Posted to commits@cxf.apache.org by bu...@apache.org on 2014/04/30 18:46:51 UTC

svn commit: r907482 - in /websites/production/cxf/content: ./ cache/ security-advisories.data/

Author: buildbot
Date: Wed Apr 30 16:46:50 2014
New Revision: 907482

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/security-advisories.data/CVE-2014-0034.txt.asc
    websites/production/cxf/content/security-advisories.data/CVE-2014-0035.txt.asc
    websites/production/cxf/content/security-advisories.data/CVE-2014-0109.txt.asc
    websites/production/cxf/content/security-advisories.data/CVE-2014-0110.txt.asc
Modified:
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/security-advisories.html

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/cxf/content/security-advisories.data/CVE-2014-0034.txt.asc
==============================================================================
--- websites/production/cxf/content/security-advisories.data/CVE-2014-0034.txt.asc (added)
+++ websites/production/cxf/content/security-advisories.data/CVE-2014-0034.txt.asc Wed Apr 30 16:46:50 2014
@@ -0,0 +1,49 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+CVE-2014-0034: The SecurityTokenService accepts certain invalid SAML Tokens as valid
+
+Severity: Major
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache CXF prior to 2.6.12
+and 2.7.9.
+
+Description:
+
+The SecurityTokenService (STS) provided as part of Apache CXF has bindings to
+issue, validate, renew and cancel tokens. The main use-case is to issue SAML
+tokens. However, a less common use-case is to use the STS to validate SAML
+tokens. The vulnerability is that there are certain circumstances in which the
+STS will accept an invalid SAML token as valid if caching is enabled.
+
+This has been fixed in revisions:
+
+http://svn.apache.org/viewvc?view=revision&revision=1551228
+
+Migration:
+
+Although this vulnerability has been fixed in CXF 2.6.12 and 2.7.9, due to 
+other security advisories it is recommended to upgrade to the following
+releases:
+
+CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
+CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.
+
+References: http://cxf.apache.org/security-advisories.html
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.14 (GNU/Linux)
+
+iQEcBAEBAgAGBQJTPq+DAAoJEGe/gLEK1TmDkYIH/jZzuSAA43eI/MhFRuFDEpIJ
+/xI7xCk1jzFxoWNY9wBYdleYsI67Fwg6IZ6wyLuATicZRJxR+XVOMtglT7NLU4hd
+ucml3AU8ahUNANebttK8/uJMXVmGRYq5YrcQivkz+D2Z57GFLYP4xD16RlSRoQ8u
+14f47wgoDw3P6S1daRGnJTG03A1re+iTADPuFvB4njMCGHQN2a0+3KzD15NZHEhF
+owN0BEj7T2tAVAOBgLqy9n9XbnmmXIUgKXaqyfYmZOi4wy7oCHYC+yPt5fiaAhvL
+TtzE7SjiPw6GAzC5NMSpjJYoPp8t1CaCwvnG8R0vOKgKtz6B6xT5rNBPNctkO8A=
+=b4dY
+-----END PGP SIGNATURE-----
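Review bot: the Description says the STS accepts an invalid SAML token "in certain circumstances" and only "if caching is enabled", but never names the circumstances or says whether disabling the token cache is a valid interim workaround for deployments that cannot upgrade; with only the revision link r1551228 given, an operator has to read the diff to find out. Suggest adding a Workaround line stating either that disabling caching on the validate binding removes the exposure or that no workaround exists short of upgrading, and a sentence on what the fix actually checks, so sites can verify the behaviour after patching.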

Added: websites/production/cxf/content/security-advisories.data/CVE-2014-0035.txt.asc
==============================================================================
--- websites/production/cxf/content/security-advisories.data/CVE-2014-0035.txt.asc (added)
+++ websites/production/cxf/content/security-advisories.data/CVE-2014-0035.txt.asc Wed Apr 30 16:46:50 2014
@@ -0,0 +1,48 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+CVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
+
+Severity: Major
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache CXF prior to 2.6.13
+and 2.7.10.
+
+Description:
+
+UsernameTokens are sent in plaintext, i.e. not encrypted, by a CXF client that
+uses a SymmetricBinding with EncryptBeforeSigning enabled, and a UsernameToken
+policy that is a *EncryptedSupportingToken. No other binding is affected, and
+SignBeforeEncrypting is not affected either.
+
+This has been fixed in revisions:
+
+http://svn.apache.org/viewvc?view=revision&revision=1564724
+
+Migration:
+
+Although this vulnerability has been fixed in CXF 2.6.13 and 2.7.10, due to 
+other security advisories it is recommended to upgrade to the following
+releases:
+
+CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
+CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.
+
+References: http://cxf.apache.org/security-advisories.html
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.14 (GNU/Linux)
+
+iQEcBAEBAgAGBQJTPq+aAAoJEGe/gLEK1TmDr+YH/2444g2JjtGPNO3vOD3VQPQU
+9O19UYQEhIuCw/fupz443Jgbk7UFBD7YbcgOTx/5j0n7WKsPHSJ4p7U5vjOQ0jKQ
+t+8azHqaD/OvkVTfz/gi58BwD77vAzSc/yrKgjuZl+3Yc6+Sljehi2CsLFXOzlH+
+C353baE/4uCTgW9varZGcFc3b7yi4GA47D9oz8vU7sTVJMzWC67+rQs9GCSp61El
+eOyN+4PE4gpFUbiuQqiprwNIb4y52JrY7ew94QbzDhLi+dJdH4w1FlOUUX6MXqqX
+nBC56gEyuqImiRdfGqfwQd5G53/SEhZEsGl3XchixKFEzyIIwu+0FuOpMQ4/RwE=
+=DEQg
+-----END PGP SIGNATURE-----
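Review bot: the Description correctly scopes the defect to "a CXF client", but the Migration section only lists releases to upgrade to; since the token is sent in plaintext by the sending side, upgrading servers does nothing, and any UsernameToken credentials that affected clients sent over a transport without TLS should be treated as exposed. Suggest stating explicitly that the upgrade must be applied to clients and adding a recommendation to rotate those credentials where the transport was not protected. Separately, the clearsigned block is digested with "Hash: SHA1" (the GnuPG 1.4.14 default); signing with --digest-algo SHA256, or setting "personal-digest-preferences SHA256" in gpg.conf, would avoid relying on SHA-1 for future advisories.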

Added: websites/production/cxf/content/security-advisories.data/CVE-2014-0109.txt.asc
==============================================================================
--- websites/production/cxf/content/security-advisories.data/CVE-2014-0109.txt.asc (added)
+++ websites/production/cxf/content/security-advisories.data/CVE-2014-0109.txt.asc Wed Apr 30 16:46:50 2014
@@ -0,0 +1,49 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+CVE-2014-0109: HTML content posted to SOAP endpoint could cause OOM errors
+
+Severity: Major
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache CXF prior to 2.6.14
+and 2.7.11.
+
+Description:
+
+If content is posted to a SOAP endpoint with Content-Type text/html, CXF
+creates an error message based on the input. This could potentially cause a
+Out Of Memory (OOM) error on a large input, leading to a possible Denial of
+Service attack.
+
+This has been fixed in revisions:
+
+https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=f8ed98e684c1a67a77ae8726db05a04a4978a445
+
+Migration:
+
+CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
+CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.
+
+References: http://cxf.apache.org/security-advisories.html
+
+Credits:
+
+We would like to thank Giancarlo Pellegrino and Davide Balzarotti for 
+reporting this issue.
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.14 (GNU/Linux)
+
+iQEcBAEBAgAGBQJTPtOJAAoJEGe/gLEK1TmDIJoIAKfpcrSBFlqCzjjEbRD179WM
+lATyKYZTSDOeZ0oF+Qvs13y1nNXxjAt60krKmkYaTov460kKcnlTA07UXcKh4PBl
+5YeKJkm8COtc73uA2paMUFi2YJHP5m1NG3FML59364JJ4QgbJibrCOnLxdNM8LSF
+KCvOyZ0CL5ua4MLpU3NisH9BUcBr5LI1agD2jycZZSmAAds2umRPj0hEa2g50Yuq
+Zk43/5p/GBqQZDddu1ZM2GZmheFIsCFEgtceqFoBxQCiYi1hGnXgd78dI66jgzlO
+QmsOzuZ2noISMKo5zxo2TSjxeverKRGeLNlGptNdWzLXqyOsUzUQTjccMDCc/jA=
+=aGbT
+-----END PGP SIGNATURE-----
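Review bot: the Description explains the trigger but not the fix, so an operator cannot tell whether the fixed releases stop echoing posted text/html content into the fault message or merely bound its size; one sentence on what commit f8ed98e changes would let sites verify the behaviour. An interim mitigation line would also help sites that cannot upgrade immediately, for example capping request body size at a fronting reverse proxy and rejecting Content-Type values a SOAP endpoint never expects. Minor: "a Out Of Memory (OOM) error" should read "an Out Of Memory (OOM) error".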

Added: websites/production/cxf/content/security-advisories.data/CVE-2014-0110.txt.asc
==============================================================================
--- websites/production/cxf/content/security-advisories.data/CVE-2014-0110.txt.asc (added)
+++ websites/production/cxf/content/security-advisories.data/CVE-2014-0110.txt.asc Wed Apr 30 16:46:50 2014
@@ -0,0 +1,49 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+CVE-2014-0110: Large invalid content could cause temporary space to fill
+
+Severity: Major
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache CXF prior to 2.6.14
+and 2.7.11.
+
+Description:
+
+If a SOAP message generates a fault on parsing or processing, but is not 
+fully consumed, it is possible to cause the server to read all of the remaining
+data and to save it to a temp file. By dynamically creating data, you can
+cause the entire /tmp directory to fill.
+
+This has been fixed in revisions:
+
+https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=8f4799b5bc5ed0fe62d6e018c45d960e3652373e
+
+Migration:
+
+CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
+CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.
+
+References: http://cxf.apache.org/security-advisories.html
+
+Credits:
+
+We would like to thank Giancarlo Pellegrino and Davide Balzarotti for
+reporting this issue.
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.14 (GNU/Linux)
+
+iQEcBAEBAgAGBQJTWjoYAAoJEGe/gLEK1TmDmWgIAJVPFiIzfem+iruFllyxYzqP
+0GOxYHq/ASUcBF3xXKM6hWU7RuNYloR2xIuG1En4IRtcCbxCuCjTHaqe7FBvGuW6
+emcwd9vWKl3RGi7PRXCQAeVmvWR1Du+NqorGulG5K1IuiUm1EW9ae9jC/3/OXUhx
+UPa1DZTdSNWHpCwDjCWz/cG30oa9jQwZO/59kJXJFpp9ard348W0ksGZzewRUwDs
+uWZ7dsL6TcatuX/Z3oUB7HlwUXSxG4pPUdmnXuJyIA4x5QVO/YQLrN+4kKneSxsB
+l4lHEHdj0BlcItJhl8ry2WHiw6u3O+dqPveOy7b07SR3osyb+jTlFTUa16aM1hM=
+=gBGp
+-----END PGP SIGNATURE-----
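Review bot: the Description addresses the reader as the attacker ("By dynamically creating data, you can cause the entire /tmp directory to fill"); rephrase in the impersonal form the other advisories use, e.g. "an attacker can cause the temporary directory to fill", and refer to the JVM temporary directory (java.io.tmpdir) rather than /tmp, since the location is platform dependent. As with CVE-2014-0109 the advisory gives no interim mitigation: a request size limit in front of the service, a dedicated filesystem or quota for the temp directory, and alerting on its free space would give operators something to act on before they can upgrade, and the free-space alert is also the practical detection for this issue.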

Modified: websites/production/cxf/content/security-advisories.html
==============================================================================
--- websites/production/cxf/content/security-advisories.html (original)
+++ websites/production/cxf/content/security-advisories.html Wed Apr 30 16:46:50 2014
@@ -99,20 +99,7 @@ Apache CXF -- Security Advisories
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent">
-<h3 id="SecurityAdvisories-2013">2013</h3>
-
-<ul><li><a shape="rect" href="security-advisories.data/CVE-2013-2160.txt.asc?version=1&amp;modificationDate=1372324301000&amp;api=v2">CVE-2013-2160</a> - Denial of Service Attacks on Apache CXF</li><li><a shape="rect" href="cve-2012-5575.html">Note on CVE-2012-5575</a> - XML Encryption backwards compatibility attack on Apache CXF.</li><li><a shape="rect" href="cve-2013-0239.html">CVE-2013-0239</a> - Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.</li></ul>
-
-
-<h3 id="SecurityAdvisories-2012">2012</h3>
-
-<ul><li><a shape="rect" href="cve-2012-5633.html">CVE-2012-5633</a> - WSS4JInInterceptor always allows HTTP Get requests from browser.</li><li><a shape="rect" href="note-on-cve-2011-2487.html">Note on CVE-2011-2487</a> - Bleichenbacher attack against distributed symmetric key in WS-Security.</li><li><a shape="rect" href="cve-2012-3451.html">CVE-2012-3451</a> - Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.</li><li><a shape="rect" href="cve-2012-2379.html">CVE-2012-2379</a> - Apache CXF does not verify that elements were signed or encrypted by a particular Supporting Token.</li><li><a shape="rect" href="cve-2012-2378.html">CVE-2012-2378</a> - Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.</li><li><a shape="rect" href="note-on-cve-2011-1096.html">Note on CVE-2011-1096</a> - XML Encryption flaw / Character pattern encoding attack.</li><li><a shape="rect" href="cve
 -2012-0803.html">CVE-2012-0803</a> - Apache CXF does not validate UsernameToken policies correctly.</li></ul>
-
-
-<h3 id="SecurityAdvisories-2010">2010</h3>
-
-<ul><li><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a> - DTD based XML attacks.</li></ul></div>
+<div id="ConfluenceContent"><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2014-0109.txt.asc?version=1&amp;modificationDate=1398873370740&amp;api=v2">CVE-2014-0109</a>: HTML content posted to SOAP endpoint could cause OOM errors</li><li><a shape="rect" href="security-advisories.data/CVE-2014-0110.txt.asc?version=1&amp;modificationDate=1398873378628&amp;api=v2">CVE-2014-0110</a>: Large invalid content could cause temporary space to fill</li><li><a shape="rect" href="security-advisories.data/CVE-2014-0034.txt.asc?version=1&amp;modificationDate=1398873385252&amp;api=v2">CVE-2014-0034</a>: The SecurityTokenService accepts certain invalid SAML Tokens as valid</li><li><a shape="rect" href="security-advisories.data/CVE-2014-0035.txt.asc?version=1&amp;modificationDate=1398873391788&amp;api=v2">CVE-2014-0035</a>: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy</li></ul><h3 id="SecurityAdvisories-2013">201
 3</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2013-2160.txt.asc?version=1&amp;modificationDate=1372324301000&amp;api=v2">CVE-2013-2160</a> - Denial of Service Attacks on Apache CXF</li><li><a shape="rect" href="cve-2012-5575.html">Note on CVE-2012-5575</a> - XML Encryption backwards compatibility attack on Apache CXF.</li><li><a shape="rect" href="cve-2013-0239.html">CVE-2013-0239</a> - Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.</li></ul><h3 id="SecurityAdvisories-2012">2012</h3><ul><li><a shape="rect" href="cve-2012-5633.html">CVE-2012-5633</a> - WSS4JInInterceptor always allows HTTP Get requests from browser.</li><li><a shape="rect" href="note-on-cve-2011-2487.html">Note on CVE-2011-2487</a> - Bleichenbacher attack against distributed symmetric key in WS-Security.</li><li><a shape="rect" href="cve-2012-3451.html">CVE-2012-3451</a> - Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web serv
 ices.</li><li><a shape="rect" href="cve-2012-2379.html">CVE-2012-2379</a> - Apache CXF does not verify that elements were signed or encrypted by a particular Supporting Token.</li><li><a shape="rect" href="cve-2012-2378.html">CVE-2012-2378</a> - Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.</li><li><a shape="rect" href="note-on-cve-2011-1096.html">Note on CVE-2011-1096</a> - XML Encryption flaw / Character pattern encoding attack.</li><li><a shape="rect" href="cve-2012-0803.html">CVE-2012-0803</a> - Apache CXF does not validate UsernameToken policies correctly.</li></ul><h3 id="SecurityAdvisories-2010">2010</h3><ul><li><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a> - DTD based XML attacks.</li></ul></div>
            </div>
            <!-- Content -->
          </td>
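Review bot: the new 2014 list uses "CVE-2014-0109: HTML content ..." while every earlier year on the same page uses "CVE-2013-2160 - Denial of Service ...", so the page now mixes two separators; pick one for all entries. The 2014 entries are also not in a consistent order (0109, 0110, 0034, 0035), and the four new hrefs carry Confluence export parameters ("?version=1&amp;modificationDate=...&amp;api=v2") that mean nothing on the static site and will churn on every re-export, so plain "security-advisories.data/CVE-2014-0034.txt.asc" links would be more stable. Finally, the whole content div is collapsed into one line, which makes future diffs of this page unreadable; keeping the previous one-element-per-line layout would make later advisory additions reviewable.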