Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/10/03 19:49:05 UTC

svn commit: r1842754 [5/5] - in /tomcat/site/trunk: docs/index.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1842754&r1=1842753&r2=1842754&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed Oct  3 19:49:05 2018
@@ -50,6 +50,25 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 7.0.91" rtext="19 September 2018">
+  
+    <p><strong>Moderate: Open Redirect</strong>
+       <cve>CVE-2018-11784</cve></p>
+
+    <p>When the default servlet returned a redirect to a directory (e.g.
+       redirecting to <code>/foo/</code> when the user requested
+       <code>/foo</code>) a specially crafted URL could be used to cause the
+       redirect to be generated to any URI of the attackers choice.</p>
+
+    <p>This was fixed in revision <revlink rev="1840057">1840057</revlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by Sergey
+       Bobrov on 28 August 2018 and made public on 3 October 2018.</p>
+
+    <p>Affects: 7.0.23 to 7.0.90</p>
+
+  </section>
+  
   <section name="Fixed in Apache Tomcat 7.0.90" rtext="7 July 2018">
 
     <p><strong>Low: host name verification missing in WebSocket client</strong>
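Review bot: the two blank lines that open and close the new section carry trailing whitespace (the `+  ` lines directly after `<section name="Fixed in Apache Tomcat 7.0.91" rtext="19 September 2018">` and directly before `</section>`), while every other blank line in the context is empty; trim them so the file stays consistent. In the description, `any URI of the attackers choice` needs the possessive `attacker's choice`, and a comma after the closing parenthesis (`... requested <code>/foo</code>), a specially crafted URL could be used ...`) would make the sentence easier to parse.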

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1842754&r1=1842753&r2=1842754&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Wed Oct  3 19:49:05 2018
@@ -50,6 +50,25 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 8.5.34" rtext="10 September 2018">
+  
+    <p><strong>Moderate: Open Redirect</strong>
+       <cve>CVE-2018-11784</cve></p>
+
+    <p>When the default servlet returned a redirect to a directory (e.g.
+       redirecting to <code>/foo/</code> when the user requested
+       <code>/foo</code>) a specially crafted URL could be used to cause the
+       redirect to be generated to any URI of the attackers choice.</p>
+
+    <p>This was fixed in revision <revlink rev="1840056">1840056</revlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by Sergey
+       Bobrov on 28 August 2018 and made public on 3 October 2018.</p>
+
+    <p>Affects: 8.5.0 to 8.5.33</p>
+
+  </section>
+  
   <section name="Fixed in Apache Tomcat 8.0.53" rtext="6 July 2018">
 
     <p><strong>Low: host name verification missing in WebSocket client</strong>
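Review bot: the `Affects: 8.5.0 to 8.5.33` line covers only the 8.5.x branch, yet security-8.xml also tracks 8.0.x (the next section in context is `Fixed in Apache Tomcat 8.0.53`); please confirm whether 8.0.x is affected and, if it is, either extend the Affects line or add a matching section for the 8.0.x fix so readers on that branch are not left without an answer. The description is the same text as in security-7.xml, so the `attackers choice` possessive and the trailing whitespace on the `+  ` blank lines should be corrected here as well, in the same commit.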

Modified: tomcat/site/trunk/xdocs/security-9.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1842754&r1=1842753&r2=1842754&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Wed Oct  3 19:49:05 2018
@@ -50,6 +50,25 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 9.0.12" rtext="10 September 2018">
+  
+    <p><strong>Moderate: Open Redirect</strong>
+       <cve>CVE-2018-11784</cve></p>
+
+    <p>When the default servlet returned a redirect to a directory (e.g.
+       redirecting to <code>/foo/</code> when the user requested
+       <code>/foo</code>) a specially crafted URL could be used to cause the
+       redirect to be generated to any URI of the attackers choice.</p>
+
+    <p>This was fixed in revision <revlink rev="1840055">1840055</revlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by Sergey
+       Bobrov on 28 August 2018 and made public on 3 October 2018.</p>
+
+    <p>Affects: 9.0.0.M1 to 9.0.11</p>
+
+  </section>
+  
   <section name="Fixed in Apache Tomcat 9.0.10" rtext="25 June 2018">
 
     <p><strong>Low: host name verification missing in WebSocket client</strong>
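Review bot: the section's `rtext="10 September 2018"` release date precedes the `made public on 3 October 2018` date in the body, which follows the convention of the existing sections (release first, disclosure later) but is worth double-checking against the actual 9.0.12 release date before publishing, since the 7.x entry in this same commit uses a different release date (19 September 2018) for its fix. The `attackers choice` possessive and the trailing whitespace on the two `+  ` blank lines recur in this file too; fixing all three xdocs files together keeps the generated docs/security-*.html pages consistent.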
