Posted to commits@archiva.apache.org by br...@apache.org on 2013/01/11 04:39:44 UTC

svn commit: r1431866 - in /archiva/site-content: download.html security.html

Author: brett
Date: Fri Jan 11 03:39:44 2013
New Revision: 1431866

URL: http://svn.apache.org/viewvc?rev=1431866&view=rev
Log:
Apache Archiva Main site deployment

Modified:
    archiva/site-content/download.html
    archiva/site-content/security.html

Modified: archiva/site-content/download.html
URL: http://svn.apache.org/viewvc/archiva/site-content/download.html?rev=1431866&r1=1431865&r2=1431866&view=diff
==============================================================================
--- archiva/site-content/download.html (original)
+++ archiva/site-content/download.html Fri Jan 11 03:39:44 2013
@@ -304,6 +304,7 @@ under the License. -->
           </p><ul>
             <li><a href="./docs/1.3.6/release-notes.html">Release Notes</a></li>
             <li><a href="./known-issues.html">Known Issues and Errata</a></li>
+              <li><a href="./security.html">Security Reports</a></li>
           </ul>
         
         <p>
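Review bot: the added `<li>` for "Security Reports" is indented two spaces deeper than the sibling "Release Notes" and "Known Issues and Errata" items in this 1.3.6 list, while the identical line in the 1.4-M3 hunk lines up with its siblings; align it to the sibling indent so the two lists read consistently. If download.html is generated from APT source (the security.html hunk carries a generated-from-APT note), the indent should be corrected in the source rather than only in site-content.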
@@ -359,6 +360,7 @@ under the License. -->
             </p><ul>
               <li><a href="./docs/1.4-M3/release-notes.html">Release Notes</a></li>
               <li><a href="./known-issues.html">Known Issues and Errata</a></li>
+              <li><a href="./security.html">Security Reports</a></li>
             </ul>
             
             <p>
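Review bot: the link text "Security Reports" does not match the heading of the page it points to, which the security.html hunk renders as "Security Vulnerabilities"; consider using the same wording in both places (for example "Security Vulnerabilities" as the link text) so readers of the 1.4-M3 download section know what they are opening.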

Modified: archiva/site-content/security.html
URL: http://svn.apache.org/viewvc/archiva/site-content/security.html?rev=1431866&r1=1431865&r2=1431866&view=diff
==============================================================================
--- archiva/site-content/security.html (original)
+++ archiva/site-content/security.html Fri Jan 11 03:39:44 2013
@@ -212,7 +212,7 @@ pageTracker._trackPageview();</script>
                 
         <div id="bodyColumn" >
                                   
-            <!-- Licensed to the Apache Software Foundation (ASF) under one --><!-- or more contributor license agreements.  See the NOTICE file --><!-- distributed with this work for additional information --><!-- regarding copyright ownership.  The ASF licenses this file --><!-- to you under the Apache License, Version 2.0 (the --><!-- "License"); you may not use this file except in compliance --><!-- with the License.  You may obtain a copy of the License at --><!--  --><!-- http://www.apache.org/licenses/LICENSE-2.0 --><!--  --><!-- Unless required by applicable law or agreed to in writing, --><!-- software distributed under the License is distributed on an --><!-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY --><!-- KIND, either express or implied.  See the License for the --><!-- specific language governing permissions and limitations --><!-- under the License. --><!-- NOTE: For help with the syntax of this file, see: --><!-- http://maven.apache.org/guides/mi
 ni/guide-apt-format.html --><div class="section"><h2>Security Vulnerabilities<a name="Security_Vulnerabilities"></a></h2><p>Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache Archiva version where that vulnerability has been fixed.</p><p>For more information about reporting vulnerabilities, see the <a class="externalLink" href="http://www.apache.org/security/"> Apache Security Team</a> page.</p><div class="section"><h3>CVE-2010-1870: Struts2 remote commands execution<a name="CVE-2010-1870:_Struts2_remote_commands_execution"></a></h3><p>Apache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at <a class="externalLink" href="http://struts.apache.org/2.2.1/docs/s2-005.html">http://struts.apache.org/2.2.1/docs/
 s2-005.html</a>.</p><p>Versions Affected:</p><ul><li>Archiva 1.2 to Archiva 1.3.5</li></ul><p>All users are recommended to upgrade to <a href="./download.cgi"> Archiva 1.3.6</a>, which configures Struts in such a way that it is not affected by this issue.</p><p>Archiva 1.4-M3 and later is not affected by this issue.</p></div><div class="section"><h3>CVE-2011-1077: Multiple XSS issues<a name="CVE-2011-1077:_Multiple_XSS_issues"></a></h3><p>Apache Archiva is vulnerable to multiple XSS issues, both stored (persistent) and reflected (non-persistent). Javascript which might contain malicious code can be appended in a request parameter or stored as a value in a submitted form, and get executed.</p><p>Versions Affected:</p><ul><li>Archiva 1.3 - 1.3.4</li><li>The unsupported versions Archiva 1.0 - 1.2.2 are also affected.</li></ul></div><div class="section"><h3>CVE-2011-1026: Multiple CSRF issues<a name="CVE-2011-1026:_Multiple_CSRF_issues"></a></h3><p>An attacker can build a simple
  html page containing a hidden Image tag (eg: <tt>&lt;img src=vulnurl width=0 height=0 /</tt>&gt;) and entice the administrator to access the page.</p><p>Versions Affected:</p><ul><li>Archiva 1.3 - 1.3.4</li><li>The unsupported versions Archiva 1.0 - 1.2.2 are also affected.</li></ul></div><div class="section"><h3>CVE-2011-0533: Apache Archiva cross-site scripting vulnerability<a name="CVE-2011-0533:_Apache_Archiva_cross-site_scripting_vulnerability"></a></h3><p>A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the Archiva user management page. This fix is available in version <a href="./download.html"> 1.3.4</a> of Apache Archiva. All users must upgrade to this version (or higher).</p><p>Versions Affected:</p><ul><li>Archiva 1.3 - 1.3.3</li><li>The unsupported versions Archiva 1.0 - 1.2.2 are also affected.</li></ul></div><div class="section"><h3>CVE-2010-3449: Apache Archiva CSRF Vulnerability<a name="CV
 E-2010-3449:_Apache_Archiva_CSRF_Vulnerability"></a></h3><p>Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force archiva administrators to view it and change their credentials. To fix this, a referrer check was added to the security interceptor for all secured actions. A prompt for the administrator's password when changing a user account was also set in place. This fix is available in version <a href="./download.html"> 1.3.2</a> of Apache Archiva. All users must upgrade to this version (or higher).</p><p>Versions Affected:</p><ul><li>Archiva 1.3 to 1.3.1</li><li>Archiva 1.2 to 1.2.2 (end of life)</li><li>Archiva 1.1 to 1.1.4 (end of life)</li><li>Archiva 1.0 to 1.0.3 (end of life)</li></ul></div></div>
+            <!-- Licensed to the Apache Software Foundation (ASF) under one --><!-- or more contributor license agreements.  See the NOTICE file --><!-- distributed with this work for additional information --><!-- regarding copyright ownership.  The ASF licenses this file --><!-- to you under the Apache License, Version 2.0 (the --><!-- "License"); you may not use this file except in compliance --><!-- with the License.  You may obtain a copy of the License at --><!--  --><!-- http://www.apache.org/licenses/LICENSE-2.0 --><!--  --><!-- Unless required by applicable law or agreed to in writing, --><!-- software distributed under the License is distributed on an --><!-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY --><!-- KIND, either express or implied.  See the License for the --><!-- specific language governing permissions and limitations --><!-- under the License. --><!-- NOTE: For help with the syntax of this file, see: --><!-- http://maven.apache.org/guides/mi
 ni/guide-apt-format.html --><div class="section"><h2>Security Vulnerabilities<a name="Security_Vulnerabilities"></a></h2><p>Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache Archiva version where that vulnerability has been fixed.</p><p>For more information about reporting vulnerabilities, see the <a class="externalLink" href="http://www.apache.org/security/"> Apache Security Team</a> page.</p><div class="section"><h3>CVE-2010-1870: Struts2 remote commands execution<a name="CVE-2010-1870:_Struts2_remote_commands_execution"></a></h3><p>Apache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at <a class="externalLink" href="http://struts.apache.org/2.2.1/docs/s2-005.html">http://struts.apache.org/2.2.1/docs/
 s2-005.html</a>.</p><p>Versions Affected:</p><ul><li>Archiva 1.3 to Archiva 1.3.5</li></ul><ul><li>The unsupported versions Archiva 1.2 to 1.2.2 are also affected.</li></ul><p>All users are recommended to upgrade to <a href="./download.cgi"> Archiva 1.3.6</a>, which configures Struts in such a way that it is not affected by this issue.</p><p>Archiva 1.4-M3 and later is not affected by this issue.</p></div><div class="section"><h3>CVE-2011-1077: Multiple XSS issues<a name="CVE-2011-1077:_Multiple_XSS_issues"></a></h3><p>Apache Archiva is vulnerable to multiple XSS issues, both stored (persistent) and reflected (non-persistent). Javascript which might contain malicious code can be appended in a request parameter or stored as a value in a submitted form, and get executed.</p><p>Versions Affected:</p><ul><li>Archiva 1.3 to 1.3.4</li><li>The unsupported versions Archiva 1.0 to 1.2.2 are also affected.</li></ul></div><div class="section"><h3>CVE-2011-1026: Multiple CSRF issues<a n
 ame="CVE-2011-1026:_Multiple_CSRF_issues"></a></h3><p>An attacker can build a simple html page containing a hidden Image tag (eg: <tt>&lt;img src=vulnurl width=0 height=0 /</tt>&gt;) and entice the administrator to access the page.</p><p>Versions Affected:</p><ul><li>Archiva 1.3 to 1.3.4</li><li>The unsupported versions Archiva 1.0 to 1.2.2 are also affected.</li></ul></div><div class="section"><h3>CVE-2011-0533: Apache Archiva cross-site scripting vulnerability<a name="CVE-2011-0533:_Apache_Archiva_cross-site_scripting_vulnerability"></a></h3><p>A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the Archiva user management page. This fix is available in version <a href="./download.html"> 1.3.4</a> of Apache Archiva. All users must upgrade to this version (or higher).</p><p>Versions Affected:</p><ul><li>Archiva 1.3 to 1.3.3</li><li>The unsupported versions Archiva 1.0 to 1.2.2 are also affected.</li></ul></
 div><div class="section"><h3>CVE-2010-3449: Apache Archiva CSRF Vulnerability<a name="CVE-2010-3449:_Apache_Archiva_CSRF_Vulnerability"></a></h3><p>Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force archiva administrators to view it and change their credentials. To fix this, a referrer check was added to the security interceptor for all secured actions. A prompt for the administrator's password when changing a user account was also set in place. This fix is available in version <a href="./download.html"> 1.3.2</a> of Apache Archiva. All users must upgrade to this version (or higher).</p><p>Versions Affected:</p><ul><li>Archiva 1.3 to 1.3.1</li><li>Archiva 1.2 to 1.2.2 (end of life)</li><li>Archiva 1.1 to 1.1.4 (end of life)</li><li>Archiva 1.0 to 1.0.3 (end of life)</li></ul></div></div>
                   </div>
           </div>
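Review bot: in the CVE-2010-1870 section the new "The unsupported versions Archiva 1.2 to 1.2.2 are also affected." line is emitted as a separate `<ul>` immediately after the `<ul><li>Archiva 1.3 to Archiva 1.3.5</li></ul>` list, whereas every other section puts the unsupported-versions note as a second `<li>` inside the same list; make it a second `<li>` so the affected-versions lists are structured the same way throughout. Two smaller points on the same hunk: the CVE-2011-1077 and CVE-2011-1026 sections list affected versions (1.3 to 1.3.4) but, unlike the CVE-2011-0533 and CVE-2010-3449 sections, never state the version in which the fix is available, so readers cannot tell which release to upgrade to; and in the CVE-2011-1026 example the closing `&gt;` sits outside the `<tt>` element (`<tt>&lt;img src=vulnurl width=0 height=0 /</tt>&gt;`), so the `>` renders in the body font. That last glitch is carried over from the removed line, so it can be fixed in the APT source in a follow-up commit.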