You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by sc...@apache.org on 2011/09/10 03:46:47 UTC
svn commit: r1167433 - in /tomcat/site/trunk/docs: security-5.html
security-6.html security-7.html
Author: schultz
Date: Sat Sep 10 01:46:47 2011
New Revision: 1167433
URL: http://svn.apache.org/viewvc?rev=1167433&view=rev
Log:
Update description of CVE-2011-3190 to include mitigation options.
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1167433&r1=1167432&r2=1167433&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Sat Sep 10 01:46:47 2011
@@ -473,7 +473,14 @@
<p>This was reported publicly on 20th August 2011.</p>
<p>Affects: 5.5.0-5.5.33</p>
-
+
+ <p>Mitigation options:</p>
+ <ul>
+ <li>Upgrade to Tomcat 5.5.34</li>
+ <li>Apply the appropriate <a href=" http://svn.apache.org/viewvc?rev=1162960&view=rev">patch</a></li>
+ <li>Configure both Tomcat and the reverse proxy to use a shared secret ("request.secret" attribute in <Connector>; "worker.<i>workername</i>.secret" for mod_jk; mod_proxy_ajp currently does not support shared secrets)</li>
+ <li>Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector</li>
+ </ul>
</blockquote>
</p>
</td>
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1167433&r1=1167432&r2=1167433&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Sat Sep 10 01:46:47 2011
@@ -365,6 +365,13 @@
<p>Affects: 6.0.0-6.0.33</p>
+ <p>Mitigation options:</p>
+ <ul>
+ <li>Upgrade to Tomcat 6.0.34</li>
+ <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162959&view=rev">patch</a></li>
+ <li>Configure both Tomcat and the reverse proxy to use a shared secret ("request.secret" attribute in <Connector>; "worker.<i>workername</i>.secret" for mod_jk; mod_proxy_ajp currently does not support shared secrets)</li>
+ <li>Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector</li>
+ </ul>
</blockquote>
</p>
</td>
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1167433&r1=1167432&r2=1167433&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Sat Sep 10 01:46:47 2011
@@ -350,7 +350,13 @@
<p>This was reported publicly on 20th August 2011.</p>
<p>Affects: 7.0.0-7.0.20</p>
-
+
+ <p>Mitigation options:</p>
+ <ul>
+ <li>Upgrade to Tomcat 7.0.21</li>
+ <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev">patch</a></li>
+ <li>Configure both Tomcat and the reverse proxy to use a shared secret ("request.secret" attribute in <Connector>; "worker.<i>workername</i>.secret" for mod_jk; mod_proxy_ajp currently does not support shared secrets)</li>
+ </ul>
</blockquote>
</p>
</td>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org