CVE-2015-5175: Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF Fediz prior to 1.2.1 and 1.1.3.

Description:
Apache CXF Fediz is a subproject of Apache CXF which implements the WS-Federation Passive Requestor Profile for SSO specification. It provides a number of container-based plugins to enable SSO for Relying Party applications. These plugins are potentially vulnerable to DoS attacks because support for Document Type Declarations (DTDs) is not disabled when parsing the response from the Identity Provider (IdP).

This has been fixed in revision:
https://git-wip-us.apache.org/repos/asf?p=cxf-fediz.git;a=commit;h=f65c961ea31e3c1851daba8e7e49fc37bbf77b19

Migration:
Fediz 1.1.x users should upgrade to 1.1.3 or later as soon as possible.
Fediz 1.2.x users should upgrade to 1.2.1 or later as soon as possible.

References:
http://cxf.apache.org/security-advisories.html