Security announcement for Deployit 3.9.x, XL Deploy 4.0.x and XL Deploy 4.5.x


XebiaLabs Support

Dear XL Deploy community,

During a recent security audit by XebiaLabs, a number of vulnerabilities were discovered in third-party libraries that XL Deploy uses. As a precaution, and to guard against future vulnerabilities in those libraries, we have upgraded or replaced them.

Please upgrade your installation to one of the following versions:

* XL Deploy 4.5.1
* XL Deploy 4.0.2
* Deployit 3.9.5

The following potential vulnerabilities have been addressed:

* CVE-2009-2625 Xerces: denial-of-service (DoS) vulnerability via malformed XML input
* CVE-2009-4269 Apache Derby: weak password hash generation algorithm
* CVE-2013-0248 Apache Commons FileUpload: symlink attack vulnerability
* CVE-2013-7315 Spring Framework: XML External Entity (XXE) injection flaw
* CVE-2013-7285 XStream: remote code execution due to insecure XML deserialization
* CVE-2014-0050 Apache Commons FileUpload: DoS vulnerability via a crafted Content-Type header
* CVE-2014-0079 Spring Framework: empty passwords may bypass authentication
* JCR-3630 (Apache Jackrabbit issue) Jackrabbit: XSS in DirListingExportHandler