This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/master by this push: new 89c238b Added CVE-2020-11973 (#365) 89c238b is described below commit 89c238bc7fbeb863b667d1cbf49f857238c57647 Author: Andrea Cosentino <anco...@gmail.com> AuthorDate: Thu May 14 15:23:22 2020 +0200 Added CVE-2020-11973 (#365) --- content/security/CVE-2020-11973.md | 18 ++++++++++++++++++ content/security/CVE-2020-11973.txt.asc | 27 +++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/content/security/CVE-2020-11973.md b/content/security/CVE-2020-11973.md new file mode 100644 index 0000000..b7052d0 --- /dev/null +++ b/content/security/CVE-2020-11973.md @@ -0,0 +1,18 @@ +--- +title: "Apache Camel Security Advisory - CVE-2020-11973" +date: 2020-05-14T14:47:42+02:00 +url: /security/CVE-2020-11973.html +draft: false +type: security-advisory +cve: CVE-2020-11973 +severity: MEDIUM +summary: "Apache Camel Netty enables Java deserialization by default" +description: "Apache Camel Netty enables Java deserialization by default" +mitigation: "2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0" +credit: "This issue was discovered by Colm O. HEigeartaigh <coheigea at apache dot org> from Apache Software Foundation" +affected: 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 +fixed: 2.25.1, 3.2.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-14477 refers to the various commits that resovoled the issue, and have more details. + diff --git a/content/security/CVE-2020-11973.txt.asc b/content/security/CVE-2020-11973.txt.asc new file mode 100644 index 0000000..d2a0285 --- /dev/null +++ b/content/security/CVE-2020-11973.txt.asc 
@@ -0,0 +1,27 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +CVE-2020-11973: Apache Camel Netty enables Java deserialization by default + +Severity: MEDIUM + +Vendor: The Apache Software Foundation + +Versions Affected: Camel 2.25.0, Camel 3.0.0 to 3.1.0. The unsupported Camel 2.x (2.24 and earlier) versions may be also affected. + +Description: Apache Camel Netty enables Java deserialization by default + +Mitigation: 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0 The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-14447 refers to the various commits that resovoled the issue, and have more details. + +Credit: This issue was discovered by Colm O. HEigeartaigh <coheigea at apache dot org> from Apache Software Foundation +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (GNU/Linux) + +iQEcBAEBAgAGBQJevUX3AAoJEONOnzgC/0EANycIAJD8FSGAr+HGQPBig7wvTR3D +NAOCQjjPrC3KiLrBTW82JBU/0n/tWYTx9hSa1DmafKa4Cu/yO3SWaKbH/V6pT5QC +NJZPn/bOIEyfNErRKIVuLmf9/I0Cwd2rb3CJVN3OhQv0xvE8PcyXQ0F/wDYVXlbR +Lu3HR5dWaNVUC9bs/DCrC2SKI9XKq17JhSYu+W6hHGWrYSIcMvgxV8wOK5gigjLf +Yih+gO378cI1kuq5anf2xAiRxGmDL41uuwQXC+lmrG61UM7ozZe+Tz8/QdBJc4hZ +sxD40oW1UXRqAnmcUkJEpEdSqa740XSWcVVgSOCCn78YAOHm96pcSN0S6JZf1f8= +=Ks1J +-----END PGP SIGNATURE-----
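Review bot: In the CVE-2020-11973.md hunk, the trailing sentence misspells "resolved" as "resovoled", and the JIRA id it cites (CAMEL-14477) does not match the id cited in the CVE-2020-11973.txt.asc hunk of the same commit (CAMEL-14447); one of the two is wrong, and since the mitigation text sends readers to that ticket for the fix commits, check the id against JIRA before publishing. The `affected:` front-matter line also lists 2.22.x, 2.23.x and 2.24.x as affected outright while the signed text only says the unsupported 2.24-and-earlier releases "may be also affected"; the two statements should agree so the HTML page and the signed advisory do not disagree on scope.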
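Review bot: In the CVE-2020-11973.txt.asc hunk, the clearsigned message uses `Hash: SHA1`; a fresh advisory signature should use a SHA-256 digest instead (GnuPG's `--digest-algo SHA256`), since SHA-1 is deprecated for signatures. The signed body also carries the "resovoled" typo and the grammatical mismatch "The JIRA tickets: ... refers", plus the CAMEL-14447 id that disagrees with the .md file; because the text is covered by the signature, these can only be corrected by editing the message and re-signing it, not by patching the .asc file in place.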