From f8fd3c6488a2f53d0e02b9cf5a51642416beb7b6 Mon Sep 17 00:00:00 2001 From: Patrik Nordwall Date: Wed, 9 Aug 2017 12:55:27 +0200 Subject: [PATCH] security announcement CVE-2017-5643 --- .../scala/security/2017-08-09-camel.md | 31 +++++++++++++++++++ .../src/main/paradox/scala/security/index.md | 1 + 2 files changed, 32 insertions(+) create mode 100644 akka-docs/src/main/paradox/scala/security/2017-08-09-camel.md diff --git a/akka-docs/src/main/paradox/scala/security/2017-08-09-camel.md b/akka-docs/src/main/paradox/scala/security/2017-08-09-camel.md new file mode 100644 index 0000000000..d01ede83fc --- /dev/null +++ b/akka-docs/src/main/paradox/scala/security/2017-08-09-camel.md @@ -0,0 +1,31 @@ +# Camel Dependency, Fixed in Akka 2.5.4 + +### Date + +9 August 2017 + +### Description of Vulnerability + +Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE, as described in [CVE-2017-5643](https://nvd.nist.gov/vuln/detail/CVE-2017-5643) + +To protect against such attacks the system should be updated to Akka *2.4.20*, *2.5.4* or later. Dependencies to Camel libraries should be updated to version 2.17.7. + +### Severity + +The [CVSS](https://en.wikipedia.org/wiki/CVSS) score of this vulnerability is 7.4 (High), according to [CVE-2017-5643](https://nvd.nist.gov/vuln/detail/CVE-2017-5643). + +### Affected Versions + + * Akka *2.4.19* and prior + * Akka *2.5.3* and prior + +### Fixed Versions + +We have prepared patches for the affected versions, and have released the following versions which resolve the issue: + + * Akka *2.4.20* (Scala 2.11, 2.12) + * Akka *2.5.4* (Scala 2.11, 2.12) + +### Acknowledgements + +We would like to thank Thomas Szymanski for bringing this issue to our attention. diff --git a/akka-docs/src/main/paradox/scala/security/index.md b/akka-docs/src/main/paradox/scala/security/index.md index ab38599ff2..6e536ede39 100644 --- a/akka-docs/src/main/paradox/scala/security/index.md 
+++ b/akka-docs/src/main/paradox/scala/security/index.md @@ -29,5 +29,6 @@ to ensure that a fix can be provided without delay. @@@ index * [2017-02-10-java-serialization](2017-02-10-java-serialization.md) +* [2017-08-09-camel](2017-08-09-camel.md) @@@
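Review bot: in the new file akka-docs/src/main/paradox/scala/security/2017-08-09-camel.md, the "Description of Vulnerability" paragraph ends without a full stop after the [CVE-2017-5643] link, and it never names the Akka module that carries the Camel dependency; as written, the "Affected Versions" list ("Akka *2.4.19* and prior", "Akka *2.5.3* and prior") reads as if every Akka deployment is exposed, whereas the title and description scope this to Apache Camel's Validation Component. Suggest adding a sentence stating that only applications using the Akka module that depends on Camel are affected, and making explicit that "Dependencies to Camel libraries should be updated to version 2.17.7" refers to a direct Camel dependency declared by the application, since upgrading Akka alone would not change a user-pinned Camel version.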