Author: rbaxter85
Date: Tue Oct 22 00:13:16 2013
New Revision: 1534423

URL: http://svn.apache.org/r1534423
Log:
Updated with 2.5.0 vulnerabilities

Modified:
    shindig/site/trunk/cms/trunk/content/security.mdtext

Modified: shindig/site/trunk/cms/trunk/content/security.mdtext
URL: http://svn.apache.org/viewvc/shindig/site/trunk/cms/trunk/content/security.mdtext?rev=1534423&r1=1534422&r2=1534423&view=diff
==============================================================================
--- shindig/site/trunk/cms/trunk/content/security.mdtext (original)
+++ shindig/site/trunk/cms/trunk/content/security.mdtext Tue Oct 22 00:13:16 
2013
@@ -18,4 +18,27 @@ Notice:    Licensed to the Apache Softwa
 
 # Shindig Security Issues
 
-This page contains of resolved security issues from Apache Shindig.
+Please note that, except in rare circumstances, binary patches are not 
produced for individual vulnerabilities. To obtain the binary fix for a 
particular 
+vulnerability you should upgrade to an Apache Shindig version where that 
vulnerability has been fixed.
+
+Source patches, usually in the form of references to SVN commits, may be 
provided in either in a vulnerability announcement and/or the vulnerability 
+details listed on these pages. These source patches may be used by users 
wishing to build their own local version of Shindig with just that security 
+patch rather than upgrade.
+
+### Shindig 2.5.0 Vulnerabilities
+
+<b>Information disclosure 
[CVE-2013-4295](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4295)</b>
+
+The gadget renderer in the PHP version of Apache Shindig
+is subject to an XML External Entity (XXE) Injection attack.  The
+vulnerability allows a malicious gadget author to construct paths to
+content on the gadget rendering server which in turn will display the
+content in the gadget iframe.
+
+This was fixed in revision 
[1526307](http://svn.apache.org/viewvc?view=revision&revision=1526307).
+
+This issue was discovered by Kousuke Ebihara on 12 Aug 2013 and made public on 
21 Oct 2013.
+
+Affects: 2.5.0 (PHP)
+
+Fixed In: 2.5.0-update1
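Review bot: the sentence "Source patches ... may be provided in either in a vulnerability announcement and/or the vulnerability details listed on these pages" has a doubled "in" and a redundant "and/or"; suggest "may be provided either in a vulnerability announcement or in the vulnerability details listed on these pages". In the same hunk, the CVE link drops the CVE- prefix from the query parameter (`cvename.cgi?name=2013-4295`); the canonical MITRE lookup form is `cvename.cgi?name=CVE-2013-4295`, so use that to be sure the link resolves to the right record. Finally, the page is markdown (`.mdtext`) and already uses markdown headings and links, so the `<b>...</b>` around the advisory title would be more consistent as `**...**`.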

