Author: solomax
Date: Thu Mar 24 17:36:23 2016
New Revision: 1736472

URL: http://svn.apache.org/viewvc?rev=1736472&view=rev
Log:
3.1.1 Release preparation: documentation update

Modified:
    openmeetings/application/branches/3.1.x/CHANGELOG
    openmeetings/application/branches/3.1.x/README
    openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/NewsArchive.xml
    openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/ReleaseGuide.xml
    openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/downloads.xml
    openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/index.xml
    openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/security.xml
    openmeetings/application/trunk/CHANGELOG
    openmeetings/application/trunk/README
    openmeetings/application/trunk/openmeetings-server/src/site/xdoc/CallForLogo.xml
    openmeetings/application/trunk/openmeetings-server/src/site/xdoc/NewsArchive.xml
    openmeetings/application/trunk/openmeetings-server/src/site/xdoc/ReleaseGuide.xml
    openmeetings/application/trunk/openmeetings-server/src/site/xdoc/downloads.xml
    openmeetings/application/trunk/openmeetings-server/src/site/xdoc/index.xml
    openmeetings/application/trunk/openmeetings-server/src/site/xdoc/security.xml

Modified: openmeetings/application/branches/3.1.x/CHANGELOG
URL: 
http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/CHANGELOG?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- openmeetings/application/branches/3.1.x/CHANGELOG (original)
+++ openmeetings/application/branches/3.1.x/CHANGELOG Thu Mar 24 17:36:23 2016
@@ -1,6 +1,31 @@
 Apache OpenMeetings Change Log
 
 See http://issues.apache.org/jira/browse/OPENMEETINGS-* (where * is the number 
of the issue below)
+See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-* (where * is the 
number of CVE below)
+
+Release Notes - Openmeetings - Version 3.1.1
+================================================================================================================
+** Vulnerability
+    * CVE-2016-0783 - Predictable password reset token
+    * CVE-2016-0784 - ZIP file path traversal
+    * CVE-2016-2164 - Arbitrary file read via SOAP API
+    * CVE-2016-2163 - Stored Cross Site Scripting in Event description
+    
+** Bug
+    * [OPENMEETINGS-1328] - ConfirmAjaxCallListener should be changed on 
standard wicket dialog in the MessagesContactsPanel
+    * [OPENMEETINGS-1339] - Poll results shows uncorrectly
+    * [OPENMEETINGS-1341] - White page is shown when user try to reset password
+    * [OPENMEETINGS-1343] - Release signatures should be created automatically
+    * [OPENMEETINGS-1346] - Error while import a backup from OM version 3.0.2
+    * [OPENMEETINGS-1347] - missing sort functionality in administration view
+    * [OPENMEETINGS-1348] - Backup import with LDAP users from 2.1.0 fails
+    * [OPENMEETINGS-1351] - Call for Logo page does not say where to send 
contributions
+    * [OPENMEETINGS-1354] - Backup zip is being extracted without necessary 
checks
+    * [OPENMEETINGS-1355] - random UUID should be user to generate password 
reset hash
+
+** Improvement
+    * [OPENMEETINGS-1337] - Library versions should be updated (3.1.1)
+
 
 Release Notes - Openmeetings - Version 3.1.0
 
================================================================================================================
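
Review bot: the new "** Vulnerability" block lists four CVEs, but nothing ties them to the entries under "** Bug" that read as their fixes. OPENMEETINGS-1355 ("random UUID should be user to generate password reset hash") looks like the fix for CVE-2016-0783 and OPENMEETINGS-1354 ("Backup zip is being extracted without necessary checks") like the fix for CVE-2016-0784, while CVE-2016-2164 and CVE-2016-2163 have no matching issue in the list at all. Suggest putting the issue key next to each CVE (or the CVE next to each issue) so anyone backporting can map an advisory to a change. Minor: the CVE list is out of numeric order (2164 before 2163), and "should be user" in the OPENMEETINGS-1355 line looks like a typo for "should be used"; if it mirrors the JIRA title, fix it there as well.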

Modified: openmeetings/application/branches/3.1.x/README
URL: 
http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/README?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- openmeetings/application/branches/3.1.x/README (original)
+++ openmeetings/application/branches/3.1.x/README Thu Mar 24 17:36:23 2016
@@ -8,6 +8,21 @@ Apache Openmeetings provides video confe
 collaborative document editing and other groupware tools using API functions 
of 
 the Red5 Streaming Server for Remoting and Streaming. 
 
+Release Notes 3.1.1
+=============
+see CHANGELOG file for detailed log
+
+Service release 1 for 3.1.0, provides security fixes:
+* CVE-2016-0783 - Predictable password reset token
+* CVE-2016-0784 - ZIP file path traversal
+* CVE-2016-2164 - Arbitrary file read via SOAP API
+* CVE-2016-2163 - Stored Cross Site Scripting in Event description
+
+Please update to this release from any previous OpenMeetings release
+
+Other minor fixes.
+
+
 Release Notes 3.1.0
 =============
 see CHANGELOG file for detailed log
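
Review bot: the added "Release Notes 3.1.1" block names the four CVEs but gives neither severity nor affected versions, and "Please update to this release from any previous OpenMeetings release" reads as routine advice even though security.xml in this same revision rates CVE-2016-0783 as Critical. Suggest adding one line that points to the security page and repeats the affected ranges given there, so a reader of the README alone can tell whether an installation is exposed.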

Modified: 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/NewsArchive.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/NewsArchive.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/NewsArchive.xml
 (original)
+++ 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/NewsArchive.xml
 Thu Mar 24 17:36:23 2016
@@ -22,8 +22,62 @@
        <body>
                <section name="News">
                        <div class="bs-callout bs-callout-info">
+                               <b>Version 3.1.0 released!</b>
+                               <div>SOAP/REST API was implemented using CXF 
(Axis2 was removed from the stack)<br/>
+                                       Build system is now maven (not ant), 
SWF client is improved
+                                       <br/>
+                                       SOAP/REST:<br/>
+                                       <ul>
+                                               <li>CXF is now used instead of 
Axis2</li>
+                                               <li>API was improved: methods 
are simplified, API is more powerful now</li>
+                                               <li>junit tests are added</li>
+                                       </ul><br/>
+                                       <br/>
+                                       Room client:<br/>
+                                       <ul>
+                                               <li>swf8 client is removed</li>
+                                               <li>calls via LocalConnection 
are removed</li>
+                                               <li>room dialogs are based on 
wicket-jquery-ui dialogs</li>
+                                       </ul><br/>
+                                       <br/>
+                                       Other fixes in admin, localization, 
installer, invitations, room etc.<br/>
+                               </div>
+                               <span>
+                                       77 issues are fixed please check 
+                                       <a 
href="http://archive.apache.org/dist/openmeetings/3.1.0/CHANGELOG";>CHANGELOG</a>
 and
+                                       <a 
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&amp;version=12333397";>Detailed
 list</a>
+                               </span>
+                               <span class="bs-callout 
bs-callout-danger">please NOTE this release contains screen-sharing application 
signed be self-signed certificate due to <a 
href="https://issues.apache.org/jira/browse/INFRA-11384";>INFRA-11384</a>.
+                                               to use screen-sharing 
application with modern Java, please add OM site to the list of java security 
exceptions by running $JAVA_HOME/bin/ControlPanel.
+                               </span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.1.0";>Archived 
download</a>.</span>
+                               <span class="date">(2016-03-06)</span>
+                       </div>
+                       <div class="bs-callout bs-callout-info">
+                               <b>Version 3.0.7 released!</b>
+                               <div>Service release 7 for 3.0.0 contains 
following improvements and bug fixes:<br/>
+                                       <br/>
+                                       <ul>
+                                               <li>Clustering was tested and 
fixed, now it works as expected both in OM and plugins</li>
+                                               <li>Moderator able to restrict 
video in restricted room from now on</li>
+                                               <li>Private messages with room 
booking are now works as expected</li>
+                                               <li>Crashes in admin are 
fixed</li>
+                                               <li>LDAP: group import</li>
+                                       </ul><br/>
+                                       <br/>
+                                       Other fixes<br/>
+                               </div>
+                               <span>
+                                       20 issues are fixed please check 
+                                       <a 
href="http://archive.apache.org/dist/openmeetings/3.0.7/CHANGELOG";>CHANGELOG</a>
 and
+                                       <a 
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&amp;version=12332443";>Detailed
 list</a>
+                               </span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.0.7";>Archived 
download</a>.</span>
+                               <span class="date">(2015-09-29)</span>
+                       </div>
+                       <div class="bs-callout bs-callout-info">
                                <b>Version 3.0.6 released!</b>
-                               <span>Service release 6 for 3.0.0 contains 
following improvements and bug fixes:<br/>
+                               <div>Service release 6 for 3.0.0 contains 
following improvements and bug fixes:<br/>
                                        <br/>
                                        Invitation:<br/>
                                        <ul>
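
Review bot: the "bs-callout-danger" span in the new 3.1.0 entry tells users to add the OM site to the Java security exception list because the screen-sharing application is self-signed, but gives them nothing to check that certificate against. Suggest publishing the certificate fingerprint (or saying where to obtain it) next to this note, so the exception is granted for a known certificate rather than for whatever the site happens to serve. Wording in the same span: "signed be self-signed certificate" should read "signed by a self-signed certificate", and the sentence starting "to use screen-sharing" needs a capital letter.
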
@@ -33,15 +87,15 @@
                                        </ul><br/>
                                        <br/>
                                        Other fixes<br/>
+                               </div>
+                               <span>7 issues are fixed please check <a 
href="http://archive.apache.org/dist/openmeetings/3.0.6/CHANGELOG";>CHANGELOG</a>
 for details
                                </span>
-                               <span>7 issues are fixed please check <a 
href="https://www.apache.org/dist/openmeetings/3.0.6/CHANGELOG";>CHANGELOG</a> 
for details
-                               </span>
-                               <span> See <a href="downloads.html">Downloads 
page</a>.</span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.0.6";>Archived 
download</a>.</span>
                                <span class="date">(2015-05-25)</span>
                        </div>
                        <div class="bs-callout bs-callout-info">
                                <b>Version 3.0.5 released!</b>
-                               <span>Service release 5 for 3.0.0 contains 
following improvements and bug fixes:<br/>
+                               <div>Service release 5 for 3.0.0 contains 
following improvements and bug fixes:<br/>
                                        <br/>
                                        Installer:<br/>
                                        <ul>
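
Review bot: the CHANGELOG link in the 3.0.6 entry changes from "https://www.apache.org/dist/openmeetings/3.0.6/CHANGELOG" to "http://archive.apache.org/dist/openmeetings/3.0.6/CHANGELOG", which moves it from HTTPS to plaintext HTTP, and the new "Archived download" link uses the same scheme. Suggest keeping https on the archive URLs. The same replacement recurs for the 3.0.5, 3.0.4 and 3.0.3 entries in the following hunks.
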
@@ -58,15 +112,15 @@
                                        </ul>
                                        <br/>
                                        Other fixes in SOAP, localizations, 
invitations etc.:<br/>
+                               </div>
+                               <span>18 issues are fixed please check <a 
href="http://archive.apache.org/dist/openmeetings/3.0.5/CHANGELOG";>CHANGELOG</a>
 for details
                                </span>
-                               <span>18 issues are fixed please check <a 
href="https://www.apache.org/dist/openmeetings/3.0.5/CHANGELOG";>CHANGELOG</a> 
for details
-                               </span>
-                               <span> See <a href="downloads.html">Downloads 
page</a>.</span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.0.5";>Archived 
download</a>.</span>
                                <span class="date">(2015-04-26)</span>
                        </div>
                        <div class="bs-callout bs-callout-info">
                                <b>Version 3.0.4 released!</b>
-                               <span>Service release 4 for 3.0.0 contains 
following improvements and bug fixes:<br/>
+                               <div>Service release 4 for 3.0.0 contains 
following improvements and bug fixes:<br/>
                                        <br/>
                                        Screen-Sharing:<br/>
                                        <ol>
@@ -89,19 +143,19 @@
                                        <ol>
                                                <li>Time zone support is 
greatly improved</li>
                                        </ol>
+                               </div>
+                               <span>67 issues are fixed please check <a 
href="http://archive.apache.org/dist/openmeetings/3.0.4/CHANGELOG";>CHANGELOG</a>
 for details
                                </span>
-                               <span>67 issues are fixed please check <a 
href="https://www.apache.org/dist/openmeetings/3.0.4/CHANGELOG";>CHANGELOG</a> 
for details
-                               </span>
-                               <span> See <a href="downloads.html">Downloads 
page</a>.</span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.0.4";>Archived 
download</a>.</span>
                                <span class="date">(2015-02-15)</span>
                        </div>
                        <div class="bs-callout bs-callout-info">
                                <b>Version 3.0.3 released!</b>
                                <span>Service release 3 for 3.0.0, no new 
features were added, <br/>
                                        More than 60 issues are fixed, 
recordings stability is improved, LDAP support is enhanced<br/>
-                                       please check <a 
href="https://www.apache.org/dist/openmeetings/3.0.3/CHANGELOG";>CHANGELOG</a> 
for details
+                                       please check <a 
href="http://archive.apache.org/dist/openmeetings/3.0.3/CHANGELOG";>CHANGELOG</a>
 for details
                                </span>
-                               <span> See <a href="downloads.html">Downloads 
page</a>.</span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.0.3";>Archived 
download</a>.</span>
                                <span class="alert alert-error">please 
<b>NOTE</b> Java7 is required on both client and server from now on</span>
                                <span class="date">(2014-09-05)</span>
                        </div>

Modified: 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/ReleaseGuide.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/ReleaseGuide.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/ReleaseGuide.xml
 (original)
+++ 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/ReleaseGuide.xml
 Thu Mar 24 17:36:23 2016
@@ -30,16 +30,13 @@
                                        <p>To build a binary release of 
OpenMeetings you need: </p>
                                        <ul>
                                                <li>Sun JDK7</li>
-                                               <li>Apache ANT (minimum) 
1.8.3</li>
+                                               <li>Apache Maven 3.3.9</li>
                                                <li>
                                                        SVN Command line client 
(Subversion 1.7 required!)
-                                                       <a 
href="http://subversion.apache.org/packages.html"; target="_blank"
-                                                               
rel="nofollow">http://subversion.apache.org/packages.html</a>
+                                                       <a 
href="http://subversion.apache.org/packages.html"; target="_blank" 
rel="nofollow">http://subversion.apache.org/packages.html</a>
                                                </li>
                                                <li>A text editor</li>
-                                               <li>You need to be online! The 
build process actively downloads
-                                                       needed libraries and 
dependencies.
-                                               </li>
+                                               <li>You need to be online! The 
build process actively downloads needed libraries and dependencies.</li>
                                                <li>Valid certficate to be able 
to enter <a 
href="https://securesigning.websecurity.symantec.com/csportal/";>https://securesigning.websecurity.symantec.com/csportal/</a>
                                                        Please ask INFRA in 
case you need one.
                                                </li>
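
Review bot: the replacement requirement "Apache Maven 3.3.9" drops the "(minimum)" qualifier that the removed ANT line carried, so the guide no longer says whether 3.3.9 is the lowest supported version or the only one. Suggest stating which it is. While this list is being edited, "Valid certficate" in the unchanged item below is a typo for "certificate".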

Modified: 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/downloads.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/downloads.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/downloads.xml
 (original)
+++ 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/downloads.xml
 Thu Mar 24 17:36:23 2016
@@ -26,8 +26,8 @@
                <section name="Downloads">
                        <p>
                                All downloads can be verified using the Apache 
OpenMeetings code
-                               signing <a 
href="https://www.apache.org/dist/openmeetings/3.0.7/KEYS";>KEYS</a>, changes: 
<a 
-                                       
href="https://www.apache.org/dist/openmeetings/3.0.7/CHANGELOG";>CHANGELOG</a>.
+                               signing <a 
href="https://www.apache.org/dist/openmeetings/3.1.1/KEYS";>KEYS</a>, changes: 
<a 
+                                       
href="https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG";>CHANGELOG</a>.
                        </p>
                        <p>
                                All are available for download as source and 
binary.
@@ -35,21 +35,21 @@
                        
                        <subsection name="Latest Official Release">
                                <p>
-                                       Apache Openmeetings 3.0.7
+                                       Apache Openmeetings 3.1.1
                                </p>
                                <ul>
                                        <li>
                                                Binaries:
                                                <ul>
                                                        <li>
-                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip";>apache-openmeetings-3.0.7.zip</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip.asc";>[SIG]</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip.md5";>[MD5]</a>
+                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip";>apache-openmeetings-3.1.1.zip</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip.asc";>[SIG]</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip.sha256";>[SHA256]</a>
                                                        </li>
                                                        <li>
-                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz";>apache-openmeetings-3.0.7.tar.gz</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz.asc";>[SIG]</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz.md5";>[MD5]</a>
+                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz";>apache-openmeetings-3.1.1.tar.gz</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz.asc";>[SIG]</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz.sha256";>[SHA256]</a>
                                                        </li>
                                                </ul>
                                        </li>
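
Review bot: the new [SIG] and [SHA256] links under Binaries point at "http://www.apache.org/dist/openmeetings/3.1.1/...", while the KEYS link in the previous hunk uses https. A .sha256 file fetched over plaintext HTTP gives no integrity guarantee against anyone able to alter traffic, which undercuts the move from MD5 to SHA256 made here. Suggest switching the .asc and .sha256 hrefs to https so they match KEYS. The Sources entries in the next hunk use the same scheme.
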
@@ -57,14 +57,14 @@
                                                Sources:
                                                <ul>
                                                        <li>
-                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip";>apache-openmeetings-3.0.7-src.zip</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip.asc";>[SIG]</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip.md5";>[MD5]</a>
+                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip";>apache-openmeetings-3.1.1-src.zip</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip.asc";>[SIG]</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip.sha256";>[SHA256]</a>
                                                        </li>
                                                        <li>
-                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz";>apache-openmeetings-3.0.7-src.tar.gz</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz.asc";>[SIG]</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz.md5";>[MD5]</a>
+                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz";>apache-openmeetings-3.1.1-src.tar.gz</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz.asc";>[SIG]</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz.sha256";>[SHA256]</a>
                                                        </li>
                                                </ul>
                                        </li>

Modified: 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/index.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/index.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/index.xml
 (original)
+++ 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/index.xml
 Thu Mar 24 17:36:23 2016
@@ -93,43 +93,39 @@
                                <a class="carousel-control right" 
href="#slider">&rsaquo;</a>
                        </div>
 
-
                        <p> Openmeetings provides video conferencing, instant 
messaging,
                                white board, collaborative document editing and 
other groupware
                                tools using API functions of the Red5 Streaming 
Server for Remoting
                                and Streaming.
                        </p>
-
                        <p>
                                OpenMeetings is a project of the Apache, the 
old project
                                website at <a 
href="http://code.google.com/p/openmeetings/"; target="_blank">GoogleCode</a>
                                will receive no updates anymore. The website at 
Apache is the only place that receives updates.
                        </p>
-
                </section>
-
                <section name="News">
                        <div class="bs-callout bs-callout-danger">
-                               <b>Version 3.0.7 released!</b>
-                               <span>Service release 7 for 3.0.0 contains 
following improvements and bug fixes:<br/>
+                               <b>Version 3.1.1 released!</b>
+                               <div>Service release 1 for 3.1.0 contains 
following improvements and bug fixes:<br/>
                                        <br/>
-                                       <ul>
-                                               <li>Clustering was tested and 
fixed, now it works as expected both in OM and plugins</li>
-                                               <li>Moderator able to restrict 
video in restricted room from now on</li>
-                                               <li>Private messages with room 
booking are now works as expected</li>
-                                               <li>Crashes in admin are 
fixed</li>
-                                               <li>LDAP: group import</li>
-                                       </ul><br/>
+                                       <span class="bs-callout 
bs-callout-danger">
+                                               Multiple security 
vulnerabilities (CVE-2016-0783, CVE-2016-0784, CVE-2016-2163, CVE-2016-2164) 
were fixed,
+                                               please check <a 
href="security.html">Security Page</a><br/>
+                                       </span>
                                        <br/>
                                        Other fixes<br/>
-                               </span>
+                               </div>
                                <span>
-                                       20 issues are fixed please check 
-                                       <a 
href="https://www.apache.org/dist/openmeetings/3.0.7/CHANGELOG";>CHANGELOG</a> 
and
-                                       <a 
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&amp;version=12332443";>Detailed
 list</a>
+                                       8 issues are fixed please check <br/>
+                                       <a 
href="https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG";>CHANGELOG</a> 
and
+                                       <a 
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&amp;version=12334656";>Detailed
 list</a>
+                               </span>
+                               <span class="bs-callout 
bs-callout-danger">please NOTE this release contains screen-sharing application 
signed be self-signed certificate due to <a 
href="https://issues.apache.org/jira/browse/INFRA-11384";>INFRA-11384</a>.
+                                               to use screen-sharing 
application with modern Java, please add OM site to the list of java security 
exceptions by running $JAVA_HOME/bin/ControlPanel.
                                </span>
                                <span> See <a href="downloads.html">Downloads 
page</a>.</span>
-                               <span class="date">(2015-09-29)</span>
+                               <span class="date">(2016-03-24)</span>
                        </div>
                        <div class="bs-callout bs-callout-info">
                                <span class="date"><a 
href="NewsArchive.html">You can find older news here</a></span>
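
Review bot: the added line "8 issues are fixed please check" does not match the CHANGELOG in this same revision, which lists ten [OPENMEETINGS-*] bugs and one improvement for 3.1.1 in addition to the four CVEs. Suggest correcting the number or dropping it in favour of the two links. The intro "Service release 1 for 3.1.0 contains following improvements and bug fixes:" also undersells the entry, since the first thing under it is the security callout; consider leading with the security fixes. The "signed be self-signed certificate" wording is repeated here from NewsArchive.xml and should read "signed by a self-signed certificate".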

Modified: 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/security.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/security.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/security.xml
 (original)
+++ 
openmeetings/application/branches/3.1.x/openmeetings-server/src/site/xdoc/security.xml
 Thu Mar 24 17:36:23 2016
@@ -37,5 +37,60 @@
                                Please NOTE: only security issues should be 
reported to this list.
                        </p>
                </section>
+               <section name="CVE-2016-0783 - Predictable password reset 
token">
+                       <p>Severity: Critical</p>
+                       <p>Vendor: The Apache Software Foundation</p>
+                       <p>Versions Affected: Apache OpenMeetings 1.9.x - 
3.1.0</p>
+                       <p>Description: The hash generated by the external 
password reset function is generated by concatenating the user
+                               name and the current system time, and then 
hashing it using MD5. This is highly predictable and
+                               can be cracked in seconds by an attacker with 
knowledge of the user name of an OpenMeetings
+                               user.<br/>
+                               <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0783";>CVE-2016-0783</a>
+                       </p>
+                       <p>All users are recommended to upgrade to Apache 
OpenMeetings 3.1.1</p>
+                       <p>Credit: This issue was identified by Andreas 
Lindh</p>
+               </section>
+               <section name="CVE-2016-0784 - ZIP file path traversal">
+                       <p>Severity: Moderate</p>
+                       <p>Vendor: The Apache Software Foundation</p>
+                       <p>Versions Affected: Apache OpenMeetings 1.9.x - 
3.1.0</p>
+                       <p>Description: The Import/Export System Backups 
functionality in the OpenMeetings Administration menu
+                               (http://domain:5080/openmeetings/#admin/backup) 
is vulnerable to path traversal via specially
+                               crafted file names within ZIP archives. By 
uploading an archive containing a file named
+                               ../../../public/hello.txt will write the file 
“hello.txt” to the http://domain:5080/openmeetings/public/
+                               directory. This could be used to, for example, 
overwrite the /usr/bin/convert file (or any other 3 rd
+                               party integrated executable) with a shell 
script, which would be executed the next time an image file
+                               is uploaded and imagemagick is invoked.<br/>
+                               <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0784";>CVE-2016-0784</a>
+                       </p>
+                       <p>All users are recommended to upgrade to Apache 
OpenMeetings 3.1.1</p>
+                       <p>Credit: This issue was identified by Andreas 
Lindh</p>
+               </section>
+               <section name="CVE-2016-2163 - Stored Cross Site Scripting in 
Event description">
+                       <p>Severity: Moderate</p>
+                       <p>Vendor: The Apache Software Foundation</p>
+                       <p>Versions Affected: Apache OpenMeetings 1.9.x - 
3.0.7</p>
+                       <p>Description: When creating an event, it is possible 
to create clickable URL links in the event description. These
+                               links will be present inside the event details 
once a participant enters the room via the event. It is
+                               possible to create a link like 
"javascript:alert('xss')", which will execute once the link is clicked. As
+                               the link is placed within an &lt;a&gt; tag, the 
actual link is not visible to the end user which makes it hard
+                               to tell if the link is legit or not.<br/>
+                               <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2163";>CVE-2016-2163</a>
+                       </p>
+                       <p>All users are recommended to upgrade to Apache 
OpenMeetings 3.1.1</p>
+                       <p>Credit: This issue was identified by Andreas 
Lindh</p>
+               </section>
+               <section name="CVE-2016-2164 - Arbitrary file read via SOAP 
API">
+                       <p>Severity: Critical</p>
+                       <p>Vendor: The Apache Software Foundation</p>
+                       <p>Versions Affected: Apache OpenMeetings 1.9.x - 
3.0.7</p>
+                       <p>Description: When attempting to upload a file via 
the API using the importFileByInternalUserId or importFile
+                               methods in the FileService, it is possible to 
read arbitrary files from the system. This is due to that
+                               Java's URL class is used without checking what 
protocol handler is specified in the API call.<br/>
+                               <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2164";>CVE-2016-2164</a>
+                       </p>
+                       <p>All users are recommended to upgrade to Apache 
OpenMeetings 3.1.1</p>
+                       <p>Credit: This issue was identified by Andreas 
Lindh</p>
+               </section>
        </body>
 </document>
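
Review bot: The affected-version ranges disagree with the fix version. The CVE-2016-2163 and CVE-2016-2164 sections say "Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7" while CVE-2016-0783 and CVE-2016-0784 say "1.9.x - 3.1.0", yet all four sections recommend upgrading to 3.1.1 and the README in this commit lists all four as fixed by 3.1.1. Either 3.1.0 is affected by the XSS and SOAP file-read issues and the range should end at 3.1.0, or it is not and the text should name the release that first carried the fix, so that operators on 3.1.0 can judge their exposure. Separately, the CVE-2016-0784 description has a broken sentence ("By uploading an archive containing a file named ../../../public/hello.txt will write the file ...") and "3 rd party" has a stray space.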

Modified: openmeetings/application/trunk/CHANGELOG
URL: 
http://svn.apache.org/viewvc/openmeetings/application/trunk/CHANGELOG?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- openmeetings/application/trunk/CHANGELOG (original)
+++ openmeetings/application/trunk/CHANGELOG Thu Mar 24 17:36:23 2016
@@ -1,6 +1,31 @@
 Apache OpenMeetings Change Log
 
 See http://issues.apache.org/jira/browse/OPENMEETINGS-* (where * is the number 
of the issue below)
+See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-* (where * is the 
number of CVE below)
+
+Release Notes - Openmeetings - Version 3.1.1
+================================================================================================================
+** Vulnerability
+    * CVE-2016-0783 - Predictable password reset token
+    * CVE-2016-0784 - ZIP file path traversal
+    * CVE-2016-2164 - Arbitrary file read via SOAP API
+    * CVE-2016-2163 - Stored Cross Site Scripting in Event description
+    
+** Bug
+    * [OPENMEETINGS-1328] - ConfirmAjaxCallListener should be changed on 
standard wicket dialog in the MessagesContactsPanel
+    * [OPENMEETINGS-1339] - Poll results shows uncorrectly
+    * [OPENMEETINGS-1341] - White page is shown when user try to reset password
+    * [OPENMEETINGS-1343] - Release signatures should be created automatically
+    * [OPENMEETINGS-1346] - Error while import a backup from OM version 3.0.2
+    * [OPENMEETINGS-1347] - missing sort functionality in administration view
+    * [OPENMEETINGS-1348] - Backup import with LDAP users from 2.1.0 fails
+    * [OPENMEETINGS-1351] - Call for Logo page does not say where to send 
contributions
+    * [OPENMEETINGS-1354] - Backup zip is being extracted without necessary 
checks
+    * [OPENMEETINGS-1355] - random UUID should be user to generate password 
reset hash
+
+** Improvement
+    * [OPENMEETINGS-1337] - Library versions should be updated (3.1.1)
+
 
 Release Notes - Openmeetings - Version 3.1.0
 
================================================================================================================
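
Review bot: The four entries under "** Vulnerability" carry no issue keys, so a reader cannot tell which change fixed which CVE. OPENMEETINGS-1354 ("Backup zip is being extracted without necessary checks") and OPENMEETINGS-1355 ("random UUID should be user to generate password reset hash") read like the fixes for CVE-2016-0784 and CVE-2016-0783; consider cross-referencing them, and note that nothing in the Bug list visibly corresponds to CVE-2016-2163 or CVE-2016-2164. The CVE order here (0783, 0784, 2164, 2163) also differs from security.xml, and "should be user" in the 1355 line looks like a typo for "used" unless it mirrors the JIRA title.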

Modified: openmeetings/application/trunk/README
URL: 
http://svn.apache.org/viewvc/openmeetings/application/trunk/README?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- openmeetings/application/trunk/README (original)
+++ openmeetings/application/trunk/README Thu Mar 24 17:36:23 2016
@@ -8,6 +8,21 @@ Apache Openmeetings provides video confe
 collaborative document editing and other groupware tools using API functions 
of 
 the Red5 Streaming Server for Remoting and Streaming. 
 
+Release Notes 3.1.1
+=============
+see CHANGELOG file for detailed log
+
+Service release 1 for 3.1.0, provides security fixes:
+* CVE-2016-0783 - Predictable password reset token
+* CVE-2016-0784 - ZIP file path traversal
+* CVE-2016-2164 - Arbitrary file read via SOAP API
+* CVE-2016-2163 - Stored Cross Site Scripting in Event description
+
+Please update to this release from any previous OpenMeetings release
+
+Other minor fixes.
+
+
 Release Notes 3.1.0
 =============
 see CHANGELOG file for detailed log
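
Review bot: The added release notes name the four CVEs but give neither the affected versions nor a pointer to the security page, so someone reading only the README cannot tell whether their install is exposed. A one-line reference to the site's security page (security.xml in this commit) after the CVE list would cover that. "Other minor fixes." would also read better placed before the upgrade sentence, since it describes the release rather than the action to take.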

Modified: 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/CallForLogo.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/CallForLogo.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/CallForLogo.xml
 (original)
+++ 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/CallForLogo.xml
 Thu Mar 24 17:36:23 2016
@@ -32,7 +32,7 @@
                                Unfortunately we have no suitable logo for this 
:(<br/><br/>
 
                                This page is designed to test all proposed logo 
and choose the best one
-                       </p>                    
+                       </p>
                        <p>
                                Please send your logos and opinions to <a 
href="mail-lists.html">user@ mail list</a> (you need to subscribe first)<br/>
                                Thanks in advance :)

Modified: 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/NewsArchive.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/NewsArchive.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/NewsArchive.xml
 (original)
+++ 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/NewsArchive.xml
 Thu Mar 24 17:36:23 2016
@@ -22,8 +22,62 @@
        <body>
                <section name="News">
                        <div class="bs-callout bs-callout-info">
+                               <b>Version 3.1.0 released!</b>
+                               <div>SOAP/REST API was implemented using CXF 
(Axis2 was removed from the stack)<br/>
+                                       Build system is now maven (not ant), 
SWF client is improved
+                                       <br/>
+                                       SOAP/REST:<br/>
+                                       <ul>
+                                               <li>CXF is now used instead of 
Axis2</li>
+                                               <li>API was improved: methods 
are simplified, API is more powerful now</li>
+                                               <li>junit tests are added</li>
+                                       </ul><br/>
+                                       <br/>
+                                       Room client:<br/>
+                                       <ul>
+                                               <li>swf8 client is removed</li>
+                                               <li>calls via LocalConnection 
are removed</li>
+                                               <li>room dialogs are based on 
wicket-jquery-ui dialogs</li>
+                                       </ul><br/>
+                                       <br/>
+                                       Other fixes in admin, localization, 
installer, invitations, room etc.<br/>
+                               </div>
+                               <span>
+                                       77 issues are fixed please check 
+                                       <a 
href="http://archive.apache.org/dist/openmeetings/3.1.0/CHANGELOG";>CHANGELOG</a>
 and
+                                       <a 
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&amp;version=12333397";>Detailed
 list</a>
+                               </span>
+                               <span class="bs-callout 
bs-callout-danger">please NOTE this release contains screen-sharing application 
signed be self-signed certificate due to <a 
href="https://issues.apache.org/jira/browse/INFRA-11384";>INFRA-11384</a>.
+                                               to use screen-sharing 
application with modern Java, please add OM site to the list of java security 
exceptions by running $JAVA_HOME/bin/ControlPanel.
+                               </span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.1.0";>Archived 
download</a>.</span>
+                               <span class="date">(2016-03-06)</span>
+                       </div>
+                       <div class="bs-callout bs-callout-info">
+                               <b>Version 3.0.7 released!</b>
+                               <div>Service release 7 for 3.0.0 contains 
following improvements and bug fixes:<br/>
+                                       <br/>
+                                       <ul>
+                                               <li>Clustering was tested and 
fixed, now it works as expected both in OM and plugins</li>
+                                               <li>Moderator able to restrict 
video in restricted room from now on</li>
+                                               <li>Private messages with room 
booking are now works as expected</li>
+                                               <li>Crashes in admin are 
fixed</li>
+                                               <li>LDAP: group import</li>
+                                       </ul><br/>
+                                       <br/>
+                                       Other fixes<br/>
+                               </div>
+                               <span>
+                                       20 issues are fixed please check 
+                                       <a 
href="http://archive.apache.org/dist/openmeetings/3.0.7/CHANGELOG";>CHANGELOG</a>
 and
+                                       <a 
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&amp;version=12332443";>Detailed
 list</a>
+                               </span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.0.7";>Archived 
download</a>.</span>
+                               <span class="date">(2015-09-29)</span>
+                       </div>
+                       <div class="bs-callout bs-callout-info">
                                <b>Version 3.0.6 released!</b>
-                               <span>Service release 6 for 3.0.0 contains 
following improvements and bug fixes:<br/>
+                               <div>Service release 6 for 3.0.0 contains 
following improvements and bug fixes:<br/>
                                        <br/>
                                        Invitation:<br/>
                                        <ul>
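
Review bot: In the added 3.1.0 entry, the danger callout reads "signed be self-signed certificate", which should be "signed by a self-signed certificate". The same callout asks users to add the OM site to the Java security exception list; since that relaxes the client's code-signing checks, consider stating that the exception is needed only for the screen-sharing application and only while INFRA-11384 is open. In the 3.0.7 entry, "are now works as expected" should be "now work as expected".
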
@@ -33,15 +87,15 @@
                                        </ul><br/>
                                        <br/>
                                        Other fixes<br/>
+                               </div>
+                               <span>7 issues are fixed please check <a 
href="http://archive.apache.org/dist/openmeetings/3.0.6/CHANGELOG";>CHANGELOG</a>
 for details
                                </span>
-                               <span>7 issues are fixed please check <a 
href="https://www.apache.org/dist/openmeetings/3.0.6/CHANGELOG";>CHANGELOG</a> 
for details
-                               </span>
-                               <span> See <a href="downloads.html">Downloads 
page</a>.</span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.0.6";>Archived 
download</a>.</span>
                                <span class="date">(2015-05-25)</span>
                        </div>
                        <div class="bs-callout bs-callout-info">
                                <b>Version 3.0.5 released!</b>
-                               <span>Service release 5 for 3.0.0 contains 
following improvements and bug fixes:<br/>
+                               <div>Service release 5 for 3.0.0 contains 
following improvements and bug fixes:<br/>
                                        <br/>
                                        Installer:<br/>
                                        <ul>
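
Review bot: The CHANGELOG link for 3.0.6 moves from https://www.apache.org/dist/... to http://archive.apache.org/dist/..., which drops TLS for a link readers follow to learn what a release fixed. Unless the archive host cannot serve HTTPS, keep the https scheme on the archive URLs; the same substitution is made for the 3.0.5, 3.0.4 and 3.0.3 entries in the following hunks, and the entries added at the top of this file also use plain http.
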
@@ -58,15 +112,15 @@
                                        </ul>
                                        <br/>
                                        Other fixes in SOAP, localizations, 
invitations etc.:<br/>
+                               </div>
+                               <span>18 issues are fixed please check <a 
href="http://archive.apache.org/dist/openmeetings/3.0.5/CHANGELOG";>CHANGELOG</a>
 for details
                                </span>
-                               <span>18 issues are fixed please check <a 
href="https://www.apache.org/dist/openmeetings/3.0.5/CHANGELOG";>CHANGELOG</a> 
for details
-                               </span>
-                               <span> See <a href="downloads.html">Downloads 
page</a>.</span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.0.5";>Archived 
download</a>.</span>
                                <span class="date">(2015-04-26)</span>
                        </div>
                        <div class="bs-callout bs-callout-info">
                                <b>Version 3.0.4 released!</b>
-                               <span>Service release 4 for 3.0.0 contains 
following improvements and bug fixes:<br/>
+                               <div>Service release 4 for 3.0.0 contains 
following improvements and bug fixes:<br/>
                                        <br/>
                                        Screen-Sharing:<br/>
                                        <ol>
@@ -89,19 +143,19 @@
                                        <ol>
                                                <li>Time zone support is 
greatly improved</li>
                                        </ol>
+                               </div>
+                               <span>67 issues are fixed please check <a 
href="http://archive.apache.org/dist/openmeetings/3.0.4/CHANGELOG";>CHANGELOG</a>
 for details
                                </span>
-                               <span>67 issues are fixed please check <a 
href="https://www.apache.org/dist/openmeetings/3.0.4/CHANGELOG";>CHANGELOG</a> 
for details
-                               </span>
-                               <span> See <a href="downloads.html">Downloads 
page</a>.</span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.0.4";>Archived 
download</a>.</span>
                                <span class="date">(2015-02-15)</span>
                        </div>
                        <div class="bs-callout bs-callout-info">
                                <b>Version 3.0.3 released!</b>
                                <span>Service release 3 for 3.0.0, no new 
features were added, <br/>
                                        More than 60 issues are fixed, 
recordings stability is improved, LDAP support is enhanced<br/>
-                                       please check <a 
href="https://www.apache.org/dist/openmeetings/3.0.3/CHANGELOG";>CHANGELOG</a> 
for details
+                                       please check <a 
href="http://archive.apache.org/dist/openmeetings/3.0.3/CHANGELOG";>CHANGELOG</a>
 for details
                                </span>
-                               <span> See <a href="downloads.html">Downloads 
page</a>.</span>
+                               <span> See <a 
href="http://archive.apache.org/dist/openmeetings/3.0.3";>Archived 
download</a>.</span>
                                <span class="alert alert-error">please 
<b>NOTE</b> Java7 is required on both client and server from now on</span>
                                <span class="date">(2014-09-05)</span>
                        </div>

Modified: 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/ReleaseGuide.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/ReleaseGuide.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/ReleaseGuide.xml
 (original)
+++ 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/ReleaseGuide.xml
 Thu Mar 24 17:36:23 2016
@@ -30,16 +30,13 @@
                                        <p>To build a binary release of 
OpenMeetings you need: </p>
                                        <ul>
                                                <li>Sun JDK7</li>
-                                               <li>Apache ANT (minimum) 
1.8.3</li>
+                                               <li>Apache Maven 3.3.9</li>
                                                <li>
                                                        SVN Command line client 
(Subversion 1.7 required!)
-                                                       <a 
href="http://subversion.apache.org/packages.html"; target="_blank"
-                                                               
rel="nofollow">http://subversion.apache.org/packages.html</a>
+                                                       <a 
href="http://subversion.apache.org/packages.html"; target="_blank" 
rel="nofollow">http://subversion.apache.org/packages.html</a>
                                                </li>
                                                <li>A text editor</li>
-                                               <li>You need to be online! The 
build process actively downloads
-                                                       needed libraries and 
dependencies.
-                                               </li>
+                                               <li>You need to be online! The 
build process actively downloads needed libraries and dependencies.</li>
                                                <li>Valid certficate to be able 
to enter <a 
href="https://securesigning.websecurity.symantec.com/csportal/";>https://securesigning.websecurity.symantec.com/csportal/</a>
                                                        Please ask INFRA in 
case you need one.
                                                </li>
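
Review bot: "Apache Maven 3.3.9" replaces "Apache ANT (minimum) 1.8.3" and loses the "(minimum)" qualifier, so it is unclear whether 3.3.9 is required exactly or is a lower bound; say which. The unchanged line just below still reads "Valid certficate", which could be corrected in the same pass since the surrounding list is being touched.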

Modified: 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/downloads.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/downloads.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/downloads.xml 
(original)
+++ 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/downloads.xml 
Thu Mar 24 17:36:23 2016
@@ -26,8 +26,8 @@
                <section name="Downloads">
                        <p>
                                All downloads can be verified using the Apache 
OpenMeetings code
-                               signing <a 
href="https://www.apache.org/dist/openmeetings/3.0.7/KEYS";>KEYS</a>, changes: 
<a 
-                                       
href="https://www.apache.org/dist/openmeetings/3.0.7/CHANGELOG";>CHANGELOG</a>.
+                               signing <a 
href="https://www.apache.org/dist/openmeetings/3.1.1/KEYS";>KEYS</a>, changes: 
<a 
+                                       
href="https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG";>CHANGELOG</a>.
                        </p>
                        <p>
                                All are available for download as source and 
binary.
@@ -35,21 +35,21 @@
                        
                        <subsection name="Latest Official Release">
                                <p>
-                                       Apache Openmeetings 3.0.7
+                                       Apache Openmeetings 3.1.1
                                </p>
                                <ul>
                                        <li>
                                                Binaries:
                                                <ul>
                                                        <li>
-                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip";>apache-openmeetings-3.0.7.zip</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip.asc";>[SIG]</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.zip.md5";>[MD5]</a>
+                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip";>apache-openmeetings-3.1.1.zip</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip.asc";>[SIG]</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.zip.sha256";>[SHA256]</a>
                                                        </li>
                                                        <li>
-                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz";>apache-openmeetings-3.0.7.tar.gz</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz.asc";>[SIG]</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/bin/apache-openmeetings-3.0.7.tar.gz.md5";>[MD5]</a>
+                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz";>apache-openmeetings-3.1.1.tar.gz</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz.asc";>[SIG]</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/bin/apache-openmeetings-3.1.1.tar.gz.sha256";>[SHA256]</a>
                                                        </li>
                                                </ul>
                                        </li>
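
Review bot: Replacing the [MD5] links with [SHA256] is the right direction, but the [SIG] and [SHA256] links still use http://www.apache.org/dist/... while the KEYS link in the previous hunk uses https. A checksum fetched over plain HTTP can be replaced in transit along with the archive it is meant to verify, so point these links at https://www.apache.org/dist/... as well; the source artifacts in the next hunk follow the same pattern.
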
@@ -57,14 +57,14 @@
                                                Sources:
                                                <ul>
                                                        <li>
-                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip";>apache-openmeetings-3.0.7-src.zip</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip.asc";>[SIG]</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.zip.md5";>[MD5]</a>
+                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip";>apache-openmeetings-3.1.1-src.zip</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip.asc";>[SIG]</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.zip.sha256";>[SHA256]</a>
                                                        </li>
                                                        <li>
-                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz";>apache-openmeetings-3.0.7-src.tar.gz</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz.asc";>[SIG]</a>
-                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.0.7/src/apache-openmeetings-3.0.7-src.tar.gz.md5";>[MD5]</a>
+                                                               <a 
href="http://www.apache.org/dyn/closer.lua/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz";>apache-openmeetings-3.1.1-src.tar.gz</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz.asc";>[SIG]</a>
+                                                               <a 
href="http://www.apache.org/dist/openmeetings/3.1.1/src/apache-openmeetings-3.1.1-src.tar.gz.sha256";>[SHA256]</a>
                                                        </li>
                                                </ul>
                                        </li>

Modified: 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/index.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/index.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- openmeetings/application/trunk/openmeetings-server/src/site/xdoc/index.xml 
(original)
+++ openmeetings/application/trunk/openmeetings-server/src/site/xdoc/index.xml 
Thu Mar 24 17:36:23 2016
@@ -93,43 +93,39 @@
                                <a class="carousel-control right" 
href="#slider">&rsaquo;</a>
                        </div>
 
-
                        <p> Openmeetings provides video conferencing, instant 
messaging,
                                white board, collaborative document editing and 
other groupware
                                tools using API functions of the Red5 Streaming 
Server for Remoting
                                and Streaming.
                        </p>
-
                        <p>
                                OpenMeetings is a project of the Apache, the 
old project
                                website at <a 
href="http://code.google.com/p/openmeetings/"; target="_blank">GoogleCode</a>
                                will receive no updates anymore. The website at 
Apache is the only place that receives updates.
                        </p>
-
                </section>
-
                <section name="News">
                        <div class="bs-callout bs-callout-danger">
-                               <b>Version 3.0.7 released!</b>
-                               <span>Service release 7 for 3.0.0 contains 
following improvements and bug fixes:<br/>
+                               <b>Version 3.1.1 released!</b>
+                               <div>Service release 1 for 3.1.0 contains 
following improvements and bug fixes:<br/>
                                        <br/>
-                                       <ul>
-                                               <li>Clustering was tested and 
fixed, now it works as expected both in OM and plugins</li>
-                                               <li>Moderator able to restrict 
video in restricted room from now on</li>
-                                               <li>Private messages with room 
booking are now works as expected</li>
-                                               <li>Crashes in admin are 
fixed</li>
-                                               <li>LDAP: group import</li>
-                                       </ul><br/>
+                                       <span class="bs-callout 
bs-callout-danger">
+                                               Multiple security 
vulnerabilities (CVE-2016-0783, CVE-2016-0784, CVE-2016-2163, CVE-2016-2164) 
were fixed,
+                                               please check <a 
href="security.html">Security Page</a><br/>
+                                       </span>
                                        <br/>
                                        Other fixes<br/>
-                               </span>
+                               </div>
                                <span>
-                                       20 issues are fixed please check 
-                                       <a 
href="https://www.apache.org/dist/openmeetings/3.0.7/CHANGELOG";>CHANGELOG</a> 
and
-                                       <a 
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&amp;version=12332443";>Detailed
 list</a>
+                                       8 issues are fixed please check <br/>
+                                       <a 
href="https://www.apache.org/dist/openmeetings/3.1.1/CHANGELOG";>CHANGELOG</a> 
and
+                                       <a 
href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&amp;version=12334656";>Detailed
 list</a>
+                               </span>
+                               <span class="bs-callout 
bs-callout-danger">please NOTE this release contains screen-sharing application 
signed be self-signed certificate due to <a 
href="https://issues.apache.org/jira/browse/INFRA-11384";>INFRA-11384</a>.
+                                               to use screen-sharing 
application with modern Java, please add OM site to the list of java security 
exceptions by running $JAVA_HOME/bin/ControlPanel.
                                </span>
                                <span> See <a href="downloads.html">Downloads 
page</a>.</span>
-                               <span class="date">(2015-09-29)</span>
+                               <span class="date">(2016-03-24)</span>
                        </div>
                        <div class="bs-callout bs-callout-info">
                                <span class="date"><a 
href="NewsArchive.html">You can find older news here</a></span>
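Review bot: in the second added bs-callout-danger span, "signed be self-signed certificate" should read "signed by a self-signed certificate", and the sentence after the INFRA-11384 link starts in lower case ("to use screen-sharing application ..."). Because this callout asks users to add the OM site to the Java security exception list, it should say that the exception applies only to their own OM site URL and is a workaround tied to INFRA-11384, so readers do not leave a broader exception in place than the release needs. Style point: both new danger callouts are span elements, while the sibling "older news" callout below uses div class="bs-callout bs-callout-info". Using div for all of them would keep the markup consistent.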

Modified: 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/security.xml
URL: 
http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-server/src/site/xdoc/security.xml?rev=1736472&r1=1736471&r2=1736472&view=diff
==============================================================================
--- 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/security.xml 
(original)
+++ 
openmeetings/application/trunk/openmeetings-server/src/site/xdoc/security.xml 
Thu Mar 24 17:36:23 2016
@@ -37,5 +37,60 @@
                                Please NOTE: only security issues should be 
reported to this list.
                        </p>
                </section>
+               <section name="CVE-2016-0783 - Predictable password reset 
token">
+                       <p>Severity: Critical</p>
+                       <p>Vendor: The Apache Software Foundation</p>
+                       <p>Versions Affected: Apache OpenMeetings 1.9.x - 
3.1.0</p>
+                       <p>Description: The hash generated by the external 
password reset function is generated by concatenating the user
+                               name and the current system time, and then 
hashing it using MD5. This is highly predictable and
+                               can be cracked in seconds by an attacker with 
knowledge of the user name of an OpenMeetings
+                               user.<br/>
+                               <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0783";>CVE-2016-0783</a>
+                       </p>
+                       <p>All users are recommended to upgrade to Apache 
OpenMeetings 3.1.1</p>
+                       <p>Credit: This issue was identified by Andreas 
Lindh</p>
+               </section>
+               <section name="CVE-2016-0784 - ZIP file path traversal">
+                       <p>Severity: Moderate</p>
+                       <p>Vendor: The Apache Software Foundation</p>
+                       <p>Versions Affected: Apache OpenMeetings 1.9.x - 
3.1.0</p>
+                       <p>Description: The Import/Export System Backups 
functionality in the OpenMeetings Administration menu
+                               (http://domain:5080/openmeetings/#admin/backup) 
is vulnerable to path traversal via specially
+                               crafted file names within ZIP archives. By 
uploading an archive containing a file named
+                               ../../../public/hello.txt will write the file 
“hello.txt” to the http://domain:5080/openmeetings/public/
+                               directory. This could be used to, for example, 
overwrite the /usr/bin/convert file (or any other 3 rd
+                               party integrated executable) with a shell 
script, which would be executed the next time an image file
+                               is uploaded and imagemagick is invoked.<br/>
+                               <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0784";>CVE-2016-0784</a>
+                       </p>
+                       <p>All users are recommended to upgrade to Apache 
OpenMeetings 3.1.1</p>
+                       <p>Credit: This issue was identified by Andreas 
Lindh</p>
+               </section>
+               <section name="CVE-2016-2163 - Stored Cross Site Scripting in 
Event description">
+                       <p>Severity: Moderate</p>
+                       <p>Vendor: The Apache Software Foundation</p>
+                       <p>Versions Affected: Apache OpenMeetings 1.9.x - 
3.0.7</p>
+                       <p>Description: When creating an event, it is possible 
to create clickable URL links in the event description. These
+                               links will be present inside the event details 
once a participant enters the room via the event. It is
+                               possible to create a link like 
"javascript:alert('xss')", which will execute once the link is clicked. As
+                               the link is placed within an &lt;a&gt; tag, the 
actual link is not visible to the end user which makes it hard
+                               to tell if the link is legit or not.<br/>
+                               <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2163";>CVE-2016-2163</a>
+                       </p>
+                       <p>All users are recommended to upgrade to Apache 
OpenMeetings 3.1.1</p>
+                       <p>Credit: This issue was identified by Andreas 
Lindh</p>
+               </section>
+               <section name="CVE-2016-2164 - Arbitrary file read via SOAP 
API">
+                       <p>Severity: Critical</p>
+                       <p>Vendor: The Apache Software Foundation</p>
+                       <p>Versions Affected: Apache OpenMeetings 1.9.x - 
3.0.7</p>
+                       <p>Description: When attempting to upload a file via 
the API using the importFileByInternalUserId or importFile
+                               methods in the FileService, it is possible to 
read arbitrary files from the system. This is due to that
+                               Java's URL class is used without checking what 
protocol handler is specified in the API call.<br/>
+                               <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2164";>CVE-2016-2164</a>
+                       </p>
+                       <p>All users are recommended to upgrade to Apache 
OpenMeetings 3.1.1</p>
+                       <p>Credit: This issue was identified by Andreas 
Lindh</p>
+               </section>
        </body>
 </document>
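Review bot: the "Versions Affected" lines in the CVE-2016-2163 and CVE-2016-2164 sections end at 3.0.7, while CVE-2016-0783 and CVE-2016-0784 end at 3.1.0, yet all four sections recommend upgrading to 3.1.1. If the 3.0.7 upper bound is intended, please state the first fixed version in those two sections so that readers on 3.1.0 can tell whether they are affected. Wording in the descriptions also needs a pass: in CVE-2016-0784, "By uploading an archive containing a file named ... will write the file" has no subject (suggest "Uploading an archive ... writes the file") and "3 rd party" should be "3rd party". In CVE-2016-2164, "This is due to that Java's URL class is used" reads better as "This is because Java's URL class is used".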

