Posted to commits@karaf.apache.org by jb...@apache.org on 2019/01/06 06:14:46 UTC

svn commit: r1850524 - in /karaf/site/production: archives.html community.html documentation.html download.html index.html news.html privacy.html projects.html security/cve-2018-11788.txt stories.html

Author: jbonofre
Date: Sun Jan  6 06:14:46 2019
New Revision: 1850524

URL: http://svn.apache.org/viewvc?rev=1850524&view=rev
Log:
[scm-publish] Updating main website contents

Added:
    karaf/site/production/security/cve-2018-11788.txt
Modified:
    karaf/site/production/archives.html
    karaf/site/production/community.html
    karaf/site/production/documentation.html
    karaf/site/production/download.html
    karaf/site/production/index.html
    karaf/site/production/news.html
    karaf/site/production/privacy.html
    karaf/site/production/projects.html
    karaf/site/production/stories.html

Modified: karaf/site/production/archives.html
URL: http://svn.apache.org/viewvc/karaf/site/production/archives.html?rev=1850524&r1=1850523&r2=1850524&view=diff
==============================================================================
--- karaf/site/production/archives.html (original)
+++ karaf/site/production/archives.html Sun Jan  6 06:14:46 2019
@@ -883,7 +883,7 @@
         <p class="pt-2"><a class="btn btn-primary" href="documentation.html" role="button">Read Documentation &raquo;</a></p>
       </div>
       <p class="float-right"><a href="#">Back to top</a></p>
-      <p>&copy; 2018 <a href="https://www.apache.org">Apache Software Foundation</a> -
+      <p>&copy; 2018-2019 <a href="https://www.apache.org">Apache Software Foundation</a> -
         <a href="privacy.html">Privacy Policy</a> -
         <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> -
         <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> -

Modified: karaf/site/production/community.html
URL: http://svn.apache.org/viewvc/karaf/site/production/community.html?rev=1850524&r1=1850523&r2=1850524&view=diff
==============================================================================
--- karaf/site/production/community.html (original)
+++ karaf/site/production/community.html Sun Jan  6 06:14:46 2019
@@ -138,7 +138,7 @@
                 </ul>
               <p>
                 If you'd rather have a more gentle introduction to working on the Karaf project, try looking at the test coverage report and help us get it even more green by supplying more test cases to get us closer to 100% coverage.
-              </p>              
+              </p>
             </div>
         </div>
 
@@ -146,8 +146,8 @@
             <div class="col">
               <h4 class="pb-3 mb-4">Report bugs and feature requests</h4>
               <p>Did you find a bug or want something implemented? Please report an issue in our <a href="https://issues.apache.org/jira/browse/KARAF">issue tracker</a>. When creating a bug make sure you document the steps to reproduce the issue and provide all necessary information like OS, versions your use, logs. When creating a feature request document your requirements first. Try to not directly describe the solution.</p>
-                
-              <p>If you want to dive into development yourself then you can also browse for open issues or features that need to be implemented. Take ownership of an issue and try fix it. Before doing a bigger change describe the concept/design of what you plan to do. If unsure if the design is good or will be accepted discuss it on the dev list.</p>             
+
+              <p>If you want to dive into development yourself then you can also browse for open issues or features that need to be implemented. Take ownership of an issue and try fix it. Before doing a bigger change describe the concept/design of what you plan to do. If unsure if the design is good or will be accepted discuss it on the dev list.</p>
             </div>
         </div>
 
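Review bot: the re-emitted paragraph on the `+` line still carries "Take ownership of an issue and try fix it", which should read "try to fix it"; since the line is being rewritten anyway for whitespace, fold the wording fix in. The unchanged context line just above it has the same kind of slip ("versions your use" for "versions you use"), which could be picked up in the same pass.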
@@ -177,7 +177,7 @@
                     <li>If your PR has conflicts with the master then rebase the branch. PRs with conflicts are unlikely to be applied</li>
                     <li>Do not change too much in a PR. The smaller the PR the easier it is to apply and the faster it will be done</li>
                     <li>Sometimes PRs get lost. Do not hesitate to ask on the dev list if your PR seems to be ignored</li>
-              </ul>            
+              </ul>
             </div>
         </div>
 
@@ -189,7 +189,7 @@
                 When reviewing check if the changes are done in a clean way and are tested with a unit and possibly integration test. Check that the build does not report more test failures than before. If you are not a committer then write a comment if you recommend a merge or not. Provide good instructions for the contributor how to improve his PR if it is not yet ok. Make sure you do a review timely. By commenting that you do a review you kind of block others from applying the change.</p>
               <p class="alert alert-primary" role="alert">
                 NB: Jenkins performs a build for each pull request. You can trigger a new build on a pull request using "retest this please" in a PR comment.
-              </p>      
+              </p>
             </div>
         </div>
 
@@ -197,7 +197,7 @@
             <div class="col">
               <h4 class="pb-3 mb-4">Apply pull requests</h4>
               <p>This can obviously only be done by a committer. Do the following steps.</p>
-                
+
                 <ul class="community">
                     <li>As one time config, you can rename your git remote and add apache one :<br/>
                         <code>> git remote add apache https://gitbox.apache.org/repos/asf/karaf.git</code><br/><br/>
@@ -214,7 +214,7 @@
                         <code>username  git@github.com:username/karaf.git (fetch)</code><br>
                         <code>username  git@github.com:username/karaf.git (push)</code>
                     </li>
-                    
+
                     <li>Checkout the PR :<br/>
                         <code>> git fetch --all</code><br>
                         <code>> git checkout -b pr-xxx github/pr/xxx</code>
@@ -229,7 +229,7 @@
                     <li>Make sure you document the fix in jira by adding the fix versions and resolve the jira issue.</li>
                     <li>You can delete the PR branch : <br>
                         <code>> git branch -D pr-xxx</code>.</li>
-                </ul>      
+                </ul>
             </div>
         </div>
 
@@ -251,7 +251,7 @@
               <p>If you are experiencing problems using Karaf then please report your problem to our <a href="https://issues.apache.org/jira/browse/KARAF">issue tracker</a>.
               You may also find it useful to discuss your issues with the community on the mailing lists or IRC.</p>
             </div>
-        </div>     
+        </div>
 
         <div class="row mb-5 mt-5">
             <div class="col">
@@ -487,7 +487,7 @@
                 </tr>
                 </tbody>
             </table>
-        </div>     
+        </div>
     </main>
 
     <!-- FOOTER -->
@@ -497,12 +497,12 @@
         <p class="pt-2"><a class="btn btn-primary" href="documentation.html" role="button">Read Documentation &raquo;</a></p>
       </div>
       <p class="float-right"><a href="#">Back to top</a></p>
-      <p>&copy; 2018 <a href="https://www.apache.org">Apache Software Foundation</a> - 
-        <a href="privacy.html">Privacy Policy</a> - 
-        <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> - 
-        <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> - 
-        <a target="_blank" href="https://www.apache.org/security/" title="Security">Security</a> - 
-        <a target="_blank" href="https://www.apache.org/foundation/sponsorship.html" title="Sponsorship">Sponsorship</a> - 
+      <p>&copy; 2018-2019 <a href="https://www.apache.org">Apache Software Foundation</a> -
+        <a href="privacy.html">Privacy Policy</a> -
+        <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> -
+        <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> -
+        <a target="_blank" href="https://www.apache.org/security/" title="Security">Security</a> -
+        <a target="_blank" href="https://www.apache.org/foundation/sponsorship.html" title="Sponsorship">Sponsorship</a> -
         <a target="_blank" href="https://www.apache.org/foundation/thanks.html" title="Thanks">Thanks</a><br/>
       Apache Karaf, Karaf, Apache, the Apache feather logo, and the Apache Karaf project logo are trademarks of The Apache Software Foundation.</p>
     </footer>

Modified: karaf/site/production/documentation.html
URL: http://svn.apache.org/viewvc/karaf/site/production/documentation.html?rev=1850524&r1=1850523&r2=1850524&view=diff
==============================================================================
--- karaf/site/production/documentation.html (original)
+++ karaf/site/production/documentation.html Sun Jan  6 06:14:46 2019
@@ -350,6 +350,10 @@
               <h2 class="pb-3 mb-4 font-italic border-bottom"><i class="fas fa-lock"></i> Security Advisories</h2>
 
               <div class="pb-4 mb-3">
+                <p>CVE-2014-0219 : Apache Karaf enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.</p>
+                <a class="btn btn-outline-primary" href="security/cve-2014-0219.txt">Notes &raquo;</a>
+              </div>
+              <div class="pb-4 mb-3">
                 <p>CVE-2016-8750 : Apache Karaf's LDAPLoginModule is vulnerable to LDAP injection.</p>
                 <a class="btn btn-outline-primary" href="security/cve-2016-8750.txt">Notes &raquo;</a>
               </div><!-- /.blog-post -->
@@ -361,10 +365,10 @@
 								<p>CVE-2018-11787 : Unsecure access to Gogo shell in the webconsole.</p>
 								<a class="btn btn-outline-primary" href="security/cve-2018-11787.txt">Notes &raquo;</a>
 							</div>
-              <div class="pb-4 mb-3">
-                <p>CVE-2014-0219 : Apache Karaf enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.</p>
-                <a class="btn btn-outline-primary" href="security/cve-2014-0219.txt">Notes &raquo;</a>
-              </div>
+							<div class="pb-4 mb-3">
+								<p>CVE-2018-11788 : XXE vulnerability found on Apache Karaf.</p>
+								<a class="btn btn-outline-primary" href="security/cve-2018-11788.txt">Notes &raquo;</a>
+							</div>
 
             </div><!-- /.blog-main -->
         </div>
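Review bot: the new CVE-2018-11788 block is indented with tabs (matching the CVE-2018-11787 block above it) while the CVE-2014-0219 block moved to the top of the list in the previous hunk uses spaces, so the advisory list now mixes both styles within one `<div>`; pick one for the whole list. The new entry's link target `security/cve-2018-11788.txt` does match the file added in this commit, and moving the 2014 entry to the top leaves the list in chronological order, which is the right outcome. The one-line summary "XXE vulnerability found on Apache Karaf" would help readers more if it named the affected component, e.g. "XXE in the features deployer", as the linked advisory does.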
@@ -573,7 +577,7 @@
         <p class="pt-2"><a class="btn btn-primary" href="documentation.html" role="button">Read Documentation &raquo;</a></p>
       </div>
       <p class="float-right"><a href="#">Back to top</a></p>
-      <p>&copy; 2018 <a href="https://www.apache.org">Apache Software Foundation</a> -
+      <p>&copy; 2018-2019 <a href="https://www.apache.org">Apache Software Foundation</a> -
         <a href="privacy.html">Privacy Policy</a> -
         <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> -
         <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> -

Modified: karaf/site/production/download.html
URL: http://svn.apache.org/viewvc/karaf/site/production/download.html?rev=1850524&r1=1850523&r2=1850524&view=diff
==============================================================================
--- karaf/site/production/download.html (original)
+++ karaf/site/production/download.html Sun Jan  6 06:14:46 2019
@@ -584,7 +584,7 @@
         <p class="pt-2"><a class="btn btn-primary" href="documentation.html" role="button">Read Documentation &raquo;</a></p>
       </div>
       <p class="float-right"><a href="#">Back to top</a></p>
-      <p>&copy; 2018 <a href="https://www.apache.org">Apache Software Foundation</a> -
+      <p>&copy; 2018-2019 <a href="https://www.apache.org">Apache Software Foundation</a> -
         <a href="privacy.html">Privacy Policy</a> -
         <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> -
         <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> -

Modified: karaf/site/production/index.html
URL: http://svn.apache.org/viewvc/karaf/site/production/index.html?rev=1850524&r1=1850523&r2=1850524&view=diff
==============================================================================
--- karaf/site/production/index.html (original)
+++ karaf/site/production/index.html Sun Jan  6 06:14:46 2019
@@ -337,7 +337,7 @@
         <p class="pt-2"><a class="btn btn-primary" href="documentation.html" role="button">Read Documentation &raquo;</a></p>
       </div>
       <p class="float-right"><a href="#">Back to top</a></p>
-      <p>&copy; 2018 <a href="https://www.apache.org">Apache Software Foundation</a> -
+      <p>&copy; 2018-2019 <a href="https://www.apache.org">Apache Software Foundation</a> -
         <a href="privacy.html">Privacy Policy</a> -
         <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> -
         <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> -

Modified: karaf/site/production/news.html
URL: http://svn.apache.org/viewvc/karaf/site/production/news.html?rev=1850524&r1=1850523&r2=1850524&view=diff
==============================================================================
--- karaf/site/production/news.html (original)
+++ karaf/site/production/news.html Sun Jan  6 06:14:46 2019
@@ -1358,7 +1358,7 @@
         <p class="pt-2"><a class="btn btn-primary" href="documentation.html" role="button">Read Documentation &raquo;</a></p>
       </div>
       <p class="float-right"><a href="#">Back to top</a></p>
-      <p>&copy; 2018 <a href="https://www.apache.org">Apache Software Foundation</a> -
+      <p>&copy; 2018-2019 <a href="https://www.apache.org">Apache Software Foundation</a> -
         <a href="privacy.html">Privacy Policy</a> -
         <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> -
         <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> -

Modified: karaf/site/production/privacy.html
URL: http://svn.apache.org/viewvc/karaf/site/production/privacy.html?rev=1850524&r1=1850523&r2=1850524&view=diff
==============================================================================
--- karaf/site/production/privacy.html (original)
+++ karaf/site/production/privacy.html Sun Jan  6 06:14:46 2019
@@ -86,9 +86,9 @@
                 We use the gathered information to help us make our site more useful to visitors and to better understand how and when our site is used. We do not track or collect personally identifiable information or associate gathered data with any personally identifying information from other sources.<br/>
                 <br/>
                 By using this website, you consent to the collection of this data in the manner and for the purpose described above.
-              </p>              
+              </p>
             </div>
-        </div>   
+        </div>
     </main>
 
     <!-- FOOTER -->
@@ -98,12 +98,12 @@
         <p class="pt-2"><a class="btn btn-primary" href="documentation.html" role="button">Read Documentation &raquo;</a></p>
       </div>
       <p class="float-right"><a href="#">Back to top</a></p>
-      <p>&copy; 2018 <a href="https://www.apache.org">Apache Software Foundation</a> - 
-        <a href="privacy.html">Privacy Policy</a> - 
-        <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> - 
-        <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> - 
-        <a target="_blank" href="https://www.apache.org/security/" title="Security">Security</a> - 
-        <a target="_blank" href="https://www.apache.org/foundation/sponsorship.html" title="Sponsorship">Sponsorship</a> - 
+      <p>&copy; 2018-2019 <a href="https://www.apache.org">Apache Software Foundation</a> -
+        <a href="privacy.html">Privacy Policy</a> -
+        <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> -
+        <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> -
+        <a target="_blank" href="https://www.apache.org/security/" title="Security">Security</a> -
+        <a target="_blank" href="https://www.apache.org/foundation/sponsorship.html" title="Sponsorship">Sponsorship</a> -
         <a target="_blank" href="https://www.apache.org/foundation/thanks.html" title="Thanks">Thanks</a><br/>
       Apache Karaf, Karaf, Apache, the Apache feather logo, and the Apache Karaf project logo are trademarks of The Apache Software Foundation.</p>
     </footer>

Modified: karaf/site/production/projects.html
URL: http://svn.apache.org/viewvc/karaf/site/production/projects.html?rev=1850524&r1=1850523&r2=1850524&view=diff
==============================================================================
--- karaf/site/production/projects.html (original)
+++ karaf/site/production/projects.html Sun Jan  6 06:14:46 2019
@@ -501,7 +501,7 @@
         <p class="pt-2"><a class="btn btn-primary" href="documentation.html" role="button">Read Documentation &raquo;</a></p>
       </div>
       <p class="float-right"><a href="#">Back to top</a></p>
-      <p>&copy; 2018 <a href="https://www.apache.org">Apache Software Foundation</a> -
+      <p>&copy; 2018-2019 <a href="https://www.apache.org">Apache Software Foundation</a> -
         <a href="privacy.html">Privacy Policy</a> -
         <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> -
         <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> -

Added: karaf/site/production/security/cve-2018-11788.txt
URL: http://svn.apache.org/viewvc/karaf/site/production/security/cve-2018-11788.txt?rev=1850524&view=auto
==============================================================================
--- karaf/site/production/security/cve-2018-11788.txt (added)
+++ karaf/site/production/security/cve-2018-11788.txt Sun Jan  6 06:14:46 2019
@@ -0,0 +1,33 @@
+CVS-2018-11788: XXE vulnerability found on Apache Karaf
+
+Severity: Moderate
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.1.7, 4.2.2.
+
+Description:
+
+Apache Karaf provides a features deployer, which allows users to "hot deploy"
+a features XML by dropping the file directly in the deploy folder.
+
+The features XML is parsed by XMLInputFactory class.
+
+Apache Karaf XMLInputFactory class doesn't contain any mitigation codes
+against XXE.
+This is a potential security risk as an user can inject external XML entities.
+
+The mitigation is to prevent XXE by disabling external entities loading feature
+in XMLInputFactory and XmlUtils.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=cc3332e
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=1ffa6d1
+
+Mitigation: Apache Karaf users should upgrade to 4.1.7, 4.2.2
+or later as soon as possible.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-5911
+
+Credit: This issue was reported by Brian Wang.
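
Review bot: the title on the first line reads "CVS-2018-11788" where the identifier is CVE-2018-11788 (as used in the file name, the documentation.html entry and the commit subject); a wrong prefix in the advisory title will defeat searches for the CVE number, so correct it before publishing. Two smaller wording points in the description: "an user" should be "a user", and "doesn't contain any mitigation codes against XXE" would be clearer as "does not disable external entity resolution". The mitigation paragraph would also be more useful to operators if it stated which StAX settings the fix changes; the standard `XMLInputFactory` properties for this are `javax.xml.stream.isSupportingExternalEntities` (set to false) and `javax.xml.stream.supportDTD` (set to false), and naming them lets users of unpatched builds verify their own parser configuration.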

Modified: karaf/site/production/stories.html
URL: http://svn.apache.org/viewvc/karaf/site/production/stories.html?rev=1850524&r1=1850523&r2=1850524&view=diff
==============================================================================
--- karaf/site/production/stories.html (original)
+++ karaf/site/production/stories.html Sun Jan  6 06:14:46 2019
@@ -176,7 +176,7 @@
         <p class="pt-2"><a class="btn btn-primary" href="documentation.html" role="button">Read Documentation &raquo;</a></p>
       </div>
       <p class="float-right"><a href="#">Back to top</a></p>
-      <p>&copy; 2018 <a href="https://www.apache.org">Apache Software Foundation</a> -
+      <p>&copy; 2018-2019 <a href="https://www.apache.org">Apache Software Foundation</a> -
         <a href="privacy.html">Privacy Policy</a> -
         <a target="_blank" href="https://www.apache.org/events/current-event.html" title="Apache Events">Apache Events</a> -
         <a target="_blank" href="https://www.apache.org/licenses/" title="Licenses">Licenses</a> -