You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2009/04/08 06:12:30 UTC
svn commit: r762948 - in /tomcat/site/trunk: docs/security-jk.html
xdocs/security-jk.xml
Author: markt
Date: Tue Apr 7 20:39:58 2009
New Revision: 762948
URL: http://svn.apache.org/viewvc?rev=762948&view=rev
Log:
Update site with details of CVE-2008-5519
Modified:
tomcat/site/trunk/docs/security-jk.html
tomcat/site/trunk/xdocs/security-jk.xml
Modified: tomcat/site/trunk/docs/security-jk.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=762948&r1=762947&r2=762948&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-jk.html (original)
+++ tomcat/site/trunk/docs/security-jk.html Tue Apr 7 20:39:58 2009
@@ -218,6 +218,49 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat JK Connector 1.2.27">
+<strong>Fixed in Apache Tomcat JK Connector 1.2.27</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>
+<strong>important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519">
+ CVE-2008-5519</a>
+</p>
+
+ <p>Situations where faulty clients set Content-Length without providing
+ data, or where a user submits repeated requests very quickly, may permit
+ one user to view the response associated with a different user's request.
+ </p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=702540&view=rev">
+ revision 702540</a>.</p>
+
+ <p>Affects: JK 1.2.0-1.2.26<br/>
+ Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
+ 5.5.0-5.5.27</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat JK Connector 1.2.23">
<strong>Fixed in Apache Tomcat JK Connector 1.2.23</strong>
</a>
@@ -263,7 +306,7 @@
</p>
<p>Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only)<br/>
- Source shipped with Tomcat 4.0.1-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
+ Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
5.5.0-5.5.23</p>
</blockquote>
@@ -291,14 +334,14 @@
<p>
<blockquote>
<p>
-<strong>critical: Arbitary code execution and denial of service</strong>
+<strong>critical: Arbitrary code execution and denial of service</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774">
CVE-2007-0774</a>
</p>
<p>An unsafe memory copy in the URI handler for the native JK connector
- could result in a stackoverflow condition which could be leveraged to
- execute arbitary code or crash the web server.</p>
+ could result in a stack overflow condition which could be leveraged to
+ execute arbitrary code or crash the web server.</p>
<p>Affects: JK 1.2.19-1.2.20<br/>
Source shipped with: Tomcat 4.1.34, 5.5.20</p>
@@ -339,7 +382,7 @@
reveal sensitive memory information to a client.</p>
<p>Affects: JK 1.2.0-1.2.15<br/>
- Source shipped with: Tomcat 4.0.1-4.0.6, 4.1.0-4.1.32, 5.0.0-5.0.30,
+ Source shipped with: Tomcat 4.0.0-4.0.6, 4.1.0-4.1.32, 5.0.0-5.0.30,
5.5.0-5.5.16</p>
</blockquote>
Modified: tomcat/site/trunk/xdocs/security-jk.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-jk.xml?rev=762948&r1=762947&r2=762948&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-jk.xml (original)
+++ tomcat/site/trunk/xdocs/security-jk.xml Tue Apr 7 20:39:58 2009
@@ -24,6 +24,26 @@
</section>
+ <section name="Fixed in Apache Tomcat JK Connector 1.2.27">
+ <p><strong>important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519">
+ CVE-2008-5519</a></p>
+
+ <p>Situations where faulty clients set Content-Length without providing
+ data, or where a user submits repeated requests very quickly, may permit
+ one user to view the response associated with a different user's request.
+ </p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=702540&view=rev">
+ revision 702540</a>.</p>
+
+ <p>Affects: JK 1.2.0-1.2.26<br/>
+ Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
+ 5.5.0-5.5.27</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat JK Connector 1.2.23">
<p><strong>important: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860">
@@ -58,19 +78,19 @@
</p>
<p>Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only)<br/>
- Source shipped with Tomcat 4.0.1-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
+ Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
5.5.0-5.5.23</p>
</section>
<section name="Fixed in Apache Tomcat JK Connector 1.2.21">
- <p><strong>critical: Arbitary code execution and denial of service</strong>
+ <p><strong>critical: Arbitrary code execution and denial of service</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774">
CVE-2007-0774</a></p>
<p>An unsafe memory copy in the URI handler for the native JK connector
- could result in a stackoverflow condition which could be leveraged to
- execute arbitary code or crash the web server.</p>
+ could result in a stack overflow condition which could be leveraged to
+ execute arbitrary code or crash the web server.</p>
<p>Affects: JK 1.2.19-1.2.20<br/>
Source shipped with: Tomcat 4.1.34, 5.5.20</p>
@@ -88,7 +108,7 @@
reveal sensitive memory information to a client.</p>
<p>Affects: JK 1.2.0-1.2.15<br/>
- Source shipped with: Tomcat 4.0.1-4.0.6, 4.1.0-4.1.32, 5.0.0-5.0.30,
+ Source shipped with: Tomcat 4.0.0-4.0.6, 4.1.0-4.1.32, 5.0.0-5.0.30,
5.5.0-5.5.16</p>
</section>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org