[Orekit Developers] Orekit 7.2.1, 8.0.1, and 9.0.1 released

The Orekit team has released version 7.2.1, 8.0.1, and 9.0.1 of Orekit
to fix a security vulnerability.

Orekit versions 5.0, 6.0, 6.1, 7.0, 7.1, 7.2, 8.0, and 9.0 are
vulnerable to an XML External Entity (XXE) attack when loading XML
format Earth Orientation Parameters (EOP) or Tracking Data Messages
(TDM) from an untrusted source, possibly resulting in denial of service
or data theft. For more on the mechanism and possible exploitations of
XXEs see [1].
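For readers who load EOP or TDM files through their own XML code, the following is an added example of the defensive parser configuration that prevents this class of bug. It is not Orekit's code and not the patch the team shipped; it assumes a standard JAXP DocumentBuilder (the JDK's built-in Xerces) and uses the well-known Xerces/SAX feature URIs. Rejecting the DOCTYPE outright removes every entity mechanism, and the remaining settings are defence in depth for parsers that ignore that feature.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Hardened JAXP parser setup for untrusted XML (illustrative example, not Orekit's own code). */
public final class SafeXmlLoading {

    /** Builds a parser that refuses DOCTYPE declarations and never resolves external entities. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Strongest single setting: any DOCTYPE (and therefore any entity) is a parse error.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation does not honour the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude and entity expansion are other routes to reading files or fetching URLs.
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Parses {@code xml} with the hardened parser; returns the root element name, or null if rejected. */
    public static String rootElementName(String xml) throws Exception {
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            Document doc = hardenedBuilder().parse(in);
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // The hardened parser throws as soon as it encounters the DOCTYPE declaration.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain document and one carrying a DOCTYPE with an internal entity.
        // Element names are made up for the example; they are not the real TDM schema.
        String plain = "<?xml version=\"1.0\"?><tdm><body/></tdm>";
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE tdm [<!ENTITY e \"x\">]><tdm>&e;</tdm>";
        System.out.println("plain document  -> " + rootElementName(plain));
        System.out.println("with DOCTYPE    -> " + rootElementName(withDoctype));
    }
}
```

The same feature URIs apply to SAXParserFactory and, for StAX, the equivalent is setting XMLInputFactory.SUPPORT_DTD to false; whichever parser a project uses, the check to add to its test suite is that a document containing a DOCTYPE is rejected rather than silently accepted.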

The Orekit team recommends that all users update to one of the newly
released versions as quickly as possible.

Security fix versions were not released for the 5.x and 6.x series
because these versions are considered to be obsolete. If you cannot
upgrade from these obsolete versions, please email the Orekit developers
(orekit-developers@orekit.org) to discuss creating a security fix.

A CVE number has been requested.

The new version can be downloaded from [2] or from maven.

Best Regards,

Evan Ward, on behalf of the Orekit team

[1] https://www.vsecurity.com//download/papers/XMLDTDEntityAttacks.pdf
[2] https://www.orekit.org/forge/projects/orekit/files