You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/02/11 12:42:53 UTC
svn commit: r908937 - in /tomcat/site/trunk: docs/security-5.html
docs/security-6.html xdocs/security-5.xml xdocs/security-6.xml
Author: markt
Date: Thu Feb 11 11:42:48 2010
New Revision: 908937
URL: http://svn.apache.org/viewvc?rev=908937&view=rev
Log:
Fix svn revs for CVE-2009-3555
Make wording more consistent with outher entries
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=908937&r1=908936&r2=908937&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Thu Feb 11 11:42:48 2010
@@ -1212,8 +1212,7 @@
To workaround this until a fix is available in JSSE, a new connector
attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
the BIO connector. It should be set to <code>false</code> (the default)
- to protect against this vulnerability. The attribute will be available in
- Tomcat 5.5.29 onwards.</p>
+ to protect against this vulnerability.</p>
<p>The NIO connector is not vulnerable as it does not support
renegotiation.</p>
@@ -1227,9 +1226,10 @@
renegotiation may result in some clients being unable to access the
application.</p>
- <p>This was worked-around in
- <a href="http://svn.eu.apache.org/viewvc?view=revision&revision=904851">
- revision 881774</a>.</p>
+ <p>A workaround was implemented in
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=904851">
+ revision 904851</a> that provided the new allowUnsafeLegacyRenegotiation
+ attribute. This work around will be included in Tomcat 5.5.29 onwards.</p>
<p>
<strong>JavaMail information disclosure</strong>
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=908937&r1=908936&r2=908937&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Thu Feb 11 11:42:48 2010
@@ -925,8 +925,7 @@
To workaround this until a fix is available in JSSE, a new connector
attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
the BIO connector. It should be set to <code>false</code> (the default)
- to protect against this vulnerability. The attribute will be available in
- Tomcat 6.0.21 onwards.</p>
+ to protect against this vulnerability.</p>
<p>The NIO connector is not vulnerable as it does not support
renegotiation.</p>
@@ -940,9 +939,12 @@
renegotiation may result in some clients being unable to access the
application.</p>
- <p>This was worked-around in
+ <p>A workaround was implemented in
+ <a href="http://svn.apache.org/viewvc?rev=881774&view=rev">
+ revision 881774</a> and
<a href="http://svn.apache.org/viewvc?rev=891292&view=rev">
- revision 881774</a>.</p>
+ revision 891292</a> that provided the new allowUnsafeLegacyRenegotiation
+ attribute. This work around is included in Tomcat 6.0.21 onwards.</p>
<p>
<strong>important: Directory traversal</strong>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=908937&r1=908936&r2=908937&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Thu Feb 11 11:42:48 2010
@@ -581,8 +581,7 @@
To workaround this until a fix is available in JSSE, a new connector
attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
the BIO connector. It should be set to <code>false</code> (the default)
- to protect against this vulnerability. The attribute will be available in
- Tomcat 5.5.29 onwards.</p>
+ to protect against this vulnerability.</p>
<p>The NIO connector is not vulnerable as it does not support
renegotiation.</p>
@@ -596,9 +595,10 @@
renegotiation may result in some clients being unable to access the
application.</p>
- <p>This was worked-around in
- <a href="http://svn.eu.apache.org/viewvc?view=revision&revision=904851">
- revision 881774</a>.</p>
+ <p>A workaround was implemented in
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=904851">
+ revision 904851</a> that provided the new allowUnsafeLegacyRenegotiation
+ attribute. This work around will be included in Tomcat 5.5.29 onwards.</p>
<p><strong>JavaMail information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754">
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=908937&r1=908936&r2=908937&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Thu Feb 11 11:42:48 2010
@@ -476,8 +476,7 @@
To workaround this until a fix is available in JSSE, a new connector
attribute <code>allowUnsafeLegacyRenegotiation</code> has been added to
the BIO connector. It should be set to <code>false</code> (the default)
- to protect against this vulnerability. The attribute will be available in
- Tomcat 6.0.21 onwards.</p>
+ to protect against this vulnerability.</p>
<p>The NIO connector is not vulnerable as it does not support
renegotiation.</p>
@@ -491,9 +490,12 @@
renegotiation may result in some clients being unable to access the
application.</p>
- <p>This was worked-around in
+ <p>A workaround was implemented in
+ <a href="http://svn.apache.org/viewvc?rev=881774&view=rev">
+ revision 881774</a> and
<a href="http://svn.apache.org/viewvc?rev=891292&view=rev">
- revision 881774</a>.</p>
+ revision 891292</a> that provided the new allowUnsafeLegacyRenegotiation
+ attribute. This work around is included in Tomcat 6.0.21 onwards.</p>
<p><strong>important: Directory traversal</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org