From: Jerry Cwiklik
Reply-To: cwiklik@apache.org
To: uima-user@apache.org, uima-dev@apache.org
Subject: [ANNOUNCE] CVE-2018-8035: Apache UIMA DUCC webserver cross-site scripting (XSS) vulnerability fix
Date: Wed, 1 May 2019 10:45:22 -0400
Mailing list: user@uima.apache.org (Apache UIMA)

CVE-2018-8035: Apache UIMA DUCC webserver cross-site scripting (XSS) vulnerability due to unintended execution of user supplied JavaScript code.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
  - Apache UIMA DUCC releases including and prior to 2.2.2

Description:
The details of this vulnerability were reported to the Apache UIMA Private mailing list. This vulnerability relates to the user's browser processing of DUCC web page input data. The JavaScript comprising Apache UIMA DUCC, which runs in the user's browser, does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied JavaScript code.

Mitigation:
Users are advised to upgrade these UIMA components to the following levels:
  - Apache UIMA DUCC: upgrade to 3.0.0 or later

Credit: Marshall Schor

Jerry Cwiklik, on behalf of the Apache UIMA Team
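As an added illustration of the bug class the advisory describes (client-side JavaScript placing unfiltered user-supplied data into the page), not DUCC's own code: the job record, its fields and the sample values below are constructed, and the unfiltered rendering is shown beside its escaped form.

```javascript
// Illustrative example only; it is not taken from Apache UIMA DUCC.
// Field names (id, description) and sample values are constructed.

// The five characters that can break out of HTML text or attribute context,
// mapped to their entity forms.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value before it is concatenated into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Insufficiently filtered rendering: user-controlled text is concatenated
// straight into markup, so a value containing tags becomes live HTML.
function renderRowUnsafe(job) {
  return `<tr><td>${job.id}</td><td>${job.description}</td></tr>`;
}

// Hardened rendering: every untrusted value is escaped first, so the browser
// displays the text instead of interpreting it as elements or script.
function renderRowSafe(job) {
  return `<tr><td>${escapeHtml(job.id)}</td><td>${escapeHtml(job.description)}</td></tr>`;
}

// When a DOM node is at hand, assigning textContent avoids markup parsing
// entirely and needs no escaping (browser-only; not exercised in Node).
function setCellText(cell, value) {
  cell.textContent = String(value);
}

// Constructed sample: a job whose description carries markup.
const SAMPLE_JOB = {
  id: 42,
  description: '<script>alert("xss")</script> nightly run',
};
```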