Posted to commits@camel.apache.org by bu...@apache.org on 2018/09/12 10:21:11 UTC
svn commit: r1035025 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2018-8041.txt.asc security-advisories.html
Author: buildbot
Date: Wed Sep 12 10:21:11 2018
New Revision: 1035025
Log:
Production update by buildbot for camel
Added:
websites/production/camel/content/security-advisories.data/CVE-2018-8041.txt.asc
Modified:
websites/production/camel/content/cache/main.pageCache
websites/production/camel/content/security-advisories.html
Modified: websites/production/camel/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Added: websites/production/camel/content/security-advisories.data/CVE-2018-8041.txt.asc
==============================================================================
--- websites/production/camel/content/security-advisories.data/CVE-2018-8041.txt.asc (added)
+++ websites/production/camel/content/security-advisories.data/CVE-2018-8041.txt.asc Wed Sep 12 10:21:11 2018
@@ -0,0 +1,32 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2018-8041: Apache Camel's Mail is vulnerable to path traversal
+
+Severity: MEDIUM
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Camel 2.20.0 to 2.20.3, Camel 2.21.0 to 2.21.1 and Camel 2.22.0
+
+The unsupported Camel 2.x (2.19 and earlier) versions may be also affected.
+
+Description: Apache Camel's Mail is vulnerable to path traversal
+
+Mitigation: 2.20.x users should upgrade to 2.20.4, 2.21.0 users should upgrade to 2.21.2 and Camel 2.22.x users should upgrade to 2.22.1
+
+The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-12630
+refers to the various commits that resovoled the issue, and have more details.
+
+Credit: This issue was discovered by Eedo Shapira <eedo dot shapira at ge dot com> from GE .
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+iQEcBAEBAgAGBQJbmOMKAAoJEONOnzgC/0EAfSkH+wdNhAyFodwWREYgmHNbxTdf
+c3JFH+jeqCpg1wiDZmGS4GpRi0f7s4W09tTIgiTtFhJINzpxJ6JOkZX8AzB43bSx
+g83RdYmAplgrYaeY4dQnjAN9LrUSHTbLxWKsG+gR0FigkmL3B3qM30jGD3T4t3WM
+AJ5PXRR87v85I9A1CzjtBgrxY6Zjn8A70Jm1AYdQ83Ywwj8dUD8Sw8qiFl/V/VBm
+P77Y6/S0PzBu6AJR5k+31dy5aZaStwts0uWuCwwZl74DfDVwgM44rj9WTRJ9aseq
+hc9T/Y3S7JKHMA3oo6Wu3MjU9kSO1PQ39CNO5/oCnjAtk4SVVSwU3wNYlXWj1t0=
+=3846
+-----END PGP SIGNATURE-----
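Review bot: The Mitigation line in the added advisory does not match its Versions Affected line: affected versions are listed as "Camel 2.21.0 to 2.21.1", but the remediation reads "2.21.0 users should upgrade to 2.21.2", which leaves 2.21.1 users without guidance; suggest "2.21.x users should upgrade to 2.21.2" to match the 2.20.x and 2.22.x phrasing. Two smaller text fixes in the same hunk: "resovoled" should be "resolved" and "The JIRA tickets: ... refers" mixes plural and singular (one ticket is linked, so "The JIRA ticket ... refers"), and "from GE ." has a stray space before the period. The Description line repeats the title verbatim; a sentence on which Mail component behaviour is affected and the impact would help readers judge exposure. Note also that the cleartext signature header shows "Hash: SHA1"; signing future advisories with a SHA-2 digest would be preferable.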
Modified: websites/production/camel/content/security-advisories.html
==============================================================================
--- websites/production/camel/content/security-advisories.html (original)
+++ websites/production/camel/content/security-advisories.html Wed Sep 12 10:21:11 2018
@@ -78,7 +78,7 @@
<tbody>
<tr>
<td valign="top" width="100%">
-<div class="wiki-content maincontent"><h3 id="SecurityAdvisories-2018">2018</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2018-8027.txt.asc?version=4&modificationDate=1533020841000&api=v2" data-linked-resource-id="89065844" data-linked-resource-version="4" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2018-8027.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2018-8027</a><a shape="rect" href="security-advisories.data/CVE-2018-8027.txt.asc?version=4&modificationDate=1533020841000&api=v2" data-linked-resource-id="89065844" data-linked-resource-version="4" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2018-8027.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-conta
iner-version="18"> </a>- Apache Camel's Core is vulnerable to XXE in XSD validation processor</li></ul><h3 id="SecurityAdvisories-2017">2017</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2017-12634.txt.asc?version=1&modificationDate=1510733922000&api=v2" data-linked-resource-id="74687198" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2017-12634.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2017-12634</a> - Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks</li><li><a shape="rect" href="security-advisories.data/CVE-2017-12633.txt.asc?version=1&modificationDate=1510733921000&api=v2" data-linked-resource-id="74687197" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-reso
urce-default-alias="CVE-2017-12633.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2017-12633</a> - Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks</li><li><a shape="rect" href="security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2" data-linked-resource-id="68719271" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2017-5643.txt.asc" data-linked-resource-content-type="application/pgp-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2017-5643</a> - Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE</li><li><a shape="rect" href="security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificatio
nDate=1486565167000&api=v2" data-linked-resource-id="67641933" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2017-3159.txt.asc" data-linked-resource-content-type="application/pgp-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2017-3159</a> - Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks</li></ul><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2" data-linked-resource-id="67641927" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2016-8749.txt.asc" data-linked-resource-content-type="application/pgp-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2016-8749</a>
60;- Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks</li></ul><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2" data-linked-resource-id="61338184" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-5344.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2015-5344</a> - Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-5348.txt.asc?version=1&modificationDate=1450340845000&api=v2" data-linked-resource-id="61333112" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linke
d-resource-default-alias="CVE-2015-5348.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2015-5348</a> - Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-0264.txt.asc?version=1&modificationDate=1426539191000&api=v2" data-linked-resource-id="54165590" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-0264.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2015-0264</a> - The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration
. The XML External Entity (XXE) will be resolved before the Exception is thrown.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-0263.txt.asc?version=1&modificationDate=1426539178000&api=v2" data-linked-resource-id="54165589" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-0263.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2015-0263</a> - The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration.</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2014-0003.txt.asc?version=1&modificationDate=1393615582000&api=v2" data-linked-resource-id="40009835" data-linked-resource-version="1" data-linked-resource-t
ype="attachment" data-linked-resource-default-alias="CVE-2014-0003.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2014-0003</a> - The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.</li><li><a shape="rect" href="security-advisories.data/CVE-2014-0002.txt.asc?version=1&modificationDate=1393615569000&api=v2" data-linked-resource-id="40009834" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-0002.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2014-0002</a> - The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.</li></ul><h3 id="SecurityAdvisories-2013">2
013</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2013-4330.txt.asc?version=1&modificationDate=1380633919000&api=v2" data-linked-resource-id="35192841" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-4330.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="18">CVE-2013-4330</a> - Writing files using FILE or FTP components, can potentially be exploited by a malicious user.</li></ul><p> </p></div>
+<div class="wiki-content maincontent"><h3 id="SecurityAdvisories-2018">2018</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2018-8041.txt.asc?version=1&modificationDate=1536746339000&api=v2" data-linked-resource-id="91554396" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2018-8041.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2018-8041</a><a shape="rect" href="security-advisories.data/CVE-2018-8027.txt.asc?version=4&modificationDate=1533020841000&api=v2" data-linked-resource-id="89065844" data-linked-resource-version="4" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2018-8027.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-conta
iner-version="19"> </a>- Apache Camel's Mail is vulnerable to path traversal</li><li><a shape="rect" href="security-advisories.data/CVE-2018-8027.txt.asc?version=4&modificationDate=1533020841000&api=v2" data-linked-resource-id="89065844" data-linked-resource-version="4" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2018-8027.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2018-8027</a><a shape="rect" href="security-advisories.data/CVE-2018-8027.txt.asc?version=4&modificationDate=1533020841000&api=v2" data-linked-resource-id="89065844" data-linked-resource-version="4" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2018-8027.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resourc
e-container-version="19"> </a>- Apache Camel's Core is vulnerable to XXE in XSD validation processor</li></ul><h3 id="SecurityAdvisories-2017">2017</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2017-12634.txt.asc?version=1&modificationDate=1510733922000&api=v2" data-linked-resource-id="74687198" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2017-12634.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2017-12634</a> - Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks</li><li><a shape="rect" href="security-advisories.data/CVE-2017-12633.txt.asc?version=1&modificationDate=1510733921000&api=v2" data-linked-resource-id="74687197" data-linked-resource-version="1" data-linked-resource-type="attachment" data-link
ed-resource-default-alias="CVE-2017-12633.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2017-12633</a> - Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks</li><li><a shape="rect" href="security-advisories.data/CVE-2017-5643.txt.asc?version=1&modificationDate=1489652454000&api=v2" data-linked-resource-id="68719271" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2017-5643.txt.asc" data-linked-resource-content-type="application/pgp-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2017-5643</a> - Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE</li><li><a shape="rect" href="security-advisories.data/CVE-2017-3159.txt.asc?version=1&modi
ficationDate=1486565167000&api=v2" data-linked-resource-id="67641933" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2017-3159.txt.asc" data-linked-resource-content-type="application/pgp-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2017-3159</a> - Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks</li></ul><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2" data-linked-resource-id="67641927" data-linked-resource-version="2" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2016-8749.txt.asc" data-linked-resource-content-type="application/pgp-encrypted" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2016-8749
</a> - Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks</li></ul><h3 id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2" data-linked-resource-id="61338184" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-5344.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2015-5344</a> - Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-5348.txt.asc?version=1&modificationDate=1450340845000&api=v2" data-linked-resource-id="61333112" data-linked-resource-version="1" data-linked-resource-type="attachment" dat
a-linked-resource-default-alias="CVE-2015-5348.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2015-5348</a> - Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-0264.txt.asc?version=1&modificationDate=1426539191000&api=v2" data-linked-resource-id="54165590" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-0264.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2015-0264</a> - The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) decl
aration. The XML External Entity (XXE) will be resolved before the Exception is thrown.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-0263.txt.asc?version=1&modificationDate=1426539178000&api=v2" data-linked-resource-id="54165589" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2015-0263.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2015-0263</a> - The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via an SAXSource containing an XML External Entity (XXE) declaration.</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2014-0003.txt.asc?version=1&modificationDate=1393615582000&api=v2" data-linked-resource-id="40009835" data-linked-resource-version="1" data-linked-res
ource-type="attachment" data-linked-resource-default-alias="CVE-2014-0003.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2014-0003</a> - The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.</li><li><a shape="rect" href="security-advisories.data/CVE-2014-0002.txt.asc?version=1&modificationDate=1393615569000&api=v2" data-linked-resource-id="40009834" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2014-0002.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2014-0002</a> - The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.</li></ul><h3 id="SecurityAdvisories-
2013">2013</h3><ul><li><a shape="rect" href="security-advisories.data/CVE-2013-4330.txt.asc?version=1&modificationDate=1380633919000&api=v2" data-linked-resource-id="35192841" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="CVE-2013-4330.txt.asc" data-nice-type="Text File" data-linked-resource-content-type="text/plain" data-linked-resource-container-id="34833933" data-linked-resource-container-version="19">CVE-2013-4330</a> - Writing files using FILE or FTP components, can potentially be exploited by a malicious user.</li></ul><p> </p></div>
</td>
<td valign="top">
<div class="navigation">
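Review bot: In the new 2018 list, the empty anchor that immediately follows the CVE-2018-8041 link (the one wrapping only a non-breaking space) has href="security-advisories.data/CVE-2018-8027.txt.asc..." with data-linked-resource-id="89065844", so the whitespace after the new advisory points at the CVE-2018-8027 attachment rather than CVE-2018-8041.txt.asc; either drop that empty anchor or point it at the new attachment (data-linked-resource-id="91554396"). The same stray empty anchor already trails the CVE-2018-8027 entry in the old line, so it looks like an export artifact worth cleaning up in both places. Separately, the "&" separators in the href query strings (version=...&modificationDate=...&api=v2) are unescaped in HTML attribute values and should be "&amp;".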