Hi,

> On 07.06.2016 at 11:42, Andreas Lehmkühler <andr...@lehmi.de> wrote:
> 
> Hi,
> 
>> Maruan Sahyoun <sahy...@fileaffairs.de> wrote on 6 June 2016 at 12:40:
>> 
>> 
>> Hi,
>> 
>>> On 06.06.2016 at 11:41, Simon Steiner <simonsteiner1...@gmail.com> wrote:
>>> 
>>> Hi,
>>> 
>>> Should this be on the pdfbox homepage?
>> 
>> I'll let Andreas decide on that
> What should we add, just a news posting or adding a new security section as
> other projects like Tomcat?

a new post should do.

> 
> BR
> Andreas
>>> The homepage has http://pdfbox.apache.org/download.cgi but it's not
>>> clickable.
>> 
>> done - thanks for letting us know.
>> 
>> Maruan
>> 
>>> 
>>> Thanks
>>> 
>>> -----Original Message-----
>>> From: Andreas Lehmkuehler [mailto:le...@apache.org] 
>>> Sent: 27 May 2016 07:03
>>> To: annou...@apache.org; dev@pdfbox.apache.org; us...@pdfbox.apache.org;
>>> secur...@apache.org; oss-secur...@lists.openwall.com;
>>> bugt...@securityfocus.com
>>> Subject: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability
>>> 
>>> CVE-2016-2175: Apache PDFBox XML External Entity vulnerability
>>> 
>>> Severity: Important
>>> 
>>> 
>>> Vendor:
>>> The Apache Software Foundation
>>> 
>>> Versions Affected:
>>> Apache PDFBox 1.8.0 to 1.8.11
>>> Apache PDFBox 2.0.0
>>> Earlier, unsupported Apache PDFBox versions may be affected as well
>>> 
>>> Description:
>>> Apache PDFBox parses different XML data within PDF files such as XMP and the
>>> initialization of the XML parsers did not protect against XML External Entity
>>> (XXE) vulnerabilities. According to www.owasp.org [1]: "This attack may lead
>>> to the disclosure of confidential data, denial of service, server side
>>> request forgery, port scanning from the perspective of the machine where the
>>> parser is located, and other system impacts."
>>> 
>>> 
>>> Mitigation:
>>> Upgrade to Apache PDFBox 1.8.12 or 2.0.1 respectively
>>> 
>>> Credit:
>>> This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi
>>> Kim, Mesut Timur and Microsoft Vulnerability Research.
>>> 
>>> [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
>>> For additional commands, e-mail: dev-h...@pdfbox.apache.org
>>> 
>>> 
>>> 
>>> 
>> 
>> 
>> 
> 
> 


