| -----BEGIN PGP SIGNED MESSAGE----- |
| Hash: SHA1 |
| |
| |
| CVE-2015-5175: Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks |
| |
| Severity: Major |
| |
| Vendor: The Apache Software Foundation |
| |
| Versions Affected: |
| |
| This vulnerability affects all versions of Apache CXF Fediz prior to 1.2.1 and |
| 1.1.3. |
| |
| Description: |
| |
| Apache CXF Fediz is a subproject of Apache CXF which implements the |
| WS-Federation Passive Requestor Profile for SSO specification. It provides a |
| number of container based plugins to enable SSO for Relying Party applications. |
| These plugins are potentially vulnerable to DoS attacks due to the fact that |
| support for Document Type Declarations (DTDs) is not disabled when parsing |
| the response from the Identity Provider (IdP). |
| |
| This has been fixed in revision: |
| |
| https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=commit;h=f65c961ea31e3c1851daba8e7e49fc37bbf77b19 |
| |
| Migration: |
| |
| Fediz 1.1.x users should upgrade to 1.1.3 or later as soon as possible. |
| Fediz 1.2.x users should upgrade to 1.2.1 or later as soon as possible. |
| |
| References: http://cxf.apache.org/security-advisories.html |
| -----BEGIN PGP SIGNATURE----- |
| Version: GnuPG v1 |
| |
| iQEcBAEBAgAGBQJV3IHcAAoJEGe/gLEK1TmDFSEH/04dyMI4uZPOMc/xI1D/4Jf2 |
| GmtJFzkEDeNVGEUBx3nZW8PwO6zuQ1n7puQpWNNXLyiBY3SRb1rl56WgflgXoJCA |
| Ma302BWP3ONVKfTZepwuzIXCLw8WfsXK9yjZKbP38PrURoZJNlgO/KFC4YCK5L+F |
| oe09JIpv3412HMGt5RxJQ2c0szBoMEQzQEFpETex9IMCNuLvFmLTRFjGUpYMiFvh |
| v/OaOIjUwADJEQyAQlJ0Vr0OROKaApB/nsqnGn1MViRW5qOzJdA0wTi9ic0lZt7F |
| OKnptVKFwaICKiNKO/QRkESmbXyxQCrkiXp5urjog7/c0cFzCLeBtNlJ1v+0swI= |
| =uJn7 |
| -----END PGP SIGNATURE----- |
