This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/camel.git
commit 7119b744878c698abb17b31780aa861c08031c02 Author: Andrea Cosentino <[email protected]> AuthorDate: Wed Sep 12 13:40:37 2018 +0200 Security Advisories: Porting to docs --- .../en/security-advisories/CVE-2015-0264.txt.asc | 38 ++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/docs/user-manual/en/security-advisories/CVE-2015-0264.txt.asc b/docs/user-manual/en/security-advisories/CVE-2015-0264.txt.asc new file mode 100644 index 0000000..35e100d --- /dev/null +++ b/docs/user-manual/en/security-advisories/CVE-2015-0264.txt.asc @@ -0,0 +1,38 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + +CVE-2015-0264: Apache Camel medium disclosure vulnerability + +Severity: MEDIUM + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.13.0 to 2.13.3, Camel 2.14.0 to 2.14.1 +The unsupported Camel 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x, 2.10.x, 2.11.x and 2.12.x versions may be also affected. + +Description: The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before the Exception is thrown. + +Mitigation: 2.13.x users should upgrade to 2.13.4, 2.14.x users should upgrade to 2.14.2. This patch will be included from Camel 2.15.0: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da + +Credit: This issue was discovered by Stephan Siano. + +References: http://camel.apache.org/security-advisories.html +-----BEGIN PGP SIGNATURE----- +Version: GnuPG/MacGPG2 v2.0.22 (Darwin) +Comment: GPGTools - http://gpgtools.org + +iQIcBAEBAgAGBQJU/saFAAoJEImh9lEqI5wsh5MQALhKWptMPv5ktFPxVcqORosf +wXiUWvqL4MM67ZDzf4EqsOdMUWtoFB9gPD7ZUU529yji5uzEdPibrkvlPUUBkR6n +funLrsIK3/rFsY/UFWJxGpm0ZWRbp+XqS8iykU27jsACQFPZVSTeURkYHAvKbwOj +s6kAfF72y229kDGi12CP/z+r3XgL7dwrOCZ+Y+WxRUFq6TFSqECSn8+gQtRd9CN+ +/+sXjr+TBmVc2FBz06nFGbS72qVVVxKf0krdrqP8u34Ca9nV0686vozcINxH0CzC +LtGuTCcyqFP+efEbEsC29SlAtQqq0zdTVLmlJF6CmC7yB5wSr0l9BE3nWPDx6OLI +MXtoqXfdvQiOVQB8WlyP9D+c14Vl4U/ywuTERGl+e+QVSp35jdMju4UJJoMzGsM1 +2+PDm5BG7uuu5iuWQMTlwCBeJTPGhFLYrxTtwQ7zGvXZJdG7kElhzuESwDgo+gol +i1AHBVS2w800AkStpSxo6El1/RiZJtq0hp1JJI8oWyUuY4zJqKRAQXtymOgH5xae +o8BF5meg8UmidtQi9woG28o8VRxtfeZIhd/DeM6nuSWtFNdEItzV4ksm89F4Glhy +oNLR1ufk5BJlG7EPj89w7MIklX70u3Q/LWeJOk6u6TGVxPhrZzOH2k7RMALIlKoB +b4sZQjwpBaJG8hlJbvSK +=8G1w +-----END PGP SIGNATURE-----
