Author: buildbot
Date: Thu Jun 27 09:47:52 2013
New Revision: 867613
Log:
Production update by buildbot for cxf
Added:
websites/production/cxf/content/security-advisories.data/
websites/production/cxf/content/security-advisories.data/CVE-2013-2160.txt.asc
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/security-advisories.html
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Added:
websites/production/cxf/content/security-advisories.data/CVE-2013-2160.txt.asc
==============================================================================
---
websites/production/cxf/content/security-advisories.data/CVE-2013-2160.txt.asc
(added)
+++
websites/production/cxf/content/security-advisories.data/CVE-2013-2160.txt.asc
Thu Jun 27 09:47:52 2013
@@ -0,0 +1,53 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+CVE-2013-2160: Denial of Service Attacks on Apache CXF
+
+Severity: Critical
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache CXF prior to 2.5.10, 2.6.7
+and 2.7.4.
+
+Description:
+
+It is possible to execute Denial of Service attacks on Apache CXF, exploiting
+the fact that the streaming XML parser does not put limits on things like the
+number of elements, number of attributes, the nested structure of the document
+received, etc. The effects of these attacks can vary from causing high CPU
+usage, to causing the JVM to run out of memory.
+
+Apache CXF 2.5.10, 2.6.7 and 2.7.4 onwards pick up Woodstox 4.2.0 as the
+streaming XML parser, which enforces appropriate limits to prevent these
+attacks.
+
+This has been fixed in revisions:
+
+http://svn.apache.org/viewvc?view=revision&revision=1460428
+
+Migration:
+
+CXF 2.5.x users should upgrade to 2.5.10 or later as soon as possible.
+CXF 2.6.x users should upgrade to 2.6.7 or later as soon as possible.
+CXF 2.7.x users should upgrade to 2.7.4 or later as soon as possible.
+
+Credit: This issue was reported by Andreas Falkenberg of SEC Consult
+Deutschland GmbH, and Christian Mainka, Juraj Somorovsky and Joerg Schwenk of
+Ruhr-University Bochum.
+
+References: http://cxf.apache.org/security-advisories.html
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+iQEcBAEBAgAGBQJRzAEPAAoJEGe/gLEK1TmDX+IH/jAVBIlf4Gri4oqTe46/Un8I
+Qc297NQT+aBe9NRftrfv5zAQLPIE8UTAyecr/RILE9Fr5O0OkyR++/AO0V/x0QqL
+Bf2DHuwNN1UZfsjaO8osbUJAVVJLbt5ab4IsVrJNe0EuTEC2X/oQHBMtLr/Vn4Dm
+0YiXUjBRsIz1sGCXJ9ptQasfc4FQaBTRNlhWSoJhsix9EcfhZh3GaewbyXPsOGTU
++zfYsRRWjg+m8GT3b01gsxBRqUNvGw3M0g1Z96raDJSEzW7YRXUpwvrlUkBGvr1c
+drWZ6YqPqYJS7hZru7DbrLky9utR8qJCaPLFNLPA77auTDB9wLyKAslNL/6GhPI=
+=R9Kh
+-----END PGP SIGNATURE-----
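Review bot: The Migration section offers upgrading CXF as the only remediation, yet the Description attributes the actual fix to Woodstox 4.2.0 enforcing parser limits; the advisory should state whether the limits come solely from the Woodstox dependency (so that deployments that pin an older Woodstox or override the StAX provider remain exposed even on 2.5.10/2.6.7/2.7.4), or whether the CXF change in r1460428 is also required, and ideally which limits (element count, attribute count, nesting depth) are applied and whether they are configurable. A secondary point: the cleartext signature is made with `Hash: SHA1`; a stronger digest (SHA256) would be preferable for a long-lived advisory, and the HTML page that links to this file should also publish the signing key fingerprint so readers can verify it.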
Modified: websites/production/cxf/content/security-advisories.html
==============================================================================
--- websites/production/cxf/content/security-advisories.html (original)
+++ websites/production/cxf/content/security-advisories.html Thu Jun 27
09:47:52 2013
@@ -132,7 +132,20 @@ Apache CXF -- Security Advisories
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><ul><li><a shape="rect" href="cve-2012-5575.html"
title="CVE-2012-5575">Note on CVE-2012-5575</a> - XML Encryption backwards
compatibility attack on Apache CXF.</li><li><a shape="rect"
href="cve-2013-0239.html" title="CVE-2013-0239">CVE-2013-0239</a> -
Authentication bypass in the case of WS-SecurityPolicy enabled plaintext
UsernameTokens.</li><li><a shape="rect" href="cve-2012-5633.html"
title="CVE-2012-5633">CVE-2012-5633</a> - WSS4JInInterceptor always allows HTTP
Get requests from browser.</li><li><a shape="rect"
href="note-on-cve-2011-2487.html" title="Note on CVE-2011-2487">Note on
CVE-2011-2487</a> - Bleichenbacher attack against distributed symmetric key in
WS-Security.</li><li><a shape="rect" href="cve-2012-3451.html"
title="CVE-2012-3451">CVE-2012-3451</a> - Apache CXF is vulnerable to SOAP
Action spoofing attacks on Document Literal web services.</li><li><a
shape="rect" href="cve-2012-2379.html" title="CVE-2012-2379">CVE-2012-2379</a> -
Apache CXF does not verify that elements were signed or encrypted by a
particular Supporting Token.</li><li><a shape="rect" href="cve-2012-2378.html"
title="CVE-2012-2378">CVE-2012-2378</a> - Apache CXF does not pick up some
child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on
the client side.</li><li><a shape="rect" href="note-on-cve-2011-1096.html"
title="Note on CVE-2011-1096">Note on CVE-2011-1096</a> - XML Encryption flaw /
Character pattern encoding attack.</li><li><a shape="rect"
href="cve-2012-0803.html" title="CVE-2012-0803">CVE-2012-0803</a> - Apache CXF
does not validate UsernameToken policies correctly.</li><li><a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a>
- DTD based XML attacks.</li></ul>
+<div id="ConfluenceContent">
+<h3><a shape="rect" name="SecurityAdvisories-2013"></a>2013</h3>
+
+<ul><li><a shape="rect"
href="security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372324301037">CVE-2013-2160</a>
- Denial of Service Attacks on Apache CXF</li><li><a shape="rect"
href="cve-2012-5575.html" title="CVE-2012-5575">Note on CVE-2012-5575</a> - XML
Encryption backwards compatibility attack on Apache CXF.</li><li><a
shape="rect" href="cve-2013-0239.html" title="CVE-2013-0239">CVE-2013-0239</a>
- Authentication bypass in the case of WS-SecurityPolicy enabled plaintext
UsernameTokens.</li></ul>
+
+
+<h3><a shape="rect" name="SecurityAdvisories-2012"></a>2012</h3>
+
+<ul><li><a shape="rect" href="cve-2012-5633.html"
title="CVE-2012-5633">CVE-2012-5633</a> - WSS4JInInterceptor always allows HTTP
Get requests from browser.</li><li><a shape="rect"
href="note-on-cve-2011-2487.html" title="Note on CVE-2011-2487">Note on
CVE-2011-2487</a> - Bleichenbacher attack against distributed symmetric key in
WS-Security.</li><li><a shape="rect" href="cve-2012-3451.html"
title="CVE-2012-3451">CVE-2012-3451</a> - Apache CXF is vulnerable to SOAP
Action spoofing attacks on Document Literal web services.</li><li><a
shape="rect" href="cve-2012-2379.html" title="CVE-2012-2379">CVE-2012-2379</a>
- Apache CXF does not verify that elements were signed or encrypted by a
particular Supporting Token.</li><li><a shape="rect" href="cve-2012-2378.html"
title="CVE-2012-2378">CVE-2012-2378</a> - Apache CXF does not pick up some
child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on
the client side.</li><li><a shape="rect" href="note-on-cve-2011-109
6.html" title="Note on CVE-2011-1096">Note on CVE-2011-1096</a> - XML
Encryption flaw / Character pattern encoding attack.</li><li><a shape="rect"
href="cve-2012-0803.html" title="CVE-2012-0803">CVE-2012-0803</a> - Apache CXF
does not validate UsernameToken policies correctly.</li></ul>
+
+
+<h3><a shape="rect" name="SecurityAdvisories-2010"></a>2010</h3>
+
+<ul><li><a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf">CVE-2010-2076</a>
- DTD based XML attacks.</li></ul>
</div>
</div>
<!-- Content -->
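Review bot: The new CVE-2013-2160 entry links to `security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372324301037`, which carries Confluence attachment query parameters and an unescaped `&` inside an attribute value (it should be `&amp;` for well-formed HTML); a stable link to the `.asc` file without the version/modificationDate suffix would avoid breaking when the attachment is updated. The entry is also inconsistent with its siblings: it has no `title` attribute and its description lacks the trailing period every other item has. Suggested line: `<li><a shape="rect" href="security-advisories.data/CVE-2013-2160.txt.asc" title="CVE-2013-2160">CVE-2013-2160</a> - Denial of Service Attacks on Apache CXF.</li>`.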