This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 2_1_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/2_1_X by this push:
     new bc2513f  Upgrading site
bc2513f is described below

commit bc2513f22542050b521468f5cb1d52035480afc0
Author: Francesco Chicchiriccò <[email protected]>
AuthorDate: Mon Sep 14 11:56:32 2020 +0200

    Upgrading site
---
 src/site/xdoc/release-process.xml |  2 +-
 src/site/xdoc/security.xml        | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/src/site/xdoc/release-process.xml 
b/src/site/xdoc/release-process.xml
index fc79d41..d765612 100644
--- a/src/site/xdoc/release-process.xml
+++ b/src/site/xdoc/release-process.xml
@@ -588,7 +588,7 @@ svn commit -m "Promoting the staging site"]]></source>
           </li>
           <li>
             Deploy the updated Docker images to <a 
href="https://hub.docker.com/";>DockerHub</a> by adjusting the GIT tag
-            name then running the <a 
href="https://builds.apache.org/job/Syncope-Release-Docker";>dedicated Jenkins 
job</a>.
+            name then running the <a 
href="https://ci-builds.apache.org./job/Syncope/job/Syncope-Release-Docker/";>dedicated
 Jenkins job</a>.
           </li>
         </ol>
       </subsection>
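Review bot: the new href on the `+` line has a stray trailing dot in the hostname, `https://ci-builds.apache.org./job/Syncope/job/Syncope-Release-Docker/`; it should read `https://ci-builds.apache.org/job/Syncope/job/Syncope-Release-Docker/`. A host with a trailing dot is technically a fully-qualified name and may resolve, but it is almost certainly a typo here and will confuse readers copying the link into the release checklist.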
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index d1f1048..e0be46c 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -34,6 +34,45 @@ under the License.
 
       <p>If you want to report a vulnerability, please follow <a 
href="http://www.apache.org/security/";>the procedure</a>.</p>
 
+      <subsection name="CVE-2020-11977: Remote Code Execution via Flowable 
workflow definition">
+        <p>When the Flowable extension is enabled, an administrator with 
workflow entitlements can use Shell Service Tasks to perform malicious 
operations, including but not limited
+           to file read, file write, and code execution.</p>
+
+        <p>
+          <b>Severity</b>
+        </p>
+        <p>Low</p>
+
+        <p>
+          <b>Affects</b>
+        </p>
+        <p>
+          <ul>
+            <li>2.1.X releases prior to 2.1.7</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Solution</b>
+        </p>
+        <p>
+          <ul>
+            <li>2.1.X users should upgrade to 2.1.7</li>
+          </ul>
+        </p>
+
+        <p>
+          <b>Fixed in</b>
+        </p>
+        <p>
+          <ul>
+            <li>Release 2.1.7</li>
+          </ul>
+        </p>
+
+        <p>Read the <a 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11977";>full CVE 
advisory</a>.</p>
+      </subsection>
+
       <subsection name="CVE-2020-1961: Server-Side Template Injection on mail 
templates">
         <p>Vulnerability to Server-Side Template Injection on Mail templates 
enabling attackers to inject arbitrary JEXL
            expressions, leading to Remote Code Execution (RCE) was 
discovered.</p>
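Review bot: the three `<p><ul>...</ul></p>` blocks under Affects, Solution and Fixed in nest a list inside a paragraph, which the HTML content model does not allow (`<p>` cannot contain `<ul>`); the generated page will end up with an empty paragraph followed by the list. Drop the wrapping `<p>` around each `<ul>`, e.g. `<b>Affects</b>` followed directly by `<ul><li>2.1.X releases prior to 2.1.7</li></ul>`. Minor: the advisory link uses `http://cve.mitre.org/...`; prefer `https://` for security advisory references.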
