Hi,

> Maruan Sahyoun <sahy...@fileaffairs.de> wrote on 6 June 2016 at 12:40:
> 
> 
> Hi,
> 
> > On 06.06.2016 at 11:41, Simon Steiner <simonsteiner1...@gmail.com> wrote:
> > 
> > Hi,
> > 
> > Should this be on the pdfbox homepage?
> 
> I'll let Andreas decide on that
What should we add, just a news posting or a new security section like
other projects such as Tomcat have?

BR
Andreas
> > The homepage has http://pdfbox.apache.org/download.cgi but it's not
> > clickable.
> 
> done - thanks for letting us know.
> 
> Maruan
> 
> > 
> > Thanks
> > 
> > -----Original Message-----
> > From: Andreas Lehmkuehler [mailto:le...@apache.org] 
> > Sent: 27 May 2016 07:03
> > To: annou...@apache.org; dev@pdfbox.apache.org; us...@pdfbox.apache.org;
> > secur...@apache.org; oss-secur...@lists.openwall.com;
> > bugt...@securityfocus.com
> > Subject: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability
> > 
> > CVE-2016-2175: Apache PDFBox XML External Entity vulnerability
> > 
> > Severity: Important
> > 
> > 
> > Vendor:
> > The Apache Software Foundation
> > 
> > Versions Affected:
> > Apache PDFBox 1.8.0 to 1.8.11
> > Apache PDFBox 2.0.0
> > Earlier, unsupported Apache PDFBox versions may be affected as well
> > 
> > Description:
> > Apache PDFBox parses different XML data within PDF files such as XMP and the
> > initialization of the XML parsers did not protect against XML External
> > Entity
> > (XXE) vulnerabilities. According to www.owasp.org [1]: "This attack may lead
> > to the disclosure of confidential data, denial of service, server side
> > request forgery, port scanning from the perspective of the machine where the
> > parser is located, and other system impacts."
> > 
> > 
> > Mitigation:
> > Upgrade to Apache PDFBox 1.8.12 or 2.0.1 respectively
> > 
> > Credit:
> > This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi
> > Kim, Mesut Timur and Microsoft Vulnerability Research.
> > 
> > [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org For additional
> > commands, e-mail: dev-h...@pdfbox.apache.org
> > 
> > 
> > 
> > 
> 
> 
>
