ode-user mailing list archives

From Matthieu Riou <matthieu.r...@gmail.com>
Subject Re: No Apache ODE 1.3.3 in Maven repos
Date Tue, 18 Aug 2009 16:14:43 GMT
On Mon, Aug 17, 2009 at 7:17 AM, Matthieu Riou <matthieu.riou@gmail.com> wrote:

> On Mon, Aug 17, 2009 at 2:20 AM, Nowakowski, Mateusz <
> Mateusz.Nowakowski@sabre-holdings.com> wrote:
>
>> Is it so difficult to populate the newest ODE to maven repos?
>> :)
>>
>
> Ah sorry, it's not difficult, I just need some time to do it. Hopefully
> later today.
>

It's uploaded and mirrored now:

http://repo1.maven.org/maven2/org/apache/ode/


>
> Matthieu
>
>
>>
>> --
>>
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
>> Sent: Thursday, August 13, 2009 10:22 AM
>> To: dev@ode.apache.org; user@ode.apache.org
>> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3
>>
>> Any update on that?
>>
>> I'm trying to find for example ODE 1.3.3 here:
>> http://repo1.maven.org/maven2/org/apache/ode/ode-jbi/
>> but the newest version is 1.3.2.
>>
>> --
>> Regards
>> Mateusz Nowakowski
>> -----Original Message-----
>> From: Nowakowski, Mateusz [mailto:Mateusz.Nowakowski@sabre-holdings.com]
>> Sent: Tuesday, August 11, 2009 5:32 PM
>> To: dev@ode.apache.org
>> Subject: RE: [ANNOUNCE] Apache ODE 1.3.3 -
>>
>> Hi,
>>
>> I couldn't find ODE 1.3.3 in the main maven repository.
>> Could you place it there?
>>
>> Thanks
>>
>> --
>> Regards
>> Mateusz Nowakowski
>>
>> -----Original Message-----
>> From: matthieu.riou@gmail.com [mailto:matthieu.riou@gmail.com] On Behalf
>> Of Matthieu Riou
>> Sent: Saturday, August 08, 2009 6:41 AM
>> To: security@apache.org; full-disclosure@lists.grok.org.uk;
>> bugtraq@securityfocus.com; dev@ode.apache.org; user@ode.apache.org; Marc
>> Schoenefeld; announce@apache.org
>> Subject: [ANNOUNCE] Apache ODE 1.3.3
>>
>> Hi,
>>
>> I'm pleased to announce the release of ODE 1.3.3, a security release of
>> Apache ODE. It fixes a vulnerability in the process deployment that
>> allowed,
>> using a forged message, to create, overwrite or delete files on the server
>> file system. See the full vulnerability announcement below.
>>
>> Apache ODE is a WS-BPEL compliant web service orchestration engine. It
>> organizes web services calls following a process description written in
>> the
>> BPEL XML grammar. Another way to describe it would be a web-service
>> capable
>> workflow engine.
>>
>> This new release also includes new features, bug fixes and improvements.
>> See the release notes for an exhaustive list:
>> https://issues.apache.org/jira/browse/ODE/fixforversion/12313906
>>
>> For more information, check the Apache ODE website:
>> http://ode.apache.org/
>>
>> Apache ODE is an open source project released under a business-friendly
>> license (Apache License v2.0), as such we welcome your help and
>> contributions. To participate and get involved, our mailing lists are the
>> best resources to start from:
>> http://ode.apache.org/mailing-lists.html
>>
>> Thank you,
>> The Apache ODE Team
>>
>> ------
>>
>> CVE-2008-2370: Apache ODE information disclosure vulnerability
>>
>> Severity: Medium
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: ODE 1.0-incubating to ODE 1.3.2. The unsupported ODE
>> 2.0-beta1 and 2.0-beta2 are also affected.
>>
>> Description: The process deployment web service was sensitive to deployment
>> messages with forged names. Using a path for the name was allowing
>> directory traversal, resulting in the potential writing of files under
>> unwanted locations (like a new WAR under a webapp deployment directory),
>> the overwriting of existing files or their deletion.
>>
>> Mitigation: 1.x users should upgrade to 1.3.3. 2.0-betaX users should
>> obtain the latest source from svn or apply the patch published under
>> http://people.apache.org/~mriou/CVE-2008-2370-patch.txt
>>
>>
>> Example: Deleting a file /tmp/blabla using undeploy by sending the
>> following
>> message to the deployment service:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <soapenv:Envelope xmlns:soapenv="
>> http://schemas.xmlsoap.org/soap/envelope/"
>> xmlns:pmap="http://www.apache.org/ode/pmapi">
>>  <soapenv:Header/>
>>  <soapenv:Body>
>>     <pmap:undeploy>
>>
>> <packageName>../../../../../../../../../../../../../../tmp/blabla</packageName>
>>     </pmap:undeploy>
>>  </soapenv:Body>
>> </soapenv:Envelope>
>> Credit: This issue was discovered by Marc Schoenefeld of Red Hat.
>>
>
>
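The advisory above describes the weak point (a packageName that is really a path) and shows the forged undeploy message. What follows is an added example, not Apache ODE's own code and written in Python rather than the project's Java, of the two checks a deployment service should apply to that field before touching the file system: the name must be a plain identifier, and the canonical path built from it must land directly inside the deployment root. The deploy root (`/var/lib/ode/deploy`) and the benign package name (`HelloWorld2-1`) are constructed values; the traversal name is the one from the advisory.

```python
"""Reject path-traversal package names in ODE-style undeploy requests (added example)."""
import os
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PMAPI_NS = "http://www.apache.org/ode/pmapi"

# A package name must start with an alphanumeric and may then contain only
# alphanumerics, '.', '_' and '-'. This rules out '/', '\\' and a bare '..'.
SAFE_PACKAGE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

# The traversal name used in the advisory's example message.
TRAVERSAL_NAME = "../../../../../../../../../../../../../../tmp/blabla"


def undeploy_message(package_name: str) -> str:
    """Build an undeploy envelope in the shape shown in the advisory (test input only)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:pmap="{PMAPI_NS}">\n'
        " <soapenv:Header/>\n"
        " <soapenv:Body>\n"
        "    <pmap:undeploy>\n"
        f"      <packageName>{package_name}</packageName>\n"
        "    </pmap:undeploy>\n"
        " </soapenv:Body>\n"
        "</soapenv:Envelope>"
    )


FORGED_UNDEPLOY = undeploy_message(TRAVERSAL_NAME)   # the advisory's payload
BENIGN_UNDEPLOY = undeploy_message("HelloWorld2-1")  # constructed, well-formed request


def extract_package_name(soap_xml: str) -> Optional[str]:
    """Return the packageName text of an undeploy request, or None if absent."""
    root = ET.fromstring(soap_xml.strip().encode("utf-8"))
    undeploy = root.find(f"./{{{SOAP_NS}}}Body/{{{PMAPI_NS}}}undeploy")
    if undeploy is None:
        return None
    # In the advisory's message <packageName> carries no namespace.
    name = undeploy.find("packageName")
    if name is None or name.text is None:
        return None
    return name.text.strip()


def is_safe_package_name(name: Optional[str], deploy_root: str) -> bool:
    """True only if name is a plain identifier whose canonical path sits directly under deploy_root."""
    if not name or not SAFE_PACKAGE_NAME.fullmatch(name):
        return False
    root = os.path.realpath(deploy_root)
    target = os.path.realpath(os.path.join(root, name))
    # Second, independent check: after resolving '..' and symlinks, the parent
    # of the target must be the deploy root itself.
    return os.path.dirname(target) == root


def check_undeploy_request(soap_xml: str, deploy_root: str) -> Tuple[Optional[str], bool]:
    """Parse a request and decide whether its package name may reach the file system."""
    name = extract_package_name(soap_xml)
    return name, is_safe_package_name(name, deploy_root)


if __name__ == "__main__":
    for label, msg in (("forged", FORGED_UNDEPLOY), ("benign", BENIGN_UNDEPLOY)):
        name, ok = check_undeploy_request(msg, "/var/lib/ode/deploy")
        print(f"{label}: packageName={name!r} -> {'accept' if ok else 'REJECT'}")
```

The allowlist regex alone already rejects the advisory's payload; the canonical-path check is kept as a second, independent layer so that a future relaxation of the name rules (or a symlink inside the deploy directory) still cannot move the operation outside the root.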
