Posted to commits@commons.apache.org by ch...@apache.org on 2017/09/27 12:22:42 UTC
svn commit: r1809835 - in /commons/proper/jelly/trunk/xdocs: changes.xml
download_jelly.xml navigation.xml security-reports.xml
Author: chtompki
Date: Wed Sep 27 12:22:42 2017
New Revision: 1809835
URL: http://svn.apache.org/viewvc?rev=1809835&view=rev
Log:
Trunk updates for commons-jelly-1.0.1
Added:
commons/proper/jelly/trunk/xdocs/security-reports.xml
Modified:
commons/proper/jelly/trunk/xdocs/changes.xml
commons/proper/jelly/trunk/xdocs/download_jelly.xml
commons/proper/jelly/trunk/xdocs/navigation.xml
Modified: commons/proper/jelly/trunk/xdocs/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/jelly/trunk/xdocs/changes.xml?rev=1809835&r1=1809834&r2=1809835&view=diff
==============================================================================
--- commons/proper/jelly/trunk/xdocs/changes.xml (original)
+++ commons/proper/jelly/trunk/xdocs/changes.xml Wed Sep 27 12:22:42 2017
@@ -29,7 +29,7 @@
<action dev="proyal" type="fix">Restored JellyContext.isCacheTags and its behavior for backwards compatibility</action>
<action dev="polx" type="fix">Moved to dom4j 1.6.1 and jaxen 1.1-beta-8</action>
</release>
- <release version="1.0.1" date="TBD">
+ <release version="1.0.1" date="2017-09-25">
<action dev="chtompki" type="fix" issue="JELLY-293">Accommodate toggling off DTD external entities.</action>
</release>
<release version="1.0" date="2005-06-12">
Modified: commons/proper/jelly/trunk/xdocs/download_jelly.xml
URL: http://svn.apache.org/viewvc/commons/proper/jelly/trunk/xdocs/download_jelly.xml?rev=1809835&r1=1809834&r2=1809835&view=diff
==============================================================================
--- commons/proper/jelly/trunk/xdocs/download_jelly.xml (original)
+++ commons/proper/jelly/trunk/xdocs/download_jelly.xml Wed Sep 27 12:22:42 2017
@@ -95,6 +95,36 @@ limitations under the License.
</p>
</subsection>
</section>
+ <section name="Commons Jelly 1.0.1 ">
+ <subsection name="Binaries">
+ <table>
+ <tr>
+ <td><a href="[preferred]/commons/jelly/binaries/commons-jelly-1.0.1.tar.gz">commons-jelly-1.0.1.tar.gz</a></td>
+ <td><a href="http://www.apache.org/dist/commons/jelly/binaries/commons-jelly-1.0.1.tar.gz.md5">md5</a></td>
+ <td><a href="http://www.apache.org/dist/commons/jelly/binaries/commons-jelly-1.0.1.tar.gz.asc">pgp</a></td>
+ </tr>
+ <tr>
+ <td><a href="[preferred]/commons/jelly/binaries/commons-jelly-1.0.1.zip">commons-jelly-1.0.1.zip</a></td>
+ <td><a href="http://www.apache.org/dist/commons/jelly/binaries/commons-jelly-1.0.1.zip.md5">md5</a></td>
+ <td><a href="http://www.apache.org/dist/commons/jelly/binaries/commons-jelly-1.0.1.zip.asc">pgp</a></td>
+ </tr>
+ </table>
+ </subsection>
+ <subsection name="Source">
+ <table>
+ <tr>
+ <td><a href="[preferred]/commons/jelly/source/commons-jelly-1.0-src.tar.gz">commons-jelly-1.0-src.tar.gz</a></td>
+ <td><a href="http://www.apache.org/dist/commons/jelly/source/commons-jelly-1.0-src.tar.gz.md5">md5</a></td>
+ <td><a href="http://www.apache.org/dist/commons/jelly/source/commons-jelly-1.0-src.tar.gz.asc">pgp</a></td>
+ </tr>
+ <tr>
+ <td><a href="[preferred]/commons/jelly/source/commons-jelly-1.0-src.zip">commons-jelly-1.0-src.zip</a></td>
+ <td><a href="http://www.apache.org/dist/commons/jelly/source/commons-jelly-1.0-src.zip.md5">md5</a></td>
+ <td><a href="http://www.apache.org/dist/commons/jelly/source/commons-jelly-1.0-src.zip.asc">pgp</a></td>
+ </tr>
+ </table>
+ </subsection>
+ </section>
<section name="Commons Jelly 1.0 ">
<subsection name="Binaries">
<table>
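Review bot: The Source table of the new "Commons Jelly 1.0.1" section points at the 1.0 artifacts — the four `<td>` links name `commons-jelly-1.0-src.tar.gz` / `commons-jelly-1.0-src.zip` and their `.md5` and `.asc` files — so a reader verifying the 1.0.1 source release would fetch and check 1.0 archives and signatures instead; each `1.0-src` in those rows should read `1.0.1-src`, e.g. `<td><a href="[preferred]/commons/jelly/source/commons-jelly-1.0.1-src.tar.gz">commons-jelly-1.0.1-src.tar.gz</a></td>`. The checksum column links only `.md5` files; the `.asc` PGP signature is the check that actually authenticates a download, and if the release also publishes SHA checksums (not visible in this hunk) linking those instead of MD5 would be preferable, as MD5 is no longer collision-resistant. The trailing space in `name="Commons Jelly 1.0.1 "` mirrors the existing 1.0 section heading and is presumably intentional, but it does become part of the rendered heading.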
Modified: commons/proper/jelly/trunk/xdocs/navigation.xml
URL: http://svn.apache.org/viewvc/commons/proper/jelly/trunk/xdocs/navigation.xml?rev=1809835&r1=1809834&r2=1809835&view=diff
==============================================================================
--- commons/proper/jelly/trunk/xdocs/navigation.xml (original)
+++ commons/proper/jelly/trunk/xdocs/navigation.xml Wed Sep 27 12:22:42 2017
@@ -29,6 +29,7 @@
<item name="Detail" href="/overview.html"/>
<item name="JellyDoc" href="/jellydoc.html"/>
<item name="Download" href="http://commons.apache.org/jelly/download_jelly.cgi" />
+ <item name="Security Reports" href="/security-reports.html" />
<item name="Tag Reference" href="/tag-reference/index.html" collapse="true">
<item name="All tags" href="/tag-reference/all.html" collapse="true">
<item name="ant:ant" href="/tag-reference/ant_ant.html"/>
Added: commons/proper/jelly/trunk/xdocs/security-reports.xml
URL: http://svn.apache.org/viewvc/commons/proper/jelly/trunk/xdocs/security-reports.xml?rev=1809835&view=auto
==============================================================================
--- commons/proper/jelly/trunk/xdocs/security-reports.xml (added)
+++ commons/proper/jelly/trunk/xdocs/security-reports.xml Wed Sep 27 12:22:42 2017
@@ -0,0 +1,111 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<document>
+
+ <properties>
+ <title>Security Reports</title>
+ <author email="dev@commons.apache.org">Apache Commons Development Team</author>
+ </properties>
+
+ <body>
+
+ <section name="Apache Commons Jelly Security Vulnerabilities">
+ <p>
+ This page lists all security vulnerabilities fixed in released versions of Apache Commons Jelly. Each
+ vulnerability is given a security impact rating by the development team - please note that this rating may
+ vary from platform to platform. We also list the versions of Commons Jelly the flaw is known to affect,
+ and where a flaw has not been verified list the version with a question mark.
+ </p>
+ <p>
+ Please note that binary patches are never provided. If you need to apply a source code patch, use the
+ building instructions for the Commons Jelly version that you are using.
+ </p>
+ <p>
+ If you need help on building Commons Jelly or other help on following the instructions to mitigate the
+ known vulnerabilities listed here, please send your questions to the public
+ <a href="http://commons.apache.org/mail-lists.html">Commons Users mailing list</a>.
+ </p>
+ <p>
+ If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security
+ impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team.
+ Thank you.
+ </p>
+ <p>
+ For information about reporting or asking questions about security problems, please see the
+ <a href="http://commons.apache.org/security.html">security page of the Apache Commons project</a>.
+ </p>
+ </section>
+
+ <section name="Fixed in Apache Commons Jelly 1.0.1">
+ <p>
+ <strong><em>CVE-2017-12621.</em></strong> Apache Commons Jelly connects to url with certain custom doctype definitions.
+ </p>
+ <p>
+ <strong>Severity:</strong> Medium
+ </p>
+ <p>
+ <strong>Vendor:</strong>
+ The Apache Software Foundation
+ </p>
+ <p>
+ <strong>Versions Affected:</strong>
+ commons-jelly-1.0 (core), namely commons-jelly-1.0.jar
+ </p>
+ <p>
+ <strong>Description:</strong>
+ During jelly (xml) file parsing with xerces, if a custom doctype entity is declared with a âSYSTEMâ entity with a url and that entity is used in the body of the jelly file, during parser instantiation the parser will attempt to connect to said url. This could be a cross site scripting concern. The Open Web Application Security Project suggests that the fix be https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader
+ </p>
+ <p>
+ <strong>Mitigation:</strong>
+ 1.0 users should migrate to 1.0.1.
+ </p>
+ <p>
+ <strong>Credit:</strong>
+ This was discovered by Luca Carettoni of Doyensec.
+ </p>
+ <p>
+ <strong>Example:</strong>
+ </p>
+ <em>example.jelly</em>
+ <div class="source"><pre><?xml version="1.0"?>
+<!DOCTYPE r [
+ <!ELEMENT r ANY >
+ <!ENTITY sp SYSTEM "http://127.0.0.1:4444/">
+ ]>
+<r>&sp;</r>
+<j:jelly trim="false" xmlns:j="jelly:core"
+ xmlns:x="jelly:xml"
+ xmlns:html="jelly:html">
+</j:jelly></pre></div>
+
+ <em>ExampleParser.java</em>
+ <div class="source"><pre>public class ExampleParser {
+ public static void main(String[] args) throws JellyException, IOException,
+ NoSuchMethodException, IllegalAccessException,IllegalArgumentException,
+ InvocationTargetException {
+ JellyContext context = new JellyContext();
+ context.runScript("example.jelly", null);
+ }
+}</pre></div>
+ </section>
+
+
+ </body>
+
+</document>
\ No newline at end of file
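Review bot: The example.jelly listing inside `<div class="source"><pre>` appears here with a literal `<!DOCTYPE r [ … ]>` block and an undeclared `&sp;` reference in element content, which is not well-formed XML and would break the xdoc build; if the committed file really carries them unescaped rather than as `&lt;!DOCTYPE` / `&amp;sp;` that this plain-text view decoded, they need escaping. The Description paragraph contains mis-encoded quotation marks around SYSTEM (`âSYSTEMâ`) and the prolog on the file's first line declares no encoding; `<?xml version="1.0" encoding="UTF-8"?>` together with re-saving the file as UTF-8 would fix both. That same paragraph calls the issue "a cross site scripting concern", but the behaviour it describes — the parser fetching a SYSTEM URL named in an attacker-supplied DTD — is an XML External Entity (XXE) issue whose impact is server-side request forgery and possible disclosure of local resources, so the wording should say so, consistent with the OWASP XXE cheat sheet the paragraph already cites. The Mitigation paragraph only says to migrate to 1.0.1, while the changes.xml entry in this same commit describes the fix as "Accommodate toggling off DTD external entities"; if external-entity loading is an option rather than disabled by default in 1.0.1, this page should also state how to turn it off.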