Author: buildbot
Date: Tue Dec 16 14:47:32 2014
New Revision: 932978
Log:
Production update by buildbot for cxf
Added:
websites/production/cxf/content/security-advisories.data/CVE-2014-3566.txt.asc
Removed:
websites/production/cxf/content/cve-2014-3566.html
Modified:
websites/production/cxf/content/cache/main.pageCache
websites/production/cxf/content/security-advisories.html
Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Added:
websites/production/cxf/content/security-advisories.data/CVE-2014-3566.txt.asc
==============================================================================
---
websites/production/cxf/content/security-advisories.data/CVE-2014-3566.txt.asc
(added)
+++
websites/production/cxf/content/security-advisories.data/CVE-2014-3566.txt.asc
Tue Dec 16 14:47:32 2014
@@ -0,0 +1,37 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+Note on CVE-2014-3566 - SSL 3.0 support in Apache CXF, aka the "POODLE" attack:
+
+The SSL protocol 3.0 uses non-deterministic CBC padding, which makes it easier
+for man-in-the-middle attackers to obtain clear text data via a padding-oracle
+attack, aka the "POODLE" issue: https://access.redhat.com/articles/1232123
+
+The problem with POODLE comes when the connection is downgraded to use SSL 3.0
+when higher level TLS comms fail. If an attacker in the middle of a connection
+can cause this failure then they may be able to force the browser to do
+exactly what itâs designed to do â fall back to SSL 3.0 and try again.
+
+Apache CXF disables support for SSLv3 by default for both clients, as well as
+Jetty servers configured via CXF's HTTPJ namespace, from the 3.0.3 and 2.7.14
+releases. To support SSLv3 it is necessary to specify "SSLv3" for the
+"secureSocketProtocol" attribute, see the tls configuration link below.
+
+References:
+
+http://cxf.apache.org/security-advisories.html
+https://issues.apache.org/jira/browse/CXF-6086
+http://cxf.apache.org/docs/tls-configuration.html
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQEcBAEBAgAGBQJUkELkAAoJEGe/gLEK1TmDeCcH/RxLLkEr+oEcgWrYa4rKrMPq
+Sw+62Hzpswi5zYHIH5p2pKuMN9WhvxqsBZKT6SoSHfJ28yvcbiBG78o49O/nLois
+spUFTMSZAkdHAvg6G0gr5ODXCOxZyCQS9Tjf7cWfkne9sepIveP3RdHs75V+0C9u
+bxMzkEYRc58ZUD6xDzoGsLhnm0jiIfkCg7sjKH/3j6eG3LV7Blj578GZZmAkRK4E
+rNxGDX9X7LksdDXi4wB0RW5n3GKRj5WSf7rWgxJQOJ0Zde3WdNALyPxLW9+MN5NK
+ZuXZ6SvJKKB33/cbyTBlti4PaFpG9D0T6KRvNwsqP42e9MPk/6V+ywR3aa4PU94=
+=XS57
+-----END PGP SIGNATURE-----
Modified: websites/production/cxf/content/security-advisories.html
==============================================================================
--- websites/production/cxf/content/security-advisories.html (original)
+++ websites/production/cxf/content/security-advisories.html Tue Dec 16
14:47:32 2014
@@ -99,7 +99,7 @@ Apache CXF -- Security Advisories
<td height="100%">
<!-- Content -->
<div class="wiki-content">
-<div id="ConfluenceContent"><h3
id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2014-3623.txt.asc?version=1&modificationDate=1414169368341&api=v2">CVE-2014-3623</a>:
Apache CXF does not properly enforce the security semantics of SAML
SubjectConfirmation methods when used with the TransportBinding</li><li><a
shape="rect"
href="security-advisories.data/CVE-2014-3584.txt.asc?version=1&modificationDate=1414169326347&api=v2">CVE-2014-3584</a>:
Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS)
attack</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0109.txt.asc?version=1&modificationDate=1398873370000&api=v2">CVE-2014-0109</a>:
HTML content posted to SOAP endpoint could cause OOM errors</li><li><a
shape="rect"
href="security-advisories.data/CVE-2014-0110.txt.asc?version=1&modificationDate=1398873378000&api=v2">CVE-2014-0110</a>:
Large invalid content could cause tempora
ry space to fill</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0034.txt.asc?version=1&modificationDate=1398873385000&api=v2">CVE-2014-0034</a>:
The SecurityTokenService accepts certain invalid SAML Tokens as
valid</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0035.txt.asc?version=1&modificationDate=1398873391000&api=v2">CVE-2014-0035</a>:
UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning
policy</li></ul><h3 id="SecurityAdvisories-2013">2013</h3><ul><li><a
shape="rect"
href="security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372324301000&api=v2">CVE-2013-2160</a>
- Denial of Service Attacks on Apache CXF</li><li><a shape="rect"
href="cve-2012-5575.html">Note on CVE-2012-5575</a> - XML Encryption backwards
compatibility attack on Apache CXF.</li><li><a shape="rect"
href="cve-2013-0239.html">CVE-2013-0239</a> - Authentication bypass in the case
of WS-SecurityPolicy enabled plain
text UsernameTokens.</li></ul><h3
id="SecurityAdvisories-2012">2012</h3><ul><li><a shape="rect"
href="cve-2012-5633.html">CVE-2012-5633</a> - WSS4JInInterceptor always allows
HTTP Get requests from browser.</li><li><a shape="rect"
href="note-on-cve-2011-2487.html">Note on CVE-2011-2487</a> - Bleichenbacher
attack against distributed symmetric key in WS-Security.</li><li><a
shape="rect" href="cve-2012-3451.html">CVE-2012-3451</a> - Apache CXF is
vulnerable to SOAP Action spoofing attacks on Document Literal web
services.</li><li><a shape="rect" href="cve-2012-2379.html">CVE-2012-2379</a> -
Apache CXF does not verify that elements were signed or encrypted by a
particular Supporting Token.</li><li><a shape="rect"
href="cve-2012-2378.html">CVE-2012-2378</a> - Apache CXF does not pick up some
child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on
the client side.</li><li><a shape="rect" href="note-on-cve-2011-1096.html">Note
on CVE-2011-1096</a> - XML Encryption fla
w / Character pattern encoding attack.</li><li><a shape="rect"
href="cve-2012-0803.html">CVE-2012-0803</a> - Apache CXF does not validate
UsernameToken policies correctly.</li></ul><h3
id="SecurityAdvisories-2010">2010</h3><ul><li><a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf";>CVE-2010-2076</a>
- DTD based XML attacks.</li></ul></div>
+<div id="ConfluenceContent"><h3
id="SecurityAdvisories-2014">2014</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2014-3566.txt.asc?version=1&modificationDate=1418740474042&api=v2">Note
on CVE-2014-3566</a>: SSL 3.0 support in Apache CXF, aka the "POODLE"
attack.</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-3623.txt.asc?version=1&modificationDate=1414169368000&api=v2">CVE-2014-3623</a>:
Apache CXF does not properly enforce the security semantics of SAML
SubjectConfirmation methods when used with the TransportBinding</li><li><a
shape="rect"
href="security-advisories.data/CVE-2014-3584.txt.asc?version=1&modificationDate=1414169326000&api=v2">CVE-2014-3584</a>:
Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS)
attack</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0109.txt.asc?version=1&modificationDate=1398873370000&api=v2">CVE-2014-0109</a>:
HTML content posted to SOAP endpoint
could cause OOM errors</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0110.txt.asc?version=1&modificationDate=1398873378000&api=v2">CVE-2014-0110</a>:
Large invalid content could cause temporary space to fill</li><li><a
shape="rect"
href="security-advisories.data/CVE-2014-0034.txt.asc?version=1&modificationDate=1398873385000&api=v2">CVE-2014-0034</a>:
The SecurityTokenService accepts certain invalid SAML Tokens as
valid</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0035.txt.asc?version=1&modificationDate=1398873391000&api=v2">CVE-2014-0035</a>:
UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning
policy</li></ul><h3 id="SecurityAdvisories-2013">2013</h3><ul><li><a
shape="rect"
href="security-advisories.data/CVE-2013-2160.txt.asc?version=1&modificationDate=1372324301000&api=v2">CVE-2013-2160</a>
- Denial of Service Attacks on Apache CXF</li><li><a shape="rect"
href="cve-2012-5575.html">Note on CV
E-2012-5575</a> - XML Encryption backwards compatibility attack on Apache
CXF.</li><li><a shape="rect" href="cve-2013-0239.html">CVE-2013-0239</a> -
Authentication bypass in the case of WS-SecurityPolicy enabled plaintext
UsernameTokens.</li></ul><h3 id="SecurityAdvisories-2012">2012</h3><ul><li><a
shape="rect" href="cve-2012-5633.html">CVE-2012-5633</a> - WSS4JInInterceptor
always allows HTTP Get requests from browser.</li><li><a shape="rect"
href="note-on-cve-2011-2487.html">Note on CVE-2011-2487</a> - Bleichenbacher
attack against distributed symmetric key in WS-Security.</li><li><a
shape="rect" href="cve-2012-3451.html">CVE-2012-3451</a> - Apache CXF is
vulnerable to SOAP Action spoofing attacks on Document Literal web
services.</li><li><a shape="rect" href="cve-2012-2379.html">CVE-2012-2379</a> -
Apache CXF does not verify that elements were signed or encrypted by a
particular Supporting Token.</li><li><a shape="rect"
href="cve-2012-2378.html">CVE-2012-2378</a> - Apache CXF doe
s not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken
policy assertions on the client side.</li><li><a shape="rect"
href="note-on-cve-2011-1096.html">Note on CVE-2011-1096</a> - XML Encryption
flaw / Character pattern encoding attack.</li><li><a shape="rect"
href="cve-2012-0803.html">CVE-2012-0803</a> - Apache CXF does not validate
UsernameToken policies correctly.</li></ul><h3
id="SecurityAdvisories-2010">2010</h3><ul><li><a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf";>CVE-2010-2076</a>
- DTD based XML attacks.</li></ul></div>
</div>
<!-- Content -->
</td>
