk implicitly does have the fix, so
if you grab a recent snapshot (revision >= 1461876) you'll have it.
Cutting a new release from trunk was considered when deciding which
official releases to provide, but the decision was to use the 2.2.x stream
since it is the very latest stable branch on the JPA 2.0 spec level and has
had plenty of time to bake.

Cutting a new release from trunk requires creating a new branch, which may
result in additional maintenance (if maintained), and a branch owner.

Mark - if you are interested, you could cut the 2.3.0 release.  It is a
time-consuming process, but our instructions are very good and recently
updated.  One of the other committers might be willing to do the release,
but may not want to own the 2.3.x branch if it needs to be maintained.

http://openjpa.apache.org/apache-nexus-release-process-%281.2.x-2.1.x%29.html

-Jeremy


On Thu, Jun 13, 2013 at 1:33 AM, Mark Struberg <struberg@yahoo.de> wrote:

> +1
>
> LieGrue,
> strub
>
>
>
>
> ----- Original Message -----
> > From: Romain Manni-Bucau <rmannibucau@gmail.com>
> > To: dev@openjpa.apache.org
> > Cc:
> > Sent: Wednesday, 12 June 2013, 23:15
> > Subject: Re: [CVE-2013-1768] Apache OpenJPA security vulnerability
> >
> > Hi
> >
> > TomEE trunk relies on openjpa snapshot
> >
> > With such an issue, I wonder about an early release (maybe a beta?)
> >
> > Wdyt?
> > On 12 June 2013 21:33, "Jeremy Bauer" <jrbauer@apache.org>
> > wrote:
> >
> >>
> >>  -----BEGIN PGP SIGNED MESSAGE-----
> >>  Hash: SHA1
> >>
> >>  CVE-2013-1768: Apache OpenJPA security vulnerability
> >>
> >>  Severity: Important
> >>
> >>  Vendor: The Apache Software Foundation
> >>
> >>  Versions Affected:
> >>
> >>  OpenJPA 1.0.0 to 1.0.4
> >>  OpenJPA 1.1.0
> >>  OpenJPA 1.3.0
> >>  OpenJPA 1.2.0 to 1.2.2
> >>  OpenJPA 2.0.0 to 2.0.1
> >>  OpenJPA 2.1.0 to 2.1.1
> >>  OpenJPA 2.2.0 to 2.2.1
> >>
> >>  Description: Deserialization of a maliciously crafted OpenJPA object can
> >>  result in an executable file being written to the file system. An
> >>  attacker needs to discover an unprotected server program to exploit the
> >>  vulnerability.  It then needs to exploit another unprotected server
> >>  program to execute the file and gain access to the system.  OpenJPA
> >>  usage by itself does not introduce the vulnerability.
> >>
> >>  Mitigation: Users of OpenJPA using a release based upon the JPA 1.0
> >>  specification level should upgrade to the OpenJPA 1.2.3 release.  Users
> >>  of OpenJPA using a release based upon the JPA 2.0 specification level
> >>  should upgrade to the OpenJPA 2.2.2 release.  Users needing to stay on
> >>  their current release should get the latest code from svn for the
> >>  corresponding branch level or apply a source patch and build a new
> >>  binary package.  Nightly snapshots of the latest source builds are also
> >>  available for many branches.
> >>
> >>  OpenJPA release branch levels and corresponding fix revisions:
> >>
> >>  OpenJPA 1.0.x revision 1462558:
> >>  http://svn.apache.org/viewvc?view=revision&revision=1462558
> >>  OpenJPA 1.1.x revision 1462512:
> >>  http://svn.apache.org/viewvc?view=revision&revision=1462512
> >>  OpenJPA 1.2.x revision 1462488:
> >>  http://svn.apache.org/viewvc?view=revision&revision=1462488
> >>  OpenJPA 1.3.x revision 1462328:
> >>  http://svn.apache.org/viewvc?view=revision&revision=1462328
> >>  OpenJPA 2.0.x revision 1462318:
> >>  http://svn.apache.org/viewvc?view=revision&revision=1462318
> >>  OpenJPA 2.1.x revision 1462268:
> >>  http://svn.apache.org/viewvc?view=revision&revision=1462268
> >>  OpenJPA 2.2.1.x revision 1462225:
> >>  http://svn.apache.org/viewvc?view=revision&revision=1462225
> >>  OpenJPA 2.2.x revision 1462076:
> >>  http://svn.apache.org/viewvc?view=revision&revision=1462076
> >>
> >>  Example: An attacker creates a customized serialization of an OpenJPA
> >>  object.  The attacker exploits an unprotected server program to execute
> >>  the object.  The object includes logic that results in malicious trace
> >>  being written to a file, such as a JSP.  The file containing malicious
> >>  commands is written to a potentially vulnerable area of the system.  The
> >>  attacker exploits a second unprotected server program to execute the
> >>  file and gain access to the system.
> >>
> >>  Credit: This issue was discovered by Pierre Ernst of IBM Corporation.
> >>  -----BEGIN PGP SIGNATURE-----
> >>  Version: GnuPG v2.0.20 (MingW32)
> >>  Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> >>
> >>  iQIcBAEBAgAGBQJRuMz9AAoJEALD36U3PPjRdzMQAKYkGuFQ/jT6Txy5UemN7oC3
> >>  bAUsJRlAsV11uZTnTNo4hgtZVA9Q9fN2NbswjcWFS+/U1MljgrF9lqHspm/SV9o5
> >>  Yi4S39AtMKva0eBMGaRGBpARhu7QbMOxD7D9dqp79bHcgxfZROG71bwx4dTL3q3Z
> >>  3dxOEnkqPUM9vZFm3zrMKF4Hy3q/TuMIJtFtj/B5KuNtlJFXUe908wzoQyQjm9Al
> >>  M7xZhWGdGnVwD1ynlrG5exWZ8xlQ5W4TGeK/h3zJ05kYQHXIwhgiympApNfIYCQZ
> >>  1zexnGv7pWQI/NVXPv8XaxtZ6HYUn+1GpZ8ipF4nCoXy0KTfLJmd9wcpxU8b+4c1
> >>  tguzC8rYbol7TxkMy/HpAgHTavIfDXFZyjl5/z2X6e+s6YtP+TRCN8Jy7fpg0AuU
> >>  OFQp+LoY06vFJmoJiL0+TiNeotcZuH1l8OL6PuvXHF/4saAUfADNHqJIR5xBTdPY
> >>  rIy8gtS06IM6aOhSbCrJphIpSOk5qQQV5Uhzfo5NXFeglBxP+YEPFq5sBmVIPEOG
> >>  IL6u6CAclmMKg+vqXUeY1EsmV2lrhqshyBh7umTSSm7YWNgoQJJxUn/8phxATJ3K
> >>  DlaZWId//mmnz36349m9HF2hc5iPea01MDcWHUwe2a0d0Wmwz6CXlvWuBNtTmZoV
> >>  7iGIxMiN7yJ14RZoDsKw
> >>  =LVgy
> >>  -----END PGP SIGNATURE-----
> >>
> >>
> >
>
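The quoted advisory describes the generic shape of the problem: an "unprotected server program" that hands untrusted bytes to a plain ObjectInputStream will instantiate whatever classes the stream names, and the crafted OpenJPA object only needs to be reachable that way. The following is an added example, not code from this thread or from OpenJPA: a look-ahead ObjectInputStream that refuses to resolve any class not on an explicit allow-list, so a stream naming anything else fails before an object is constructed. The Ticket and UnexpectedBlob classes, the readAllowed helper and the sample values are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not OpenJPA code): a look-ahead ObjectInputStream that only
 * resolves classes on an explicit allow-list. Everything else is rejected in
 * resolveClass(), i.e. before the JVM loads or instantiates the class.
 */
public final class SafeObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public SafeObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = Collections.unmodifiableSet(new HashSet<String>(allowed));
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // desc.getName() is the JVM name ("com.example.Ticket", "[Lcom.example.Ticket;"),
        // so object-array types must be listed explicitly to be accepted.
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Fail before super.resolveClass() loads the class; nothing gets constructed.
            throw new InvalidClassException(name, "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    /** Hypothetical payload type this endpoint legitimately expects. */
    public static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final long id;
        final String owner;
        Ticket(long id, String owner) { this.id = id; this.owner = owner; }
    }

    /** Stand-in for any serializable class the endpoint never asked for. */
    public static final class UnexpectedBlob implements Serializable {
        private static final long serialVersionUID = 1L;
        final String target = "constructed-sample.jsp"; // constructed value, label only
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns the deserialized object, or throws InvalidClassException for an off-list class. */
    static Object readAllowed(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in =
                     new SafeObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = new HashSet<String>(Arrays.asList(Ticket.class.getName()));

        // The expected type is accepted.
        Ticket t = (Ticket) readAllowed(serialize(new Ticket(42L, "alice")), allowed);
        System.out.println("accepted: Ticket " + t.id + " owned by " + t.owner);

        // Anything else named in the stream is rejected before it is constructed.
        try {
            readAllowed(serialize(new UnexpectedBlob()), allowed);
            System.out.println("BUG: off-list class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the JDK provides the same check without a subclass: build a filter with ObjectInputFilter.Config.createFilter (a pattern such as "SafeObjectInputStream$Ticket;!*" accepts the listed class and rejects everything else) and install it with ObjectInputStream.setObjectInputFilter. Either way this hardens the consumer of the stream; it does not replace the upgrade to 1.2.3 or 2.2.2 that the advisory asks for, and it only helps on the endpoints where it is actually installed.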
