You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/01/18 19:36:10 UTC
svn commit: r900501 - in /tomcat/site/trunk: docs/security-native.html
docs/security.html xdocs/security-native.xml xdocs/security.xml
Author: markt
Date: Mon Jan 18 18:36:09 2010
New Revision: 900501
URL: http://svn.apache.org/viewvc?rev=900501&view=rev
Log:
Add a security page for the APR/native connector
Added:
tomcat/site/trunk/docs/security-native.html
tomcat/site/trunk/xdocs/security-native.xml
Modified:
tomcat/site/trunk/docs/security.html
tomcat/site/trunk/xdocs/security.xml
Added: tomcat/site/trunk/docs/security-native.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-native.html?rev=900501&view=auto
==============================================================================
--- tomcat/site/trunk/docs/security-native.html (added)
+++ tomcat/site/trunk/docs/security-native.html Mon Jan 18 18:36:09 2010
@@ -0,0 +1,287 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html>
+<head>
+<title>Apache Tomcat - Apache Tomcat APR/native Connector vulnerabilities</title>
+<meta name="author" content="Apache Tomcat Project"/>
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/>
+</head>
+<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
+<table border="0" width="100%" cellspacing="0">
+<!--PAGE HEADER-->
+<tr>
+<td>
+<!--PROJECT LOGO-->
+<a href="http://tomcat.apache.org/">
+<img src="./images/tomcat10.jpg" align="left" alt="Tomcat Logo" border="0"/>
+</a>
+</td>
+<td>
+<font face="arial,helvetica,sanserif">
+<h1>Apache Tomcat</h1>
+</font>
+</td>
+<td>
+<!--APACHE LOGO-->
+<a href="http://www.apache.org/">
+<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/>
+</a>
+</td>
+</tr>
+</table>
+<div class="searchbox noPrint">
+<form action="http://www.google.com/search" method="get">
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
+<input value="Search the Site" size="25" name="q" id="query" type="text"/>
+<input name="Search" value="Search Site" type="submit"/>
+</form>
+</div>
+<table border="0" width="100%" cellspacing="4">
+<!--HEADER SEPARATOR-->
+<tr>
+<td colspan="2">
+<hr noshade="" size="1"/>
+</td>
+</tr>
+<tr>
+<!--LEFT SIDE NAVIGATION-->
+<td width="20%" valign="top" nowrap="true" class="noPrint">
+<p>
+<strong>Apache Tomcat</strong>
+</p>
+<ul>
+<li>
+<a href="./index.html">Home</a>
+</li>
+<li>
+<a href="./taglibs/">Taglibs</a>
+</li>
+</ul>
+<p>
+<strong>Download</strong>
+</p>
+<ul>
+<li>
+<a href="./whichversion.html">Which version?</a>
+</li>
+<li>
+<a href="./download-60.cgi">Tomcat 6.x</a>
+</li>
+<li>
+<a href="./download-55.cgi">Tomcat 5.5</a>
+</li>
+<li>
+<a href="./download-connectors.cgi">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./download-native.cgi">Tomcat Native</a>
+</li>
+<li>
+<a href="http://archive.apache.org/dist/tomcat">Archives</a>
+</li>
+</ul>
+<p>
+<strong>Documentation</strong>
+</p>
+<ul>
+<li>
+<a href="./tomcat-6.0-doc/index.html">Tomcat 6.0</a>
+</li>
+<li>
+<a href="./tomcat-5.5-doc/index.html">Tomcat 5.5</a>
+</li>
+<li>
+<a href="./connectors-doc">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./native-doc">Tomcat Native</a>
+</li>
+<li>
+<a href="./migration.html">Migration Guide</a>
+</li>
+</ul>
+<p>
+<strong>Problems?</strong>
+</p>
+<ul>
+<li>
+<a href="./security.html">Security Reports</a>
+</li>
+<li>
+<a href="./findhelp.html">Find help</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a>
+</li>
+<li>
+<a href="./lists.html">Mailing Lists</a>
+</li>
+<li>
+<a href="./bugreport.html">Bug Database</a>
+</li>
+<li>
+<a href="./irc.html">IRC</a>
+</li>
+</ul>
+<p>
+<strong>Get Involved</strong>
+</p>
+<ul>
+<li>
+<a href="./getinvolved.html">Overview</a>
+</li>
+<li>
+<a href="./svn.html">SVN Repositories</a>
+</li>
+<li>
+<a href="./lists.html">Mailing Lists</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat">Wiki</a>
+</li>
+</ul>
+<p>
+<strong>Misc</strong>
+</p>
+<ul>
+<li>
+<a href="./whoweare.html">Who We Are</a>
+</li>
+<li>
+<a href="./heritage.html">Heritage</a>
+</li>
+<li>
+<a href="http://www.apache.org">Apache Home</a>
+</li>
+<li>
+<a href="./resources.html">Resources</a>
+</li>
+<li>
+<a href="./contact.html">Contact</a>
+</li>
+<li>
+<a href="./legal.html">Legal</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
+</li>
+</ul>
+</td>
+<!--RIGHT SIDE MAIN BODY-->
+<td width="80%" valign="top" align="left" id="mainBody">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Apache Tomcat APR/native Connector vulnerabilities">
+<strong>Apache Tomcat APR/native Connector vulnerabilities</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>This page lists all security vulnerabilities fixed in released versions
+ of Apache Tomcat APR/native Connector. Each vulnerability is given a
+ <a href="security-impact.html">security impact rating</a> by the Apache
+ Tomcat security team - please note that this rating may vary from
+ platform to platform. We also list the versions of Apache Tomcat APR/native
+ Connectors the flaw is known to affect, and where a flaw has not been
+ verified list the version with a question mark.</p>
+
+ <p>This page has been created from a review of the Apache Tomcat archives
+ and the CVE list. Please send comments or corrections for these
+ vulnerabilities to the <a href="mailto:security@tomcat.apache.org">Tomcat
+ Security Team</a>.</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Not a vulnerability in the Apache Tomcat APR/native Connector">
+<strong>Not a vulnerability in the Apache Tomcat APR/native Connector</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>
+<strong>TLS SSL Man In The Middle</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+ CVE-2009-3555</a>
+</p>
+
+ <p>A vulnerability exists in the TLS protocol that allows an attacker to
+ inject arbitrary requests into an TLS stream during renegotiation.</p>
+
+ <p>The TLS implementation used by Tomcat varies with connector. The
+ APR/native connector uses OpenSSL.</p>
+
+ <p>The APR/native connector is vulnerable if the OpenSSL version used is
+ vulnerable. Note: Building with OpenSSL 0.9.8l will disable all
+ renegotiation and protect against this vulnerability.</p>
+
+ <p>From 1.1.18 onwards, client initiated renegotiations are rejected to
+ provide partial protection against this vulnerability with any OpenSSL
+ version.</p>
+
+ <p>Users should be aware that the impact of disabling renegotiation will
+ vary with both application and client. In some circumstances disabling
+ renegotiation may result in some clients being unable to access the
+ application.</p>
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+<!--FOOTER SEPARATOR-->
+<tr>
+<td colspan="2">
+<hr noshade="" size="1"/>
+</td>
+</tr>
+<!--PAGE FOOTER-->
+<tr>
+<td colspan="2">
+<div align="center">
+<font color="#525D76" size="-1">
+<em>
+ Copyright © 1999-2010, The Apache Software Foundation
+ <br/>
+ "Apache", the Apache feather, and the Apache Tomcat logo are
+ trademarks of the Apache Software Foundation for our open source
+ software.
+ </em>
+</font>
+</div>
+</td>
+</tr>
+</table>
+</body>
+</html>
Modified: tomcat/site/trunk/docs/security.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=900501&r1=900500&r2=900501&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Mon Jan 18 18:36:09 2010
@@ -220,6 +220,10 @@
<a href="security-jk.html">Apache Tomcat JK Connectors Security
Vulnerabilitites</a>
</li>
+ <li>
+<a href="security-native.html">Apache Tomcat APR/native Connector Security
+ Vulnerabilitites</a>
+</li>
</ul>
<p>Lists of security problems fixed in versions of Apache Tomcat that may
Added: tomcat/site/trunk/xdocs/security-native.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-native.xml?rev=900501&view=auto
==============================================================================
--- tomcat/site/trunk/xdocs/security-native.xml (added)
+++ tomcat/site/trunk/xdocs/security-native.xml Mon Jan 18 18:36:09 2010
@@ -0,0 +1,54 @@
+<?xml version="1.0"?>
+<document>
+
+ <properties>
+ <author>Apache Tomcat Project</author>
+ <title>Apache Tomcat APR/native Connector vulnerabilities</title>
+ </properties>
+
+<body>
+
+ <section name="Apache Tomcat APR/native Connector vulnerabilities">
+ <p>This page lists all security vulnerabilities fixed in released versions
+ of Apache Tomcat APR/native Connector. Each vulnerability is given a
+ <a href="security-impact.html">security impact rating</a> by the Apache
+ Tomcat security team - please note that this rating may vary from
+ platform to platform. We also list the versions of Apache Tomcat APR/native
+ Connectors the flaw is known to affect, and where a flaw has not been
+ verified list the version with a question mark.</p>
+
+ <p>This page has been created from a review of the Apache Tomcat archives
+ and the CVE list. Please send comments or corrections for these
+ vulnerabilities to the <a href="mailto:security@tomcat.apache.org">Tomcat
+ Security Team</a>.</p>
+
+ </section>
+
+ <section name="Not a vulnerability in the Apache Tomcat APR/native Connector">
+ <p><strong>TLS SSL Man In The Middle</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+ CVE-2009-3555</a></p>
+
+ <p>A vulnerability exists in the TLS protocol that allows an attacker to
+ inject arbitrary requests into an TLS stream during renegotiation.</p>
+
+ <p>The TLS implementation used by Tomcat varies with connector. The
+ APR/native connector uses OpenSSL.</p>
+
+ <p>The APR/native connector is vulnerable if the OpenSSL version used is
+ vulnerable. Note: Building with OpenSSL 0.9.8l will disable all
+ renegotiation and protect against this vulnerability.</p>
+
+ <p>From 1.1.18 onwards, client initiated renegotiations are rejected to
+ provide partial protection against this vulnerability with any OpenSSL
+ version.</p>
+
+ <p>Users should be aware that the impact of disabling renegotiation will
+ vary with both application and client. In some circumstances disabling
+ renegotiation may result in some clients being unable to access the
+ application.</p>
+ </section>
+
+</body>
+</document>
+
Modified: tomcat/site/trunk/xdocs/security.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=900501&r1=900500&r2=900501&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security.xml (original)
+++ tomcat/site/trunk/xdocs/security.xml Mon Jan 18 18:36:09 2010
@@ -33,6 +33,8 @@
</a></li>
<li><a href="security-jk.html">Apache Tomcat JK Connectors Security
Vulnerabilitites</a></li>
+ <li><a href="security-native.html">Apache Tomcat APR/native Connector Security
+ Vulnerabilitites</a></li>
</ul>
<p>Lists of security problems fixed in versions of Apache Tomcat that may
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org