CVE-2014-0110: Large invalid content could cause temporary space to fill

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 2.6.14 and 2.7.11.

Description:

If a SOAP message generates a fault on parsing or processing, but is not fully consumed, it is possible to cause the server to read all of the remaining data and to save it to a temp file. By dynamically creating data, you can cause the entire /tmp directory to fill.

This has been fixed in revisions:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=8f4799b5bc5ed0fe62d6e018c45d960e3652373e

Migration:

CXF 2.6.x users should upgrade to 2.6.14 or later as soon as possible.
CXF 2.7.x users should upgrade to 2.7.11 or later as soon as possible.

References: http://cxf.apache.org/security-advisories.html

Credits: We would like to thank Giancarlo Pellegrino and Davide Balzarotti for reporting this issue.
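
The failure mode in the Description comes from consuming the unread remainder of a faulted request without a limit. As an added example (not CXF code and not the fix in the commit above), the sketch below shows a general pattern: discard the remainder through a fixed buffer up to a cap, never writing it to disk, and report when the cap is exceeded so the caller can close the connection. The class name `BoundedDrain`, the `drain` helper and the 64 KiB cap are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

/** Added example: discard the unread tail of a request body under a hard cap. */
public class BoundedDrain {

    /**
     * Reads and discards up to maxBytes from in without buffering the data
     * or spooling it to a temp file. Returns true if end of stream was reached
     * within the cap; false means more data is pending and the caller should
     * close the connection instead of reading further.
     */
    static boolean drain(InputStream in, long maxBytes) throws IOException {
        byte[] scratch = new byte[8192];   // reused, so memory use stays constant
        long remaining = maxBytes;
        while (remaining > 0) {
            int n = in.read(scratch, 0, (int) Math.min(scratch.length, remaining));
            if (n < 0) {
                return true;               // body fully consumed within the cap
            }
            remaining -= n;
        }
        // Cap reached: one more read tells "exactly at the cap" from "more data".
        return in.read() < 0;
    }

    public static void main(String[] args) throws IOException {
        long cap = 64 * 1024;              // assumed limit, tune per deployment
        // Constructed inputs standing in for the unread tail of a faulted request.
        InputStream small = new ByteArrayInputStream(new byte[10_000]);
        InputStream large = new ByteArrayInputStream(new byte[1_000_000]);
        System.out.println("small tail fully drained: " + drain(small, cap));
        System.out.println("large tail fully drained: " + drain(large, cap));
    }
}
```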