Posted to commits@karaf.apache.org by jb...@apache.org on 2019/01/03 06:59:02 UTC

[karaf-site] branch trunk updated: Update CVE with clearsign

This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/karaf-site.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 1eb9bab  Update CVE with clearsign
1eb9bab is described below

commit 1eb9bab5714c44d8ffa851e5eadd882c546c5f72
Author: Jean-Baptiste Onofré <jb...@apache.org>
AuthorDate: Thu Jan 3 07:58:51 2019 +0100

    Update CVE with clearsign
---
 src/main/webapp/documentation.html          |  4 +++
 src/main/webapp/security/cve-2014-0219.txt  | 45 +++++++++++++++++++++++++++++
 src/main/webapp/security/cve-2018-11787.txt | 19 ++++++++++++
 3 files changed, 68 insertions(+)

diff --git a/src/main/webapp/documentation.html b/src/main/webapp/documentation.html
index 3ed1e6f..10853fb 100644
--- a/src/main/webapp/documentation.html
+++ b/src/main/webapp/documentation.html
@@ -361,6 +361,10 @@
 								<p>CVE-2018-11787 : Unsecure access to Gogo shell in the webconsole.</p>
 								<a class="btn btn-outline-primary" href="security/cve-2018-11787.txt">Notes &raquo;</a>
 							</div>
+              <div class="pb-4 mb-3">
+                <p>CVE-2014-0219 : Apache Karaf enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.</p>
+                <a class="btn btn-outline-primary" href="security/cve-2014-0219.txt">Notes &raquo;</a>
+              </div>
 
             </div><!-- /.blog-main -->
         </div>
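Review bot: the indentation of the new `<div class="pb-4 mb-3">` block does not match its neighbours: the existing CVE-2018-11787 entry directly above is indented with tabs, while the four added lines use spaces. Re-indent the new block with the same tab run so the list of advisories stays consistent and later diffs are not polluted by whitespace churn. The wording itself is fine, but since the page already carries a "Notes" link per advisory, consider keeping the one-line summary short (the title of the .txt, "Apache Karaf bind shutdown port on loopback interface") and leaving the longer description to the signed notes file, as was done for CVE-2018-11787.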
diff --git a/src/main/webapp/security/cve-2014-0219.txt b/src/main/webapp/security/cve-2014-0219.txt
new file mode 100644
index 0000000..b26f072
--- /dev/null
+++ b/src/main/webapp/security/cve-2014-0219.txt
@@ -0,0 +1,45 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+CVE-2014-0219: Apache Karaf bind shutdown port on loopback interface
+
+Severity: Minor
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache Karaf prior to 4.0.10
+
+Description:
+
+Apache Karaf enables a shutdown port on the loopback interface, which 
+allows local users to cause a denial of service (shutdown) by sending 
+a shutdown command to all listening high ports.
+
+This has been fixed in revision:
+
+https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=99365a3
+
+Migration:
+
+Apache Karaf users should upgrade to 4.0.10 or later and disable the
+shutdown port.
+
+Credit: This issue was reported by Colm O hEigeartaigh of Talend.
+-----BEGIN PGP SIGNATURE-----
+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+=MziI
+-----END PGP SIGNATURE-----
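Review bot: the "fixed in revision" link, `https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=99365a3`, points at a different host from the one this very push went to (`https://gitbox.apache.org/repos/asf/karaf-site.git`); if git-wip-us is no longer the canonical host for the karaf repository, readers of the advisory will land on a dead link, so link the fixing commit via gitbox (or the GitHub mirror) and give the full commit hash rather than a 7-character prefix. Two smaller points: the Migration section says to "disable the shutdown port" but not where that is configured (presumably the karaf.shutdown.* settings in etc/config.properties, if that is where the port is set in the affected versions), so one line naming the file and property would make the advice actionable; and unlike cve-2018-11787.txt this file has no "JIRA Tickets:" line, so add the tracking issue if one exists. Note that any of these fixes after this commit will require re-signing the clearsigned text.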
diff --git a/src/main/webapp/security/cve-2018-11787.txt b/src/main/webapp/security/cve-2018-11787.txt
index 57ec837..93103d6 100644
--- a/src/main/webapp/security/cve-2018-11787.txt
+++ b/src/main/webapp/security/cve-2018-11787.txt
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
 CVS-2018-11787: Apache Karaf unsecure access to Gogo shell in the webconsole
 
 Severity: Moderate
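Review bot: the title line kept as unchanged context, `CVS-2018-11787: Apache Karaf unsecure access to Gogo shell in the webconsole`, misspells the identifier (CVS instead of CVE) and should read "insecure" rather than "unsecure". Because this commit wraps the file in a clearsigned message, any later correction to that line invalidates the signature and forces a re-sign, so fix the title to `CVE-2018-11787: Apache Karaf insecure access to Gogo shell in the webconsole` in this same commit, before signing.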
@@ -41,3 +44,19 @@ or later as soon as possible.
 JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-4993
 
 Credit: This issue was reported by Kevin Schmidt
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCAAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAlwtsoQACgkQv/LuQsgo
+LnaFTg//d5auXMS+5PBBDyNIqY6MVpBEWEqAgeir2eBBtj5vqACSRQh3+QcUFWAt
+a/nZpj6A/BNiuWDR5vYpbgmX0ywyPys7DHdJ8icoFzhqygZpm0UqTLhqKtgjHWy4
+SDBPQWbcybp5n+xXw2R6XoMvf2N3o9iGB/AjDXjPUqehMEfjUvlhfnqlJkurW0PH
+1TrgaP6IAUGk6bAijvQB7SuxUCJ1G+G6uFON7bT3J+5Ctj+kcLYUcCwKNJMFVXHg
+sbTB8GoG0U7wyA40+pTfhD4CeFAwmnT4LxXOSkJKIKNh11YNmBacxSu/7y/hQ8PS
+hRaoodHVQTnYV1kZZLsFR+W0s3uj5splfgucK37oIOIj8rvNSo/lZicgvG7k+2a+
+up0pBMja6DXJFHSFJT4HwTUQoaSbFdqdz4Oy+eZkiQfvyCGGlaaqi9EHb1uxS7ss
+/lGQbDQnKGNtIwNZgKxLtxv/Zcm95paMVGAQ7kiiIKYTnt68nMSmZGN+FJzQIWle
+HBapQAvd12HP6QHdsPACQTZKyCUkwa7sR5kM45gvyzx4jMTZqL9yaMcwK1VsBaRW
+lnlUmGBA5Zak3h01BdNrlDgK1R/iBPFtbnaWFf4UFsOfK5B4CtTClRkqGIF9N2VC
+/hcor/IbA9wSXJH7sR1mAvbt8dEGHHOAGDkPzQnpBWdCcr9j/pY=
+=1dSW
+-----END PGP SIGNATURE-----
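Review bot: the signature is only useful if readers know which key to check it against, and neither this file nor the "Notes" entry in documentation.html says whose key signed it or where to fetch it. Add a pointer (it can sit in the HTML entry, outside the signed region) to the project's KEYS file and the signer's key ID, plus the one-line check a reader should run, `gpg --verify cve-2018-11787.txt`, which works directly on a clearsigned document. Without that, the block at the end of the file is just opaque base64 to most visitors.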