On Jul 6, 2010, at 12:46 PM, Mike Rheinheimer wrote:

> The Wink team recently discovered a security issue that may allow an
> attacker to carry out denial of service attacks and to read arbitrary
> files on the file system of the node where Wink runs. Details of the
> vulnerability are described in the following advisory:
>
> https://svn.apache.org/repos/asf/incubator/wink/trunk/security/CVE-2010-2245.docx
>
> This vulnerability may potentially be exploited on any Wink
> installation that receives XML messages from untrusted sources. We
> strongly recommend to all users who manage this type of installation
> to follow the instructions in the above advisory in order to mitigate
> the security risk caused by this vulnerability.
>
> -- The Wink team

Hi Mike,

Thanks! One minor point -- the general practice at Apache projects is to review an advisory, like this, on either the project's private mailing list or a security mailing list (if the project has one). This gives the PMC (PPMC) a chance to review the advisory, make editorial updates, change document format types, etc.

--kevan
