syncope-commits mailing list archives

From ilgro...@apache.org
Subject svn commit: r1608409 - in /syncope/branches/1_2_X: ./ src/site/xdoc/security.xml
Date Mon, 07 Jul 2014 11:08:29 GMT
Author: ilgrosso
Date: Mon Jul  7 11:08:29 2014
New Revision: 1608409

URL: http://svn.apache.org/r1608409
Log:
Merge from 1_1_X

Modified:
    syncope/branches/1_2_X/   (props changed)
    syncope/branches/1_2_X/src/site/xdoc/security.xml

Propchange: syncope/branches/1_2_X/
------------------------------------------------------------------------------
  Merged /syncope/branches/1_1_X:r1608366-1608408

Modified: syncope/branches/1_2_X/src/site/xdoc/security.xml
URL: http://svn.apache.org/viewvc/syncope/branches/1_2_X/src/site/xdoc/security.xml?rev=1608409&r1=1608408&r2=1608409&view=diff
==============================================================================
--- syncope/branches/1_2_X/src/site/xdoc/security.xml (original)
+++ syncope/branches/1_2_X/src/site/xdoc/security.xml Mon Jul  7 11:08:29 2014
@@ -34,27 +34,59 @@ under the License.
 
       <p>If you want to report a vulnerability, please follow <a href="http://www.apache.org/security/">the
procedure</a>.</p>
 
-      <subsection name="CVE-2014-0111: Remote code execution by an authenticated administrator">

-	<p>In the various places in which Apache Commons JEXL expressions are allowed (derived
schema definition, user / role templates, account links of resource mappings) a malicious
administrator can inject Java code that can be executed remotely by the JEE container running
the Apache Syncope core.</p>
+      <subsection name="CVE-2014-3503: Insecure Random implementations used to generate
passwords">	
+        <p>A password is generated for a user in Apache Syncope under certain  circumstances,
when no existing password 
+          is found. However, the password generation code is relying on insecure Random implementations,
which means 
+          that an attacker could attempt to guess a generated password.</p>
+
+        <p>
+          <b>Affects</b>
+        </p>
+        <p>
+          <ul>
+            <li>Releases 1.1.0 to 1.1.7</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Fixed in</b>
+        </p>
+        <p>
+          <ul>
+            <li>Revision <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1596537">1596537</a></li>
+            <li>Release 1.1.8</li>
+          </ul>
+        </p>
 
+        <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3503">full
CVE advisory</a>.</p>
+      </subsection>
 
-	<p><b>Affects</b></p>
-	<p>
-	  <ul>
-	    <li>Releases 1.0.0 to 1.0.8</li>
-	    <li>Releases 1.1.0 to 1.1.6</li>
-	  </ul>
-	</p>
-
-	<p><b>Fixed in</b></p>
-	<p>
-	  <ul>
-	    <li>Revisions <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1586349">1586349</a>
/ <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1586317">1586317</a></li>
-	    <li>Releases 1.0.9 / 1.1.7</li>
-	  </ul>
-	</p>
+      <subsection name="CVE-2014-0111: Remote code execution by an authenticated administrator">

+        <p>In the various places in which Apache Commons JEXL expressions are allowed
(derived schema definition, 
+          user / role templates, account links of resource mappings) a malicious administrator
can inject Java code 
+          that can be executed remotely by the JEE container running the Apache Syncope core.</p>
+
+        <p>
+          <b>Affects</b>
+        </p>
+        <p>
+          <ul>
+            <li>Releases 1.0.0 to 1.0.8</li>
+            <li>Releases 1.1.0 to 1.1.6</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Fixed in</b>
+        </p>
+        <p>
+          <ul>
+            <li>Revisions <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1586349">1586349</a>
/ <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1586317">1586317</a></li>
+            <li>Releases 1.0.9 / 1.1.7</li>
+          </ul>
+        </p>
 
-	<p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0111">full
CVE advisory</a>.</p>
+        <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0111">full
CVE advisory</a>.</p>
       </subsection>
     </section>
 
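Review bot: the new CVE-2014-3503 subsection nests `<ul>` lists inside `<p>` elements (the `<p><ul>…</ul></p>` blocks under "Affects" and "Fixed in"), and the rewritten CVE-2014-0111 block repeats the same pattern; a `<p>` cannot contain a list, so an HTML renderer will auto-close the paragraph before the `<ul>` and leave a stray `</p>` behind. Drop the wrapping `<p>` around each `<ul>`. The `name` attribute of the new `<subsection>` is also split across a line break ("... used to generate" / "passwords") and carries a trailing tab after the closing `>`; keep the title on one line and strip the trailing whitespace. On the wording: the advisory says the generation code "is relying on insecure Random implementations" but never says what the fixed revision uses instead; stating which generator r1596537 switched to (java.security.SecureRandom, if that is what the change does) would let operators confirm what they should see in a patched deployment. Minor: "certain  circumstances" has a double space.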