Author: rmannibucau
Date: Tue Apr  5 11:39:26 2016
New Revision: 1737824

URL: http://svn.apache.org/viewvc?rev=1737824&view=rev
Log:
mentioning CVE-2015-8581, thanks Robert Panzer for the patch

Modified:
    tomee/site/trunk/content/security/tomee.mdtext

Modified: tomee/site/trunk/content/security/tomee.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/tomee.mdtext?rev=1737824&r1=1737823&r2=1737824&view=diff
==============================================================================
--- tomee/site/trunk/content/security/tomee.mdtext (original)
+++ tomee/site/trunk/content/security/tomee.mdtext Tue Apr  5 11:39:26 2016
@@ -29,7 +29,11 @@ that even if fixed in 7.0.0-M2 we recomm
 This issue only affects you if you rely on EJBd protocol (proprietary remote 
EJB protocol). This one one is not activated by default on the 7.x series
 but it was on the 1.x ones.
 
-The related CVE number is 
[CVE-2016-0779](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0779): 
the EJBd protocol provided by TomEE can exploit the 0-day vulnerability.
+The related CVE numbers are:
+
+* 
[CVE-2016-0779](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0779): 
The EJBd protocol provided by TomEE can exploit the 0-day vulnerability.
+* 
[CVE-2015-8581](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8581): 
The EjbObjectInputStream class in Apache TomEE allows remote attackers to 
execute arbitrary commands via a serialized Java stream.
+
 This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9.
 
 Check [properties configuration](/properties-listing.html) and [Ejbd 
transport](/ejbd-transport.html) for more details (tomee.serialization.class.* 
and tomee.remote.support).
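Review bot: with the second CVE added as a list item, the unchanged sentence "This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9." now reads as covering both CVE-2016-0779 and CVE-2015-8581, which is ambiguous; either state that the commit fixes both or give the fixing commit and first fixed release for CVE-2015-8581 on its own bullet. The first bullet's wording "The EJBd protocol provided by TomEE can exploit the 0-day vulnerability." is also off, since the protocol is the exposed surface rather than the attacker; "The EJBd protocol provided by TomEE is affected by the vulnerability." would be clearer. Finally, since the new CVE-2015-8581 entry concerns deserialization through EjbObjectInputStream, it would help readers if the closing pointer to tomee.serialization.class.* and tomee.remote.support said explicitly which of the two CVEs those properties mitigate.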

