Author: solomax Date: Thu Mar 24 17:36:23 2016 New Revision: 1736472 URL: http://svn.apache.org/viewvc?rev=1736472&view=rev Log: 3.1.1 Release preparation: documentation update
Modified: openmeetings/application/branches/3.1.x/CHANGELOG openmeetings/application/branches/3.1.x/README openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/NewsArchive.xml openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/ReleaseGuide.xml openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/downloads.xml openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/index.xml openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/security.xml openmeetings/application/trunk/CHANGELOG openmeetings/application/trunk/README openmeetings/application/trunk/openmeetings-server/src/site/xdoc/CallForLogo.xml openmeetings/application/trunk/openmeetings-server/src/site/xdoc/NewsArchive.xml openmeetings/application/trunk/openmeetings-server/src/site/xdoc/ReleaseGuide.xml openmeetings/application/trunk/openmeetings-server/src/site/xdoc/downloads.xml openmeetings/application/trunk/openmeetings-server/src/site/xdoc/index.xml openmeetings/application/trunk/openmeetings-server/src/site/xdoc/security.xml Modified: openmeetings/application/branches/3.1.x/CHANGELOG URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/CHANGELOG?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/branches/3.1.x/CHANGELOG (original) +++ openmeetings/application/branches/3.1.x/CHANGELOG Thu Mar 24 17:36:23 2016 
@@ -1,6 +1,31 @@ Apache OpenMeetings Change Log See http://issues.apache.org/jira/browse/OPENMEETINGS-* (where * is the number of the issue below) +See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-* (where * is the number of CVE below) + +Release Notes - Openmeetings - Version 3.1.1 +================================================================================================================ +** Vulnerability + * CVE-2016-0783 - Predictable password reset token + * CVE-2016-0784 - ZIP file path traversal + * CVE-2016-2164 - Arbitrary file read via SOAP API + * CVE-2016-2163 - Stored Cross Site Scripting in Event description + +** Bug + * [OPENMEETINGS-1328] - ConfirmAjaxCallListener should be changed on standard wicket dialog in the MessagesContactsPanel + * [OPENMEETINGS-1339] - Poll results shows uncorrectly + * [OPENMEETINGS-1341] - White page is shown when user try to reset password + * [OPENMEETINGS-1343] - Release signatures should be created automatically + * [OPENMEETINGS-1346] - Error while import a backup from OM version 3.0.2 + * [OPENMEETINGS-1347] - missing sort functionality in administration view + * [OPENMEETINGS-1348] - Backup import with LDAP users from 2.1.0 fails + * [OPENMEETINGS-1351] - Call for Logo page does not say where to send contributions + * [OPENMEETINGS-1354] - Backup zip is being extracted without necessary checks + * [OPENMEETINGS-1355] - random UUID should be user to generate password reset hash + +** Improvement + * [OPENMEETINGS-1337] - Library versions should be updated (3.1.1) + Release Notes - Openmeetings - Version 3.1.0 ================================================================================================================ Modified: openmeetings/application/branches/3.1.x/README URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/README?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- 
openmeetings/application/branches/3.1.x/README (original) +++ openmeetings/application/branches/3.1.x/README Thu Mar 24 17:36:23 2016 @@ -8,6 +8,21 @@ Apache Openmeetings provides video confe collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming. +Release Notes 3.1.1 +============= +see CHANGELOG file for detailed log + +Service release 1 for 3.1.0, provides security fixes: +* CVE-2016-0783 - Predictable password reset token +* CVE-2016-0784 - ZIP file path traversal +* CVE-2016-2164 - Arbitrary file read via SOAP API +* CVE-2016-2163 - Stored Cross Site Scripting in Event description + +Please update to this release from any previous OpenMeetings release + +Other minor fixes. + + Release Notes 3.1.0 ============= see CHANGELOG file for detailed log Modified: openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/NewsArchive.xml URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/NewsArchive.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/NewsArchive.xml (original) +++ openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/NewsArchive.xml Thu Mar 24 17:36:23 2016 
@@ -22,8 +22,62 @@ <body> <section name="News"> <div class="bs-callout bs-callout-info"> + <b>Version 3.1.0 released!</b> + <div>SOAP/REST API was implemented using CXF (Axis2 was removed from the stack)<br/> + Build system is now maven (not ant), SWF client is improved + <br/> + SOAP/REST:<br/> + <ul> + <li>CXF is now used instead of Axis2</li> + <li>API was improved: methods are simplified, API is more powerful now</li> + <li>junit tests are added</li> + </ul><br/> + <br/> + Room client:<br/> + <ul> + <li>swf8 client is removed</li> + <li>calls via LocalConnection are removed</li> + <li>room dialogs are based on wicket-jquery-ui dialogs</li> + </ul><br/> + <br/> + Other fixes in admin, localization, installer, invitations, room etc.<br/> + </div> + <span> + 77 issues are fixed please check + <a href="http://archive.apache.org/dist/openmeetings/3.1.0/CHANGELOG">CHANGELOG</a> and + <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12333397">Detailed list</a> + </span> + <span class="bs-callout bs-callout-danger">please NOTE this release contains screen-sharing application signed be self-signed certificate due to <a href="https://issues.apache.org/jira/browse/INFRA-11384">INFRA-11384</a>. + to use screen-sharing application with modern Java, please add OM site to the list of java security exceptions by running $JAVA_HOME/bin/ControlPanel. 
+ </span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.1.0">Archived download</a>.</span> + <span class="date">(2016-03-06)</span> + </div> + <div class="bs-callout bs-callout-info"> + <b>Version 3.0.7 released!</b> + <div>Service release 7 for 3.0.0 contains following improvements and bug fixes:<br/> + <br/> + <ul> + <li>Clustering was tested and fixed, now it works as expected both in OM and plugins</li> + <li>Moderator able to restrict video in restricted room from now on</li> + <li>Private messages with room booking are now works as expected</li> + <li>Crashes in admin are fixed</li> + <li>LDAP: group import</li> + </ul><br/> + <br/> + Other fixes<br/> + </div> + <span> + 20 issues are fixed please check + <a href="http://archive.apache.org/dist/openmeetings/3.0.7/CHANGELOG">CHANGELOG</a> and + <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12332443">Detailed list</a> + </span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.0.7">Archived download</a>.</span> + <span class="date">(2015-09-29)</span> + </div> + <div class="bs-callout bs-callout-info"> <b>Version 3.0.6 released!</b> - <span>Service release 6 for 3.0.0 contains following improvements and bug fixes:<br/> + <div>Service release 6 for 3.0.0 contains following improvements and bug fixes:<br/> <br/> Invitation:<br/> <ul> 
@@ -33,15 +87,15 @@ </ul><br/> <br/> Other fixes<br/> + </div> + <span>7 issues are fixed please check <a href="http://archive.apache.org/dist/openmeetings/3.0.6/CHANGELOG">CHANGELOG</a> for details </span> - <span>7 issues are fixed please check <a href="https://www.apache.org/dist/openmeetings/3.0.6/CHANGELOG">CHANGELOG</a> for details - </span> - <span> See <a href="downloads.html">Downloads page</a>.</span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.0.6">Archived download</a>.</span> <span class="date">(2015-05-25)</span> </div> <div class="bs-callout bs-callout-info"> <b>Version 3.0.5 released!</b> - <span>Service release 5 for 3.0.0 contains following improvements and bug fixes:<br/> + <div>Service release 5 for 3.0.0 contains following improvements and bug fixes:<br/> <br/> Installer:<br/> <ul> @@ -58,15 +112,15 @@ </ul> <br/> Other fixes in SOAP, localizations, invitations etc.:<br/> + </div> + <span>18 issues are fixed please check <a href="http://archive.apache.org/dist/openmeetings/3.0.5/CHANGELOG">CHANGELOG</a> for details </span> - <span>18 issues are fixed please check <a href="https://www.apache.org/dist/openmeetings/3.0.5/CHANGELOG">CHANGELOG</a> for details - </span> - <span> See <a href="downloads.html">Downloads page</a>.</span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.0.5">Archived download</a>.</span> <span class="date">(2015-04-26)</span> </div> <div class="bs-callout bs-callout-info"> <b>Version 3.0.4 released!</b> - <span>Service release 4 for 3.0.0 contains following improvements and bug fixes:<br/> + <div>Service release 4 for 3.0.0 contains following improvements and bug fixes:<br/> <br/> Screen-Sharing:<br/> <ol> 
@@ -89,19 +143,19 @@ <ol> <li>Time zone support is greatly improved</li> </ol> + </div> + <span>67 issues are fixed please check <a href="http://archive.apache.org/dist/openmeetings/3.0.4/CHANGELOG">CHANGELOG</a> for details </span> - <span>67 issues are fixed please check <a href="https://www.apache.org/dist/openmeetings/3.0.4/CHANGELOG">CHANGELOG</a> for details - </span> - <span> See <a href="downloads.html">Downloads page</a>.</span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.0.4">Archived download</a>.</span> <span class="date">(2015-02-15)</span> </div> <div class="bs-callout bs-callout-info"> <b>Version 3.0.3 released!</b> <span>Service release 3 for 3.0.0, no new features were added, <br/> More than 60 issues are fixed, recordings stability is improved, LDAP support is enhanced<br/> - please check <a href="https://www.apache.org/dist/openmeetings/3.0.3/CHANGELOG">CHANGELOG</a> for details + please check <a href="http://archive.apache.org/dist/openmeetings/3.0.3/CHANGELOG">CHANGELOG</a> for details </span> - <span> See <a href="downloads.html">Downloads page</a>.</span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.0.3">Archived download</a>.</span> <span class="alert alert-error">please <b>NOTE</b> Java7 is required on both client and server from now on</span> <span class="date">(2014-09-05)</span> </div> Modified: openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/ReleaseGuide.xml URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/ReleaseGuide.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/ReleaseGuide.xml (original) +++ openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/ReleaseGuide.xml Thu Mar 24 17:36:23 2016 
@@ -30,16 +30,13 @@ <p>To build a binary release of OpenMeetings you need: </p> <ul> <li>Sun JDK7</li> - <li>Apache ANT (minimum) 1.8.3</li> + <li>Apache Maven 3.3.9</li> <li> SVN Command line client (Subversion 1.7 required!) - <a href="http://subversion.apache.org/packages.html" target="_blank" - rel="nofollow">http://subversion.apache.org/packages.html</a> + <a href="http://subversion.apache.org/packages.html" target="_blank" rel="nofollow">http://subversion.apache.org/packages.html</a> </li> <li>A text editor</li> - <li>You need to be online! The build process actively downloads - needed libraries and dependencies. - </li> + <li>You need to be online! The build process actively downloads needed libraries and dependencies.</li> <li>Valid certficate to be able to enter <a href="https://securesigning.websecurity.symantec.com/csportal/">https://securesigning.websecurity.symantec.com/csportal/</a> Please ask INFRA in case you need one. </li> Modified: openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/downloads.xml URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/downloads.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/downloads.xml (original) +++ openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/downloads.xml Thu Mar 24 17:36:23 2016 
@@ -26,8 +26,8 @@ <section name="Downloads"> <p> All downloads can be verified using the Apache OpenMeetings code - signing <a href="https://www.apache.org/dist/openmeetings/3.0.7/KEYS">KEYS</a>, changes: <a - href="https://www.apache.org/dist/openmeetings/3.0.7/CHANGELOG">CHANGELOG</a>. + signing <a href="https://www.apache.org/dist/openmeetings/3.1.1/KEYS">KEYS</a>, changes: <a + href="https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG">CHANGELOG</a>. </p> <p> All are available for download as source and binary. 
@@ -35,21 +35,21 @@ <subsection name="Latest Official Release"> <p> - Apache Openmeetings 3.0.7 + Apache Openmeetings 3.1.1 </p> <ul> <li> Binaries: <ul> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip">apache-openmeetings-3.0.7.zip</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip.md5">[MD5]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip">apache-openmeetings-3.1.1.zip</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip.sha256">[SHA256]</a> </li> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz">apache-openmeetings-3.0.7.tar.gz</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz.md5">[MD5]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz">apache-openmeetings-3.1.1.tar.gz</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz.sha256">[SHA256]</a> </li> </ul> </li> 
@@ -57,14 +57,14 @@ Sources: <ul> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip">apache-openmeetings-3.0.7-src.zip</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip.md5">[MD5]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip">apache-openmeetings-3.1.1-src.zip</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip.sha256">[SHA256]</a> </li> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz">apache-openmeetings-3.0.7-src.tar.gz</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz.md5">[MD5]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz">apache-openmeetings-3.1.1-src.tar.gz</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz.sha256">[SHA256]</a> </li> </ul> </li> Modified: openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/index.xml URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/index.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/index.xml (original) +++ 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/index.xml Thu Mar 24 17:36:23 2016 
@@ -93,43 +93,39 @@ <a class="carousel-control right" href="#slider">›</a> </div> - <p> Openmeetings provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming. </p> - <p> OpenMeetings is a project of the Apache, the old project website at <a href="http://code.google.com/p/openmeetings/" target="_blank">GoogleCode</a> will receive no updates anymore. The website at Apache is the only place that receives updates. </p> - </section> - <section name="News"> <div class="bs-callout bs-callout-danger"> - <b>Version 3.0.7 released!</b> - <span>Service release 7 for 3.0.0 contains following improvements and bug fixes:<br/> + <b>Version 3.1.1 released!</b> + <div>Service release 1 for 3.1.0 contains following improvements and bug fixes:<br/> <br/> - <ul> - <li>Clustering was tested and fixed, now it works as expected both in OM and plugins</li> - <li>Moderator able to restrict video in restricted room from now on</li> - <li>Private messages with room booking are now works as expected</li> - <li>Crashes in admin are fixed</li> - <li>LDAP: group import</li> - </ul><br/> + <span class="bs-callout bs-callout-danger"> + Multiple security vulnerabilities (CVE-2016-0783, CVE-2016-0784, CVE-2016-2163, CVE-2016-2164) were fixed, + please check <a href="security.html">Security Page</a><br/> + </span> <br/> Other fixes<br/> - </span> + </div> <span> - 20 issues are fixed please check - <a href="https://www.apache.org/dist/openmeetings/3.0.7/CHANGELOG">CHANGELOG</a> and - <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12332443">Detailed list</a> + 8 issues are fixed please check <br/> + <a href="https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG">CHANGELOG</a> and + <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12334656">Detailed list</a> + </span> + <span 
class="bs-callout bs-callout-danger">please NOTE this release contains screen-sharing application signed be self-signed certificate due to <a href="https://issues.apache.org/jira/browse/INFRA-11384">INFRA-11384</a>. + to use screen-sharing application with modern Java, please add OM site to the list of java security exceptions by running $JAVA_HOME/bin/ControlPanel. </span> <span> See <a href="downloads.html">Downloads page</a>.</span> - <span class="date">(2015-09-29)</span> + <span class="date">(2016-03-24)</span> </div> <div class="bs-callout bs-callout-info"> <span class="date"><a href="NewsArchive.html">You can find older news here</a></span> Modified: openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/security.xml URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/security.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/security.xml (original) +++ openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/security.xml Thu Mar 24 17:36:23 2016 
@@ -37,5 +37,60 @@ Please NOTE: only security issues should be reported to this list. </p> </section> + <section name="CVE-2016-0783 - Predictable password reset token"> + <p>Severity: Critical</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p> + <p>Description: The hash generated by the external password reset function is generated by concatenating the user + name and the current system time, and then hashing it using MD5. This is highly predictable and + can be cracked in seconds by an attacker with knowledge of the user name of an OpenMeetings + user.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0783">CVE-2016-0783</a> + </p> + <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> + <p>Credit: This issue was identified by Andreas Lindh</p> + </section> + <section name="CVE-2016-0784 - ZIP file path traversal"> + <p>Severity: Moderate</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p> + <p>Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu + (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially + crafted file names within ZIP archives. By uploading an archive containing a file named + ../../../public/hello.txt will write the file âhello.txtâ to the http://domain:5080/openmeetings/public/ + directory. 
This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd + party integrated executable) with a shell script, which would be executed the next time an image file + is uploaded and imagemagick is invoked.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0784">CVE-2016-0784</a> + </p> + <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> + <p>Credit: This issue was identified by Andreas Lindh</p> + </section> + <section name="CVE-2016-2163 - Stored Cross Site Scripting in Event description"> + <p>Severity: Moderate</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p> + <p>Description: When creating an event, it is possible to create clickable URL links in the event description. These + links will be present inside the event details once a participant enters the room via the event. It is + possible to create a link like "javascript:alert('xss')", which will execute once the link is clicked. As + the link is placed within an <a> tag, the actual link is not visible to the end user which makes it hard + to tell if the link is legit or not.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2163">CVE-2016-2163</a> + </p> + <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> + <p>Credit: This issue was identified by Andreas Lindh</p> + </section> + <section name="CVE-2016-2164 - Arbitrary file read via SOAP API"> + <p>Severity: Critical</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p> + <p>Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile + methods in the FileService, it is possible to read arbitrary files from the system. 
This is due to that + Java's URL class is used without checking what protocol handler is specified in the API call.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2164">CVE-2016-2164</a> + </p> + <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> + <p>Credit: This issue was identified by Andreas Lindh</p> + </section> </body> </document> Modified: openmeetings/application/trunk/CHANGELOG URL: http://svn.apache.org/viewvc/openmeetings/application/trunk/CHANGELOG?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/trunk/CHANGELOG (original) +++ openmeetings/application/trunk/CHANGELOG Thu Mar 24 17:36:23 2016 
@@ -1,6 +1,31 @@ Apache OpenMeetings Change Log See http://issues.apache.org/jira/browse/OPENMEETINGS-* (where * is the number of the issue below) +See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-* (where * is the number of CVE below) + +Release Notes - Openmeetings - Version 3.1.1 +================================================================================================================ +** Vulnerability + * CVE-2016-0783 - Predictable password reset token + * CVE-2016-0784 - ZIP file path traversal + * CVE-2016-2164 - Arbitrary file read via SOAP API + * CVE-2016-2163 - Stored Cross Site Scripting in Event description + +** Bug + * [OPENMEETINGS-1328] - ConfirmAjaxCallListener should be changed on standard wicket dialog in the MessagesContactsPanel + * [OPENMEETINGS-1339] - Poll results shows uncorrectly + * [OPENMEETINGS-1341] - White page is shown when user try to reset password + * [OPENMEETINGS-1343] - Release signatures should be created automatically + * [OPENMEETINGS-1346] - Error while import a backup from OM version 3.0.2 + * [OPENMEETINGS-1347] - missing sort functionality in administration view + * [OPENMEETINGS-1348] - Backup import with LDAP users from 2.1.0 fails + * [OPENMEETINGS-1351] - Call for Logo page does not say where to send contributions + * [OPENMEETINGS-1354] - Backup zip is being extracted without necessary checks + * [OPENMEETINGS-1355] - random UUID should be user to generate password reset hash + +** Improvement + * [OPENMEETINGS-1337] - Library versions should be updated (3.1.1) + Release Notes - Openmeetings - Version 3.1.0 ================================================================================================================ Modified: openmeetings/application/trunk/README URL: http://svn.apache.org/viewvc/openmeetings/application/trunk/README?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/trunk/README 
(original) +++ openmeetings/application/trunk/README Thu Mar 24 17:36:23 2016 @@ -8,6 +8,21 @@ Apache Openmeetings provides video confe collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming. +Release Notes 3.1.1 +============= +see CHANGELOG file for detailed log + +Service release 1 for 3.1.0, provides security fixes: +* CVE-2016-0783 - Predictable password reset token +* CVE-2016-0784 - ZIP file path traversal +* CVE-2016-2164 - Arbitrary file read via SOAP API +* CVE-2016-2163 - Stored Cross Site Scripting in Event description + +Please update to this release from any previous OpenMeetings release + +Other minor fixes. + + Release Notes 3.1.0 ============= see CHANGELOG file for detailed log Modified: openmeetings/application/trunk/openmeetings-server/src/site/xdoc/CallForLogo.xml URL: http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/CallForLogo.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/trunk/openmeetings-server/src/site/xdoc/CallForLogo.xml (original) +++ openmeetings/application/trunk/openmeetings-server/src/site/xdoc/CallForLogo.xml Thu Mar 24 17:36:23 2016 
@@ -32,7 +32,7 @@ Unfortunately we have no suitable logo for this :(<br/><br/> This page is designed to test all proposed logo and choose the best one - </p> + </p> <p> Please send your logos and opinions to <a href="mail-lists.html">user@ mail list</a> (you need to subscribe first)<br/> Thanks in advance :) Modified: openmeetings/application/trunk/openmeetings-server/src/site/xdoc/NewsArchive.xml URL: http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/NewsArchive.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/trunk/openmeetings-server/src/site/xdoc/NewsArchive.xml (original) +++ openmeetings/application/trunk/openmeetings-server/src/site/xdoc/NewsArchive.xml Thu Mar 24 17:36:23 2016 
@@ -22,8 +22,62 @@ <body> <section name="News"> <div class="bs-callout bs-callout-info"> + <b>Version 3.1.0 released!</b> + <div>SOAP/REST API was implemented using CXF (Axis2 was removed from the stack)<br/> + Build system is now maven (not ant), SWF client is improved + <br/> + SOAP/REST:<br/> + <ul> + <li>CXF is now used instead of Axis2</li> + <li>API was improved: methods are simplified, API is more powerful now</li> + <li>junit tests are added</li> + </ul><br/> + <br/> + Room client:<br/> + <ul> + <li>swf8 client is removed</li> + <li>calls via LocalConnection are removed</li> + <li>room dialogs are based on wicket-jquery-ui dialogs</li> + </ul><br/> + <br/> + Other fixes in admin, localization, installer, invitations, room etc.<br/> + </div> + <span> + 77 issues are fixed please check + <a href="http://archive.apache.org/dist/openmeetings/3.1.0/CHANGELOG">CHANGELOG</a> and + <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12333397">Detailed list</a> + </span> + <span class="bs-callout bs-callout-danger">please NOTE this release contains screen-sharing application signed be self-signed certificate due to <a href="https://issues.apache.org/jira/browse/INFRA-11384">INFRA-11384</a>. + to use screen-sharing application with modern Java, please add OM site to the list of java security exceptions by running $JAVA_HOME/bin/ControlPanel. 
+ </span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.1.0">Archived download</a>.</span> + <span class="date">(2016-03-06)</span> + </div> + <div class="bs-callout bs-callout-info"> + <b>Version 3.0.7 released!</b> + <div>Service release 7 for 3.0.0 contains following improvements and bug fixes:<br/> + <br/> + <ul> + <li>Clustering was tested and fixed, now it works as expected both in OM and plugins</li> + <li>Moderator able to restrict video in restricted room from now on</li> + <li>Private messages with room booking are now works as expected</li> + <li>Crashes in admin are fixed</li> + <li>LDAP: group import</li> + </ul><br/> + <br/> + Other fixes<br/> + </div> + <span> + 20 issues are fixed please check + <a href="http://archive.apache.org/dist/openmeetings/3.0.7/CHANGELOG">CHANGELOG</a> and + <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12332443">Detailed list</a> + </span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.0.7">Archived download</a>.</span> + <span class="date">(2015-09-29)</span> + </div> + <div class="bs-callout bs-callout-info"> <b>Version 3.0.6 released!</b> - <span>Service release 6 for 3.0.0 contains following improvements and bug fixes:<br/> + <div>Service release 6 for 3.0.0 contains following improvements and bug fixes:<br/> <br/> Invitation:<br/> <ul> 
@@ -33,15 +87,15 @@ </ul><br/> <br/> Other fixes<br/> + </div> + <span>7 issues are fixed please check <a href="http://archive.apache.org/dist/openmeetings/3.0.6/CHANGELOG">CHANGELOG</a> for details </span> - <span>7 issues are fixed please check <a href="https://www.apache.org/dist/openmeetings/3.0.6/CHANGELOG">CHANGELOG</a> for details - </span> - <span> See <a href="downloads.html">Downloads page</a>.</span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.0.6">Archived download</a>.</span> <span class="date">(2015-05-25)</span> </div> <div class="bs-callout bs-callout-info"> <b>Version 3.0.5 released!</b> - <span>Service release 5 for 3.0.0 contains following improvements and bug fixes:<br/> + <div>Service release 5 for 3.0.0 contains following improvements and bug fixes:<br/> <br/> Installer:<br/> <ul> @@ -58,15 +112,15 @@ </ul> <br/> Other fixes in SOAP, localizations, invitations etc.:<br/> + </div> + <span>18 issues are fixed please check <a href="http://archive.apache.org/dist/openmeetings/3.0.5/CHANGELOG">CHANGELOG</a> for details </span> - <span>18 issues are fixed please check <a href="https://www.apache.org/dist/openmeetings/3.0.5/CHANGELOG">CHANGELOG</a> for details - </span> - <span> See <a href="downloads.html">Downloads page</a>.</span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.0.5">Archived download</a>.</span> <span class="date">(2015-04-26)</span> </div> <div class="bs-callout bs-callout-info"> <b>Version 3.0.4 released!</b> - <span>Service release 4 for 3.0.0 contains following improvements and bug fixes:<br/> + <div>Service release 4 for 3.0.0 contains following improvements and bug fixes:<br/> <br/> Screen-Sharing:<br/> <ol> 
@@ -89,19 +143,19 @@ <ol> <li>Time zone support is greatly improved</li> </ol> + </div> + <span>67 issues are fixed please check <a href="http://archive.apache.org/dist/openmeetings/3.0.4/CHANGELOG">CHANGELOG</a> for details </span> - <span>67 issues are fixed please check <a href="https://www.apache.org/dist/openmeetings/3.0.4/CHANGELOG">CHANGELOG</a> for details - </span> - <span> See <a href="downloads.html">Downloads page</a>.</span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.0.4">Archived download</a>.</span> <span class="date">(2015-02-15)</span> </div> <div class="bs-callout bs-callout-info"> <b>Version 3.0.3 released!</b> <span>Service release 3 for 3.0.0, no new features were added, <br/> More than 60 issues are fixed, recordings stability is improved, LDAP support is enhanced<br/> - please check <a href="https://www.apache.org/dist/openmeetings/3.0.3/CHANGELOG">CHANGELOG</a> for details + please check <a href="http://archive.apache.org/dist/openmeetings/3.0.3/CHANGELOG">CHANGELOG</a> for details </span> - <span> See <a href="downloads.html">Downloads page</a>.</span> + <span> See <a href="http://archive.apache.org/dist/openmeetings/3.0.3">Archived download</a>.</span> <span class="alert alert-error">please <b>NOTE</b> Java7 is required on both client and server from now on</span> <span class="date">(2014-09-05)</span> </div> Modified: openmeetings/application/trunk/openmeetings-server/src/site/xdoc/ReleaseGuide.xml URL: http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/ReleaseGuide.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/trunk/openmeetings-server/src/site/xdoc/ReleaseGuide.xml (original) +++ openmeetings/application/trunk/openmeetings-server/src/site/xdoc/ReleaseGuide.xml Thu Mar 24 17:36:23 2016 
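Review bot: every CHANGELOG and download link in this hunk, and in the preceding NewsArchive hunks, is rewritten from https://www.apache.org/dist/... to http://archive.apache.org/dist/..., which silently drops TLS; archive.apache.org serves https as well, so keep the https scheme, otherwise a reader following an archived link fetches the release directory and CHANGELOG over a channel an on-path attacker can rewrite. The change from "Downloads page" to "Archived download" itself is right, since downloads.xml now only lists 3.1.1.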
@@ -30,16 +30,13 @@ <p>To build a binary release of OpenMeetings you need: </p> <ul> <li>Sun JDK7</li> - <li>Apache ANT (minimum) 1.8.3</li> + <li>Apache Maven 3.3.9</li> <li> SVN Command line client (Subversion 1.7 required!) - <a href="http://subversion.apache.org/packages.html" target="_blank" - rel="nofollow">http://subversion.apache.org/packages.html</a> + <a href="http://subversion.apache.org/packages.html" target="_blank" rel="nofollow">http://subversion.apache.org/packages.html</a> </li> <li>A text editor</li> - <li>You need to be online! The build process actively downloads - needed libraries and dependencies. - </li> + <li>You need to be online! The build process actively downloads needed libraries and dependencies.</li> <li>Valid certficate to be able to enter <a href="https://securesigning.websecurity.symantec.com/csportal/">https://securesigning.websecurity.symantec.com/csportal/</a> Please ask INFRA in case you need one. </li> Modified: openmeetings/application/trunk/openmeetings-server/src/site/xdoc/downloads.xml URL: http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/downloads.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/trunk/openmeetings-server/src/site/xdoc/downloads.xml (original) +++ openmeetings/application/trunk/openmeetings-server/src/site/xdoc/downloads.xml Thu Mar 24 17:36:23 2016 
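Review bot: "Apache ANT (minimum) 1.8.3" becomes "Apache Maven 3.3.9" with no qualifier, so it is unclear whether 3.3.9 is an exact pin or a minimum; say which, the way the Subversion line in the same list does ("Subversion 1.7 required!"). Two points in the trailing context: "certficate" should read "certificate", and the code-signing step should say what the release manager does when no valid certificate is available, because the index.xml hunk in this commit documents that the 3.1.1 screen-sharing application shipped signed with a self-signed certificate (INFRA-11384); a release guide that only describes the happy path will not reproduce this release.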
@@ -26,8 +26,8 @@ <section name="Downloads"> <p> All downloads can be verified using the Apache OpenMeetings code - signing <a href="https://www.apache.org/dist/openmeetings/3.0.7/KEYS">KEYS</a>, changes: <a - href="https://www.apache.org/dist/openmeetings/3.0.7/CHANGELOG">CHANGELOG</a>. + signing <a href="https://www.apache.org/dist/openmeetings/3.1.1/KEYS">KEYS</a>, changes: <a + href="https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG">CHANGELOG</a>. </p> <p> All are available for download as source and binary. 
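Review bot: the KEYS link is pinned to the release directory (https://www.apache.org/dist/openmeetings/3.1.1/KEYS), so it will break as soon as 3.1.1 is superseded and moved to archive.apache.org, which is exactly the link churn the NewsArchive hunks in this commit are cleaning up for the 3.0.x releases; link a version-independent copy of KEYS (the project's top-level dist directory, if that is where it is published) so the verification instructions stay valid across releases, and keep it on https, since KEYS is the trust root for every signature listed on this page.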
@@ -35,21 +35,21 @@ <subsection name="Latest Official Release"> <p> - Apache Openmeetings 3.0.7 + Apache Openmeetings 3.1.1 </p> <ul> <li> Binaries: <ul> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip">apache-openmeetings-3.0.7.zip</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip.md5">[MD5]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip">apache-openmeetings-3.1.1.zip</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip.sha256">[SHA256]</a> </li> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz">apache-openmeetings-3.0.7.tar.gz</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz.md5">[MD5]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz">apache-openmeetings-3.1.1.tar.gz</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz.sha256">[SHA256]</a> </li> </ul> </li> 
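Review bot: replacing the .md5 links with .sha256 is the right move, but the [SIG] and [SHA256] links in this hunk still use http://www.apache.org/dist/... while the KEYS link above uses https://; the signature and checksum are what a user verifies a mirror-served (closer.lua) download against, so they must come over https from the canonical host, otherwise an attacker who can alter the mirror download can just as easily replace the .asc and .sha256 in transit. Change the scheme on all four links. It would also help to add a one-line hint next to the KEYS sentence on how to use them (import KEYS, gpg --verify the .asc, compare the sha256), since a .sha256 file nobody checks gains nothing over the old .md5.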
@@ -57,14 +57,14 @@ Sources: <ul> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip">apache-openmeetings-3.0.7-src.zip</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip.md5">[MD5]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip">apache-openmeetings-3.1.1-src.zip</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip.sha256">[SHA256]</a> </li> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz">apache-openmeetings-3.0.7-src.tar.gz</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz.md5">[MD5]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz">apache-openmeetings-3.1.1-src.tar.gz</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz.sha256">[SHA256]</a> </li> </ul> </li> Modified: openmeetings/application/trunk/openmeetings-server/src/site/xdoc/index.xml URL: http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/index.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/trunk/openmeetings-server/src/site/xdoc/index.xml (original) +++ 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/index.xml Thu Mar 24 17:36:23 2016 
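Review bot: the source-archive [SIG] and [SHA256] links in this hunk have the same plain-http problem as the binary links: http://www.apache.org/dist/openmeetings/3.1.1/src/...zip.asc, ...zip.sha256, ...tar.gz.asc and ...tar.gz.sha256 should all be https://, because a checksum fetched over an unauthenticated channel adds nothing over the mirror download it is meant to verify. With the scheme fixed, the MD5 to SHA256 switch for the sources is correct and consistent with the binaries.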
@@ -93,43 +93,39 @@ <a class="carousel-control right" href="#slider">›</a> </div> - <p> Openmeetings provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming. </p> - <p> OpenMeetings is a project of the Apache, the old project website at <a href="http://code.google.com/p/openmeetings/" target="_blank">GoogleCode</a> will receive no updates anymore. The website at Apache is the only place that receives updates. </p> - </section> - <section name="News"> <div class="bs-callout bs-callout-danger"> - <b>Version 3.0.7 released!</b> - <span>Service release 7 for 3.0.0 contains following improvements and bug fixes:<br/> + <b>Version 3.1.1 released!</b> + <div>Service release 1 for 3.1.0 contains following improvements and bug fixes:<br/> <br/> - <ul> - <li>Clustering was tested and fixed, now it works as expected both in OM and plugins</li> - <li>Moderator able to restrict video in restricted room from now on</li> - <li>Private messages with room booking are now works as expected</li> - <li>Crashes in admin are fixed</li> - <li>LDAP: group import</li> - </ul><br/> + <span class="bs-callout bs-callout-danger"> + Multiple security vulnerabilities (CVE-2016-0783, CVE-2016-0784, CVE-2016-2163, CVE-2016-2164) were fixed, + please check <a href="security.html">Security Page</a><br/> + </span> <br/> Other fixes<br/> - </span> + </div> <span> - 20 issues are fixed please check - <a href="https://www.apache.org/dist/openmeetings/3.0.7/CHANGELOG">CHANGELOG</a> and - <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12332443">Detailed list</a> + 8 issues are fixed please check <br/> + <a href="https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG">CHANGELOG</a> and + <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12334656">Detailed list</a> + </span> + <span 
class="bs-callout bs-callout-danger">please NOTE this release contains screen-sharing application signed be self-signed certificate due to <a href="https://issues.apache.org/jira/browse/INFRA-11384">INFRA-11384</a>. + to use screen-sharing application with modern Java, please add OM site to the list of java security exceptions by running $JAVA_HOME/bin/ControlPanel. </span> <span> See <a href="downloads.html">Downloads page</a>.</span> - <span class="date">(2015-09-29)</span> + <span class="date">(2016-03-24)</span> </div> <div class="bs-callout bs-callout-info"> <span class="date"><a href="NewsArchive.html">You can find older news here</a></span> Modified: openmeetings/application/trunk/openmeetings-server/src/site/xdoc/security.xml URL: http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/security.xml?rev=1736472&r1=1736471&r2=1736472&view=diff ============================================================================== --- openmeetings/application/trunk/openmeetings-server/src/site/xdoc/security.xml (original) +++ openmeetings/application/trunk/openmeetings-server/src/site/xdoc/security.xml Thu Mar 24 17:36:23 2016 
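Review bot: the screen-sharing warning has a typo ("signed be self-signed certificate" should be "signed by a self-signed certificate") and, more importantly, it tells users to add the OM site to the Java exception site list without saying what that does: the client then skips the publisher check for everything served from that origin, not only this one jar, so the note should state that plainly and be removed as soon as INFRA-11384 is resolved and a properly signed build is available. Markup point: the CVE callout is a span with class "bs-callout bs-callout-danger" nested inside the 3.1.1 div, while every other callout in this hunk is a div; use a div (or drop the callout classes from the span) so the block styling applies consistently. Finally, "Other fixes" now stands alone after the security callout with only a line break before it, reading as a fragment; fold it into the "8 issues are fixed" sentence.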
@@ -37,5 +37,60 @@ Please NOTE: only security issues should be reported to this list. </p> </section> + <section name="CVE-2016-0783 - Predictable password reset token"> + <p>Severity: Critical</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p> + <p>Description: The hash generated by the external password reset function is generated by concatenating the user + name and the current system time, and then hashing it using MD5. This is highly predictable and + can be cracked in seconds by an attacker with knowledge of the user name of an OpenMeetings + user.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0783">CVE-2016-0783</a> + </p> + <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> + <p>Credit: This issue was identified by Andreas Lindh</p> + </section> + <section name="CVE-2016-0784 - ZIP file path traversal"> + <p>Severity: Moderate</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p> + <p>Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu + (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially + crafted file names within ZIP archives. By uploading an archive containing a file named + ../../../public/hello.txt will write the file âhello.txtâ to the http://domain:5080/openmeetings/public/ + directory. 
This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd + party integrated executable) with a shell script, which would be executed the next time an image file + is uploaded and imagemagick is invoked.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0784">CVE-2016-0784</a> + </p> + <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> + <p>Credit: This issue was identified by Andreas Lindh</p> + </section> + <section name="CVE-2016-2163 - Stored Cross Site Scripting in Event description"> + <p>Severity: Moderate</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p> + <p>Description: When creating an event, it is possible to create clickable URL links in the event description. These + links will be present inside the event details once a participant enters the room via the event. It is + possible to create a link like "javascript:alert('xss')", which will execute once the link is clicked. As + the link is placed within an <a> tag, the actual link is not visible to the end user which makes it hard + to tell if the link is legit or not.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2163">CVE-2016-2163</a> + </p> + <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> + <p>Credit: This issue was identified by Andreas Lindh</p> + </section> + <section name="CVE-2016-2164 - Arbitrary file read via SOAP API"> + <p>Severity: Critical</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p> + <p>Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile + methods in the FileService, it is possible to read arbitrary files from the system. 
This is due to that + Java's URL class is used without checking what protocol handler is specified in the API call.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2164">CVE-2016-2164</a> + </p> + <p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p> + <p>Credit: This issue was identified by Andreas Lindh</p> + </section> </body> </document>
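Review bot: the CVE-2016-2163 description contains a literal "<a>" ("As the link is placed within an <a> tag") inside an xdoc XML file; unescaped, it opens an element that is never closed, so the site build will fail on security.xml. Write it as "&lt;a&gt;". Four further points on this hunk. (1) The quotes around hello.txt in CVE-2016-0784 have come through as mis-encoded bytes ("âhello.txtâ"); use plain ASCII double quotes, and "3 rd party" should read "3rd party". (2) "Versions Affected" is inconsistent: CVE-2016-0783 and CVE-2016-0784 give 1.9.x - 3.1.0, but CVE-2016-2163 and CVE-2016-2164 give 1.9.x - 3.0.7 while still telling users to upgrade to 3.1.1; if 3.1.0 is affected the range must end at 3.1.0, and if those two were already fixed in 3.1.0 the advisory should say so instead. (3) The /usr/bin/convert overwrite scenario in CVE-2016-0784 only works if the OpenMeetings process can write to /usr/bin, i.e. it runs as root or with equivalent privileges; say so, both because it qualifies the "Moderate" rating and because it is a useful reminder to run the service under an unprivileged account. (4) Each advisory offers only "upgrade to 3.1.1" as remediation; a Mitigation line for operators who cannot upgrade immediately would help, e.g. restricting the SOAP FileService and the admin backup import to trusted accounts, which the descriptions themselves identify as the entry points for CVE-2016-2164 and CVE-2016-0784.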