Hi,

> On 07.06.2016 at 11:42, Andreas Lehmkühler <[email protected]> wrote:
>
> Hi,
>
>> Maruan Sahyoun <[email protected]> wrote on 6 June 2016 at 12:40:
>>
>>
>> Hi,
>>
>>> On 06.06.2016 at 11:41, Simon Steiner <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> Should this be on the pdfbox homepage?
>>
>> I'll let Andreas decide on that
>
> What should we add, just a news posting or adding a new security section as
> other projects like Tomcat?

a new post should do.

>
> BR
> Andreas
>
>>> The homepage has http://pdfbox.apache.org/download.cgi but it's not
>>> clickable.
>>
>> done - thanks for letting us know.
>>
>> Maruan
>>
>>>
>>> Thanks
>>>
>>> -----Original Message-----
>>> From: Andreas Lehmkuehler [mailto:[email protected]]
>>> Sent: 27 May 2016 07:03
>>> To: [email protected]; [email protected]; [email protected];
>>> [email protected]; [email protected];
>>> [email protected]
>>> Subject: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability
>>>
>>> CVE-2016-2175: Apache PDFBox XML External Entity vulnerability
>>>
>>> Severity: Important
>>>
>>> Vendor:
>>> The Apache Software Foundation
>>>
>>> Versions Affected:
>>> Apache PDFBox 1.8.0 to 1.8.11
>>> Apache PDFBox 2.0.0
>>> Earlier, unsupported Apache PDFBox versions may be affected as well
>>>
>>> Description:
>>> Apache PDFBox parses different XML data within PDF files such as XMP and the
>>> initialization of the XML parsers did not protect against XML External Entity
>>> (XXE) vulnerabilities. According to www.owasp.org [1]: "This attack may lead
>>> to the disclosure of confidential data, denial of service, server side
>>> request forgery, port scanning from the perspective of the machine where the
>>> parser is located, and other system impacts."
>>>
>>> Mitigation:
>>> Upgrade to Apache PDFBox 1.8.12 respectively 2.0.1
>>>
>>> Credit:
>>> This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi
>>> Kim, Mesut Timur and Microsoft Vulnerability Research.
>>>
>>> [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
