Author: ilgrosso
Date: Tue Apr 15 07:42:17 2014
New Revision: 1587462
URL: http://svn.apache.org/r1587462
Log:
Publishing security page
Added:
syncope/site/security.html (with props)
Added: syncope/site/security.html
URL:
http://svn.apache.org/viewvc/syncope/site/security.html?rev=1587462&view=auto
==============================================================================
--- syncope/site/security.html (added)
+++ syncope/site/security.html Tue Apr 15 07:42:17 2014
@@ -0,0 +1,313 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia
+ | Rendered using Apache Maven Fluido Skin 1.3.1
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <meta charset="UTF-8" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+ <meta name="author" content="Apache Syncope Documentation Team" />
+ <meta name="Date-Revision-yyyymmdd" content="20140415" />
+ <meta http-equiv="Content-Language" content="en" />
+ <title>Apache Syncope -
+ Security Advisories</title>
+ <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.1.min.css" />
+ <link rel="stylesheet" href="./css/site.css" />
+ <link rel="stylesheet" href="./css/print.css" media="print" />
+
+
+ <script type="text/javascript"
src="./js/apache-maven-fluido-1.3.1.min.js"></script>
+
+
+ </head>
+ <body class="topBarEnabled">
+
+
+
+
+
+
+ <a href="http://github.com/apache/syncope">
+ <img style="position: absolute; top: 0; left: 0; border: 0; z-index:
10000;"
+
src="https://s3.amazonaws.com/github/ribbons/forkme_left_red_aa0000.png"
+ alt="Fork me on GitHub">
+ </a>
+
+
+
+
+
+ <div id="topbar" class="navbar navbar-fixed-top ">
+ <div class="navbar-inner">
+ <div class="container"><div
class="nav-collapse">
+
+
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b
class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a href="features.html"
title="Features">Features</a>
+</li>
+
+ <li> <a href="architecture.html"
title="Architecture">Architecture</a>
+</li>
+
+ <li> <a href="downloads.html"
title="Downloads">Downloads</a>
+</li>
+
+ <li> <a href="security.html" title="Security
Advisories">Security Advisories</a>
+</li>
+
+ <li class="dropdown-submenu">
+ <a href="apidocs/1.1/index.html"
title="API Docs">API Docs</a>
+ <ul class="dropdown-menu">
+ <li> <a href="apidocs/1.1/index.html"
title="Javadocs 1.1">Javadocs 1.1</a>
+</li>
+ <li> <a href="apidocs/1.0/index.html"
title="Javadocs 1.0">Javadocs 1.0</a>
+</li>
+ </ul>
+ </li>
+
+ <li> <a href="license.html"
title="License">License</a>
+</li>
+
+ <li> <a href="professional-services.html"
title="Professional Services">Professional Services</a>
+</li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">Community
<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a href="mail-lists.html" title="Mailing
Lists">Mailing Lists</a>
+</li>
+
+ <li> <a href="team-list.html" title="Project
Team">Project Team</a>
+</li>
+
+ <li> <a
href="http://cwiki.apache.org/confluence/display/SYNCOPE/Roadmap"
title="Roadmap">Roadmap</a>
+</li>
+
+ <li> <a
href="http://cwiki.apache.org/confluence/display/SYNCOPE/Index"
title="Documentation">Documentation</a>
+</li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">Development
<b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a href="contributing.html" title="How to
contribute?">How to contribute?</a>
+</li>
+
+ <li> <a href="source-repository.html"
title="Source Repository">Source Repository</a>
+</li>
+
+ <li> <a href="integration.html" title="Continuous
Integration">Continuous Integration</a>
+</li>
+
+ <li> <a href="issue-tracking.html" title="Issue
Tracking">Issue Tracking</a>
+</li>
+
+ <li> <a href="building.html"
title="Building">Building</a>
+</li>
+
+ <li> <a href="release-process.html" title="Release
Process">Release Process</a>
+</li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">ASF <b
class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a
href="http://www.apache.org/foundation/how-it-works.html" title="How Apache
Works">How Apache Works</a>
+</li>
+
+ <li> <a href="http://www.apache.org/foundation/"
title="Foundation">Foundation</a>
+</li>
+
+ <li> <a
href="http://www.apache.org/foundation/sponsorship.html" title="Sponsoring
Apache">Sponsoring Apache</a>
+</li>
+
+ <li> <a
href="http://www.apache.org/foundation/thanks.html" title="Thanks">Thanks</a>
+</li>
+ </ul>
+ </li>
+ </ul>
+
+
+
+
+
+
+ <iframe
src="http://www.facebook.com/plugins/like.php?href=http://syncope.apache.org/&send=false&layout=button_count&show-faces=false&action=like&colorscheme=dark"
+ scrolling="no" frameborder="0"
+ style="border:none; width:100px; height:20px; margin-top: 10px;"
class="pull-right" ></iframe>
+
+ <script type="text/javascript"
src="https://apis.google.com/js/plusone.js"></script>
+
+ <ul class="nav pull-right"><li style="margin-top: 10px;">
+
+ <div class="g-plusone" data-href="http://syncope.apache.org/"
data-size="medium" width="60px" align="right" ></div>
+
+ </li></ul>
+
+
+
+ <ul class="nav pull-right"><li>
+
+ <a href="https://twitter.com/syncopeidm" class="twitter-follow-button"
data-show-count="false" data-align="right" data-size="large"
data-show-screen-name="true" data-lang="en">Follow syncopeidm</a>
+ <script type="text/javascript">!function(d,s,id){var
js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
+
+ </li></ul>
+
+
+ </div>
+
+ </div>
+ </div>
+ </div>
+
+ <div class="container">
+ <div id="banner">
+ <div class="pull-left">
+ <div id="bannerLeft">
+ <h2>Apache Syncope</h2>
+ </div>
+ </div>
+ <div class="pull-right"> </div>
+ <div class="clear"><hr/></div>
+ </div>
+
+ <div id="breadcrumbs">
+ <ul class="breadcrumb">
+
+
+ <li class="">
+ <a href="http://www.apache.org/" class="externalLink"
title="Apache">
+ Apache</a>
+ <span class="divider">/</span>
+ </li>
+ <li class="">
+ <a href="./" title="Apache Syncope">
+ Apache Syncope</a>
+ <span class="divider">/</span>
+ </li>
+ <li class="active ">
+ Security Advisories</li>
+
+
+
+
+ </ul>
+ </div>
+
+
+
+ <div id="bodyColumn" >
+
+ <!-- Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License. -->
+
+
+
+ <div class="section">
+<h2>Security Advisories<a name="Security_Advisories"></a></h2>
+
+<p>This page lists all security vulnerabilities fixed in released versions of
Apache Syncope.</p>
+
+<p>Please note that binary patches are never provided. If you need to apply a
source code patch, use the <a href="building.html">building instructions</a> or
<a class="externalLink"
href="https://cwiki.apache.org/confluence/display/SYNCOPE/Create+a+new+Syncope+project">re-generate
your Maven project</a> from published archetype.</p>
+
+
+<p>If you want to report a vulnerability, please follow <a
class="externalLink" href="http://www.apache.org/security/">the
procedure</a>.</p>
+
+
+<div class="section">
+<h3>CVE-2014-0111: Remote code execution by an authenticated administrator<a
name="CVE-2014-0111:_Remote_code_execution_by_an_authenticated_administrator"></a></h3>
+
+<p>In the various places in which Apache Commons JEXL expressions are allowed
(derived schema definition, user / role templates, account links of resource
mappings) a malicious administrator can inject Java code that can be executed
remotely by the JEE container running the Apache Syncope core.</p>
+
+
+
+<p><b>Affects</b></p>
+
+<p>
+ </p>
+<ul>
+
+<li>Releases 1.0.0 to 1.0.8</li>
+
+<li>Releases 1.1.0 to 1.1.6</li>
+ </ul>
+
+
+
+<p><b>Fixed in</b></p>
+
+<p>
+ </p>
+<ul>
+
+<li>Revisions <a class="externalLink"
href="http://svn.apache.org/viewvc?view=revision&revision=r1586349">1586349</a>
/ <a class="externalLink"
href="http://svn.apache.org/viewvc?view=revision&revision=r1586317">1586317</a></li>
+
+<li>Releases 1.0.9 / 1.1.7</li>
+ </ul>
+
+
+
+<p>Read the <a class="externalLink"
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0111">full CVE
advisory</a>.</p>
+ </div>
+ </div>
+
+
+
+ </div>
+ </div>
+
+ <hr/>
+
+ <footer>
+ <div class="container">
+ <div class="row">
+ <p >Copyright ©
2010–2014
+ <a href="http://www.apache.org/">The Apache Software
Foundation</a>.
+ All rights reserved.
+
+ </p>
+ </div>
+
+
+<div class="row">Apache, Syncope, Apache Syncope, the Apache feather logo and
the Apache Syncope project logo are trademarks of The Apache Software
Foundation. All other marks mentioned may be trademarks or registered
trademarks of their respective owners.</div>
+
+ <p id="poweredBy" class="pull-right">
+ <a href="http://maven.apache.org/" title="Built by
Maven" class="poweredBy">
+ <img class="builtBy" alt="Built by Maven"
src="./images/logos/maven-feather.png" />
+ </a>
+ </p>
+
+
+
+
+
+ <div id="ohloh" class="pull-right">
+ <script type="text/javascript"
src="http://www.ohloh.net/p/syncope/widgets/project_thin_badge.js"></script>
+ </div>
+ </div>
+ </footer>
+ </body>
+</html>
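Review bot: The footer's ohloh badge (`src="http://www.ohloh.net/p/syncope/widgets/project_thin_badge.js"`) and the top-bar Facebook like iframe (`src="http://www.facebook.com/plugins/like.php?..."`) are fetched over plain HTTP on the page that publishes security advisories, so their content can be modified in transit and the script runs in the context of the advisory page. Switch both to `https://`, as the `plusone.js` include and the GitHub ribbon image in this same file already do, or leave the social widgets off this page. Separately, in the CVE-2014-0111 section the "Fixed in" item "Releases 1.0.9 / 1.1.7" is plain text while the revisions beside it are linked; pointing it at `downloads.html` would give readers a direct path to the fixed releases. The empty `<p> </p>` elements emitted before each `<ul>` under "Affects" and "Fixed in" could also be dropped from the source markup.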
Propchange: syncope/site/security.html
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: syncope/site/security.html
------------------------------------------------------------------------------
svn:keywords = Date Revision Author HeadURL Id
Propchange: syncope/site/security.html
------------------------------------------------------------------------------
svn:mime-type = text/html