From commits-return-65085-archive-asf-public=cust-asf.ponee.io@camel.apache.org Wed Sep 12 13:47:35 2018
X-Original-To: archive-asf-public@cust-asf.ponee.io
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id A172E18077B; Wed, 12 Sep 2018 13:47:34 +0200 (CEST)
Received: (qmail 38142 invoked by uid 500); 12 Sep 2018 11:47:33 -0000
Mailing-List: contact commits-help@camel.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@camel.apache.org
Delivered-To: mailing list commits@camel.apache.org
Received: (qmail 37823 invoked by uid 99); 12 Sep 2018 11:47:33 -0000
Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 12 Sep 2018 11:47:33 +0000
Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id C392A82B91; Wed, 12 Sep 2018 11:47:32 +0000 (UTC)
Date: Wed, 12 Sep 2018 11:47:34 +0000
To: "commits@camel.apache.org"
Subject: [camel] 02/14: Security Advisories: Porting to docs
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
From: acosentino@apache.org In-Reply-To: <153675285228.27708.10424769041751758570@gitbox.apache.org> References: <153675285228.27708.10424769041751758570@gitbox.apache.org> X-Git-Host: gitbox.apache.org X-Git-Repo: camel X-Git-Refname: refs/heads/master X-Git-Reftype: branch X-Git-Rev: a530bf117653574b9a1c9a5e373b37a0684f853b X-Git-NotificationType: diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated Message-Id: <20180912114732.C392A82B91@gitbox.apache.org> This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/camel.git commit a530bf117653574b9a1c9a5e373b37a0684f853b Author: Andrea Cosentino AuthorDate: Wed Sep 12 13:38:57 2018 +0200 Security Advisories: Porting to docs --- .../en/security-advisories/CVE-2014-0002.txt.asc | 46 ++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/docs/user-manual/en/security-advisories/CVE-2014-0002.txt.asc b/docs/user-manual/en/security-advisories/CVE-2014-0002.txt.asc new file mode 100644 index 0000000..252af8d --- /dev/null +++ b/docs/user-manual/en/security-advisories/CVE-2014-0002.txt.asc 
@@ -0,0 +1,46 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +CVE-2014-0002: Apache Camel critical disclosure vulnerability + +Severity: Critical + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.11.0 to 2.11.3, Camel 2.12.0 to 2.12.2 +The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x and 2.10.x versions may be also affected. + +Description: The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route. A remote attacker able to submit messages to an xslt route could use this flaw to read files accessible to the running application server and potentially perform other more advanced XXE attacks. + +Mitigation: 2.11.x users should upgrade to 2.11.4, 2.12.x users should upgrade to 2.12.3. This patch will be included from Camel 2.13.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=341d4e6cca71c53c90962d1c3d45fc9e05cc50c6 + +Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file: + + + + + + +If an attacker is able to submit a message to this route, they can provide a message that is an XML document containing external entities. These entities will be resolved, and their contents included in the output of the transformation performed by the xslt route. + +Credit: This issue was discovered by David Jorm. 
+ +References: http://camel.apache.org/security-advisories.html +-----BEGIN PGP SIGNATURE----- +Version: GnuPG/MacGPG2 v2.0.22 (Darwin) +Comment: GPGTools - http://gpgtools.org + +iQIcBAEBAgAGBQJTENZhAAoJEImh9lEqI5wsukkP/2q4Tr9N2NMWYu9+5YYrpSST +TWnhcE7QGVOu3ITRp0WslzzJoa6Dl1q1XB7NRiV9CrHrUAk/GMaMo0M51ezaYUOq ++8HfiHpVbU+frk67bbTCceSug1xLsCb1upD0LUvM28siimMme2lmZtZuzKwYws2o +dG3gqIIgBYxl6Z6tKb7BIqQobsiK/50q5iZ1Z7PLT1hNrJvnBh0N6wgqfSPM0CLj +1NBN1xLJufcooT5pMYSXq8UAKvp9x7CymUTk/b/xbTGE5e8T/XNKAuXoe1/XRfMO +mETrN11hQdrEtflK9uOwHhDOu2SvsBBjBmDGY90K/Da1d1Hjued2Uaz3qGf4nQ9F +SVVLKfB4Z6VZkNqyjZ8JZjdJGWtrLMeixUxoGLKp8S2SXHG9HTfxh0a9GD7g3vfj +hO10B3qJKeWcVnBru4tRy/lmPfmCw28gizR4KEej4YFiPDFp60Z2Rxxsz5dHyOq6 +fUkOcCsMmLUoj1i3YoIcFDos8ZPl6Zuu1xkmOxq+hslixaT9ROUwfuIkV8lRofgT +c1A2Ao5FZu0UK7uR81TNflbTCy+4q7Wojfs6LMydU9VjcGkCl+ES2q9mtv3BE6rN +r69g5lba6ooyZEqPNvDGwTznQVUiHM5roaEooDYnTSU4FhT56isTANqaGncIXCnZ +t3sXFGy7PXvfxxpeKHTb +=VJ0D +-----END PGP SIGNATURE-----
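Review bot: the "Example:" section of this hunk is empty: after `+Example: Create a simple route which receives an HTTP request, apply a (safe) stylesheet and store the result in a file:` there are only blank `+` lines before `+If an attacker is able to submit a message to this route, ...`, so the route definition that the following paragraph refers to ("this route", "the xslt route") is missing from the ported file. Because the file is a PGP clearsigned message (`-----BEGIN PGP SIGNED MESSAGE-----` / `Hash: SHA1` ... `-----END PGP SIGNATURE-----`), the text between the header and the signature block has to match the originally signed bytes exactly, trailing whitespace and line endings included; please run the ported `CVE-2014-0002.txt.asc` through `gpg --verify` against the signing key from the project's KEYS file before merging, and if the example route was lost while porting, restore it by copying the original signed advisory rather than re-typing it, since any edit to the signed text invalidates the signature. Minor: the `References:` line points at `http://camel.apache.org/security-advisories.html` over plain HTTP, but as it is inside the signed text it cannot be changed here without re-signing; if an HTTPS link is wanted it belongs in the surrounding docs page, not in this file.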