Author: veithen
Date: Wed Dec 15 22:01:07 2010
New Revision: 1049728
URL: http://svn.apache.org/viewvc?rev=1049728&view=rev
Log: Updated the security advisory for CVE-2010-1632 with the latest available information.
Modified: axis/axis2/java/core/security/CVE-2010-1632.pdf axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml Modified: axis/axis2/java/core/security/CVE-2010-1632.pdf URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/CVE-2010-1632.pdf?rev=1049728&r1=1049727&r2=1049728&view=diff ============================================================================== Binary files - no diff available. Modified: axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml?rev=1049728&r1=1049727&r2=1049728&view=diff ============================================================================== --- axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml (original) +++ axis/axis2/java/core/security/advisory-cve-2010-1632/src/docbkx/CVE-2010-1632.xml Wed Dec 15 22:01:07 2010 @@ -27,7 +27,7 @@ <surname>Veithen</surname> <email>veit...@apache.org</email> </author> - <releaseinfo>First version: May 16, 2010 ⢠First published: June 13, 2010 ⢠Last updated: July 21, 2010</releaseinfo> + <releaseinfo>First version: May 16, 2010 ⢠First published: June 13, 2010 ⢠Last updated: Dec 15, 2010</releaseinfo> </articleinfo> <section> <title>Description</title> @@ -110,7 +110,7 @@ <title>Axis2 deployments</title> <para> As shown in <xref linkend="solutions"/>, all Axis2 installations with versions - prior to 1.6 are to some extend vulnerable. The most vulnerable installations + prior to 1.5.2 are to some extend vulnerable. The most vulnerable installations are those on which at least one service is deployed that has an HTTP binding accepting messages with content type <literal>application/xml</literal>, i.e. for which the <literal>disableREST</literal> parameter is set to <literal>false</literal>. 
@@ -143,9 +143,10 @@ <para> Axis2 is used by the Synapse, ODE, Tuscany and Geronimo projects from the ASF. The vulnerability has been confirmed by the Geronimo - project (see GERONIMO-5383 for more details). Specific instructions for + project (see GERONIMO-5383 for more details). Specific instructions for patching Geronimo 2.1.x are available at <ulink url="http://geronimo.apache.org/geronimo-21x-cve-2010-1632-patch-instructions.html"/>. + The security fix has been included in Geronimo 2.2.1. It is expected that all other projects in this list are vulnerable as well. </para> @@ -227,8 +228,8 @@ The security issue described in this advisory is fixed in Axis2 1.5.2 and 1.6. These releases forbid document type declarations even for <literal>application/xml</literal> documents. Therefore upgrading to one of - these versions is the best solution. Note that at the date of writing, - neither Axis2 1.5.2 nor Axis2 1.6 has been released yet. However, + these versions is the best solution. Axis2 1.5.2 was released in September 2010. + At the date of writing, Axis2 1.6 has not been released yet. However, snapshot versions are available. </para> </section>
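Review bot: in the `@@ -27,7 +27,7 @@` hunk the separator in the releaseinfo line appears as "â¢" in both the removed and the added line, which is what a UTF-8 bullet looks like when the file is read as Latin-1; since this line is being touched anyway, check that the XML declaration's encoding matches the bytes actually in the file, or replace the separator with a numeric character reference such as &#8226; so the rendered advisory does not depend on the build's default encoding.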
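Review bot: in the `@@ -110,7 +110,7 @@` hunk, "to some extend vulnerable" should read "to some extent vulnerable"; the line is already being rewritten to move the version bound from 1.6 to 1.5.2, so the typo can be fixed in the same change. The new bound is consistent with the later hunk that states the fix is in Axis2 1.5.2 and 1.6.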
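Review bot: in the `@@ -143,9 +143,10 @@` hunk the first changed line ("project (see GERONIMO-5383 for more details). Specific instructions for") is identical before and after apart from whitespace, so a whitespace-only change is mixed into a content update and adds noise to blame and review; it could be dropped. The added sentence "The security fix has been included in Geronimo 2.2.1." would be easier for readers to verify with a link to the corresponding Geronimo release information, in the same way the 2.1.x patch instructions are linked via ulink.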
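Review bot: in the `@@ -227,8 +228,8 @@` hunk, now that Axis2 1.5.2 is stated as released, the unchanged closing sentence "However, snapshot versions are available." reads as if a snapshot might still be needed for 1.5.2; suggest "However, snapshot versions of Axis2 1.6 are available." so the scope is explicit. "At the date of writing" also depends on the "Last updated: Dec 15, 2010" releaseinfo earlier in the file; stating the month directly (for example "As of December 2010") keeps the sentence accurate on its own.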