Posted to commits@portals.apache.org by ta...@apache.org on 2016/03/03 21:54:50 UTC

svn commit: r1733520 - in /portals/site/jetspeed/jetspeed-2.3/src/site: site.xml xdoc/roadmap.xml xdoc/security-reports.xml

Author: taylor
Date: Thu Mar  3 20:54:49 2016
New Revision: 1733520

URL: http://svn.apache.org/viewvc?rev=1733520&view=rev
Log:
adding Security Reports to site. Updating Roadmap

Added:
    portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml
      - copied, changed from r1693286, portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml
Modified:
    portals/site/jetspeed/jetspeed-2.3/src/site/site.xml
    portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml

Modified: portals/site/jetspeed/jetspeed-2.3/src/site/site.xml
URL: http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.3/src/site/site.xml?rev=1733520&r1=1733519&r2=1733520&view=diff
==============================================================================
--- portals/site/jetspeed/jetspeed-2.3/src/site/site.xml (original)
+++ portals/site/jetspeed/jetspeed-2.3/src/site/site.xml Thu Mar  3 20:54:49 2016
@@ -44,6 +44,7 @@
         <item name="Getting Started" href="getting-started.html" />
        	<!--<item name="Online Demos" href="demo.html"/>-->
         <item name="Roadmap" href="roadmap.html" />
+        <item name="Security Reports" href="security-reports.html" />
     </menu>
         
    	<menu name="Get Jetspeed">
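Review bot: the added `<item name="Security Reports" href="security-reports.html" />` is indented with spaces while the surrounding lines in this menu mix tabs and spaces (the commented-out "Online Demos" item and the `<menu name="Get Jetspeed">` line both start with a tab), so the file now has three different indentation styles in one block; worth normalising to spaces while touching it. The link target matches the new `security-reports.xml` xdoc added in this commit, so the menu entry itself is fine.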

Modified: portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml
URL: http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml?rev=1733520&r1=1733519&r2=1733520&view=diff
==============================================================================
--- portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml (original)
+++ portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml Thu Mar  3 20:54:49 2016
@@ -17,55 +17,60 @@
 -->
 <document>
     <properties>
-    	<title>Jetspeed Roadmap</title>
-	<subtitle>Roadmap</subtitle>
-	<authors>
-            <person name="David Sean Taylor" email="taylor@apache.org" />
-	</authors>
+        <title>Jetspeed Roadmap</title>
+        <subtitle>Roadmap</subtitle>
+        <authors>
+            <person name="David Sean Taylor" email="taylor@apache.org"/>
+        </authors>
     </properties>
     <body>
-    <section name="Upcoming Releases Timeline">
+        <section name="Upcoming Releases Timeline">
             <ul>
-                <li>2.3.0 - July 2015</li>
-                <li>2.3.1 - January 2016</li>
+                <li>2.3.1 - February 2016</li>
             </ul>
         </section>
-	<section name="2.3.0 Release">
-        <p>The theme of this release is to get back on track with the latest versions of Java, Servlet Containers, Maven</p>
-        <ul>
-            <li>Java 1.7 Support(JS2-1292)</li>
-            <li>Jetspeed API + Generics (JS2-874)</li>
-            <li>Tomcat7 and Servlet 3.0 (JS2-1274)</li>
-            <li>Upgrade Dependencies, Spring (JS2-1290)</li>
-            <li>New Responsive Decorators (JS2-1314)</li>
-            <li>New Responsive Layout (JS2-1315)</li>
-            <li>J2-Admin Angular Portlet Framework (JS2-1316)</li>
-            <li>J2-Admin Core Portlets Responsive (JS2-1317)</li>
-            <li>J2-Admin Chart Portlets (JS2-1320)</li>
-            <li>New User Manager (JS2-1293)</li>
-            <li>Preferences Performance Improvements (JS2-1325)</li>
-            <li>Security Performance Improvements (JS2-1324)</li>
-            <li>Upgraded Portals APA and Bridges Dependencies</li>
-        </ul>
-    </section>
 
-    <section name ="2.3.1 Release">
-        <p>The theme of this release is to continue to improve the user interface experience</p>
-        <ul>
-            <li>Continue Admin Portlets Upgrades (JS2-1282)</li>
-            <li>Customization Improvements (JS2-1084)</li>
-            <li>Deprecate old Decorators, Layouts. Make Responsive Default Layouts and Decorators</li>
-            <li>Security Domains (JS2-1233)</li>
-            <li>Maven Improvements (JS2-1291)</li>
-        </ul>
+        <section name="2.3.1 Release">
+            <p>The theme of this release is to continue to improve the user interface experience</p>
+            <ul>
+                <li><a href="security-reports.html">Apache Security CVE Fixes to 2.3.0</a></li>
+                <li><a href="https://issues.apache.org/jira/browse/JS2-1348">Search Feature (JS2-1348)</a></li>
+                <li><a href="https://issues.apache.org/jira/browse/JS2-1341">Detached Portlets (JS2-1341)</a></li>
+                <li><a href="https://issues.apache.org/jira/browse/JS2-1342">Update Archetype and Tutorial (JS2-1342)</a></li>
+                <li><a href="https://issues.apache.org/jira/browse/JS2-1349">User Admin, Filter by Groups (JS2-1349)</a></li>
+                <li><a href="https://issues.apache.org/jira/browse/JS2-1346">User Admin, Edit Email field (JS2-1346)</a></li>
+                <li><a href="https://issues.apache.org/jira/browse/JS2-1345">Improve CSS in Site Manager and Constraints Admin (JS2-1345)</a></li>
+                <li><a href="https://issues.apache.org/jira/browse/JS2-1340">Improvements to Standard Portlet Decorators (JS2-1340)</a></li>
+
+<!--
+                <li>Content (JS2-)</li>
+                <li>Web Sockets (JS2-)</li>
+                <li>Backend Services</li>
+                <li>Continue Admin Portlets Upgrades (JS2-1282)</li>
+                <li>Customization Improvements (JS2-1084)</li>
+                <li>Security Domains (JS2-1233)</li>
+                <li>Maven Improvements (JS2-1291)</li>
+                <li>Jetspeed Service Annotations</li>
+ -->
+            </ul>
         </section>
-        <section name="Last Release">
-            <p><a href='http://portals.apache.org/jetspeed-2/features.html'>2.2.2</a>- released October 2011</p>
+
+        <section name="Last Release 2.3.0">
+            <p>2.3.0 - released October 2011</p>
             <ul>
-                <li>Portlet Cloning</li>
-                <li>Apache Solr based Search Engine</li>
-                <li>Bulk Migration of DBPSML from 2.1.x to 2.2.x</li>
-                <li>Admin Security and Portlet Level Security Improvements</li>
+                <li>Java 1.7 Support(JS2-1292)</li>
+                <li>Jetspeed API + Generics (JS2-874)</li>
+                <li>Tomcat7 and Servlet 3.0 (JS2-1274)</li>
+                <li>Upgrade Dependencies, Spring (JS2-1290)</li>
+                <li>New Responsive Decorators (JS2-1314)</li>
+                <li>New Responsive Layout (JS2-1315)</li>
+                <li>J2-Admin Angular Portlet Framework (JS2-1316)</li>
+                <li>J2-Admin Core Portlets Responsive (JS2-1317)</li>
+                <li>J2-Admin Chart Portlets (JS2-1320)</li>
+                <li>New User Manager (JS2-1293)</li>
+                <li>Preferences Performance Improvements (JS2-1325)</li>
+                <li>Security Performance Improvements (JS2-1324)</li>
+                <li>Upgraded Portals APA and Bridges Dependencies</li>
             </ul>
         </section>
 
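Review bot: the renamed "Last Release 2.3.0" section keeps the old release date, `<p>2.3.0 - released October 2011</p>`, which was the date of 2.2.2 in the line this replaces (`2.2.2</a>- released October 2011`); the removed timeline entry in this same hunk listed 2.3.0 for July 2015, so the date should be updated to the actual 2.3.0 release date rather than carried over. Smaller points in the same hunk: the 2.3.1 items now link to their JIRA issues while the 2.3.0 list still shows bare ids, so the two lists are inconsistent; `Java 1.7 Support(JS2-1292)` is missing the space before the parenthesis; and the commented-out block contains placeholder ids (`Content (JS2-)`, `Web Sockets (JS2-)`) that should either get real issue numbers or be dropped so they are not uncommented by accident later.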

Copied: portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml (from r1693286, portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml)
URL: http://svn.apache.org/viewvc/portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml?p2=portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml&p1=portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml&r1=1693286&r2=1733520&rev=1733520&view=diff
==============================================================================
--- portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/roadmap.xml (original)
+++ portals/site/jetspeed/jetspeed-2.3/src/site/xdoc/security-reports.xml Thu Mar  3 20:54:49 2016
@@ -17,56 +17,139 @@
 -->
 <document>
     <properties>
-    	<title>Jetspeed Roadmap</title>
-	<subtitle>Roadmap</subtitle>
-	<authors>
-            <person name="David Sean Taylor" email="taylor@apache.org" />
-	</authors>
+        <title>Jetspeed Security Reports</title>
+        <subtitle>Common Vulnerabilities and Exposures (CVE) Reports</subtitle>
+        <authors>
+            <person name="David Sean Taylor" email="taylor@apache.org"/>
+        </authors>
     </properties>
     <body>
-    <section name="Upcoming Releases Timeline">
-            <ul>
-                <li>2.3.0 - July 2015</li>
-                <li>2.3.1 - January 2016</li>
-            </ul>
-        </section>
-	<section name="2.3.0 Release">
-        <p>The theme of this release is to get back on track with the latest versions of Java, Servlet Containers, Maven</p>
-        <ul>
-            <li>Java 1.7 Support(JS2-1292)</li>
-            <li>Jetspeed API + Generics (JS2-874)</li>
-            <li>Tomcat7 and Servlet 3.0 (JS2-1274)</li>
-            <li>Upgrade Dependencies, Spring (JS2-1290)</li>
-            <li>New Responsive Decorators (JS2-1314)</li>
-            <li>New Responsive Layout (JS2-1315)</li>
-            <li>J2-Admin Angular Portlet Framework (JS2-1316)</li>
-            <li>J2-Admin Core Portlets Responsive (JS2-1317)</li>
-            <li>J2-Admin Chart Portlets (JS2-1320)</li>
-            <li>New User Manager (JS2-1293)</li>
-            <li>Preferences Performance Improvements (JS2-1325)</li>
-            <li>Security Performance Improvements (JS2-1324)</li>
-            <li>Upgraded Portals APA and Bridges Dependencies</li>
-        </ul>
-    </section>
-
-    <section name ="2.3.1 Release">
-        <p>The theme of this release is to continue to improve the user interface experience</p>
+        <section name="CVE Reports">
         <ul>
-            <li>Continue Admin Portlets Upgrades (JS2-1282)</li>
-            <li>Customization Improvements (JS2-1084)</li>
-            <li>Deprecate old Decorators, Layouts. Make Responsive Default Layouts and Decorators</li>
-            <li>Security Domains (JS2-1233)</li>
-            <li>Maven Improvements (JS2-1291)</li>
+            <li><a href='#CVE-2016-0709'>CVE-2016-0709: Code execution via ZIP file path traversal</a></li>
+            <li><a href='#CVE-2016-0710'>CVE-2016-0710:  SQL injection in User Manager service</a></li>
+            <li><a href='#CVE-2016-0711'>CVE-2016-0711:  Persistent Cross Site Scripting in links, pages and folders</a></li>
+            <li><a href='#CVE-2016-0712'>CVE-2016-0712:  Reflected Cross Site Scripting in URI path</a></li>
         </ul>
         </section>
-        <section name="Last Release">
-            <p><a href='http://portals.apache.org/jetspeed-2/features.html'>2.2.2</a>- released October 2011</p>
-            <ul>
-                <li>Portlet Cloning</li>
-                <li>Apache Solr based Search Engine</li>
-                <li>Bulk Migration of DBPSML from 2.1.x to 2.2.x</li>
-                <li>Admin Security and Portlet Level Security Improvements</li>
-            </ul>
+        <section name="2.3.1 Release CVE Reports">
+            <a name="CVE-2016-0709"/>
+            <subsection name="CVE-2016-0709: Code execution via ZIP file path traversal">
+                <table>
+                <tr><td>Severity: </td><td>Important</td></tr>
+                <tr><td>Vendor: </td><td>The Apache Software Foundation</td></tr>
+                <tr><td>Versions Effected:</td><td> Jetspeed 2.2.0 to 2.2.2</td></tr>
+                <tr><td></td><td>Jetspeed 2.3.0</td></tr>
+                <tr><td>The unsupported Jetspeed 2.1.x versions may be also affected</td></tr>
+                <tr><td>Mitigation:</td><td>2.2.0 - 2.3.0 users should upgrade to 2.3.1</td></tr>
+                <tr><td>Credit:</td><td>This issue was discovered by Andreas Lindh</td></tr>
+                <tr><td>References:</td><td>http://tomcat.apache.org/security.html</td></tr>
+                </table>
+
+                <h4>Description:</h4>
+                <p>The Import/Export function in the Portal Site Manager, part of the Jetspeed Administrative Portlets, is vulnerable to a path traversal via specially crafted file names in ZIP archives. Any user with permission to upload files via this function can upload a file with a name like "../../../../tmp/foo" to write a file named "foo" in the /tmp directory. This is because the code that performs the unzipping of the archive does not check the validity of the file names before writing them to disk. This can be turned into code execution by uploading a .jsp file and writing it to somewhere on the file system where the web server will execute it when visited
+                </p>
+            </subsection>
+            <a name="CVE-2016-0710"/>
+            <subsection name="#CVE-2016-0710: SQL injection in User Manager service">
+                <table>
+                    <tr><td>Severity: </td><td>Important</td></tr>
+                    <tr><td>Vendor: </td><td>The Apache Software Foundation</td></tr>
+                    <tr><td>Versions Effected:</td><td> Jetspeed 2.3.0</td></tr>
+                    <tr><td>Mitigation:</td><td>2.3.0 users should upgrade to 2.3.1</td></tr>
+                    <tr><td>Credit:</td><td>This issue was discovered by Andreas Lindh</td></tr>
+                    <tr><td>References:</td><td>http://tomcat.apache.org/security.html</td></tr>
+                </table>
+
+                <h4>Description:</h4>
+                <p>The Jetspeed User Manager service, part of the Jetspeed Administrative Portlets, is vulnerable to SQL injection. When performing a search in these tools, the 'user' and 'role' parameters of the request can be injected to alter the logic of the subsequent SQL statement.
+                </p>
+                <p>There is also an authorization flaw at play here since the above URLs can be reached without being authenticated in Jetspeed.</p>
+                <h4>Example</h4>
+                <p>
+                    Given this URL:<br/>
+                    <source><![CDATA[http://192.168.2.4:8080/jetspeed/services/usermanager/users/?_type=json&results=10&start=0&sort=userName&dir=asc&name=&roles=foo%27%20]]></source>
+                    The 'role' parameter contains the value "foo" which is not an existing role, but because of the injected SQL code (or '1'='1') the statement returns true anyway and all the existing users are shown.
+                </p>
+            </subsection>
+            <a name="CVE-2016-0711"/>
+            <subsection name="CVE-2016-0711: Persistent Cross Site Scripting in links, pages and folders">
+                <table>
+                    <tr><td>Severity: </td><td>Important</td></tr>
+                    <tr><td>Vendor: </td><td>The Apache Software Foundation</td></tr>
+                    <tr><td>Versions Effected:</td><td> Jetspeed 2.2.0 to 2.2.2</td></tr>
+                    <tr><td></td><td>Jetspeed 2.3.0</td></tr>
+                    <tr><td>The unsupported Jetspeed 2.1.x versions may be also affected</td></tr>
+                    <tr><td>Mitigation:</td><td>2.2.0 - 2.3.0 users should upgrade to 2.3.1</td></tr>
+                    <tr><td>Credit:</td><td>This issue was discovered by Andreas Lindh</td></tr>
+                    <tr><td>References:</td><td>http://tomcat.apache.org/security.html</td></tr>
+                </table>
+
+                <h4>Description:</h4>
+                <p>The functionality to add a link, page, or folder, is vulnerable to persistent Cross Site Scripting. This is because it is possible to include HTML tags in the object's name, such as is the example below where a page object is being renamed after creation.
+                </p>
+                <h4>Example</h4>
+                <p>
+                    Given this AJAX request:<br/>
+                    <source><![CDATA[
+POST /jetspeed/services/pagemanagement/info/.psml/_user/andreas/foobar.psml?
+_type=json HTTP/1.1
+Host: 192.168.2.4:8080
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101
+Firefox/43.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Referer: http://192.168.2.4:8080/jetspeed/ui/_user/andreas/foobar.psml
+Content-Length: 60
+Cookie: JSESSIONID=F95E2034A086BE172EF816FF2C853BE9;
+JS2TOOLBOX=TAB=theme&CAT=Administration
+Connection: close
+title=foobar</a></li><script>alert(document.domain)</script>
+                    ]]></source>
+                </p>
+                <p>Which results in the following content in the server response:<br/>
+                    <source><![CDATA[
+<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
+<title>foobar</a></li><script>alert(document.domain)</script></title>
+                    ]]></source>
+            <p>Note that this code will be executed every time someone visits that space.</p>
+        </p>
+            </subsection>
+            <a name="CVE-2016-0712"/>
+            <subsection name="CVE-2016-0712: Reflected Cross Site Scripting in URI path">
+            <table>
+                <tr><td>Severity: </td><td>Important</td></tr>
+                <tr><td>Vendor: </td><td>The Apache Software Foundation</td></tr>
+                <tr><td>Versions Effected:</td><td> Jetspeed 2.2.0 to 2.2.2</td></tr>
+                <tr><td></td><td>Jetspeed 2.3.0</td></tr>
+                <tr><td>The unsupported Jetspeed 2.1.x versions may be also affected</td></tr>
+                <tr><td>Mitigation:</td><td>2.2.0 - 2.3.0 users should upgrade to 2.3.1</td></tr>
+                <tr><td>Credit:</td><td>This issue was discovered by Andreas Lindh</td></tr>
+                <tr><td>References:</td><td>http://tomcat.apache.org/security.html</td></tr>
+            </table>
+
+            <h4>Description:</h4>
+            <p>
+                The URI path directory after /portal is vulnerable to reflected Cross Site Scripting. By visiting the following URL, a JavaScript pop-up will appear when the mouse is moved over the minimize/maximize buttons (may differ for different UI versions).
+                Note this issue is only reproduced on Firefox browser.
+            </p>
+            <h4>Example</h4>
+            <p>
+                Given this URL:<br/>
+                <source><![CDATA[
+http://192.168.2.9:8080/jetspeed/portal/foo%22onmouseover%3d%22alert%281%29?URL=foo/bar
+                    ]]></source>
+            </p>
+            <p>In the HTML response there is script:<br/>
+                <source><![CDATA[
+<a href="http://192.168.2.4:8080/jetspeed/portal/_ns:..._/foo"onmouseover="alert(1)"
+title="Minimize" class="action portlet-action" ><img src="/jetspeed/decorations/images/minimized.gif" alt="Minimize" border="0"/></a>
+                    ]]></source>
+            </p>
+            </subsection>
         </section>
 
     </body>
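Review bot: all four "References:" rows point at `http://tomcat.apache.org/security.html`, which is Tomcat's security page, not Jetspeed's; this looks like a copy-paste from a Tomcat advisory template and should point at the Jetspeed/Portals security page (or the CVE entries) instead. Other fixes needed in this hunk before publishing: the second heading has a stray hash, `<subsection name="#CVE-2016-0710: SQL injection in User Manager service">`, while the other three and the `<a name="CVE-2016-0710"/>` anchor do not; every table spells the label "Versions Effected" (should be "Affected"), and the rows reading `<tr><td>The unsupported Jetspeed 2.1.x versions may be also affected</td></tr>` have a single cell in a two-column table, so they will render misaligned; in CVE-2016-0711 the response example is wrapped as `<p>...<source>...</source><p>Note that ...</p></p>`, a `<p>` nested inside a `<p>`, which is not valid xdoc/XHTML and should be split into sibling paragraphs. In the CVE-2016-0710 text, "the above URLs can be reached without being authenticated" refers to URLs that only appear below it in the Example, and the prose names the parameters 'user' and 'role' while the example query string uses `name` and `roles`; the two should agree. The CVE-2016-0709 description is also missing its closing period, and the CVE-2016-0712 example uses host 192.168.2.9 for the request but 192.168.2.4 in the response snippet.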