From: mibo
Reply-To: user@olingo.apache.org
To: announce@apache.org, user@olingo.apache.org, security@apache.org
Date: Wed, 4 Dec 2019 06:23:38 +0100
Subject: [SECURITY] CVE-2019-17554: XML External Entity resolution attack

CVE-2019-17554: XML External Entity resolution attack

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Olingo 4.0.0 to 4.6.0
The OData v2 versions of Olingo 2.x are not affected.

Description: The XML content type entity deserializer is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

Mitigation: 4.x.x users should upgrade to 4.7.0.

Credit: This issue was discovered by Archibald Haddock of Compass Security Schweiz AG.

Links: https://issues.apache.org/jira/browse/OLINGO-1409
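The class of misconfiguration described above, as an added example that is not Olingo's code: a StAX XMLInputFactory left at its defaults versus one configured to refuse DTDs and external entities, fed a constructed "application/xml" payload whose entity points at a placeholder URL. The class name, method names and sample payload are assumptions for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added example, not Olingo's own code: weak (default) StAX factory beside a hardened one.
public class XxeHardening {

    // Hypothetical helper: a factory that will not honour DOCTYPE declarations or external entities.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Refuse DTDs entirely; without a DTD no entity can be declared in the payload.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Belt and braces: never resolve external general entities even if a DTD were processed.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Returns the text of the first element, or throws if the parser rejects the document.
    static String firstElementText(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamReader.START_ELEMENT) {
                    return r.getElementText();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload: carries a DTD declaring an external entity at a placeholder URL.
        String untrusted = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://placeholder.invalid/resource\">]>"
            + "<d>&ext;</d>";
        String benign = "<d>hello</d>";

        XMLInputFactory hardened = hardenedFactory();
        System.out.println("benign: " + firstElementText(hardened, benign));
        try {
            firstElementText(hardened, untrusted);
            System.out.println("untrusted: parsed (unexpected)");
        } catch (XMLStreamException e) {
            // With SUPPORT_DTD=false the parser raises instead of fetching the external entity.
            System.out.println("untrusted: rejected -> " + e.getMessage());
        }
    }
}
```

The unpatched behaviour corresponds to calling `XMLInputFactory.newInstance()` without these two properties, which is what a deserializer exposed to untrusted "application/xml" bodies must never do.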