note security issues
Project: http://git-wip-us.apache.org/repos/asf/archiva-site/repo Commit: http://git-wip-us.apache.org/repos/asf/archiva-site/commit/81e42aca Tree: http://git-wip-us.apache.org/repos/asf/archiva-site/tree/81e42aca Diff: http://git-wip-us.apache.org/repos/asf/archiva-site/diff/81e42aca Branch: refs/heads/master Commit: 81e42acadcbc937ca671407713b75136f0a9fe46 Parents: 14bd480 Author: Brett Porter <[email protected]> Authored: Fri Apr 18 23:06:41 2014 +1000 Committer: Brett Porter <[email protected]> Committed: Fri Apr 18 23:06:41 2014 +1000 ---------------------------------------------------------------------- src/site/apt/security.apt | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/archiva-site/blob/81e42aca/src/site/apt/security.apt ---------------------------------------------------------------------- diff --git a/src/site/apt/security.apt b/src/site/apt/security.apt index 870d687..a43f882 100644 --- a/src/site/apt/security.apt +++ b/src/site/apt/security.apt @@ -31,6 +31,44 @@ Security Vulnerabilities For more information about reporting vulnerabilities, see the {{{http://www.apache.org/security/} Apache Security Team}} page. +* CVE-2013-2251: Apache Archiva Remote Command Execution + + Apache Archiva is affected by a vulnerability in the version of the Struts + library being used, which allows a malicious user to run code on the + server remotely. More details about the vulnerability can be found at + {{http://struts.apache.org/2.3.x/docs/s2-016.html}}. + + Versions Affected: + + * Archiva 1.3 to Archiva 1.3.6 + + * The unsupported versions Archiva 1.2 to 1.2.2 are also affected. + + [] + + All users are recommended to upgrade to {{{./download.cgi} Archiva 2.0.1 + or Archiva 1.3.8}}, which are not affected by this issue. + + Archiva 2.0.0 and later is not affected by this issue. + +* CVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability + + A request that included a specially crafted request parameter could be used + to inject arbitrary HTML or Javascript into the Archiva home page. + + Versions Affected: + + * Archiva 1.3 to Archiva 1.3.6 + + * The unsupported versions Archiva 1.2 to 1.2.2 are also affected. + + [] + + All users are recommended to upgrade to {{{./download.cgi} Archiva 2.0.1 + or Archiva 1.3.8}}, which are not affected by this issue. + + Archiva 2.0.0 and later is not affected by this issue. + * CVE-2010-1870: Struts2 remote commands execution Apache Archiva is affected by a vulnerability in the version of the Struts
