Author: buildbot
Date: Thu Dec 17 09:19:42 2015
New Revision: 975780
Log:
Production update by buildbot for camel
Added:
websites/production/camel/content/security-advisories.data/CVE-2015-5348.txt.asc
Modified:
websites/production/camel/content/cache/main.pageCache
websites/production/camel/content/security-advisories.html
Modified: websites/production/camel/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Added:
websites/production/camel/content/security-advisories.data/CVE-2015-5348.txt.asc
==============================================================================
---
websites/production/camel/content/security-advisories.data/CVE-2015-5348.txt.asc
(added)
+++
websites/production/camel/content/security-advisories.data/CVE-2015-5348.txt.asc
Thu Dec 17 09:19:42 2015
@@ -0,0 +1,37 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2015-5348: Apache Camel medium disclosure vulnerability
+
+Severity: MEDIUM
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Camel 2.15.0 to 2.15.4, Camel 2.16.0
+The unsupported Camel 2.6.x, 2.7.x, 2.8.x, 2.9.x, 2.10.x, 2.11.x, 2.12.x,
2.13.x, and 2.14.x are also affected.
+
+Description: Apache Camel's Jetty/Servlet usage is vulnerable to Java object
de-serialisation vulnerability
+
+If using camel-jetty, or camel-servlet as a consumer in Camel routes, then
Camel will automatic de-serialize HTTP requests that uses the content-header:
application/x-java-serialized-object.
+
+Mitigation: 2.15.x users should upgrade to 2.15.5, 2.16.0 users should upgrade
to 2.16.1.
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-9309 refers to
the various commits that resovoled the issue.
+
+Credit: This issue was discovered by Sim Yih Tsern.
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+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+=Qn8/
+-----END PGP SIGNATURE-----
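Review bot: The Mitigation paragraph gives an upgrade path only for 2.15.x and 2.16.0, while Versions Affected also lists the unsupported 2.6.x through 2.14.x lines, so readers on those releases get no instruction; state what they should do, and whether any interim measure exists for camel-jetty or camel-servlet consumers that cannot upgrade immediately. The title calls this a "medium disclosure vulnerability" while the Description describes Java object de-serialisation, so the two should agree on the vulnerability class. Wording to fix before the text is signed: "will automatic de-serialize" should read "will automatically de-serialize", "resovoled" should read "resolved", and "content-header" should name the actual HTTP header. Because the file is PGP clear-signed, any of these corrections requires a new signature.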
Modified: websites/production/camel/content/security-advisories.html
==============================================================================
--- websites/production/camel/content/security-advisories.html (original)
+++ websites/production/camel/content/security-advisories.html Thu Dec 17
09:19:42 2015
@@ -75,7 +75,7 @@
<tbody>
<tr>
<td valign="top" width="100%">
-<div class="wiki-content maincontent"><h3
id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2015-0264.txt.asc?version=1&modificationDate=1426539191000&api=v2"
data-linked-resource-id="54165590" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-0264.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="6">CVE-2015-0264</a> - The XPath
handling in Apache Camel for invalid XML Strings or invalid XML GenericFile
objects allows remote attackers to read arbitrary files via an XML External
Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before
the Exception is thrown.</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-0263.txt.asc?version=1&modificationDate=1426539178000&api=v2"
data-linked-resource-id="54165589"
data-linked-resource-version="1" data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-0263.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="6">CVE-2015-0263</a> - The XML
converter setup in Apache Camel allows remote attackers to read arbitrary files
via an SAXSource containing an XML External Entity (XXE)
declaration.</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a
shape="rect"
href="security-advisories.data/CVE-2014-0003.txt.asc?version=1&modificationDate=1393615582000&api=v2"
data-linked-resource-id="40009835" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0003.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="6">CVE-2014-000
3</a> - The Apache Camel XSLT component allows XSL stylesheets to perform
calls to external Java methods.</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0002.txt.asc?version=1&modificationDate=1393615569000&api=v2"
data-linked-resource-id="40009834" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0002.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="6">CVE-2014-0002</a> - The Apache Camel
XSLT component will resolve entities in XML messages when transforming them
using an xslt route.</li></ul><h3
id="SecurityAdvisories-2013">2013</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2013-4330.txt.asc?version=1&modificationDate=1380633919000&api=v2"
data-linked-resource-id="35192841" data-linked-resource-version="1"
data-linked-resource-type="attachment" dat
a-linked-resource-default-alias="CVE-2013-4330.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="6">CVE-2013-4330</a> - Writing files
using FILE or FTP components, can potentially be exploited by a malicious
user.</li></ul><p> </p></div>
+<div class="wiki-content maincontent"><h3
id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2015-5348.txt.asc?version=1&modificationDate=1450340845000&api=v2"
data-linked-resource-id="61333112" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5348.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="8">CVE-2015-5348</a> - Apache Camel's
Jetty/Servlet usage is vulnerable to Java object de-serialisation
vulnerability.</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-0264.txt.asc?version=1&modificationDate=1426539191000&api=v2"
data-linked-resource-id="54165590" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-0264.txt.asc" data-nice-type="Text
File" data-linked-
resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="8">CVE-2015-0264</a> - The XPath
handling in Apache Camel for invalid XML Strings or invalid XML GenericFile
objects allows remote attackers to read arbitrary files via an XML External
Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before
the Exception is thrown.</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-0263.txt.asc?version=1&modificationDate=1426539178000&api=v2"
data-linked-resource-id="54165589" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-0263.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="8">CVE-2015-0263</a> - The XML
converter setup in Apache Camel allows remote attackers to read arbitrary files
via an SAXSource
containing an XML External Entity (XXE) declaration.</li></ul><h3
id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2014-0003.txt.asc?version=1&modificationDate=1393615582000&api=v2"
data-linked-resource-id="40009835" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0003.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="8">CVE-2014-0003</a> - The Apache Camel
XSLT component allows XSL stylesheets to perform calls to external Java
methods.</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0002.txt.asc?version=1&modificationDate=1393615569000&api=v2"
data-linked-resource-id="40009834" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0002.txt.asc" data-nice-typ
e="Text File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="8">CVE-2014-0002</a> - The Apache Camel
XSLT component will resolve entities in XML messages when transforming them
using an xslt route.</li></ul><h3
id="SecurityAdvisories-2013">2013</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2013-4330.txt.asc?version=1&modificationDate=1380633919000&api=v2"
data-linked-resource-id="35192841" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2013-4330.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="8">CVE-2013-4330</a> - Writing files
using FILE or FTP components, can potentially be exploited by a malicious
user.</li></ul><p> </p></div>
</td>
<td valign="top">
<div class="navigation">
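Review bot: The summary in the new CVE-2015-5348 list item, "is vulnerable to Java object de-serialisation vulnerability", is tautological and drops the two details from the advisory that tell a reader whether they are exposed: that it applies to camel-jetty or camel-servlet used as a consumer, and that it is triggered by requests sent as application/x-java-serialized-object. Suggest rewording the item to carry both, in the style of the existing XXE entries, which name the component and the trigger. Separately, every existing link changes only in data-linked-resource-container-version (6 to 8), and the whole div is emitted as one line, so the single new list item cannot be picked out of this hunk without a word-level diff; a note in the log that the rest is regenerated export output would help reviewers.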