Posted to commits@shindig.apache.org by bu...@apache.org on 2013/10/22 02:13:22 UTC
svn commit: r883649 - in /websites/staging/shindig/trunk/content: ./ security.html
Author: buildbot
Date: Tue Oct 22 00:13:22 2013
New Revision: 883649
Log:
Staging update by buildbot for shindig
Modified:
websites/staging/shindig/trunk/content/ (props changed)
websites/staging/shindig/trunk/content/security.html
Propchange: websites/staging/shindig/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Oct 22 00:13:22 2013
@@ -1 +1 @@
-1534416
+1534423
Modified: websites/staging/shindig/trunk/content/security.html
==============================================================================
--- websites/staging/shindig/trunk/content/security.html (original)
+++ websites/staging/shindig/trunk/content/security.html Tue Oct 22 00:13:22 2013
@@ -179,7 +179,22 @@
<div class="container">
<h1 id="shindig-security-issues">Shindig Security Issues</h1>
-<p>This page contains of resolved security issues from Apache Shindig.</p>
+<p>Please note that, except in rare circumstances, binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular
+vulnerability you should upgrade to an Apache Shindig version where that vulnerability has been fixed.</p>
+<p>Source patches, usually in the form of references to SVN commits, may be provided in either in a vulnerability announcement and/or the vulnerability
+details listed on these pages. These source patches may be used by users wishing to build their own local version of Shindig with just that security
+patch rather than upgrade.</p>
+<h3 id="shindig-250-vulnerabilities">Shindig 2.5.0 Vulnerabilities</h3>
+<p><b>Information disclosure <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4295">CVE-2013-4295</a></b></p>
+<p>The gadget renderer in the PHP version of Apache Shindig
+is subject to an XML External Entity (XXE) Injection attack. The
+vulnerability allows a malicious gadget author to construct paths to
+content on the gadget rendering server which in turn will display the
+content in the gadget iframe.</p>
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=revision&revision=1526307">1526307</a>.</p>
+<p>This issue was discovered by Kousuke Ebihara on 12 Aug 2013 and made public on 21 Oct 2013.</p>
+<p>Affects: 2.5.0 (PHP)</p>
+<p>Fixed In: 2.5.0-update1</p>
<hr>
<footer>
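Review bot: the second added paragraph contains a duplicated "in" and a mixed "either ... and/or" construction: "may be provided in either in a vulnerability announcement and/or the vulnerability details listed on these pages" should read "may be provided either in a vulnerability announcement or in the vulnerability details listed on these pages." The bare ampersand in `<a href="http://svn.apache.org/viewvc?view=revision&revision=1526307">` should be escaped as `&amp;revision=1526307` to keep the HTML well-formed. The removed line `<p>This page contains of resolved security issues from Apache Shindig.</p>` was the only sentence stating what this page lists; the new text explains patch policy but no longer introduces the list, so consider keeping a corrected version such as "This page lists resolved security issues in Apache Shindig." ahead of the policy paragraphs.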