Author: jbonofre
Date: Sat Jan 24 06:26:19 2026
New Revision: 1931499
Log:
[scm-publish] Updating main website contents
Added:
karaf/site/production/security/cve-2026-24656.txt
Modified:
karaf/site/production/documentation.html
karaf/site/production/feed.xml
Modified: karaf/site/production/documentation.html
==============================================================================
--- karaf/site/production/documentation.html Sat Jan 24 04:20:04 2026
(r1931498)
+++ karaf/site/production/documentation.html Sat Jan 24 06:26:19 2026
(r1931499)
@@ -471,6 +471,10 @@
<p>CVE-2024-34365: Cave SSRF and arbitrary file access</p>
<a class="btn btn-outline-primary"
href="/security/cve-2024-34365.txt">Notes »</a>
</div>
+ <div class="pb-4 mb-3">
+ <p>CVE-2026-24656: Decanter log socket collector:
Deserialization of Untrusted Data</p>
+ <a class="btn btn-outline-primary"
href="/security/cve-2026-24656.txt">Notes »</a>
+ </div>
</div><!-- /.blog-main -->
</div>
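Review bot: the entry text `CVE-2026-24656: Decanter log socket collector: Deserialization of Untrusted Data` does not match the heading of the advisory it links to (`CVE-2026-24656: Apache Karaf Decanter: Deserialization of Untrusted Data Vulnerability` in the added cve-2026-24656.txt); pick one wording so the index page and the notes file agree when people search for the CVE. It would also help triage to name the fixed version in the one-line entry (for example `... (fixed in Decanter 2.12.0)`), since the advisory's only remediation is the upgrade and readers currently have to open the notes to find that.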
Modified: karaf/site/production/feed.xml
==============================================================================
--- karaf/site/production/feed.xml Sat Jan 24 04:20:04 2026
(r1931498)
+++ karaf/site/production/feed.xml Sat Jan 24 06:26:19 2026
(r1931499)
@@ -1 +1 @@
-<?xml version="1.0" encoding="utf-8"?><feed
xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/"
version="4.0.1">Jekyll</generator><link
href="https://karaf.apache.org/feed.xml" rel="self" type="application/atom+xml"
/><link href="https://karaf.apache.org/" rel="alternate" type="text/html"
/><updated>2025-12-15T02:50:01-06:00</updated><id>https://karaf.apache.org/feed.xml</id><title
type="html">Apache Karaf - The modulith runtime</title><subtitle>Karaf
provides modulith runtime for the enterprise, running on premise or on cloud.
Focus on your business code and applications, Apache Karaf deals with the
rest.</subtitle></feed>
\ No newline at end of file
+<?xml version="1.0" encoding="utf-8"?><feed
xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/"
version="4.0.1">Jekyll</generator><link
href="https://karaf.apache.org/feed.xml" rel="self" type="application/atom+xml"
/><link href="https://karaf.apache.org/" rel="alternate" type="text/html"
/><updated>2026-01-24T00:25:08-06:00</updated><id>https://karaf.apache.org/feed.xml</id><title
type="html">Apache Karaf - The modulith runtime</title><subtitle>Karaf
provides modulith runtime for the enterprise, running on premise or on cloud.
Focus on your business code and applications, Apache Karaf deals with the
rest.</subtitle></feed>
\ No newline at end of file
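Review bot: the feed still contains no `<entry>` element, so subscribers of https://karaf.apache.org/feed.xml see `<updated>` move from 2025-12-15T02:50:01-06:00 to 2026-01-24T00:25:08-06:00 but get no item pointing at /security/cve-2026-24656.txt; a security advisory is exactly the kind of change a feed consumer wants to be told about. If the feed is meant to announce site updates, add an `<entry>` with a `<title>` carrying the CVE id, a `<link href="https://karaf.apache.org/security/cve-2026-24656.txt"/>` and its own `<updated>`; if it is not, this timestamp-only churn on an empty feed is noise in every publish commit and could be dropped from the generator output.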
Added: karaf/site/production/security/cve-2026-24656.txt
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ karaf/site/production/security/cve-2026-24656.txt Sat Jan 24 06:26:19
2026 (r1931499)
@@ -0,0 +1,47 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+CVE-2026-24656: Apache Karaf Decanter: Deserialization of Untrusted Data
Vulnerability
+
+Severity: important
+
+Affected versions:
+
+- - Apache Karaf Decanter, versions before 2.12.0
+
+Description:
+
+The Decanter log socket collector exposes the port 4560, without
authentication.
+
+If the collector exposes allowed classes property, this configuration can be
bypassed.
+It means that the log socket collector is vulnerable to deserialization of
untrusted data, eventually causing DoS.
+
+NB: Decanter log socket collector is not installed by default. Users who have
not installed Decanter log socket are not impacted by this issue.
+
+This issue affects Apache Karaf Decanter before 2.12.0
+.Users are recommended to upgrade to version 2.12.0, which fixes the issue.
+
+Credit:
+
+r00t4dm (finder)
+
+References:
+
+https://karaf.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-24656
+-----BEGIN PGP SIGNATURE-----
+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+=00dQ
+-----END PGP SIGNATURE-----
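Review bot: the impact statement `It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS.` leaves the assessed impact ambiguous: the preceding lines say port 4560 is reachable without authentication and that the allowed-classes restriction can be bypassed, which readers will take as unrestricted object deserialization, yet the only consequence named is denial of service. State plainly what the project assessed (DoS only, or code execution given a suitable gadget chain on the collector's classpath) so that the `Severity: important` line can be interpreted. Also name the actual configuration property behind `allowed classes property` so operators can grep their collector configuration for it, and add a mitigation for users who cannot move to 2.12.0 immediately (uninstalling the log socket collector, or restricting reachability of port 4560 to trusted log producers), building on the NB that the collector is not installed by default. Minor wording: `exposes the port 4560` should read `exposes port 4560`, and the stray period that starts `.Users are recommended to upgrade` belongs at the end of the previous line (`before 2.12.0.`).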