Author: buildbot
Date: Wed Feb 8 15:20:29 2017
New Revision: 1006409
Log:
Production update by buildbot for camel
Added:
websites/production/camel/content/security-advisories.data/CVE-2016-8749.txt.asc
websites/production/camel/content/security-advisories.data/CVE-2017-3159.txt.asc
Modified:
websites/production/camel/content/cache/main.pageCache
websites/production/camel/content/security-advisories.html
Modified: websites/production/camel/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Added:
websites/production/camel/content/security-advisories.data/CVE-2016-8749.txt.asc
==============================================================================
---
websites/production/camel/content/security-advisories.data/CVE-2016-8749.txt.asc
(added)
+++
websites/production/camel/content/security-advisories.data/CVE-2016-8749.txt.asc
Wed Feb 8 15:20:29 2017
@@ -0,0 +1,35 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2016-8749: Apache Camel's Jackson and JacksonXML unmarshalling operation
are vulnerable
+to Remote Code Execution attacks
+
+Severity: MEDIUM
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Camel 2.16.0 to 2.16.4, Camel 2.17.0 to 2.17.4, Camel
2.18.0 to 2.18.1
+The unsupported Camel 2.x (2.14 and earlier) versions may be also affected.
+
+Description: Apache Camel's camel-jackson and camel-jacksonxml components are
vulnerable to Java object
+de-serialisation vulnerability. Camel allows to specify such a type through
the 'CamelJacksonUnmarshalType'
+property. De-serializing untrusted data can lead to security flaws as
demonstrated in various similar reports about Java de-serialization issues.
+
+Mitigation: 2.16.x users should upgrade to 2.16.5, 2.17.x users should upgrade
to 2.17.5, 2.18.x users should
+upgrade to 2.18.2.
+
+The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-10567 and
https://issues.apache.org/jira/browse/CAMEL-10604
+refers to the various commits that resovoled the issue, and have more details.
+
+Credit: This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co.
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+iQEcBAEBAgAGBQJYmy0QAAoJEONOnzgC/0EABM0H/2hA/LOWlYB9iatYjg054mqZ
+BxMgMrDbvapoTr/ga7FPgm48nTlWlI2Xw0chOV3ZMg1fgH/rCEAhaMQnEgyd4Aor
+tVl8GW43bKwiYv+QrTWmQLXeK4PJHtR8DP0LG7f2EDvwsFcRSo0yE5MmsrQFiWjM
+rXEZINqe56s60pgrdFU0aqsf37iciI9A/UYnOZeBHLQf9QaZv38AMVrTz1awRoX7
+R6b3RvYh0qjGcyYMVH7RDTZ8BS+XdX3GZVKTFPFTZgMjKofA/XDJiOsMJsE2rT+1
+eSOd3Gr2LTIgXAhX1BH1FBghoHXV7hxKmwYo1yT7Dqw2xpdANUtlaEhtTP/Dl9I=
+=/6Ky
+-----END PGP SIGNATURE-----
Added:
websites/production/camel/content/security-advisories.data/CVE-2017-3159.txt.asc
==============================================================================
---
websites/production/camel/content/security-advisories.data/CVE-2017-3159.txt.asc
(added)
+++
websites/production/camel/content/security-advisories.data/CVE-2017-3159.txt.asc
Wed Feb 8 15:20:29 2017
@@ -0,0 +1,33 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+CVE-2017-3159: Apache Camel's Snakeyaml unmarshalling operation is vulnerable
+to Remote Code Execution attacks
+
+Severity: MEDIUM
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: Camel 2.17.0 to 2.17.4, Camel 2.18.0 to 2.18.1
+The unsupported Camel 2.x (2.14 and earlier) versions may be also affected.
+
+Description: Apache Camel's camel-snakeyaml component is vulnerable to Java
object
+de-serialisation vulnerability. De-serializing untrusted data can lead to
security flaws.
+
+Mitigation: 2.17.x users should upgrade to 2.17.5, 2.18.x users should upgrade
to 2.18.2.
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-10575
+refers to the various commits that resovoled the issue, and have more details.
+
+Credit: This issue was discovered by Moritz Bechler from AgNO3 GmbH & Co.
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+iQEcBAEBAgAGBQJYmy8MAAoJEONOnzgC/0EAujYIAI7eOnnkKE7wcHXjMeqUUDrb
+EyqEFaWuUWenUhx5PoVu2zQ0m9m1uRC3vzRQTJzZpN83WOlkDUlcXcJzLAWDy1AW
+W9dHgDTaP2zbUIPKo4Zjy+pur9afirAMRasCS0NAWAETHVi54ZBpCFQVkxk72xdO
+pLxAAnvTQfxbCfqEgTlzttU0ovaG4DOvAteQfpHZyjPxGaY3T15pAGK0ZOBvmd0T
+jATx/Nk3CoSuC8n6ECAbBcenRtycRh6HwvA6HFDFpgR3EI/FOq2/ikG4bLyJdgTW
+VsTmanwq4zKtlhQAAyQvfSJcr/7EoRL1k4Ui0D2oZvMat1fQnwOR13QQQmb73RU=
+=U+u3
+-----END PGP SIGNATURE-----
Modified: websites/production/camel/content/security-advisories.html
==============================================================================
--- websites/production/camel/content/security-advisories.html (original)
+++ websites/production/camel/content/security-advisories.html Wed Feb 8
15:20:29 2017
@@ -75,7 +75,7 @@
<tbody>
<tr>
<td valign="top" width="100%">
-<div class="wiki-content maincontent"><h3
id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2"
data-linked-resource-id="61338184" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5344.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="9">CVE-2015-5344</a> - Apache
Camel's XStream usage is vulnerable to Remote Code Execution
attacks.</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-5348.txt.asc?version=1&modificationDate=1450340845000&api=v2"
data-linked-resource-id="61333112" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5348.txt.asc" data-nice-type="Text
File" data-linked-reso
urce-content-type="text/plain" data-linked-resource-container-id="34833933"
data-linked-resource-container-version="9">CVE-2015-5348</a> - Apache Camel's
Jetty/Servlet usage is vulnerable to Java object de-serialisation
vulnerability.</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-0264.txt.asc?version=1&modificationDate=1426539191000&api=v2"
data-linked-resource-id="54165590" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-0264.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="9">CVE-2015-0264</a> - The XPath
handling in Apache Camel for invalid XML Strings or invalid XML GenericFile
objects allows remote attackers to read arbitrary files via an XML External
Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before
the Exception is thrown.</li><li><a sh
ape="rect"
href="security-advisories.data/CVE-2015-0263.txt.asc?version=1&modificationDate=1426539178000&api=v2"
data-linked-resource-id="54165589" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-0263.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="9">CVE-2015-0263</a> - The XML
converter setup in Apache Camel allows remote attackers to read arbitrary files
via an SAXSource containing an XML External Entity (XXE)
declaration.</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a
shape="rect"
href="security-advisories.data/CVE-2014-0003.txt.asc?version=1&modificationDate=1393615582000&api=v2"
data-linked-resource-id="40009835" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0003.txt.asc" data-nice-type="Tex
t File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="9">CVE-2014-0003</a> - The Apache Camel
XSLT component allows XSL stylesheets to perform calls to external Java
methods.</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0002.txt.asc?version=1&modificationDate=1393615569000&api=v2"
data-linked-resource-id="40009834" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0002.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="9">CVE-2014-0002</a> - The Apache Camel
XSLT component will resolve entities in XML messages when transforming them
using an xslt route.</li></ul><h3
id="SecurityAdvisories-2013">2013</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2013-4330.txt.asc?version=1&am
p;modificationDate=1380633919000&api=v2"
data-linked-resource-id="35192841" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2013-4330.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="9">CVE-2013-4330</a> - Writing files
using FILE or FTP components, can potentially be exploited by a malicious
user.</li></ul><p> </p></div>
+<div class="wiki-content maincontent"><h3
id="SecurityAdvisories-2017">2017</h3><ul><li><p><a shape="rect"
href="security-advisories.data/CVE-2017-3159.txt.asc?version=1&modificationDate=1486565167000&api=v2"
data-linked-resource-id="67641933" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2017-3159.txt.asc"
data-linked-resource-content-type="application/pgp-encrypted"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="12">CVE-2017-3159</a> - Apache Camel's
Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution
attacks</p></li></ul><h3 id="SecurityAdvisories-2016">2016</h3><ul><li><p><a
shape="rect"
href="security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2"
data-linked-resource-id="67641927" data-linked-resource-version="2"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2016-874
9.txt.asc" data-linked-resource-content-type="application/pgp-encrypted"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="12">CVE-2016-8749</a> - Apache
Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote
Code Execution attacks</p></li></ul><h3
id="SecurityAdvisories-2015">2015</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2015-5344.txt.asc?version=1&modificationDate=1454056803000&api=v2"
data-linked-resource-id="61338184" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5344.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="12">CVE-2015-5344</a> - Apache
Camel's XStream usage is vulnerable to Remote Code Execution
attacks.</li><li><a shape="rect" href="security-advisories.data/CVE-2015-5348.t
xt.asc?version=1&modificationDate=1450340845000&api=v2"
data-linked-resource-id="61333112" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-5348.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="12">CVE-2015-5348</a> - Apache Camel's
Jetty/Servlet usage is vulnerable to Java object de-serialisation
vulnerability.</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-0264.txt.asc?version=1&modificationDate=1426539191000&api=v2"
data-linked-resource-id="54165590" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-0264.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="12">CVE-2015-0264</a> - The X
Path handling in Apache Camel for invalid XML Strings or invalid XML
GenericFile objects allows remote attackers to read arbitrary files via an XML
External Entity (XXE) declaration. The XML External Entity (XXE) will be
resolved before the Exception is thrown.</li><li><a shape="rect"
href="security-advisories.data/CVE-2015-0263.txt.asc?version=1&modificationDate=1426539178000&api=v2"
data-linked-resource-id="54165589" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2015-0263.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="12">CVE-2015-0263</a> - The XML
converter setup in Apache Camel allows remote attackers to read arbitrary files
via an SAXSource containing an XML External Entity (XXE)
declaration.</li></ul><h3 id="SecurityAdvisories-2014">2014</h3><ul><li><a
shape="rect" href="security-advi
sories.data/CVE-2014-0003.txt.asc?version=1&modificationDate=1393615582000&api=v2"
data-linked-resource-id="40009835" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0003.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="12">CVE-2014-0003</a> - The Apache
Camel XSLT component allows XSL stylesheets to perform calls to external Java
methods.</li><li><a shape="rect"
href="security-advisories.data/CVE-2014-0002.txt.asc?version=1&modificationDate=1393615569000&api=v2"
data-linked-resource-id="40009834" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2014-0002.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="
12">CVE-2014-0002</a> - The Apache Camel XSLT component will resolve entities
in XML messages when transforming them using an xslt route.</li></ul><h3
id="SecurityAdvisories-2013">2013</h3><ul><li><a shape="rect"
href="security-advisories.data/CVE-2013-4330.txt.asc?version=1&modificationDate=1380633919000&api=v2"
data-linked-resource-id="35192841" data-linked-resource-version="1"
data-linked-resource-type="attachment"
data-linked-resource-default-alias="CVE-2013-4330.txt.asc" data-nice-type="Text
File" data-linked-resource-content-type="text/plain"
data-linked-resource-container-id="34833933"
data-linked-resource-container-version="12">CVE-2013-4330</a> - Writing files
using FILE or FTP components, can potentially be exploited by a malicious
user.</li></ul><p> </p></div>
</td>
<td valign="top">
<div class="navigation">
