Posted to java-commits@axis.apache.org by ve...@apache.org on 2010/06/27 10:39:38 UTC

svn commit: r958350 - in /axis/axis2/java/core/security: CVE-2010-1632.pdf advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml

Author: veithen
Date: Sun Jun 27 08:39:37 2010
New Revision: 958350

URL: http://svn.apache.org/viewvc?rev=958350&view=rev
Log:
CVE-2010-1632: Updated the advisory with current information about vulnerable products and third party references.

Modified:
    axis/axis2/java/core/security/CVE-2010-1632.pdf
    axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml

Modified: axis/axis2/java/core/security/CVE-2010-1632.pdf
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/CVE-2010-1632.pdf?rev=958350&r1=958349&r2=958350&view=diff
==============================================================================
Binary files - no diff available.

Modified: axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml?rev=958350&r1=958349&r2=958350&view=diff
==============================================================================
--- axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml (original)
+++ axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml Sun Jun 27 08:39:37 2010
@@ -27,7 +27,7 @@
             <surname>Veithen</surname>
             <email>veithen@apache.org</email>
         </author>
-        <releaseinfo>First version: May 16, 2010 • First published: June 13, 2010 • Last updated: June 13, 2010</releaseinfo>
+        <releaseinfo>First version: May 16, 2010 • First published: June 13, 2010 • Last updated: June 27, 2010</releaseinfo>
     </articleinfo>
     <section>
         <title>Description</title>
@@ -134,17 +134,51 @@
         <section>
             <title>Other products</title>
             <para>
-                Axis2 is used in (or as the basis for) other products. This includes the Synapse,
-                ODE, Tuscany and Geronimo projects from the ASF, as well as several commercial
-                products. It is likely that these products are vulnerable as well.
+                Axis2 is used in (or as the basis for) other Open Source projects and
+                commercial products. It is likely that these products are vulnerable as well.
+                At the time of writing, the following information is available:
             </para>
+            <itemizedlist>
+                <listitem>
+                    <para>
+                        Axis2 is used by the Synapse, ODE, Tuscany and Geronimo projects
+                        from the ASF and it is expected that all these projects are
+                        vulnerable.
+                    </para>
+                </listitem>
+                <listitem>
+                    <para>
+                        Axis2 is used as the JAX-WS implementation in WebSphere Application
+                        Server 7.0 and in the Feature Pack for Web Services for WAS 6.1.
+                        Both are vulnerable. See
+                        <ulink url="http://www-01.ibm.com/support/docview.wss?uid=swg21433581"/>
+                        for details about the affected versions.
+                    </para>
+                </listitem>
+            </itemizedlist>
             <para>
                 It is possible that Web service frameworks other than Axis2 are affected by
-                similar vulnerabilities.
+                similar vulnerabilities. At the time of writing, the following information
+                is available:
             </para>
+            <itemizedlist>
+                <listitem>
+                    <para>
+                        Axis 1.4 is not vulnerable and immediately rejects any request
+                        containing a DOCTYPE declaration.
+                    </para>
+                </listitem>
+                <listitem>
+                    <para>
+                        A similar vulnerability exists in Apache CXF. Please refer to
+                        CVE-2010-2076 for more details.
+                    </para>
+                </listitem>
+            </itemizedlist>
             <para>
-                The exploits described in <xref linkend="exploits"/> may be used to check
-                whether a given product is vulnerable.
+                For projects and products not listed above or for which no information
+                is available, the exploits described in <xref linkend="exploits"/> may be
+                used to check for vulnerability.
             </para>
         </section>
     </section>
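Review bot: the Axis 1.4 item ("Axis 1.4 is not vulnerable and immediately rejects any request containing a DOCTYPE declaration") is the only claim in these two lists without a supporting reference, whereas the WebSphere item carries a ulink and the CXF item cites CVE-2010-2076; consider stating how this was verified (which Axis 1.4 build was tested, or a pointer to the relevant issue) so readers can distinguish a tested result from the "it is expected" wording used for the ASF projects. For consistency with the linked references elsewhere in this commit, the CXF entry could also wrap CVE-2010-2076 in a ulink to its CVE record.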
@@ -466,6 +500,31 @@ expected a '&lt;' to start a directive
             initially described in JIRA report
             AXIS2-4450<footnote><para><ulink url="https://issues.apache.org/jira/browse/AXIS2-4450"/></para></footnote>.
         </para>
+        <para>
+            The issue is tracked by third parties with the following references:
+        </para>
+        <itemizedlist>
+            <listitem>
+                <para>
+                    <ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1632">CVE-2010-1632</ulink>
+                </para>
+            </listitem>
+            <listitem>
+                <para>
+                    <ulink url="http://secunia.com/advisories/40252">Secunia Advisory SA40252</ulink>
+                </para>
+            </listitem>
+            <listitem>
+                <para>
+                    <ulink url="http://www.vupen.com/english/advisories/2010/1528">VUPEN/ADV-2010-1528</ulink>
+                </para>
+            </listitem>
+            <listitem>
+                <para>
+                    <ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=607118">Red Hat Bugzilla – Bug 607118</ulink>
+                </para>
+            </listitem>
+        </itemizedlist>
     </section>
     <section>
         <title>Contact</title>
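Review bot: the new third-party reference list at "The issue is tracked by third parties with the following references:" has no "at the time of writing" qualifier, unlike the two product lists added in the same commit, and vendor bug trackers and advisory IDs keep accumulating after publication; consider tying the intro to the "Last updated" date in releaseinfo so a reader can tell when the list was current. Minor: the entry labels mix three styles ("Secunia Advisory SA40252", "VUPEN/ADV-2010-1528", "Red Hat Bugzilla – Bug 607118"); a single "Source: identifier" form would read more uniformly.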