From: David S Taylor
Subject: [CVE-2016-0709] Apache Jetspeed information disclosure vulnerability
Message-Id: <281D02D0-6A03-4421-9D86-E73B001C8677@bluesunrise.com>
Date: Thu, 3 Mar 2016 13:16:00 -0800
To: Jetspeed Users List

CVE-2016-0709: Code execution via ZIP file path traversal

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Jetspeed 2.2.0 to 2.2.2
Jetspeed 2.3.0
The unsupported Jetspeed 2.1.x versions may also be affected

Description:
The Import/Export function in the Portal Site Manager, part of the
Jetspeed Administrative Portlets, is vulnerable to a path traversal via
specially crafted file names in ZIP archives. Any user with permission
to upload files via this function can upload a file with a name like
"../../../../tmp/foo" to write a file named "foo" in the /tmp directory.
This is because the code that performs the unzipping of the archive does
not check the validity of the file names before writing them to disk.
This can be turned into code execution by uploading a .jsp file and
writing it to somewhere on the file system where the web server will
execute it when visited.

Mitigation:
2.2.0 - 2.3.0 users should upgrade to 2.3.1

Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html