ode-user mailing list archives

From "Nowakowski, Mateusz" <Mateusz.Nowakow...@sabre-holdings.com>
Subject RE: No Apache ODE 1.3.3 in Maven repos
Date Mon, 17 Aug 2009 15:31:11 GMT
Thanks!

It took nearly a week to get any answer :)

-- 
Regards
Mateusz Nowakowski

-----Original Message-----
From: Matthieu Riou [mailto:matthieu.riou@gmail.com] 
Sent: Monday, August 17, 2009 4:17 PM
To: dev@ode.apache.org
Cc: user@ode.apache.org
Subject: Re: No Apache ODE 1.3.3 in Maven repos

On Mon, Aug 17, 2009 at 2:20 AM, Nowakowski, Mateusz <Mateusz.Nowakowski@sabre-holdings.com> wrote:

> Is it so difficult to populate the newest ODE to maven repos?
> :)
>

Ah sorry, it's not difficult, I just need some time to do it. Hopefully
later today.

Matthieu


>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
> Sent: Thursday, August 13, 2009 10:22 AM
> To: dev@ode.apache.org; user@ode.apache.org
> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>
> Any update on that?
>
> I'm trying to find for example ODE 1.3.3 here:
> http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
> but the newest version is 1.3.2.
>
> --
> Regards
> Mateusz Nowakowski
> -----Original Message-----
> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
> Sent: Tuesday, August 11, 2009 5:32 PM
> To: dev@ode.apache.org
> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 -
>
> Hi,
>
> I couldn't find ODE 1.3.3 in the main maven repository.
> Could you place it there?
>
> Thanks
>
> --
> Regards
> Mateusz Nowakowski
>
> -----Original Message-----
> From: matthieu.riou@gmail.com [mailto:matthieu.riou@gmail.com] On Behalf
> Of Matthieu Riou
> Sent: Saturday, August 08, 2009 6:41 AM
> To: security@apache.org; full-disclosure@lists.grok.org.uk;
> bugtraq@securityfocus.com; dev@ode.apache.org; user@ode.apache.org; Marc
> Schoenefeld; announce@apache.org
> Subject: [ANNOUNCE] Apache ODE 1.3.3
>
> Hi,
>
> I'm pleased to announce the release of ODE 1.3.3, a security release of
> Apache ODE. It fixes a vulnerability in the process deployment that
> allowed,
> using a forged message, to create, overwrite or delete files on the server
> file system. See the full vulnerability announcement below.
>
> Apache ODE is a WS-BPEL compliant web service orchestration engine. It
> organizes web services calls following a process description written in the
> BPEL XML grammar. Another way to describe it would be a web-service capable
> workflow engine.
>
> This new release also includes new features, bug fixes and improvements. See
> the release notes for an exhaustive list:
> <https://issues.apache.org/jira/browse/ODE/fixforversion/12313906>
>
> For more information, check the Apache ODE website:
> http://ode.apache.org/
>
> Apache ODE is an open source project released under a business-friendly
> license (Apache License v2.0), as such we welcome your help and
> contributions. To participate and get involved, our mailing lists are the
> best resources to start from:
> http://ode.apache.org/mailing-lists.html
>
> Thank you,
> The Apache ODE Team
>
> ------
>
> CVE-2008-2370: Apache ODE information disclosure vulnerability
>
> Severity: Medium
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
> 2.0-beta1 and 2.0-beta2 are also affected.
>
> Description: The process deployment web service was susceptible to deployment
> messages with forged names. Using a path for the name was allowing directory
> traversal, resulting in the potential writing of files under unwanted
> locations (like a new WAR under a webapp deployment directory), the
> overwriting of existing files or their deletion.
>
> Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should obtain
> the latest source from svn or apply the patch published under
> <http://people.apache.org/~mriou/CVE-2008-2370-patch.txt>.
>
>
> Example: Deleting a file /tmp/blabla using undeploy by sending the following
> message to the deployment service:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>                   xmlns:pmap="http://www.apache.org/ode/pmapi">
>   <soapenv:Header/>
>   <soapenv:Body>
>     <pmap:undeploy>
>       <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
>     </pmap:undeploy>
>   </soapenv:Body>
> </soapenv:Envelope>
>
> Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
>
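The advisory quoted above describes the flaw (an unvalidated packageName joined onto the deployment directory) and gives one forged undeploy message, but not the check that 1.3.3 introduced. The following is an added example, written for this page in Python rather than taken from ODE's Java code base or from the published patch: it builds the same pmapi undeploy request, extracts the packageName the way a deployment service would, and resolves it both without validation (reproducing the escape to /tmp/blabla) and with an allow-list plus containment check that rejects it. The deployment root /opt/ode/WEB-INF/processes and the benign package name HelloWorld2-1 are assumptions for the example, not paths or names taken from the page.

```python
"""Model of the CVE-2008-2370 packageName traversal and a hardened resolver.

Added example for this page; not Apache ODE's own code and not the 1.3.3 fix.
"""
import posixpath
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from xml.sax.saxutils import escape

PMAPI_NS = "http://www.apache.org/ode/pmapi"

# Assumed deployment root for the example (ODE's real location is not taken from the page).
DEPLOY_DIR = PurePosixPath("/opt/ode/WEB-INF/processes")

# The package name used in the advisory's example message.
FORGED_NAME = "../../../../../../../../../../../../../../tmp/blabla"
# A hypothetical, well-formed package name for comparison.
BENIGN_NAME = "HelloWorld2-1"


def undeploy_message(package_name: str) -> str:
    """Build a pmapi undeploy request (constructed after the advisory's example)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"\n'
        f'                  xmlns:pmap="{PMAPI_NS}">\n'
        "  <soapenv:Header/>\n"
        "  <soapenv:Body>\n"
        "    <pmap:undeploy>\n"
        f"      <packageName>{escape(package_name)}</packageName>\n"
        "    </pmap:undeploy>\n"
        "  </soapenv:Body>\n"
        "</soapenv:Envelope>\n"
    )


def package_name_from_undeploy(soap_xml: str) -> str:
    """Extract packageName from an undeploy request (the element itself is unqualified)."""
    root = ET.fromstring(soap_xml)
    el = root.find(f".//{{{PMAPI_NS}}}undeploy/packageName")
    if el is None or not el.text:
        raise ValueError("undeploy request carries no packageName")
    return el.text


def resolve_unchecked(deploy_dir: PurePosixPath, name: str) -> PurePosixPath:
    """Pre-1.3.3 behaviour as the advisory describes it: the name is joined onto the
    deployment directory as-is, so '..' segments walk out of it."""
    return PurePosixPath(posixpath.normpath(str(deploy_dir / name)))


# A package name is a single path component: no '/', no '\\', cannot start with '.'
# (which also excludes '.' and '..').
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_safe_package_name(name: str) -> bool:
    return bool(_SAFE_NAME.match(name))


def resolve_checked(deploy_dir: PurePosixPath, name: str) -> PurePosixPath:
    """Hardened resolution: allow-list the name, then verify the normalised target
    still lies under deploy_dir (defence in depth against a lenient allow-list)."""
    if not is_safe_package_name(name):
        raise ValueError(f"rejected package name {name!r}")
    target = PurePosixPath(posixpath.normpath(str(deploy_dir / name)))
    if deploy_dir not in target.parents:
        raise ValueError(f"{target} escapes {deploy_dir}")
    return target


def handle_undeploy(deploy_dir: PurePosixPath, soap_xml: str):
    """Server side with the check in place: returns (accepted, path or reason)."""
    name = package_name_from_undeploy(soap_xml)
    try:
        return True, str(resolve_checked(deploy_dir, name))
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name in (FORGED_NAME, BENIGN_NAME):
        msg = undeploy_message(name)
        print("unchecked:", resolve_unchecked(DEPLOY_DIR, package_name_from_undeploy(msg)))
        print("checked:  ", handle_undeploy(DEPLOY_DIR, msg))
```

Run stand-alone it prints the unchecked resolution of the forged name (/tmp/blabla, outside the deployment root) next to the checked handler's rejection, and the benign name resolving under /opt/ode/WEB-INF/processes either way. The allow-list is the primary control; the parents check is kept so that a later relaxation of the regex cannot silently reopen the traversal.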