---------- Forwarded message ----------
Date: Tue, Mar 24, 2015 at 7:22 PM
Subject: CVE-2015-0249: Apache Roller allows admin users to execute arbitrary Java code
To: "[email protected]"
The Apache Software Foundation
The unsupported pre-Roller 5.1 versions may also be affected
A Roller user with Admin-level access to a weblog can edit a weblog
page template and use special Velocity syntax to execute Java code on
There are several ways you can fix this vulnerability:
1) Upgrade to the latest version of Roller, which is now 5.1.2.
2) Or, add the following line to Roller's velocity.properties file:
3) Or, disable template editing on your Roller system by un-checking
the Allow Custom Themes setting in the Server Admin -> Configuration
Theme Settings section.
This issue was discovered by Gregory Draperi.