This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git
commit b9205b5212151d575cfe578b690aeab9fec31aeb Author: Andrea Cosentino <[email protected]> AuthorDate: Wed Sep 12 13:41:39 2018 +0200 Security Advisories: Porting to docs --- .../en/security-advisories/CVE-2015-5348.txt.asc | 37 ++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/docs/user-manual/en/security-advisories/CVE-2015-5348.txt.asc b/docs/user-manual/en/security-advisories/CVE-2015-5348.txt.asc new file mode 100644 index 0000000..e68d46c --- /dev/null +++ b/docs/user-manual/en/security-advisories/CVE-2015-5348.txt.asc 
@@ -0,0 +1,37 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +CVE-2015-5348: Apache Camel medium disclosure vulnerability + +Severity: MEDIUM + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.15.0 to 2.15.4, Camel 2.16.0 +The unsupported Camel 2.6.x, 2.7.x, 2.8.x, 2.9.x, 2.10.x, 2.11.x, 2.12.x, 2.13.x, and 2.14.x are also affected. + +Description: Apache Camel's Jetty/Servlet usage is vulnerable to Java object de-serialisation vulnerability + +If using camel-jetty, or camel-servlet as a consumer in Camel routes, then Camel will automatic de-serialize HTTP requests that uses the content-header: application/x-java-serialized-object. + +Mitigation: 2.15.x users should upgrade to 2.15.5, 2.16.0 users should upgrade to 2.16.1. +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-9309 refers to the various commits that resovoled the issue. + +Credit: This issue was discovered by Sim Yih Tsern. +-----BEGIN PGP SIGNATURE----- +Comment: GPGTools - https://gpgtools.org + +iQIcBAEBCgAGBQJWcnDDAAoJEN1wUKdrQA9pc2IQANO6MRTi2J5xjWrNJ9vFGMEK +5Mm6SXnn0KAYp/ET2WxBfe7D9V+WpcmGejost+7zhixKZ6sqo9uaQ45JRd5Ce6vg +gOfcJVEp0tJWtfR3Tgzpe9x8iL76zrRHlFlUFlo3w09AfA3H/ogeV+jE7in6P/Fu +JNlDWdbmV/WbflaqU643uo6/kScuE5Nzmhdon7QLnztirCzkFSXgx9t9+2mc9X+t +FfliGvIxM54nZ/RR13SeE0BFh4KS2+kEZRivB3fyRMl3pwWzU3pYxYJt81AsupJb +razSEon5281M2G1zaZK8ng/6P3bHACHkOYK6ivsdkQ4zg4YKnShU1nkX2BBBXXrd +dhn5ilcmA65R4jq7Vzk9D3QwwN9Io+0OPdca1WeT79qLpCqlkMOuJQFE6hIfVoQe +sTmz5QIoPyQIWP1tPQS+QzSDx+zNlqte4t48wRkTqXuja/sfi5JzuXtDJwBjGt+L +FO1oA2CEoaiCzOdCVthvZrNBsgYCig7dmeKaYzVRCm1oYHkwd7hCvsg261uOSTHJ +glZrmn3FT/G7qx6MaNLXQD6UZ5XMwx5ToSnILCORDf2UH8sEtyJfkJtIOIQxTeh4 ++vV9GYDxNOV/rpqfxcYzyIcfcGK2R4MaoAdLx4RSJoZSz88N2372pTs4pZGAmS7K +cXFnb/HjMssv62nffgkE +=Qn8/ +-----END PGP SIGNATURE-----
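Review bot: the `+Mitigation:` line of the ported advisory only tells 2.15.x users to move to 2.15.5 and 2.16.0 users to 2.16.1, yet the `+Versions Affected:` block also declares the unsupported 2.6.x through 2.14.x trees affected and gives those users no instruction at all; since the `+Description:` states that any camel-jetty or camel-servlet consumer deserializes requests carrying `application/x-java-serialized-object`, the docs page should at least say that users on an unsupported line must move to a fixed release (2.15.5 or 2.16.1) or otherwise reject requests with that Content-Type before they reach the consumer. Note also that the text is wrapped in `-----BEGIN PGP SIGNED MESSAGE-----` / `-----END PGP SIGNATURE-----`, so the typos it carries (`resovoled`, and `content-header` where the HTTP Content-Type header is meant) cannot be corrected in this file without re-signing; either re-sign a corrected copy or keep this `.txt.asc` verbatim and put the corrections and the missing guidance in an accompanying unsigned page, and state there which key readers should verify the GPGTools signature against, otherwise the signature adds nothing for a docs reader.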
