From Secunia: A vulnerability has been reported in Echo2, which can be exploited by malicious people to disclose sensitive information. Input passed as XML to the Echo Engine is not properly verified before being used. This can be exploited to e.g. disclose arbitrary files on an affected system by sending a request containing a specially crafted entity declaration. The vulnerability is reported in version 2.1.0.rc2. Other versions may also be affected. Solution: Update to version 2.1.1.
Upstream announcement: http://echo.nextapp.com/site/node/5742
Bumped in CVS.
thanks, ~arch only.
CVE-2009-5135 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5135): The Java XML parser in Echo before 2.1.1 and 3.x before 3.0.b6 allows remote attackers to read arbitrary files via a request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
