Author: ilgrosso
Date: Mon Mar 19 11:15:02 2018
New Revision: 1827186

URL: http://svn.apache.org/viewvc?rev=1827186&view=rev
Log:
Keep security advisories sorted by date

Modified:
    syncope/site/security.html

Modified: syncope/site/security.html
URL: 
http://svn.apache.org/viewvc/syncope/site/security.html?rev=1827186&r1=1827185&r2=1827186&view=diff
==============================================================================
--- syncope/site/security.html (original)
+++ syncope/site/security.html Mon Mar 19 11:15:02 2018
@@ -1,6 +1,6 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8 
+ | Generated by Apache Maven Doxia Site Renderer 1.8
  | Rendered using Apache Maven Fluido Skin 1.5
 -->
 <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
@@ -15,15 +15,15 @@
     <link rel="stylesheet" href="./css/site.css" />
     <link rel="stylesheet" href="./css/print.css" media="print" />
 
-      
+
     <script type="text/javascript" 
src="./js/apache-maven-fluido-1.5.min.js"></script>
 
                       </head>
         <body class="topBarDisabled">
-          
-                
-                    
-    
+
+
+
+
         <div class="container-fluid">
           <div id="banner">
         <div class="pull-left">
@@ -37,7 +37,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-              
+
                               <li class="">
                     <a href="http://www.apache.org/"; class="externalLink" 
title="Apache">
         Apache</a>
@@ -49,192 +49,192 @@
                     <span class="divider">/</span>
       </li>
         <li class="active ">Security Advisories</li>
-        
-              
-      
+
+
+
                             </ul>
       </div>
 
-                  
+
       <div class="row-fluid">
         <div id="leftColumn" class="span2">
           <div class="well sidebar-nav">
-              
+
                 <ul class="nav nav-list">
                     <li class="nav-header">Apache Syncope™</li>
-                              
+
       <li>
-  
+
                           <a href="iam-scenario.html" title="IAM Scenario">
           <span class="none"></span>
         IAM Scenario</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="architecture.html" title="Architecture">
           <span class="none"></span>
         Architecture</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="demo.html" title="Demo">
           <span class="none"></span>
         Demo</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="downloads.html" title="Downloads">
           <span class="none"></span>
         Downloads</a>
             </li>
-                
+
       <li class="active">
-  
+
             <a href="#"><span class="none"></span>Security Advisories</a>
           </li>
-                
+
       <li>
-  
+
                           <a href="docs/index.html" title="Documentation">
           <span class="none"></span>
         Documentation</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="mailing-lists.html" title="Mailing Lists">
           <span class="none"></span>
         Mailing Lists</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="team-list.html" title="Project Team">
           <span class="none"></span>
         Project Team</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="license.html" title="License">
           <span class="none"></span>
         License</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="professional-services.html" 
title="Professional Services">
           <span class="none"></span>
         Professional Services</a>
             </li>
                               <li class="nav-header">Development</li>
-                              
+
       <li>
-  
+
                           <a 
href="http://cwiki.apache.org/confluence/display/SYNCOPE/Roadmap"; 
class="externalLink" title="Roadmap">
           <span class="none"></span>
         Roadmap</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="contributing.html" title="How to 
contribute?">
           <span class="none"></span>
         How to contribute?</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="source-repository.html" title="Source 
Repository">
           <span class="none"></span>
         Source Repository</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="integration.html" title="Continuous 
Integration">
           <span class="none"></span>
         Continuous Integration</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="issue-tracking.html" title="Issue Tracking">
           <span class="none"></span>
         Issue Tracking</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="building.html" title="Building">
           <span class="none"></span>
         Building</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="release-process.html" title="Release 
Process">
           <span class="none"></span>
         Release Process</a>
             </li>
                               <li class="nav-header">ASF</li>
-                              
+
       <li>
-  
+
                           <a 
href="http://www.apache.org/foundation/how-it-works.html"; class="externalLink" 
title="How Apache Works">
           <span class="none"></span>
         How Apache Works</a>
             </li>
-                
+
       <li>
-  
+
                           <a href="http://www.apache.org/foundation/"; 
class="externalLink" title="Foundation">
           <span class="none"></span>
         Foundation</a>
             </li>
-                
+
       <li>
-  
+
                           <a 
href="http://www.apache.org/foundation/sponsorship.html"; class="externalLink" 
title="Sponsoring Apache">
           <span class="none"></span>
         Sponsoring Apache</a>
             </li>
-                
+
       <li>
-  
+
                           <a 
href="http://www.apache.org/foundation/thanks.html"; class="externalLink" 
title="Thanks">
           <span class="none"></span>
         Thanks</a>
             </li>
             </ul>
-              
-                
+
+
           <hr />
 
            <div id="poweredBy">
-                   
+
     <script type="text/javascript" 
src="https://apis.google.com/js/plusone.js";></script>
 
-    
+
     <div class="g-plusone" data-href="http://syncope.apache.org/"; 
data-size="tall" ></div>
 
                    <div class="clear"></div>
-                   
-        
-        
-        
+
+
+
+
     <iframe 
src="https://www.facebook.com/plugins/like.php?href=http://syncope.apache.org/&send=false&layout=box_count&show-faces=false&action=like&colorscheme=light";
         scrolling="no" frameborder="0"
         style="border:none; width:71px; height:63px; margin-top: 10px;" 
></iframe>
                <div class="clear"></div>
-               
-        
-        
+
+
+
         <div id="twitter">
-    
+
     <a href="https://twitter.com/syncopeidm"; class="twitter-follow-button" 
data-show-count="false" data-align="left" data-size="medium" 
data-show-screen-name="true" data-lang="en">Follow syncopeidm</a>
     <script type="text/javascript">!function(d,s,id){var 
js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
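Review bot: this hunk only strips trailing whitespace, but the context lines it passes over show the Security Advisories page pulling in three third-party widgets (`https://apis.google.com/js/plusone.js`, the `facebook.com/plugins/like.php` iframe, and `//platform.twitter.com/widgets.js` injected by inline script). The Twitter URL is protocol-relative, so on an http:// view of the page the widget script is fetched over plain HTTP, and none of these can be pinned with Subresource Integrity because they are not versioned. For a page whose purpose is to publish vulnerability information, consider dropping the social widgets from `security.html` (they are part of the skin's `poweredBy` block, not the advisory content), or at least make the Twitter `js.src` explicitly `https://`.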
 
@@ -247,252 +247,250 @@
                   </div>
           </div>
         </div>
-        
-                        
+
+
         <div id="bodyColumn"  class="span10" >
-                                  
-            
 
-  
+
+
+
 
     <div class="section">
 <h2><a name="Security_Advisories"></a>Security Advisories</h2>
-      
+
 <p>This page lists all security vulnerabilities fixed in released versions of 
Apache Syncope.</p>
-      
+
 <p>Please note that binary patches are never provided. If you need to apply a 
source code patch, use the <a href="building.html">building instructions</a> or 
<a href="docs/getting-started.html#create-project">re-generate your Maven 
project</a> from published archetype.</p>
 
-      
+
 <p>If you want to report a vulnerability, please follow <a 
class="externalLink" href="http://www.apache.org/security/";>the 
procedure</a>.</p>
 
-      
+
 <div class="section">
-<h3><a 
name="CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements"></a>CVE-2018-1321:
 Remote code execution by administrators with report and template 
entitlements</h3>       
-        
-<p>An administrator with report and template entitlements can use XSL 
Transformations (XSLT) to perform
-          malicious operations, including but not limited to file read, file 
write, and code execution.</p>
+<h3><a 
name="CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting"></a>CVE-2018-1322:
 Information disclosure via FIQL and ORDER BY sorting</h3>
+
+<p>An administrator with user search entitlements can recover sensitive 
security values using the
+          <tt>fiql</tt> and <tt>orderby</tt> parameters.</p>
+
 
-        
 <p>
           <b>Severity</b>
         </p>
-        
+
 <p>Medium</p>
 
-        
+
 <p>
           <b>Affects</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Releases prior to 1.2.11</li>
-            
+
 <li>Releases prior to 2.0.8</li>
           </ul>
-        
-        
+
+
 <p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p>
 
-        
+
 <p>
           <b>Solution</b>
         </p>
-        
-<p>
-          </p>
-<ul>
-            
-<li>Syncope 1.2.x users should upgrade to 1.2.11</li>
-            
-<li>Syncope 2.0.x users should upgrade to 2.0.8</li>
-          </ul>          
-        
-        
-        
-<p>
-          <b>Mitigation</b>
-        </p>
-        
-<p>Do not assign report and template entitlements to any administrator.</p>
 
-        
-<p>
-          <b>Fixed in</b>
-        </p>
-        
 <p>
           </p>
 <ul>
-            
-<li>Release 1.2.11</li>
-            
-<li>Release 2.0.8</li>
-          </ul>
-        
 
-        
-<p>Read the <a class="externalLink" 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321";>full CVE 
advisory</a>.</p>
-      </div>
+<li>Syncope 1.2.x users should upgrade to 1.2.11</li>
 
-      
-<div class="section">
-<h3><a 
name="CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting"></a>CVE-2018-1322:
 Information disclosure via FIQL and ORDER BY sorting</h3> 
-        
-<p>An administrator with user search entitlements can recover sensitive 
security values using the
-          <tt>fiql</tt> and <tt>orderby</tt> parameters.</p>
+<li>Syncope 2.0.x users should upgrade to 2.0.8</li>
+          </ul>
 
-        
-<p>
-          <b>Severity</b>
-        </p>
-        
-<p>Medium</p>
 
-        
-<p>
-          <b>Affects</b>
-        </p>
-        
-<p>
-          </p>
-<ul>
-            
-<li>Releases prior to 1.2.11</li>
-            
-<li>Releases prior to 2.0.8</li>
-          </ul>
-        
-        
-<p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p>
 
-        
-<p>
-          <b>Solution</b>
-        </p>
-        
-<p>
-          </p>
-<ul>
-            
-<li>Syncope 1.2.x users should upgrade to 1.2.11</li>
-            
-<li>Syncope 2.0.x users should upgrade to 2.0.8</li>
-          </ul>          
-        
-        
-        
 <p>
           <b>Mitigation</b>
         </p>
-        
+
 <p>Do not assign user search entitlements to any administrator.</p>
 
-        
+
 <p>
           <b>Fixed in</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Release 1.2.11</li>
-            
+
 <li>Release 2.0.8</li>
           </ul>
-        
 
-        
+
+
 <p>Read the <a class="externalLink" 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322";>full CVE 
advisory</a>.</p>
       </div>
 
-      
+      <div class="section">
+      <h3><a 
name="CVE-2018-1321:_Remote_code_execution_by_administrators_with_report_and_template_entitlements"></a>CVE-2018-1321:
 Remote code execution by administrators with report and template 
entitlements</h3>
+
+      <p>An administrator with report and template entitlements can use XSL 
Transformations (XSLT) to perform
+                malicious operations, including but not limited to file read, 
file write, and code execution.</p>
+
+
+      <p>
+                <b>Severity</b>
+              </p>
+
+      <p>Medium</p>
+
+
+      <p>
+                <b>Affects</b>
+              </p>
+
+      <p>
+                </p>
+      <ul>
+
+      <li>Releases prior to 1.2.11</li>
+
+      <li>Releases prior to 2.0.8</li>
+                </ul>
+
+
+      <p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p>
+
+
+      <p>
+                <b>Solution</b>
+              </p>
+
+      <p>
+                </p>
+      <ul>
+
+      <li>Syncope 1.2.x users should upgrade to 1.2.11</li>
+
+      <li>Syncope 2.0.x users should upgrade to 2.0.8</li>
+                </ul>
+
+
+
+      <p>
+                <b>Mitigation</b>
+              </p>
+
+      <p>Do not assign report and template entitlements to any 
administrator.</p>
+
+
+      <p>
+                <b>Fixed in</b>
+              </p>
+
+      <p>
+                </p>
+      <ul>
+
+      <li>Release 1.2.11</li>
+
+      <li>Release 2.0.8</li>
+                </ul>
+
+
+
+      <p>Read the <a class="externalLink" 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321";>full CVE 
advisory</a>.</p>
+            </div>
+
 <div class="section">
-<h3><a 
name="CVE-2014-3503:_Insecure_Random_implementations_used_to_generate_passwords"></a>CVE-2014-3503:
 Insecure Random implementations used to generate passwords</h3>     
-        
-<p>A password is generated for a user in Apache Syncope under certain  
circumstances, when no existing password 
-          is found. However, the password generation code is relying on 
insecure Random implementations, which means 
+<h3><a 
name="CVE-2014-3503:_Insecure_Random_implementations_used_to_generate_passwords"></a>CVE-2014-3503:
 Insecure Random implementations used to generate passwords</h3>
+
+<p>A password is generated for a user in Apache Syncope under certain  
circumstances, when no existing password
+          is found. However, the password generation code is relying on 
insecure Random implementations, which means
           that an attacker could attempt to guess a generated password.</p>
 
-        
+
 <p>
           <b>Affects</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Releases 1.1.0 to 1.1.7</li>
           </ul>
-        
 
-        
+
+
 <p>
           <b>Fixed in</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Revision <a class="externalLink" 
href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1596537";>1596537</a></li>
-            
+
 <li>Release 1.1.8</li>
           </ul>
-        
 
-        
+
+
 <p>Read the <a class="externalLink" 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3503";>full CVE 
advisory</a>.</p>
       </div>
 
-      
+
 <div class="section">
-<h3><a 
name="CVE-2014-0111:_Remote_code_execution_by_an_authenticated_administrator"></a>CVE-2014-0111:
 Remote code execution by an authenticated administrator</h3>   
-        
-<p>In the various places in which Apache Commons JEXL expressions are allowed 
(derived schema definition, 
-          user / group templates, connObjectLinks of resource mappings) a 
malicious administrator can inject Java code 
+<h3><a 
name="CVE-2014-0111:_Remote_code_execution_by_an_authenticated_administrator"></a>CVE-2014-0111:
 Remote code execution by an authenticated administrator</h3>
+
+<p>In the various places in which Apache Commons JEXL expressions are allowed 
(derived schema definition,
+          user / group templates, connObjectLinks of resource mappings) a 
malicious administrator can inject Java code
           that can be executed remotely by the Java EE container running the 
Apache Syncope core.</p>
 
-        
+
 <p>
           <b>Affects</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Releases 1.0.0 to 1.0.8</li>
-            
+
 <li>Releases 1.1.0 to 1.1.6</li>
           </ul>
-        
 
-        
+
+
 <p>
           <b>Fixed in</b>
         </p>
-        
+
 <p>
           </p>
 <ul>
-            
+
 <li>Revisions <a class="externalLink" 
href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1586349";>1586349</a>
 / <a class="externalLink" 
href="http://svn.apache.org/viewvc?view=revision&amp;revision=r1586317";>1586317</a></li>
-            
+
 <li>Releases 1.0.9 / 1.1.7</li>
           </ul>
-        
 
-        
+
+
 <p>Read the <a class="externalLink" 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0111";>full CVE 
advisory</a>.</p>
       </div>
     </div>
 
-  
+
 
                   </div>
             </div>
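Review bot: the stated goal is "sorted by date", but no advisory on this page carries a date, and the two entries being swapped (CVE-2018-1322 now above CVE-2018-1321) have identical Affects / Fixed-in lists (1.2.11 and 2.0.8), so a reader cannot see which order is intended or check it. Add a publication date line to each advisory block alongside `<b>Severity</b>` / `<b>Affects</b>` (the two 2014 entries lack one as well), so the sort key is visible and the next addition lands in the right place. Separately, the relocated CVE-2018-1321 block is indented six spaces deeper than every other `<div class="section">` on the page and its `<p>`/`<ul>` bodies are indented differently from the sibling sections, which looks like a hand edit of the rendered file; the header says "Generated by Apache Maven Doxia Site Renderer 1.8", so the reorder should be made in the site source and the page regenerated, otherwise the next site build is likely to undo it. Minor: the `cve.mitre.org` and `apache.org/security` links in the context lines are plain `http://`; switch them to `https://`.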
@@ -504,7 +502,7 @@
             <div class="container-fluid">
                       <div class="row-fluid">
                           Apache, Syncope, Apache Syncope, the Apache feather 
logo and the Apache Syncope project logo are trademarks of The Apache Software 
Foundation. All other marks mentioned may be trademarks or registered 
trademarks of their respective owners.
-    
+
     <div class="pull-right">
       <script type="text/javascript" 
src="https://www.ohloh.net/p/syncope/widgets/project_thin_badge.js";></script>
       <a href="https://bestpractices.coreinfrastructure.org/projects/154";>
@@ -522,7 +520,7 @@
     </div>
                 </div>
 
-        
+
                 </div>
     </footer>
         </body>

