Author: buildbot
Date: Sun Nov 9 14:46:47 2014
New Revision: 928502
Log:
Production update by buildbot for cxf
Added:
websites/production/cxf/content/cve-2014-3566.html
Modified:
websites/production/cxf/content/cache/main.pageCache
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Added: websites/production/cxf/content/cve-2014-3566.html
==============================================================================
--- websites/production/cxf/content/cve-2014-3566.html (added)
+++ websites/production/cxf/content/cve-2014-3566.html Sun Nov 9 14:46:47 2014
@@ -0,0 +1,149 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd";>
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<html>
+ <head>
+
+<link type="text/css" rel="stylesheet" href="/resources/site.css">
+<script src='/resources/space.js'></script>
+
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service
Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic
Data Interchange, standards support, integration standards, application
integration, middleware, software, solutions, services, CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework -
CVE-2014-3566">
+
+
+
+
+ <title>
+Apache CXF -- CVE-2014-3566
+ </title>
+ </head>
+<body onload="init()">
+
+
+<table width="100%" cellpadding="0" cellspacing="0">
+ <tr>
+ <td id="cell-0-0" colspan="2"> </td>
+ <td id="cell-0-1"> </td>
+ <td id="cell-0-2" colspan="2"> </td>
+ </tr>
+ <tr>
+ <td id="cell-1-0"> </td>
+ <td id="cell-1-1"> </td>
+ <td id="cell-1-2">
+ <!-- Banner -->
+<div class="banner" id="banner"><div><table border="0" cellpadding="0"
cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap>
+<a shape="rect" href="http://cxf.apache.org/"; title="Apache CXF"><span
style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="http://www.apache.org/"; title="The Apache Software
Foundation"><img border="0" alt="ASF Logo"
src="http://cxf.apache.org/images/asf-logo.png";></a>
+</td></tr></table></div></div>
+ <!-- Banner -->
+ <div id="top-menu">
+ <table border="0" cellpadding="1" cellspacing="0" width="100%">
+ <tr>
+ <td>
+ <div align="left">
+ <!-- Breadcrumbs -->
+<a href="index.html">Index</a> > <a
href="cve-2014-3566.html">CVE-2014-3566</a>
+ <!-- Breadcrumbs -->
+ </div>
+ </td>
+ <td>
+ <div align="right">
+ <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" href="download.html">Download</a> | <a
shape="rect"
href="http://cxf.apache.org/docs/index.html";>Documentation</a></p></div>
+ <!-- Quicklinks -->
+ </div>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </td>
+ <td id="cell-1-3"> </td>
+ <td id="cell-1-4"> </td>
+ </tr>
+ <tr>
+ <td id="cell-2-0" colspan="2"> </td>
+ <td id="cell-2-1">
+ <table>
+ <tr valign="top">
+ <td height="100%">
+ <div id="wrapper-menu-page-right">
+ <div id="wrapper-menu-page-top">
+ <div id="wrapper-menu-page-bottom">
+ <div id="menu-page">
+ <!-- NavigationBar -->
+<div id="navigation"><h3 id="Navigation-ApacheCXF"><a shape="rect"
href="index.html">Apache CXF</a></h3><ul class="alternate"><li><a shape="rect"
href="index.html">Home</a></li><li><a shape="rect"
href="download.html">Download</a></li><li><a shape="rect"
href="people.html">People</a></li><li><a shape="rect"
href="project-status.html">Project Status</a></li><li><a shape="rect"
href="roadmap.html">Roadmap</a></li><li><a shape="rect"
href="mailing-lists.html">Mailing Lists</a></li><li><a shape="rect"
class="external-link" href="http://issues.apache.org/jira/browse/CXF";>Issue
Reporting</a></li><li><a shape="rect" href="special-thanks.html">Special
Thanks</a></li><li><a shape="rect" class="external-link"
href="http://www.apache.org/licenses/";>License</a></li><li><a shape="rect"
href="security-advisories.html">Security Advisories</a></li></ul><h3
id="Navigation-Users">Users</h3><ul class="alternate"><li><a shape="rect"
href="http://cxf.apache.org/docs/index.html";>User's Guide</a></li><li>
<a shape="rect" href="support.html">Support</a></li><li><a shape="rect"
href="faq.html">FAQ</a></li><li><a shape="rect"
href="resources-and-articles.html">Resources and Articles</a></li></ul><h3
id="Navigation-Search">Search</h3><form
enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box"
action="http://www.google.com/cse";><div> <input type="hidden" name="cx"
value="002890367768291051730:o99qiwa09y4"> <input type="hidden" name="ie"
value="UTF-8"> <input type="text" name="q" size="21"> <input type="submit"
name="sa" value="Search"> </div> </form> <script type="text/javascript"
src="http://www.google.com/cse/brand?form=cse-search-box&lang=en";></script>
<h3 id="Navigation-Developers">Developers</h3><ul class="alternate"><li><a
shape="rect"
href="http://cxf.apache.org/docs/cxf-architecture.html";>Architecture
Guide</a></li><li><a shape="rect" href="source-repository.html">Source
Repository</a></li><li><a shape="rect"
href="building.html">Building</a></li><li><a
shape="rect" href="automated-builds.html">Automated Builds</a></li><li><a
shape="rect" href="testing-debugging.html">Testing-Debugging</a></li><li><a
shape="rect" href="coding-guidelines.html">Coding Guidelines</a></li><li><a
shape="rect" href="getting-involved.html">Getting Involved</a></li><li><a
shape="rect" href="release-management.html">Release Management</a></li></ul><h3
id="Navigation-Subprojects">Subprojects</h3><ul class="alternate"><li><a
shape="rect" href="distributed-osgi.html">Distributed OSGi</a></li><li><a
shape="rect" href="xjc-utils.html">XJC Utils</a></li><li><a shape="rect"
href="build-utils.html">Build Utils</a></li><li><a shape="rect"
href="fediz.html">Fediz</a></li></ul><h3 id="Navigation-ASF"><a shape="rect"
class="external-link" href="http://www.apache.org";>ASF</a></h3><ul
class="alternate"><li><a shape="rect" class="external-link"
href="http://www.apache.org/foundation/how-it-works.html";>How Apache
Works</a></li><li><a shape="rect" class="external-link" href
="http://www.apache.org/foundation/";>Foundation</a></li><li><a shape="rect"
class="external-link"
href="http://www.apache.org/foundation/sponsorship.html";>Sponsor
Apache</a></li><li><a shape="rect" class="external-link"
href="http://www.apache.org/foundation/thanks.html";>Thanks</a></li><li><a
shape="rect" class="external-link"
href="http://www.apache.org/security/";>Security</a></li></ul></div>
+ <!-- NavigationBar -->
+ </div>
+ </div>
+ </div>
+ </div>
+ </td>
+ <td height="100%">
+ <!-- Content -->
+ <div class="wiki-content">
+<div id="ConfluenceContent"><p>The SSL protocol 3.0 uses non-deterministic CBC
padding, which makes it easier for man-in-the-middle attackers to obtain clear
text data via a padding-oracle attack, aka the "POODLE" issue.</p><p>Encryption
in SSL 3.0 uses either the RC4 stream cipher, or a block cipher in CBC mode.
RC4 is well known to have biases [RC4­biases],meaning that if the same
secret (such as a password or HTTP cookie) is sent over many connections and
thus encrypted with many RC4 streams, more and more information about it will
leak.</p><p>The problem with POODLE comes when the connection is downgraded to
use SSL 3.0 when higher level TLS comms fail. If an attacker in the middle of a
connection can cause this failure then they may be able to force the browser to
do exactly what it’s designed to do – fall back to SSL 3.0 and try
again.</p><p> </p><p>Problem fixed in CXF <span class="value
editable-field inactive" title="Click to edit"><span class="shorten
"> <a shape="rect" class="external-link"
href="https://issues.apache.org/jira/browse/CXF/fixforversion/12328801";
title="3.0.3 ">3.0.3</a>, <a shape="rect" class="external-link"
href="https://issues.apache.org/jira/browse/CXF/fixforversion/12328802";
title="2.7.14 ">2.7.14</a> </span></span>by disabling by default for both
clients, as well as Jetty servers configured via CXF's HTTPJ namespace: <a
shape="rect" class="external-link"
href="https://issues.apache.org/jira/browse/CXF-6086";>CXF-6086</a></p></div>
+ </div>
+ <!-- Content -->
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td id="cell-2-2" colspan="2"> </td>
+ </tr>
+ <tr>
+ <td id="cell-3-0"> </td>
+ <td id="cell-3-1"> </td>
+ <td id="cell-3-2">
+ <div id="footer">
+ <!-- Footer -->
+ <div id="site-footer">
+ <a href="http://cxf.apache.org/privacy-policy.html";>Privacy
Policy</a> -
+ (<a
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=48202431";>edit
page</a>)
+ (<a
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=48202431&showComments=true&showCommentArea=true#addcomment";>add
comment</a>)<br>
+ Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The
Apache Software Foundation.<br>
+ All other marks mentioned may be trademarks or registered trademarks
of their respective owners.
+ </div>
+ <!-- Footer -->
+ </div>
+ </td>
+ <td id="cell-3-3"> </td>
+ <td id="cell-3-4"> </td>
+ </tr>
+ <tr>
+ <td id="cell-4-0" colspan="2"> </td>
+ <td id="cell-4-1"> </td>
+ <td id="cell-4-2" colspan="2"> </td>
+ </tr>
+</table>
+
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl."; :
"http://www.";);
+document.write(unescape("%3Cscript src='" + gaJsHost +
"google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
+</script>
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+pageTracker._trackPageview();
+} catch(err) {}</script>
+
+</body>
+</html>
+
![http://cxf.apache.org/images/asf-logo.png"](http://cxf.apache.org/images/asf-logo.png"){kind=link}