Author: ilgrosso
Date: Mon Jul  7 11:09:33 2014
New Revision: 1608410

URL: http://svn.apache.org/r1608410
Log:
Publishing updated security page

Modified:
    syncope/site/security.html

Modified: syncope/site/security.html
URL: http://svn.apache.org/viewvc/syncope/site/security.html?rev=1608410&r1=1608409&r2=1608410&view=diff
==============================================================================
--- syncope/site/security.html (original)
+++ syncope/site/security.html Mon Jul  7 11:09:33 2014
@@ -8,7 +8,7 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta name="author" content="Apache Syncope Documentation Team" />
-    <meta name="Date-Revision-yyyymmdd" content="20140703" />
+    <meta name="Date-Revision-yyyymmdd" content="20140707" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Apache Syncope - 
     Security Advisories</title>
@@ -143,7 +143,7 @@
             
     <iframe 
src="http://www.facebook.com/plugins/like.php?href=http://syncope.apache.org/&send=false&layout=button_count&show-faces=false&action=like&colorscheme=dark";
         scrolling="no" frameborder="0"
-        style="border:none; width:100px; height:20px; margin-top: 10px;"  
class="pull-right" ></iframe>
+        style="border:none; width:80px; height:20px; margin-top: 10px;"  
class="pull-right" ></iframe>
                         
     <script type="text/javascript" 
src="https://apis.google.com/js/plusone.js";></script>
 
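Review bot: the width tweak on the like-button iframe is harmless, but this hunk also shows that the iframe is still fetched from plain http://www.facebook.com while plusone.js two lines below is loaded over https; on the page that publishes the project's security advisories, loading the Facebook plugin over https as well would avoid a mixed-content warning and an unencrypted third-party embed. Both embeds pull third-party frames and script into the advisory page, so it is worth asking whether they are needed on this page at all.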
@@ -238,38 +238,83 @@ under the License. -->
 
       
 <div class="section">
-<h3>CVE-2014-0111: Remote code execution by an authenticated administrator<a 
name="CVE-2014-0111:_Remote_code_execution_by_an_authenticated_administrator"></a></h3>
   
-       
-<p>In the various places in which Apache Commons JEXL expressions are allowed 
(derived schema definition, user / role templates, account links of resource 
mappings) a malicious administrator can inject Java code that can be executed 
remotely by the JEE container running the Apache Syncope core.</p>
+<h3>CVE-2014-3503: Insecure Random implementations used to generate 
passwords<a 
name="CVE-2014-3503:_Insecure_Random_implementations_used_to_generate_passwords"></a></h3>
     
+        
+<p>A password is generated for a user in Apache Syncope under certain  
circumstances, when no existing password 
+          is found. However, the password generation code is relying on 
insecure Random implementations, which means 
+          that an attacker could attempt to guess a generated password.</p>
 
+        
+<p>
+          <b>Affects</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
+<li>Releases 1.1.0 to 1.1.7</li>
+          </ul>
+        
 
-       
-<p><b>Affects</b></p>
-       
+        
 <p>
-         </p>
+          <b>Fixed in</b>
+        </p>
+        
+<p>
+          </p>
 <ul>
-           
+            
+<li>Revision <a class="externalLink" 
href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1596537";>1596537</a></li>
+            
+<li>Release 1.1.8</li>
+          </ul>
+        
+
+        
+<p>Read the <a class="externalLink" 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3503";>full CVE 
advisory</a>.</p>
+      </div>
+
+      
+<div class="section">
+<h3>CVE-2014-0111: Remote code execution by an authenticated administrator<a 
name="CVE-2014-0111:_Remote_code_execution_by_an_authenticated_administrator"></a></h3>
   
+        
+<p>In the various places in which Apache Commons JEXL expressions are allowed 
(derived schema definition, 
+          user / role templates, account links of resource mappings) a 
malicious administrator can inject Java code 
+          that can be executed remotely by the JEE container running the 
Apache Syncope core.</p>
+
+        
+<p>
+          <b>Affects</b>
+        </p>
+        
+<p>
+          </p>
+<ul>
+            
 <li>Releases 1.0.0 to 1.0.8</li>
-           
+            
 <li>Releases 1.1.0 to 1.1.6</li>
-         </ul>
-       
+          </ul>
+        
 
-       
-<p><b>Fixed in</b></p>
-       
+        
+<p>
+          <b>Fixed in</b>
+        </p>
+        
 <p>
-         </p>
+          </p>
 <ul>
-           
+            
 <li>Revisions <a class="externalLink" 
href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1586349";>1586349</a>
 / <a class="externalLink" 
href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1586317";>1586317</a></li>
-           
+            
 <li>Releases 1.0.9 / 1.1.7</li>
-         </ul>
-       
+          </ul>
+        
 
-       
+        
 <p>Read the <a class="externalLink" 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0111";>full CVE 
advisory</a>.</p>
       </div>
     </div>
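Review bot: the new CVE-2014-3503 section lists only "Releases 1.1.0 to 1.1.7" under Affects, whereas the CVE-2014-0111 section right below it covers both the 1.0.x and 1.1.x lines; if the 1.0.x releases are not affected by the insecure Random issue, state that explicitly, otherwise an administrator on 1.0.9 cannot tell from this page whether action is needed. The description also says "insecure Random implementations" without naming the class that was replaced or what it was replaced with; either name them or note that revision 1596537 (already linked under Fixed in) carries the detail, so that operators can verify their build. Minor markup point: the empty paragraph inserted before each list (`<p>` followed by `</p>` and then `<ul>`) renders as a stray empty paragraph; the `<ul>` can stand on its own after the bold label.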

