Hi,

> On 06.06.2016 at 11:41, Simon Steiner <simonsteiner1...@gmail.com> wrote:
> 
> Hi,
> 
> Should this be on the pdfbox homepage?

I'll let Andreas decide on that.

> The homepage has http://pdfbox.apache.org/download.cgi but it's not clickable.

done - thanks for letting us know.

Maruan

> 
> Thanks
> 
> -----Original Message-----
> From: Andreas Lehmkuehler [mailto:le...@apache.org] 
> Sent: 27 May 2016 07:03
> To: annou...@apache.org; dev@pdfbox.apache.org; us...@pdfbox.apache.org; 
> secur...@apache.org; oss-secur...@lists.openwall.com; 
> bugt...@securityfocus.com
> Subject: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability
> 
> CVE-2016-2175: Apache PDFBox XML External Entity vulnerability
> 
> Severity: Important
> 
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Apache PDFBox 1.8.0 to 1.8.11
> Apache PDFBox 2.0.0
> Earlier, unsupported Apache PDFBox versions may be affected as well
> 
> Description:
> Apache PDFBox parses different XML data within PDF files such as XMP and the 
> initialization of the XML parsers did not protect against XML External Entity
> (XXE) vulnerabilities. According to www.owasp.org [1]: "This attack may lead 
> to the disclosure of confidential data, denial of service, server side 
> request forgery, port scanning from the perspective of the machine where the 
> parser is located, and other system impacts."
> 
> 
> Mitigation:
> Upgrade to Apache PDFBox 1.8.12 or 2.0.1, respectively
> 
> Credit:
> This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi 
> Kim, Mesut Timur and Microsoft Vulnerability Research.
> 
> [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
> For additional commands, e-mail: dev-h...@pdfbox.apache.org

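A hardened parser configuration of the kind the quoted advisory's fix calls for, as an added example (my own code, not PDFBox's or the advisory's): javax.xml's DocumentBuilderFactory with DOCTYPE, external-entity and XInclude handling switched off, run against two constructed XMP packets. The class name, the sample packets and the placeholder file URI are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class HardenedXmpParser {

    // Constructed samples (not taken from any real PDF). Legitimate XMP never needs a
    // DOCTYPE, so refusing every DOCTYPE costs nothing and removes the XXE surface.
    static final String META = "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" xmlns:dc=\"http://purl.org/dc/elements/1.1/\">";
    static final String BENIGN_XMP = META + "<dc:title>Report</dc:title></x:xmpmeta>";
    static final String XMP_WITH_DOCTYPE =
        "<!DOCTYPE x [ <!ENTITY ext SYSTEM \"file:///placeholder-not-a-real-path\"> ]>\n"
      + META + "<dc:title>&ext;</dc:title></x:xmpmeta>";

    /** Factory that refuses DOCTYPEs, external entities, external DTDs and XInclude. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns true when the packet parsed, false when the hardened parser rejected it. */
    static boolean parseXmp(String xmp) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xmp.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {   // thrown at the DOCTYPE, before any entity is touched
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign parsed:  " + parseXmp(BENIGN_XMP));
        System.out.println("doctype parsed: " + parseXmp(XMP_WITH_DOCTYPE));
    }
}
```

The benign packet still parses, which is the check worth running after hardening: the rejection must hit the DOCTYPE, not ordinary metadata.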

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: dev-h...@pdfbox.apache.org