security announcement CVE-2017-5643

akka-docs/src/main/paradox/scala/security/2017-08-09-camel.md

@@ -0,0 +1,31 @@
+# Camel Dependency, Fixed in Akka 2.5.4
+
+### Date
+
+9 August 2017
+
+### Description of Vulnerability
+
+Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE, as described in [CVE-2017-5643](https://nvd.nist.gov/vuln/detail/CVE-2017-5643)
+
+To protect against such attacks the system should be updated to Akka *2.4.20*, *2.5.4* or later. Dependencies to Camel libraries should be updated to version 2.17.7.
+
+### Severity
+
+The [CVSS](https://en.wikipedia.org/wiki/CVSS) score of this vulnerability is 7.4 (High), according to [CVE-2017-5643](https://nvd.nist.gov/vuln/detail/CVE-2017-5643).
+
+### Affected Versions
+
+ * Akka *2.4.19* and prior
+ * Akka *2.5.3* and prior
+
+### Fixed Versions
+
+We have prepared patches for the affected versions, and have released the following versions which resolve the issue: 
+
+ * Akka *2.4.20* (Scala 2.11, 2.12)
+ * Akka *2.5.4* (Scala 2.11, 2.12)
+
+### Acknowledgements
+
+We would like to thank Thomas Szymanski for bringing this issue to our attention.

akka-docs/src/main/paradox/scala/security/index.md

@@ -29,5 +29,6 @@ to ensure that a fix can be provided without delay.
 @@@ index
 
 * [2017-02-10-java-serialization](2017-02-10-java-serialization.md)
+* [2017-08-09-camel](2017-08-09-camel.md)
 
 @@@