Posted to commits@syncope.apache.org by il...@apache.org on 2018/03/19 11:15:02 UTC

svn commit: r1827186 - /syncope/site/security.html

Author: ilgrosso
Date: Mon Mar 19 11:15:02 2018
New Revision: 1827186

URL: http://svn.apache.org/viewvc?rev=1827186&view=rev
Log:
Keep security advisories sorted by date

Modified:
    syncope/site/security.html

Modified: syncope/site/security.html
URL: http://svn.apache.org/viewvc/syncope/site/security.html?rev=1827186&r1=1827185&r2=1827186&view=diff
==============================================================================
--- syncope/site/security.html (original)
+++ syncope/site/security.html Mon Mar 19 11:15:02 2018
@@ -1,6 +1,6 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8 
+ | Generated by Apache Maven Doxia Site Renderer 1.8
  | Rendered using Apache Maven Fluido Skin 1.5
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
@@ -15,15 +15,15 @@
     <link rel="stylesheet" href="./css/site.css" />
     <link rel="stylesheet" href="./css/print.css" media="print" />
 
-      
+
     <script type="text/javascript" src="./js/apache-maven-fluido-1.5.min.js"></script>
 
                       </head>
         <body class="topBarDisabled">
-          
-                
-                    
-    
+
+
+
+
         <div class="container-fluid">
           <div id="banner">
         <div class="pull-left">
@@ -37,7 +37,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-              
+
                               <li class="">
                     <a href="http://www.apache.org/" class="externalLink" title="Apache">
         Apache</a>
@@ -49,192 +49,192 @@
                     <span class="divider">/</span>
       </li>
         <li class="active ">Security Advisories</li>
-        
-              
-      
+
+
+
                             </ul>
       </div>
 
-                  
+
       <div class="row-fluid">
         <div id="leftColumn" class="span2">
           <div class="well sidebar-nav">
-              
+
                 <ul class="nav nav-list">
                     <li class="nav-header">Apache Syncope™</li>
-                              
+
       <li>
-  
+
                           <a href="iam-scenario.html" title="IAM Scenario">
           <span class="none"></span>
         IAM Scenario</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="architecture.html" title="Architecture">
           <span class="none"></span>
         Architecture</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="demo.html" title="Demo">
           <span class="none"></span>
         Demo</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="downloads.html" title="Downloads">
           <span class="none"></span>
         Downloads</a>
             </li>
-                
+
       <li class="active">
-  
+
             <a href="#"><span class="none"></span>Security Advisories</a>
           </li>
-                
+
       <li>
-  
+
                           <a href="docs/index.html" title="Documentation">
           <span class="none"></span>
         Documentation</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="mailing-lists.html" title="Mailing Lists">
           <span class="none"></span>
         Mailing Lists</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="team-list.html" title="Project Team">
           <span class="none"></span>
         Project Team</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="license.html" title="License">
           <span class="none"></span>
         License</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="professional-services.html" title="Professional Services">
           <span class="none"></span>
         Professional Services</a>
             </li>
                               <li class="nav-header">Development</li>
-                              
+
       <li>
-  
+
                           <a href="http://cwiki.apache.org/confluence/display/SYNCOPE/Roadmap" class="externalLink" title="Roadmap">
           <span class="none"></span>
         Roadmap</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="contributing.html" title="How to contribute?">
           <span class="none"></span>
         How to contribute?</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="source-repository.html" title="Source Repository">
           <span class="none"></span>
         Source Repository</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="integration.html" title="Continuous Integration">
           <span class="none"></span>
         Continuous Integration</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="issue-tracking.html" title="Issue Tracking">
           <span class="none"></span>
         Issue Tracking</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="building.html" title="Building">
           <span class="none"></span>
         Building</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="release-process.html" title="Release Process">
           <span class="none"></span>
         Release Process</a>
             </li>
                               <li class="nav-header">ASF</li>
-                              
+
       <li>
-  
+
                           <a href="http://www.apache.org/foundation/how-it-works.html" class="externalLink" title="How Apache Works">
           <span class="none"></span>
         How Apache Works</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="http://www.apache.org/foundation/" class="externalLink" title="Foundation">
           <span class="none"></span>
         Foundation</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="http://www.apache.org/foundation/sponsorship.html" class="externalLink" title="Sponsoring Apache">
           <span class="none"></span>
         Sponsoring Apache</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="http://www.apache.org/foundation/thanks.html" class="externalLink" title="Thanks">
           <span class="none"></span>
         Thanks</a>
             </li>
             </ul>
-              
-                
+
+
           <hr />
 
            <div id="poweredBy">
-                   
+
     <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
 
-    
+
     <div class="g-plusone" data-href="http://syncope.apache.org/" data-size="tall" ></div>
 
                    <div class="clear"></div>
-                   
-        
-        
-        
+
+
+
+
     <iframe src="https://www.facebook.com/plugins/like.php?href=http://syncope.apache.org/&send=false&layout=box_count&show-faces=false&action=like&colorscheme=light"
         scrolling="no" frameborder="0"
         style="border:none; width:71px; height:63px; margin-top: 10px;" ></iframe>
                <div class="clear"></div>
-               
-        
-        
+
+
+
         <div id="twitter">
-    
+
     <a href="https://twitter.com/syncopeidm" class="twitter-follow-button" data-show-count="false" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow syncopeidm</a>
     <script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
 
@@ -247,252 +247,250 @@
                   </div>
           </div>
         </div>
-        
-                        
+
+
         <div id="bodyColumn"  class="span10" >
-                                  
-            
 
-  
+
+
+
 
     <div class="section">
 <h2><a name="Security_Advisories"></a>Security Advisories</h2>
-      
+
 <p>This page lists all security vulnerabilities fixed in released versions of Apache Syncope.</p>
-      
+
 <p>Please note that binary patches are never provided. If you need to apply a source code patch, use the <a href="building.html">building instructions</a> or <a href="docs/getting-started.html#create-project">re-generate your Maven project</a> from published archetype.</p>
 
-      
+
 <p>If you want to report a vulnerability, please follow <a class="externalLink" href="http://www.apache.org/security/">the procedure</a>.</p>
 
-      
+
 <div class="section">
-<h3><a name="CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements"></a>CVE-2018-1321: Remote code execution by administrators with report and template entitlements</h3>	
-        
-<p>An administrator with report and template entitlements can use XSL Transformations (XSLT) to perform
-          malicious operations, including but not limited to file read, file write, and code execution.</p>
+<h3><a name="CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting"></a>CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting</h3>
+
+<p>An administrator with user search entitlements can recover sensitive security values using the
+          <tt>fiql</tt> and <tt>orderby</tt> parameters.</p>
+
 
-        
 <p>
           <b>Severity</b>
         </p>
-        
+
 <p>Medium</p>
 
-        
+
 <p>
           <b>Affects</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Releases prior to 1.2.11</li>
-            
+
 <li>Releases prior to 2.0.8</li>
           </ul>
-        
-        
+
+
 <p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p>
 
-        
+
 <p>
           <b>Solution</b>
         </p>
-        
-<p>
-          </p>
-<ul>
-            
-<li>Syncope 1.2.x users should upgrade to 1.2.11</li>
-            
-<li>Syncope 2.0.x users should upgrade to 2.0.8</li>
-          </ul>          
-        
-        
-        
-<p>
-          <b>Mitigation</b>
-        </p>
-        
-<p>Do not assign report and template entitlements to any administrator.</p>
 
-        
-<p>
-          <b>Fixed in</b>
-        </p>
-        
 <p>
           </p>
 <ul>
-            
-<li>Release 1.2.11</li>
-            
-<li>Release 2.0.8</li>
-          </ul>
-        
 
-        
-<p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321">full CVE advisory</a>.</p>
-      </div>
+<li>Syncope 1.2.x users should upgrade to 1.2.11</li>
 
-      
-<div class="section">
-<h3><a name="CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting"></a>CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting</h3>	
-        
-<p>An administrator with user search entitlements can recover sensitive security values using the
-          <tt>fiql</tt> and <tt>orderby</tt> parameters.</p>
+<li>Syncope 2.0.x users should upgrade to 2.0.8</li>
+          </ul>
 
-        
-<p>
-          <b>Severity</b>
-        </p>
-        
-<p>Medium</p>
 
-        
-<p>
-          <b>Affects</b>
-        </p>
-        
-<p>
-          </p>
-<ul>
-            
-<li>Releases prior to 1.2.11</li>
-            
-<li>Releases prior to 2.0.8</li>
-          </ul>
-        
-        
-<p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p>
 
-        
-<p>
-          <b>Solution</b>
-        </p>
-        
-<p>
-          </p>
-<ul>
-            
-<li>Syncope 1.2.x users should upgrade to 1.2.11</li>
-            
-<li>Syncope 2.0.x users should upgrade to 2.0.8</li>
-          </ul>          
-        
-        
-        
 <p>
           <b>Mitigation</b>
         </p>
-        
+
 <p>Do not assign user search entitlements to any administrator.</p>
 
-        
+
 <p>
           <b>Fixed in</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Release 1.2.11</li>
-            
+
 <li>Release 2.0.8</li>
           </ul>
-        
 
-        
+
+
 <p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322">full CVE advisory</a>.</p>
       </div>
 
-      
+      <div class="section">
+      <h3><a name="CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements"></a>CVE-2018-1321: Remote code execution by administrators with report and template entitlements</h3>
+
+      <p>An administrator with report and template entitlements can use XSL Transformations (XSLT) to perform
+                malicious operations, including but not limited to file read, file write, and code execution.</p>
+
+
+      <p>
+                <b>Severity</b>
+              </p>
+
+      <p>Medium</p>
+
+
+      <p>
+                <b>Affects</b>
+              </p>
+
+      <p>
+                </p>
+      <ul>
+
+      <li>Releases prior to 1.2.11</li>
+
+      <li>Releases prior to 2.0.8</li>
+                </ul>
+
+
+      <p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p>
+
+
+      <p>
+                <b>Solution</b>
+              </p>
+
+      <p>
+                </p>
+      <ul>
+
+      <li>Syncope 1.2.x users should upgrade to 1.2.11</li>
+
+      <li>Syncope 2.0.x users should upgrade to 2.0.8</li>
+                </ul>
+
+
+
+      <p>
+                <b>Mitigation</b>
+              </p>
+
+      <p>Do not assign report and template entitlements to any administrator.</p>
+
+
+      <p>
+                <b>Fixed in</b>
+              </p>
+
+      <p>
+                </p>
+      <ul>
+
+      <li>Release 1.2.11</li>
+
+      <li>Release 2.0.8</li>
+                </ul>
+
+
+
+      <p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321">full CVE advisory</a>.</p>
+            </div>
+
 <div class="section">
-<h3><a name="CVE-2014-3503:_Insecure_Random_implementations_used_to_generate_passwords"></a>CVE-2014-3503: Insecure Random implementations used to generate passwords</h3>	
-        
-<p>A password is generated for a user in Apache Syncope under certain  circumstances, when no existing password 
-          is found. However, the password generation code is relying on insecure Random implementations, which means 
+<h3><a name="CVE-2014-3503:_Insecure_Random_implementations_used_to_generate_passwords"></a>CVE-2014-3503: Insecure Random implementations used to generate passwords</h3>
+
+<p>A password is generated for a user in Apache Syncope under certain  circumstances, when no existing password
+          is found. However, the password generation code is relying on insecure Random implementations, which means
           that an attacker could attempt to guess a generated password.</p>
 
-        
+
 <p>
           <b>Affects</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Releases 1.1.0 to 1.1.7</li>
           </ul>
-        
 
-        
+
+
 <p>
           <b>Fixed in</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Revision <a class="externalLink" href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1596537">1596537</a></li>
-            
+
 <li>Release 1.1.8</li>
           </ul>
-        
 
-        
+
+
 <p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3503">full CVE advisory</a>.</p>
       </div>
 
-      
+
 <div class="section">
-<h3><a name="CVE-2014-0111:_Remote_code_execution_by_an_authenticated_administrator"></a>CVE-2014-0111: Remote code execution by an authenticated administrator</h3>	
-        
-<p>In the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, 
-          user / group templates, connObjectLinks of resource mappings) a malicious administrator can inject Java code 
+<h3><a name="CVE-2014-0111:_Remote_code_execution_by_an_authenticated_administrator"></a>CVE-2014-0111: Remote code execution by an authenticated administrator</h3>
+
+<p>In the various places in which Apache Commons JEXL expressions are allowed (derived schema definition,
+          user / group templates, connObjectLinks of resource mappings) a malicious administrator can inject Java code
           that can be executed remotely by the Java EE container running the Apache Syncope core.</p>
 
-        
+
 <p>
           <b>Affects</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Releases 1.0.0 to 1.0.8</li>
-            
+
 <li>Releases 1.1.0 to 1.1.6</li>
           </ul>
-        
 
-        
+
+
 <p>
           <b>Fixed in</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Revisions <a class="externalLink" href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1586349">1586349</a> / <a class="externalLink" href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1586317">1586317</a></li>
-            
+
 <li>Releases 1.0.9 / 1.1.7</li>
           </ul>
-        
 
-        
+
+
 <p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0111">full CVE advisory</a>.</p>
       </div>
     </div>
 
-  
+
 
                   </div>
             </div>
@@ -504,7 +502,7 @@
             <div class="container-fluid">
                       <div class="row-fluid">
                           Apache, Syncope, Apache Syncope, the Apache feather logo and the Apache Syncope project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.
-    
+
     <div class="pull-right">
       <script type="text/javascript" src="https://www.ohloh.net/p/syncope/widgets/project_thin_badge.js"></script>
       <a href="https://bestpractices.coreinfrastructure.org/projects/154">
@@ -522,7 +520,7 @@
     </div>
                 </div>
 
-        
+
                 </div>
     </footer>
         </body>