[ https://issues.apache.org/jira/browse/OOZIE-1411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur resolved OOZIE-1411.
---------------------------------------

    Resolution: Invalid

Misread version. The previous patch took openjpa to 2.2.2, which is not affected.

> upgrade to OpenJPA 2.2.1
> ------------------------
>
> Key: OOZIE-1411
> URL: https://issues.apache.org/jira/browse/OOZIE-1411
> Project: Oozie
> Issue Type: Bug
> Components: build
> Affects Versions: trunk
> Reporter: Alejandro Abdelnur
>
> This just came up in the openjpa alias:
> CVE-2013-1768: Apache OpenJPA security vulnerability
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> OpenJPA 1.0.0 to 1.0.4
> OpenJPA 1.1.0
> OpenJPA 1.3.0
> OpenJPA 1.2.0 to 1.2.2
> OpenJPA 2.0.0 to 2.0.1
> OpenJPA 2.1.0 to 2.1.1
> OpenJPA 2.2.0 to 2.2.1
> Description: Deserialization of a maliciously crafted OpenJPA object can
> result in an executable file being written to the file system. An
> attacker needs to discover an unprotected server program to exploit the
> vulnerability. It then needs to exploit another unprotected server
> program to execute the file and gain access to the system. OpenJPA
> usage by itself does not introduce the vulnerability.