Hi,

TomEE trunk relies on the OpenJPA snapshot.

With such an issue, I wonder about an early release (maybe a beta?). Wdyt?

On 12 June 2013 21:33, "Jeremy Bauer" <[email protected]> wrote:

> CVE-2013-1768: Apache OpenJPA security vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
>
> OpenJPA 1.0.0 to 1.0.4
> OpenJPA 1.1.0
> OpenJPA 1.3.0
> OpenJPA 1.2.0 to 1.2.2
> OpenJPA 2.0.0 to 2.0.1
> OpenJPA 2.1.0 to 2.1.1
> OpenJPA 2.2.0 to 2.2.1
>
> Description: Deserialization of a maliciously crafted OpenJPA object can
> result in an executable file being written to the file system. An
> attacker needs to discover an unprotected server program to exploit the
> vulnerability. It then needs to exploit another unprotected server
> program to execute the file and gain access to the system. OpenJPA
> usage by itself does not introduce the vulnerability.
>
> Mitigation: Users of OpenJPA using a release based upon the JPA 1.0
> specification level should upgrade to the OpenJPA 1.2.3 release. Users
> of OpenJPA using a release based upon the JPA 2.0 specification level
> should upgrade to the OpenJPA 2.2.2 release. Users needing to stay on
> their current release should get the latest code from svn for the
> corresponding branch level or apply a source patch and build a new
> binary package. Nightly snapshots of the latest source builds are also
> available for many branches.
>
> OpenJPA release branch levels and corresponding fix revisions:
>
> OpenJPA 1.0.x revision 1462558:
> http://svn.apache.org/viewvc?view=revision&revision=1462558
> OpenJPA 1.1.x revision 1462512:
> http://svn.apache.org/viewvc?view=revision&revision=1462512
> OpenJPA 1.2.x revision 1462488:
> http://svn.apache.org/viewvc?view=revision&revision=1462488
> OpenJPA 1.3.x revision 1462328:
> http://svn.apache.org/viewvc?view=revision&revision=1462328
> OpenJPA 2.0.x revision 1462318:
> http://svn.apache.org/viewvc?view=revision&revision=1462318
> OpenJPA 2.1.x revision 1462268:
> http://svn.apache.org/viewvc?view=revision&revision=1462268
> OpenJPA 2.2.1.x revision 1462225:
> http://svn.apache.org/viewvc?view=revision&revision=1462225
> OpenJPA 2.2.x revision 1462076:
> http://svn.apache.org/viewvc?view=revision&revision=1462076
>
> Example: An attacker creates a customized serialization of an OpenJPA
> object. The attacker exploits an unprotected server program to execute
> the object. The object includes logic that results in malicious trace
> being written to a file, such as a JSP. The file containing malicious
> commands is written to a potentially vulnerable area of the system. The
> attacker exploits a second unprotected server program to execute the
> file and gain access to the system.
>
> Credit: This issue was discovered by Pierre Ernst of IBM Corporation.
