Project Roller
Blogs, news and views
Blog Better! Roller is the open source Java blog server that drives Apache Software Foundation blogs and others. Read more on the about page.
Site hosted by
Quick Links
Navigation
Apache Roller 5.0.2 security fix release now available
11.03.2013 by Dave Johnson | 0 Comments
The Apache Roller project has announced the availability of a new Apache Roller 5.0.2 release. This new release is identical to Apache Roller 5.0.1 but with the addition of two security fixes: 1) fix for XSS vulnerability in Roller's search feeds 2) fix for remote code execution vulnerability.
All Roller sites are urged to upgrade to Roller 5.0.2 as soon as possible. Download Apache Roller 5.0.2 at the Roller downloads page here.
You can find a little more information about the vulnerabilities at the links below:
- The official release announcement: Apache Roller 5.0.2 available & upgrade recommended for all Roller sites
- CVE-2013-4171 Apache Roller RSS/Atom Feed templates contain XSS vulnerabilities
- CVE-2013-4212 Apache Roller contains remote code execution vulnerabilities
- This blog entry from Coverity explains the remote execution issue in more detail: Remote Code Execution in Apache Roller via OGNL Injection