On Mon, Aug 17, 2009 at 2:20 AM, Nowakowski, Mateusz <[email protected]> wrote:

> Is it so difficult to populate the newest ODE to maven repos?
> :)
>

Ah sorry, it's not difficult, I just need some time to do it. Hopefully later today.

Matthieu

>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: Nowakowski, Mateusz [mailto:[email protected]]
> Sent: Thursday, August 13, 2009 10:22 AM
> To: [email protected]; [email protected]
> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>
> Any update on that?
>
> I'm trying to find for example ODE 1.3.3 here:
> http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
> but the newest version is 1.3.2.
>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: Nowakowski, Mateusz [mailto:[email protected]]
> Sent: Tuesday, August 11, 2009 5:32 PM
> To: [email protected]
> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>
> Hi,
>
> I couldn't find ODE 1.3.3 in the main maven repository.
> Could you place it there?
>
> Thanks
>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Matthieu Riou
> Sent: Saturday, August 08, 2009 6:41 AM
> To: [email protected]; [email protected];
> [email protected]; [email protected]; [email protected]; Marc
> Schoenefeld; [email protected]
> Subject: [ANNOUNCE] Apache ODE 1.3.3
>
> Hi,
>
> I'm pleased to announce the release of ODE 1.3.3, a security release of
> Apache ODE. It fixes a vulnerability in the process deployment that
> allowed, using a forged message, to create, overwrite or delete files on
> the server file system. See the full vulnerability announcement below.
>
> Apache ODE is a WS-BPEL compliant web service orchestration engine. It
> organizes web services calls following a process description written in the
> BPEL XML grammar. Another way to describe it would be a web-service capable
> workflow engine.
>
> This new release also includes new features, bug fixes and improvements. See
> the release notes for an exhaustive list of details:
> https://issues.apache.org/jira/browse/ODE/fixforversion/12313906
>
> For more information, check the Apache ODE website:
> http://ode.apache.org/
>
> Apache ODE is an open source project released under a business-friendly
> license (Apache License v2.0), as such we welcome your help and
> contributions. To participate and get involved, our mailing lists are the
> best resources to start from:
> http://ode.apache.org/mailing-lists.html
>
> Thank you,
> The Apache ODE Team
>
> ------
>
> CVE-2008-2370: Apache ODE information disclosure vulnerability
>
> Severity: Medium
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
> 2.0-beta1 and 2.0-beta2 are also affected.
>
> Description: The process deployment web service was sensitive to deployment
> messages with forged names. Using a path for the name was allowing directory
> traversal, resulting in the potential writing of files under unwanted
> locations (like a new WAR under a webapp deployment directory), the
> overwriting of existing files or their deletion.
>
> Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain
> the latest source from svn or apply the patch published under
> http://people.apache.org/~mriou/CVE-2008-2370-patch.txt
>
> Example: Deleting a file /tmp/blabla using undeploy by sending the following
> message to the deployment service:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>   xmlns:pmap="http://www.apache.org/ode/pmapi">
>   <soapenv:Header/>
>   <soapenv:Body>
>     <pmap:undeploy>
>       <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
>     </pmap:undeploy>
>   </soapenv:Body>
> </soapenv:Envelope>
>
> Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
>
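The advisory quoted above describes a package name that is used to build a file-system path without first being checked, so a name containing `..` segments escapes the deployment directory. The following is an added illustration, written for this archive page and not taken from Apache ODE or from the CVE-2008-2370 patch, of the two checks a deployment or undeployment endpoint should apply before touching the file system: reject anything that is not a plain identifier, and then, as defence in depth, canonicalize the resolved path and confirm it still lies under the deployment root. The class name `DeploymentNameCheck`, the identifier pattern `SAFE_NAME` and the sample root directory are assumptions made for the example.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

/**
 * Added example, not ODE project code: validates a deployment package name
 * before it is turned into a path under the deployment root.
 */
public final class DeploymentNameCheck {

    // Assumed policy for this example: a package name is a plain identifier.
    // No '/', '\\' or leading '.', so "..", "../x" and "..\\x" never match.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    private final File deployRoot;

    public DeploymentNameCheck(File deployRoot) throws IOException {
        // Canonicalize once so that later containment checks compare
        // resolved paths (symlinks and ".." already collapsed).
        this.deployRoot = deployRoot.getCanonicalFile();
    }

    /**
     * Returns the directory a package with this name would occupy, or throws
     * IllegalArgumentException if the name is not a plain identifier or the
     * resolved path falls outside the deployment root.
     */
    public File resolvePackageDir(String packageName) throws IOException {
        if (packageName == null || !SAFE_NAME.matcher(packageName).matches()) {
            throw new IllegalArgumentException("package name is not a plain identifier");
        }
        File candidate = new File(deployRoot, packageName).getCanonicalFile();
        // Defence in depth: even with the whitelist, require that the
        // canonical path is strictly inside the root (root + separator prefix,
        // so a sibling directory sharing the root's name as a prefix is rejected).
        String rootPrefix = deployRoot.getPath() + File.separator;
        if (!candidate.getPath().startsWith(rootPrefix)) {
            throw new IllegalArgumentException("package resolves outside the deployment root");
        }
        return candidate;
    }

    /** Convenience wrapper: true when the name passes both checks. */
    public static boolean isAcceptable(File root, String packageName) {
        try {
            new DeploymentNameCheck(root).resolvePackageDir(packageName);
            return true;
        } catch (IllegalArgumentException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample root under the JVM temp directory.
        File root = new File(System.getProperty("java.io.tmpdir"), "ode-deploy-root-example");
        root.mkdirs();

        String[] names = {
            "HelloWorld2",                                            // ordinary package name
            "../../../../../../../../../../../../../../tmp/blabla",  // the name from the advisory
            "..\\..\\tmp\\blabla",                                    // same idea with backslashes
            "pkg/../../escape",                                       // traversal hidden mid-name
            ".hidden",                                                // leading dot
        };
        for (String name : names) {
            System.out.println(isAcceptable(root, name) + "\t" + name);
        }
    }
}
```

Run with `javac DeploymentNameCheck.java && java DeploymentNameCheck`: only the first name is accepted; the advisory's `../../.../tmp/blabla` and the other traversal variants are rejected by the identifier pattern before any path is built. The canonical-path containment check is kept even though the pattern already excludes separators, so that a future relaxation of the naming policy, or a symlink placed inside the deployment root, cannot silently reintroduce the escape.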
