Message-ID: <CAGB5yNn7OimVkJ_mArRWQXQ4aOOGko=uxV_Zhf7U79SONY=kGA@mail.gmail.com>
Date: Thu, 17 Dec 2015 10:27:59 +0100
From: Claus Ibsen <claus.ibsen@...il.com>
To: dev <dev@...el.apache.org>, "users@...el.apache.org" <users@...el.apache.org>, 
	oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, 
	security <security@...che.org>
Subject: CVE-2015-5348 - Apache Camel medium disclosure vulnerability

Apache Camel's Jetty/Servlet usage is vulnerable to a Java object
de-serialisation vulnerability

If using camel-jetty or camel-servlet as a consumer in Camel routes,
then Camel will automatically de-serialize HTTP requests that use the
content header: application/x-java-serialized-object.

Please study this security vulnerability carefully!

CVE-2015-5348 - [1]

You can download the fixed Apache Camel 2.15.x and 2.16.x versions from the
Apache mirrors [2] or from the Central Maven repository.


[1] http://camel.apache.org/security-advisories.data/CVE-2015-5348.txt.asc?version=1&modificationDate=1450340845000&api=v2
[2] http://camel.apache.org/download


On behalf of the Camel PMC,
Claus Ibsen

-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
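As an added example, not part of the advisory or of the Camel project: a request-inspection check a defender could run at a reverse proxy, WAF rule test or regression harness to flag requests that declare the application/x-java-serialized-object content type, or that carry a Java serialization stream under a different content type, before they reach a camel-jetty/camel-servlet consumer. The sample requests, the /camel/orders path and the host name are constructed.

```python
# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIALIZED_TYPE = "application/x-java-serialized-object"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_request(raw: bytes) -> list:
    """Return the reasons a request should be flagged; an empty list means no finding."""
    _, headers, body = parse_request(raw)
    reasons = []
    # Compare the media type only: drop parameters such as ';charset=' and ignore case
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == JAVA_SERIALIZED_TYPE:
        reasons.append("content-type asks for Java deserialisation")
    # Inspect the body too: a serialized stream may arrive under an unrelated content type
    if body.startswith(JAVA_STREAM_MAGIC):
        reasons.append("body starts with a Java serialization stream")
    return reasons


# Constructed sample requests (not captured traffic); the body after the magic is truncated
SERIALIZED_REQUEST = (
    b"POST /camel/orders HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Type: Application/X-Java-Serialized-Object; charset=binary\r\n\r\n"
    + JAVA_STREAM_MAGIC + b"\x73\x72"
)
MISLABELLED_REQUEST = (
    b"POST /camel/orders HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    + JAVA_STREAM_MAGIC + b"\x73\x72"
)
JSON_REQUEST = (
    b"POST /camel/orders HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"order": 42}'
)

if __name__ == "__main__":
    for name, req in [("serialized", SERIALIZED_REQUEST), ("mislabelled", MISLABELLED_REQUEST), ("json", JSON_REQUEST)]:
        print(name, classify_request(req) or "clean")
```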
