Posted to commits@openmeetings.apache.org by so...@apache.org on 2018/01/11 10:10:16 UTC

openmeetings git commit: no jira: security page is updated with CVE-2017-5878 details

Repository: openmeetings
Updated Branches:
  refs/heads/4.0.x c384a4a0e -> f95b6321d


no jira: security page is updated with CVE-2017-5878 details


Project: http://git-wip-us.apache.org/repos/asf/openmeetings/repo
Commit: http://git-wip-us.apache.org/repos/asf/openmeetings/commit/f95b6321
Tree: http://git-wip-us.apache.org/repos/asf/openmeetings/tree/f95b6321
Diff: http://git-wip-us.apache.org/repos/asf/openmeetings/diff/f95b6321

Branch: refs/heads/4.0.x
Commit: f95b6321d7dc5dd14cfb48871b16fc80c858e25a
Parents: c384a4a
Author: Maxim Solodovnik <so...@gmail.com>
Authored: Thu Jan 11 17:10:06 2018 +0700
Committer: Maxim Solodovnik <so...@gmail.com>
Committed: Thu Jan 11 17:10:06 2018 +0700

----------------------------------------------------------------------
 openmeetings-server/src/site/xdoc/security.xml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/openmeetings/blob/f95b6321/openmeetings-server/src/site/xdoc/security.xml
----------------------------------------------------------------------
diff --git a/openmeetings-server/src/site/xdoc/security.xml b/openmeetings-server/src/site/xdoc/security.xml
index be1d7f3..cc09e75 100644
--- a/openmeetings-server/src/site/xdoc/security.xml
+++ b/openmeetings-server/src/site/xdoc/security.xml
@@ -173,6 +173,19 @@
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
+		<section name="CVE-2017-5878 - RED5/AMF Unmarshalling RCE">
+			<p>Severity: Critical</p>
+			<p>Vendor: Red5</p>
+			<p>Versions Affected: Apache OpenMeetings 3.1.3 and earlier</p>
+			<p>Description: The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the
+				classes for which it performs deserialization, which allows remote attackers to execute
+				arbitrary code via crafted serialized Java data.<br/>
+				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5878">CVE-2017-5878</a>
+			</p>
+			<p>The issue was fixed in 3.1.4<br/>
+				All users are recommended to upgrade to Apache OpenMeetings 3.1.4</p>
+			<p>Credit: This issue was identified by Moritz Bechler</p>
+		</section>
 		<section name="CVE-2016-8736 - Apache Openmeetings RMI Registry Java Deserialization RCE">
 			<p>Severity: Moderate</p>
 			<p>Vendor: The Apache Software Foundation</p>
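Review bot: The "The issue was fixed in 3.1.4" paragraph of the new CVE-2017-5878 section does not connect the fix to the Red5 version named in the Description ("Red5 Media Server before 1.0.8"). Since the entry lists "Vendor: Red5", a reader cannot tell from this text whether OpenMeetings 3.1.4 ships Red5 1.0.8 or later, or mitigates the AMF unmarshalling some other way. Suggest stating the bundled Red5 version in that paragraph, so operators can check the Red5 jar in an existing install rather than relying on the OpenMeetings version alone. Two smaller points: in the Description, "unmarshallers ... do not restrict the classes for which it performs deserialization" should read "they perform". Also, the section is inserted directly after an entry recommending 3.3.0, so please confirm that a fix in 3.1.4 belongs at this position in the page's ordering.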