Thanks!

--
Regards
Mateusz Nowakowski

-----Original Message-----
From: Matthieu Riou [mailto:[email protected]]
Sent: Tuesday, August 18, 2009 6:15 PM
To: [email protected]
Cc: [email protected]
Subject: Re: No Apache ODE 1.3.3 in Maven repos

On Mon, Aug 17, 2009 at 7:17 AM, Matthieu Riou <[email protected]> wrote:

> On Mon, Aug 17, 2009 at 2:20 AM, Nowakowski, Mateusz <
> [email protected]> wrote:
>
>> Is it so difficult to populate the newest ODE to maven repos?
>> :)
>>
>
> Ah sorry, it's not difficult, I just need some time to do it. Hopefully
> later today.
>

It's uploaded and mirrored now: http://repo1.maven.org/maven2/org/apache/ode/

>
> Matthieu
>
>
>>
>> --
>>
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: Nowakowski, Mateusz [mailto:[email protected]]
>> Sent: Thursday, August 13, 2009 10:22 AM
>> To: [email protected]; [email protected]
>> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>>
>> Any update on that?
>>
>> I'm trying to find for example ODE 1.3.3 here:
>> http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
>> but the newest version is 1.3.2.
>>
>> --
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: Nowakowski, Mateusz [mailto:[email protected]]
>> Sent: Tuesday, August 11, 2009 5:32 PM
>> To: [email protected]
>> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 -
>>
>> Hi,
>>
>> I couldn't find ODE 1.3.3 in the main maven repository.
>> Could you place it there?
>>
>> Thanks
>>
>> --
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Matthieu Riou
>> Sent: Saturday, August 08, 2009 6:41 AM
>> To: [email protected]; [email protected];
>> [email protected]; [email protected]; [email protected]; Marc
>> Schoenefeld; [email protected]
>> Subject: [ANNOUNCE] Apache ODE 1.3.3
>>
>> Hi,
>>
>> I'm pleased to announce the release of ODE 1.3.3, a security release of
>> Apache ODE. It fixes a vulnerability in the process deployment that
>> allowed, using a forged message, to create, overwrite or delete files on
>> the server file system. See the full vulnerability announcement below.
>>
>> Apache ODE is a WS-BPEL compliant web service orchestration engine.
>> It organizes web services calls following a process description written
>> in the BPEL XML grammar. Another way to describe it would be a
>> web-service capable workflow engine.
>>
>> This new release also includes new features, bug fixes and improvements.
>> See the release notes for an exhaustive list of details:
>> https://issues.apache.org/jira/browse/ODE/fixforversion/12313906
>>
>> For more information, check the Apache ODE website:
>> http://ode.apache.org/
>>
>> Apache ODE is an open source project released under a business-friendly
>> license (Apache License v2.0), as such we welcome your help and
>> contributions. To participate and get involved, our mailing lists are the
>> best resources to start from:
>> http://ode.apache.org/mailing-lists.html
>>
>> Thank you,
>> The Apache ODE Team
>>
>> ------
>>
>> CVE-2008-2370: Apache ODE information disclosure vulnerability
>>
>> Severity: Medium
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
>> 2.0-beta1 and 2.0-beta2 are also affected.
>>
>> Description: The process deployment web service was sensitive to
>> deployment messages with forged names. Using a path for the name was
>> allowing directory traversal, resulting in the potential writing of files
>> under unwanted locations (like a new WAR under a webapp deployment
>> directory), the overwriting of existing files or their deletion.
>>
>> Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should
>> obtain the latest source from svn or apply the patch published under
>> http://people.apache.org/~mriou/CVE-2008-2370-patch.txt
>>
>> Example: Deleting a file /tmp/blabla using undeploy by sending the
>> following message to the deployment service:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>>     xmlns:pmap="http://www.apache.org/ode/pmapi">
>>   <soapenv:Header/>
>>   <soapenv:Body>
>>     <pmap:undeploy>
>>       <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
>>     </pmap:undeploy>
>>   </soapenv:Body>
>> </soapenv:Envelope>
>>
>> Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
>>
>
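The advisory quoted above explains the bug only in prose: the deployment service joined the client-supplied packageName onto its deployment directory, so a name made of "../" segments walked out of it. The following is an added example written for this page, not Apache ODE's code or the patch linked above. It parses the advisory's undeploy message, shows where the naive join lands, and contrasts it with a containment check that rejects the forged name. The deployment directory (/srv/ode/deploy), the function names and the reconstruction of the pre-1.3.3 join are assumptions; the sample message is constructed from the advisory's example.

```python
"""Added example: directory traversal through a forged packageName, as in
the ODE 1.3.3 advisory, next to a resolution routine that rejects it.

Not Apache ODE's deployment service. The deploy directory, function
names and the naive join are assumed for illustration."""
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PMAPI_NS = "http://www.apache.org/ode/pmapi"

# Constructed sample message, copied from the advisory's undeploy example.
FORGED_UNDEPLOY = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:pmap="http://www.apache.org/ode/pmapi">
  <soapenv:Header/>
  <soapenv:Body>
    <pmap:undeploy>
      <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
    </pmap:undeploy>
  </soapenv:Body>
</soapenv:Envelope>"""


def package_name_from_undeploy(soap_xml: str) -> str:
    """Extract <packageName> from a pmapi undeploy request.

    In the advisory's message pmap:undeploy is namespaced while
    packageName is not, so the child is looked up without a namespace."""
    root = ET.fromstring(soap_xml)
    undeploy = root.find(f"{{{SOAP_NS}}}Body/{{{PMAPI_NS}}}undeploy")
    if undeploy is None:
        raise ValueError("not an undeploy request")
    name = undeploy.findtext("packageName")
    if name is None:
        raise ValueError("undeploy without packageName")
    return name


def naive_package_path(deploy_dir: str, package_name: str) -> str:
    """Assumed reconstruction of the pre-1.3.3 behaviour: the name is
    joined onto the deployment directory unchecked, so '..' segments
    escape it. normpath collapses the traversal just as the OS would."""
    return os.path.normpath(os.path.join(deploy_dir, package_name))


def escapes_deploy_dir(deploy_dir: str, package_name: str) -> bool:
    """True when the naive join resolves outside deploy_dir."""
    base = os.path.normpath(deploy_dir)
    resolved = naive_package_path(deploy_dir, package_name)
    return os.path.commonpath([base, resolved]) != base


def safe_package_path(deploy_dir: str, package_name: str) -> str:
    """Hardened resolution: a package name must be one path component,
    and the canonical target must stay under the deployment directory."""
    if not package_name or package_name in (".", ".."):
        raise ValueError("invalid package name")
    if any(c in package_name for c in ("/", "\\", "\0")):
        raise ValueError("package name must not contain path separators")
    base = os.path.realpath(deploy_dir)
    target = os.path.realpath(os.path.join(base, package_name))
    # commonpath is a per-component comparison, so a sibling such as
    # /srv/ode/deploy-evil is not mistaken for a child of /srv/ode/deploy.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("package path escapes deployment directory")
    return target


if __name__ == "__main__":
    deploy_dir = "/srv/ode/deploy"  # assumed layout
    name = package_name_from_undeploy(FORGED_UNDEPLOY)
    print("naive join resolves to:", naive_package_path(deploy_dir, name))
    try:
        safe_package_path(deploy_dir, name)
    except ValueError as exc:
        print("hardened check rejected it:", exc)
```

The separator check alone already defeats the advisory's payload; the realpath plus commonpath step is kept so that a symlinked package directory or an unexpected name that slips past the first check still cannot point a delete or write outside the deployment root.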
