Am 07.06.2016 um 11:46 schrieb Maruan Sahyoun:
Hi,
Am 07.06.2016 um 11:42 schrieb Andreas Lehmkühler <[email protected]>:
Hi,
Maruan Sahyoun <[email protected]> hat am 6. Juni 2016 um 12:40
geschrieben:
Hi,
Am 06.06.2016 um 11:41 schrieb Simon Steiner <[email protected]>:
Hi,
Should this be on the pdfbox homepage.
I'll let Andreas decide on that
What should we add, just a news posting or adding a new security section as
other projects like Tomcat?
a new post schould do.
Done
BR
Andreas
BR
Andreas
The homepage has http://pdfbox.apache.org/download.cgi but its not
clickable.
done - thanks for letting us know.
Maruan
Thanks
-----Original Message-----
From: Andreas Lehmkuehler [mailto:[email protected]]
Sent: 27 May 2016 07:03
To: [email protected]; [email protected]; [email protected];
[email protected]; [email protected];
[email protected]
Subject: [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability
CVE-2016-2175: Apache PDFBox XML External Entity vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache PDFBox 1.8.0 to 1.8.11
Apache PDFBox 2.0.0
Earlier, unsupported Apache PDFBox versions may be affected as well
Description:
Apache PDFBox parses different XML data within PDF files such as XMP and the
initialization of the XML parsers did not protect against XML External
Entity
(XXE) vulnerabilities. According to www.owasp.org [1]: "This attack may lead
to the disclosure of confidential data, denial of service, server side
request forgery, port scanning from the perspective of the machine where the
parser is located, and other system impacts."
Mitigation:
Upgrade to Apache PDFBox 1.8.12 respectively 2.0.1
Credit:
This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi
Kim, Mesut Timur and Microsoft Vulnerability Research.
[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected] For additional
commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
