From: Dave
To: dev@roller.apache.org, user@roller.apache.org
Date: Sat, 11 Jan 2014 17:12:23 -0500
Subject: CVE-2014-0030 Apache Roller XML-RPC susceptible to XML Extended Entity attacks

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Roller 4.0.0 and 4.0.1
Roller 5.0, 5.0.1 and 5.0.2
The unsupported Roller 3.1 release is also affected

Description:
Roller's XML-RPC protocol support was susceptible to XML Extended Entity based attacks. This vulnerability exists even if XML-RPC is disabled via the Roller Admin Console.

Mitigation:
Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.3
Roller 5.0, 5.0.1 and 5.0.2 users should upgrade to Roller 5.0.3
Roller 3.1 users should upgrade to Roller 5.0.3

Credit: Adam Baldwin
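The two points the advisory makes (entity-based attacks against the XML-RPC parser, and the bug being reachable even with XML-RPC disabled) correspond to two defensive properties of a request handler, shown here as an added Java example that is not Roller's code or the 5.0.3 fix: the enabled flag is checked before the body is ever parsed, and the parser that does run refuses any DOCTYPE, so no entity can be declared. The method name and request bodies are constructed; the feature URIs are those of the JDK's built-in Xerces parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlRpcEndpoint {

    // DOM parser that refuses any DOCTYPE, so a request cannot declare entities at all
    // (external, internal or parameter); the remaining features are belt-and-braces.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Check the enabled flag BEFORE parsing, so a disabled endpoint never feeds
    // attacker-controlled XML to a parser. Returns the called method name.
    static String handle(boolean xmlRpcEnabled, String body) throws Exception {
        if (!xmlRpcEnabled) {
            throw new IllegalStateException("XML-RPC disabled; request body not parsed");
        }
        Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(body)));
        return doc.getElementsByTagName("methodName").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign request (hypothetical method name): accepted.
        String benign = "<?xml version=\"1.0\"?><methodCall><methodName>demo.ping</methodName><params/></methodCall>";
        System.out.println("benign  -> " + handle(true, benign));

        // Constructed request declaring an entity in a DOCTYPE (an internal one suffices
        // to show the refusal): rejected before any entity is resolved.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE methodCall [<!ENTITY e \"x\">]>"
            + "<methodCall><methodName>&e;</methodName></methodCall>";
        try {
            handle(true, withDoctype);
            System.out.println("doctype -> accepted (parser is NOT hardened)");
        } catch (SAXException ex) {
            System.out.println("doctype -> rejected: " + ex.getMessage());
        }
    }
}
```

Running it prints the benign method name and then the Xerces "DOCTYPE is disallowed" rejection for the second request; passing `false` as the first argument to `handle` shows the disabled path refusing before the parser is touched.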