Posted to java-commits@axis.apache.org by ve...@apache.org on 2010/12/15 23:01:08 UTC

svn commit: r1049728 - in /axis/axis2/java/core/security: CVE-2010-1632.pdf advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml

Author: veithen
Date: Wed Dec 15 22:01:07 2010
New Revision: 1049728

URL: http://svn.apache.org/viewvc?rev=1049728&view=rev
Log:
Updated the security advisory for CVE-2010-1632 with the latest available information.

Modified:
    axis/axis2/java/core/security/CVE-2010-1632.pdf
    axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml

Modified: axis/axis2/java/core/security/CVE-2010-1632.pdf
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/CVE-2010-1632.pdf?rev=1049728&r1=1049727&r2=1049728&view=diff
==============================================================================
Binary files - no diff available.

Modified: axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml?rev=1049728&r1=1049727&r2=1049728&view=diff
==============================================================================
--- axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml (original)
+++ axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml Wed Dec 15 22:01:07 2010
@@ -27,7 +27,7 @@
             <surname>Veithen</surname>
             <email>veithen@apache.org</email>
         </author>
-        <releaseinfo>First version: May 16, 2010 • First published: June 13, 2010 • Last updated: July 21, 2010</releaseinfo>
+        <releaseinfo>First version: May 16, 2010 • First published: June 13, 2010 • Last updated: Dec 15, 2010</releaseinfo>
     </articleinfo>
     <section>
         <title>Description</title>
@@ -110,7 +110,7 @@
             <title>Axis2 deployments</title>
             <para>
                 As shown in <xref linkend="solutions"/>, all Axis2 installations with versions
-                prior to 1.6 are to some extend vulnerable. The most vulnerable installations
+                prior to 1.5.2 are to some extend vulnerable. The most vulnerable installations
                 are those on which at least one service is deployed that has an HTTP binding
                 accepting messages with content type <literal>application/xml</literal>, i.e.
                 for which the <literal>disableREST</literal> parameter is set to <literal>false</literal>.
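Review bot: the edited line still carries the typo "to some extend" (should be "to some extent"); since this line is being rewritten anyway, fix it in the same change: `prior to 1.5.2 are to some extent vulnerable.` The version boundary itself is consistent with the Solutions section of this advisory, which names 1.5.2 and 1.6 as the fixed releases, so tightening "prior to 1.6" to "prior to 1.5.2" is correct.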
@@ -143,9 +143,10 @@
                     <para>
                         Axis2 is used by the Synapse, ODE, Tuscany and Geronimo projects
                         from the ASF. The vulnerability has been confirmed by the Geronimo
-                        project (see GERONIMO-5383 for more details). Specific instructions for
+                        project (see GERONIMO-5383 for more details). Specific instructions
                         for patching Geronimo 2.1.x are available at
                         <ulink url="http://geronimo.apache.org/geronimo-21x-cve-2010-1632-patch-instructions.html"/>.
+                        The security fix has been included in Geronimo 2.2.1.
                         It is expected that
                         all other projects in this list are vulnerable as well.
                     </para>
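Review bot: the added sentence "The security fix has been included in Geronimo 2.2.1." gives no reference, whereas the 2.1.x patch instructions two lines above carry a `<ulink>`; add a link to the Geronimo 2.2.1 release notes or point to GERONIMO-5383 so a reader can verify which Geronimo release line carries the fix. Dropping the trailing "for" on the edited line correctly removes the duplicated "instructions for / for patching".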
@@ -227,8 +228,8 @@
                 The security issue described in this advisory is fixed in Axis2 1.5.2 and 1.6.
                 These releases forbid document type declarations even for
                 <literal>application/xml</literal> documents. Therefore upgrading to one of
-                these versions is the best solution. Note that at the date of writing,
-                neither Axis2 1.5.2 nor Axis2 1.6 has been released yet. However,
+                these versions is the best solution. Axis2 1.5.2 was released in September 2010.
+                At the date of writing, Axis2 1.6 has not been released yet. However,
                 snapshot versions are available.
             </para>
         </section>
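Review bot: "At the date of writing" is ambiguous now that the releaseinfo carries three dates; anchor the statement to the update date ("As of December 2010, Axis2 1.6 has not been released yet") so it stays accurate when the advisory is quoted later. While here, the new "released in September 2010" claim would be easier to verify with a `<ulink>` to the 1.5.2 release announcement, and since the paragraph recommends "one of these versions", it is worth saying explicitly that 1.5.2 is the upgrade path for existing 1.5.x deployments.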