From: Maxim Solodovnik
Date: Thu, 13 Jul 2017 23:28:25 +0700
Subject: CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods
To: Openmeetings user-list, dev, security@openmeetings.apache.org, Joe Basirico, Sharath Unni, Dinesh Shetty, oss-security@lists.openwall.com, bugtraq@securityfocus.com

Severity: Lowest

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.0.0

Description: Apache OpenMeetings responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.

CVE-2017-7685

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation
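
One way to check a deployment you administer for the behaviour described above, as an added example that is not part of the original advisory or of the OpenMeetings project. The function names, the constructed loopback server `DemoHandler`, and the choice to treat 403, 405 and 501 as "method refused" are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ADVISORY_METHODS = ("PUT", "DELETE", "HEAD", "PATCH")  # methods named in the advisory
REJECTED = {403, 405, 501}  # assumption: these statuses mean the method was refused


def probe_methods(host, port, path="/", methods=ADVISORY_METHODS, timeout=5):
    """Send one body-less request per method; return {method: status}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()
            results[method] = resp.status
        finally:
            conn.close()
    return results


def still_accepted(results):
    """Methods whose response was not an explicit refusal."""
    return sorted(m for m, status in results.items() if status not in REJECTED)


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed local target: answers HEAD and PUT, refuses the rest."""
    def _reply(self, code):
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_HEAD(self): self._reply(200)
    def do_PUT(self): self._reply(200)
    def do_DELETE(self): self._reply(405)
    def do_PATCH(self): self._reply(405)
    def log_message(self, *args): pass  # keep the demo quiet


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_methods("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

Against a real instance, call `probe_methods` with your own host, port and application path and review any method that `still_accepted` returns.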