Author: oching
Date: Mon Nov 29 23:13:43 2010
New Revision: 1040336
URL: http://svn.apache.org/viewvc?rev=1040336&view=rev
Log:
added security page
Added:
archiva/site/src/site/apt/security.apt
Modified:
archiva/site/src/site/xdoc/index.xml
Added: archiva/site/src/site/apt/security.apt
URL:
http://svn.apache.org/viewvc/archiva/site/src/site/apt/security.apt?rev=1040336&view=auto
==============================================================================
--- archiva/site/src/site/apt/security.apt (added)
+++ archiva/site/src/site/apt/security.apt Mon Nov 29 23:13:43 2010
@@ -0,0 +1,39 @@
+ ------
+ Security Vulnerabilities
+ ------
+
+~~ Licensed to the Apache Software Foundation (ASF) under one
+~~ or more contributor license agreements. See the NOTICE file
+~~ distributed with this work for additional information
+~~ regarding copyright ownership. The ASF licenses this file
+~~ to you under the Apache License, Version 2.0 (the
+~~ "License"); you may not use this file except in compliance
+~~ with the License. You may obtain a copy of the License at
+~~
+~~ http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing,
+~~ software distributed under the License is distributed on an
+~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~~ KIND, either express or implied. See the License for the
+~~ specific language governing permissions and limitations
+~~ under the License.
+
+~~ NOTE: For help with the syntax of this file, see:
+~~ http://maven.apache.org/guides/mini/guide-apt-format.html
+
+
+Security Vulnerabilities
+
+ Please note that binary patches are not produced for individual
vulnerabilities. To obtain the binary fix for a particular
+ vulnerability you should upgrade to an Apache Archiva version where that
vulnerability has been fixed.
+
+* CSRF Vulnerability (CVE-2010-3449)
+
+ Apache Archiva doesn't check which form sends credentials. An attacker can
create a specially crafted page and force
+ archiva administrators to view it and change their credentials. To fix this,
a referrer check was added to the security
+ interceptor for all secured actions. A prompt for the administrator's
password when changing a user account was also set
+ in place. This fix is available in version {{{download.html} 1.3.2}} of
Apache Archiva. All users must upgrade to this
+ version (or higher).
+
+
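Review bot: the new security.apt never states which Archiva versions are affected; since the fix is said to ship in 1.3.2, add an explicit "affected versions" line (all releases before 1.3.2, if that is accurate) and a reference link for CVE-2010-3449 so readers can cross-check the advisory. The sentence "Apache Archiva doesn't check which form sends credentials" is also vague; say plainly that the user-account actions accepted a forged cross-site request (CSRF) without verifying its origin. One caveat worth documenting for administrators: the referrer check added to the security interceptor only helps when the browser actually sends a Referer header, so deployments behind proxies or browser settings that strip it rely on the new password prompt as the effective protection, and the page should say which behaviour the interceptor takes (reject or allow) when the header is absent.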
Modified: archiva/site/src/site/xdoc/index.xml
URL:
http://svn.apache.org/viewvc/archiva/site/src/site/xdoc/index.xml?rev=1040336&r1=1040335&r2=1040336&view=diff
==============================================================================
--- archiva/site/src/site/xdoc/index.xml (original)
+++ archiva/site/src/site/xdoc/index.xml Mon Nov 29 23:13:43 2010
@@ -141,7 +141,7 @@
<span class="expand">
<!-- TODO: use velocity and property throughout -->
<img src="images/collapsed.gif" width="7" height="7" alt="" />
- <strong>Latest stable release</strong>: <a href="#">Archiva
1.3.2</a> - June 18, 2010
+ <strong>Latest stable release</strong>: <a href="#">Archiva
1.3.2</a> - November 29, 2010
</span>
<br/>
<span class="expand">
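Review bot: this hunk changes only the release date (June 18 to November 29, 2010) while the version text stays "Archiva 1.3.2", which reads as though the same version was released twice; either the version string or the original date is wrong and should be corrected in the same commit. Separately, the release link is still `<a href="#">`, so the "Latest stable release" entry goes nowhere; point it at download.html, which is the same target the new security page uses for the 1.3.2 link.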
@@ -196,6 +196,9 @@
Read the <a href="docs/1.3.2/userguide/index.html">users guide</a>
and <a href="docs/1.3.2/adminguide/index.html">administration documentation</a>
<br/>
<img src="images/collapsed.gif" width="7" height="7" alt="" />
+ For security issues, read the <a href="security.html">security
vulnerabilities document</a>
+ <br/>
+ <img src="images/collapsed.gif" width="7" height="7" alt="" />
Documentation is also available for <a
href="versions.html">previous versions</a>
</p>
</div>
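Review bot: the new entry follows the existing img/br pattern of the surrounding lines, so no markup concern, but neither this link text nor the security.apt added in this commit tells users how to report a new vulnerability; a security page that only lists fixed issues leaves reporters guessing, so consider adding a pointer to the ASF security team's reporting process on security.html and wording the link here as "security vulnerabilities and reporting".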