Date: Thu, 13 Jun 2013 09:28:35 -0500
From: Jeremy Bauer
To: dev@openjpa.apache.org, Mark Struberg
Subject: Re: [CVE-2013-1768] Apache OpenJPA security vulnerability
In-Reply-To: <1371105208.49434.YahooMailNeo@web28903.mail.ir2.yahoo.com>
References: <51B8CCFD.1040805@apache.org> <1371105208.49434.YahooMailNeo@web28903.mail.ir2.yahoo.com>

The CVE post doesn't state it, but trunk implicitly does have the fix, so if you grab a recent snapshot (revision >= 1461876) you'll have it.

Cutting a new release from trunk was considered when deciding which official releases to provide, but the decision was to use the 2.2.x stream since it is the very latest stable branch on the JPA 2.0 spec level and has had plenty of time to bake. Cutting a new release from trunk requires creating a new branch, which may result in additional maintenance (if maintained), and a branch owner.

Mark - if you are interested, you could cut a 2.3.0 release. It is a time consuming process, but our instructions are very good and recently updated. One of the other committers might be willing to do the release, but may not want to own the 2.3.x branch if it needs to be maintained.
http://openjpa.apache.org/apache-nexus-release-process-%281.2.x-2.1.x%29.html

-Jeremy

On Thu, Jun 13, 2013 at 1:33 AM, Mark Struberg wrote:
> +1
>
> LieGrue,
> strub
>
>
> ----- Original Message -----
> > From: Romain Manni-Bucau
> > To: dev@openjpa.apache.org
> > Cc:
> > Sent: Wednesday, 12 June 2013, 23:15
> > Subject: Re: [CVE-2013-1768] Apache OpenJPA security vulnerability
> >
> > Hi
> >
> > TomEE trunk relies on openjpa snapshot
> >
> > With such an issue wonder of an early release (maybe a beta?)
> >
> > Wdyt?
> > On 12 June 2013 21:33, "Jeremy Bauer" wrote:
> >
> >>
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> CVE-2013-1768: Apache OpenJPA security vulnerability
> >>
> >> Severity: Important
> >>
> >> Vendor: The Apache Software Foundation
> >>
> >> Versions Affected:
> >>
> >> OpenJPA 1.0.0 to 1.0.4
> >> OpenJPA 1.1.0
> >> OpenJPA 1.3.0
> >> OpenJPA 1.2.0 to 1.2.2
> >> OpenJPA 2.0.0 to 2.0.1
> >> OpenJPA 2.1.0 to 2.1.1
> >> OpenJPA 2.2.0 to 2.2.1
> >>
> >> Description: Deserialization of a maliciously crafted OpenJPA object can
> >> result in an executable file being written to the file system. An
> >> attacker needs to discover an unprotected server program to exploit the
> >> vulnerability. It then needs to exploit another unprotected server
> >> program to execute the file and gain access to the system. OpenJPA
> >> usage by itself does not introduce the vulnerability.
> >>
> >> Mitigation: Users of OpenJPA using a release based upon the JPA 1.0
> >> specification level should upgrade to the OpenJPA 1.2.3 release. Users
> >> of OpenJPA using a release based upon the JPA 2.0 specification level
> >> should upgrade to the OpenJPA 2.2.2 release. Users needing to stay on
> >> their current release should get the latest code from svn for the
> >> corresponding branch level or apply a source patch and build a new
> >> binary package. Nightly snapshots of the latest source builds are also
> >> available for many branches.
> >>
> >> OpenJPA release branch levels and corresponding fix revisions:
> >>
> >> OpenJPA 1.0.x revision 1462558:
> >> http://svn.apache.org/viewvc?view=revision&revision=1462558
> >> OpenJPA 1.1.x revision 1462512:
> >> http://svn.apache.org/viewvc?view=revision&revision=1462512
> >> OpenJPA 1.2.x revision 1462488:
> >> http://svn.apache.org/viewvc?view=revision&revision=1462488
> >> OpenJPA 1.3.x revision 1462328:
> >> http://svn.apache.org/viewvc?view=revision&revision=1462328
> >> OpenJPA 2.0.x revision 1462318:
> >> http://svn.apache.org/viewvc?view=revision&revision=1462318
> >> OpenJPA 2.1.x revision 1462268:
> >> http://svn.apache.org/viewvc?view=revision&revision=1462268
> >> OpenJPA 2.2.1.x revision 1462225:
> >> http://svn.apache.org/viewvc?view=revision&revision=1462225
> >> OpenJPA 2.2.x revision 1462076:
> >> http://svn.apache.org/viewvc?view=revision&revision=1462076
> >>
> >> Example: An attacker creates a customized serialization of an OpenJPA
> >> object. The attacker exploits an unprotected server program to execute
> >> the object. The object includes logic that results in malicious trace
> >> being written to a file, such as a JSP. The file containing malicious
> >> commands is written to a potentially vulnerable area of the system. The
> >> attacker exploits a second unprotected server program to execute the
> >> file and gain access to the system.
> >>
> >> Credit: This issue was discovered by Pierre Ernst of IBM Corporation.
> >>
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v2.0.20 (MingW32)
> >> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> >>
> >> iQIcBAEBAgAGBQJRuMz9AAoJEALD36U3PPjRdzMQAKYkGuFQ/jT6Txy5UemN7oC3
> >> bAUsJRlAsV11uZTnTNo4hgtZVA9Q9fN2NbswjcWFS+/U1MljgrF9lqHspm/SV9o5
> >> Yi4S39AtMKva0eBMGaRGBpARhu7QbMOxD7D9dqp79bHcgxfZROG71bwx4dTL3q3Z
> >> 3dxOEnkqPUM9vZFm3zrMKF4Hy3q/TuMIJtFtj/B5KuNtlJFXUe908wzoQyQjm9Al
> >> M7xZhWGdGnVwD1ynlrG5exWZ8xlQ5W4TGeK/h3zJ05kYQHXIwhgiympApNfIYCQZ
> >> 1zexnGv7pWQI/NVXPv8XaxtZ6HYUn+1GpZ8ipF4nCoXy0KTfLJmd9wcpxU8b+4c1
> >> tguzC8rYbol7TxkMy/HpAgHTavIfDXFZyjl5/z2X6e+s6YtP+TRCN8Jy7fpg0AuU
> >> OFQp+LoY06vFJmoJiL0+TiNeotcZuH1l8OL6PuvXHF/4saAUfADNHqJIR5xBTdPY
> >> rIy8gtS06IM6aOhSbCrJphIpSOk5qQQV5Uhzfo5NXFeglBxP+YEPFq5sBmVIPEOG
> >> IL6u6CAclmMKg+vqXUeY1EsmV2lrhqshyBh7umTSSm7YWNgoQJJxUn/8phxATJ3K
> >> DlaZWId//mmnz36349m9HF2hc5iPea01MDcWHUwe2a0d0Wmwz6CXlvWuBNtTmZoV
> >> 7iGIxMiN7yJ14RZoDsKw
> >> =LVgy
> >> -----END PGP SIGNATURE-----
> >>
> >>
> >
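The advisory's precondition is an "unprotected server program" that hands attacker-supplied bytes to Java deserialization, at which point a crafted OpenJPA object's own read logic runs and the trace file gets written. Upgrading removes the file write, but the deserialization entry point is what makes any such gadget reachable in the first place. The following is an added example, not code from this thread and not OpenJPA's fix: a look-ahead ObjectInputStream that refuses every class not on an explicit allowlist, so an unexpected class (an org.apache.openjpa.* object included) is rejected before any instance is created. The allowlist contents and the Ping and Unexpected message classes are hypothetical, constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Look-ahead deserialization guard (example code, not OpenJPA's fix).
 * resolveClass() is consulted for every class descriptor in the stream
 * before an instance of it is created, so an unexpected class is rejected
 * before its readObject()/readResolve() logic can ever run.
 */
public class SafeObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist of binary class names this server expects.
    // Anything else, including every org.apache.openjpa.* class, fails closed.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
        new HashSet<String>(Arrays.asList(
            "SafeObjectInputStream$Ping",  // the nested message class below
            "java.lang.Integer",
            "java.lang.Number"             // Integer's serializable superclass
        )));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Reject here: no constructor, readObject or readResolve of the
            // unexpected class has been invoked yet.
            throw new InvalidClassException(name,
                "class not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** The one message type this example server expects (constructed). */
    static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String msg;
        final int seq;
        Ping(String msg, int seq) { this.msg = msg; this.seq = seq; }
    }

    /** Stand-in for an unexpected object arriving from an attacker. */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readGuarded(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in =
                 new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type passes through the guard unchanged.
        Ping p = (Ping) readGuarded(serialize(new Ping("hello", 7)));
        System.out.println("accepted: " + p.msg + " #" + p.seq);

        // Anything else is refused at the class-descriptor stage.
        try {
            readGuarded(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist has to name every class descriptor the stream will carry, superclasses included (hence java.lang.Number beside java.lang.Integer); a denylist of known gadget packages is the weaker choice because it has to be updated for each newly discovered class. On Java 9 and later the same policy can be applied without subclassing, through ObjectInputStream.setObjectInputFilter or the jdk.serialFilter system property with a pattern such as "SafeObjectInputStream$Ping;java.lang.Integer;java.lang.Number;!*".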