Posted to dev@tomcat.apache.org by kk...@apache.org on 2011/09/13 03:04:36 UTC
svn commit: r1169992 - in /tomcat/site/trunk: docs/security-7.html
xdocs/security-7.xml xdocs/stylesheets/tomcat-site.xsl
Author: kkolinko
Date: Tue Sep 13 01:04:36 2011
New Revision: 1169992
URL: http://svn.apache.org/viewvc?rev=1169992&view=rev
Log:
tomcat-site.xsl:
Copy <rev> and <bug> tags from tomcat-docs.xsl.
Add <cve> tag for links to CVE pages.
security-7.xml:
Simplify markup.
Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/stylesheets/tomcat-site.xsl
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1169992&r1=1169991&r2=1169992&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Tue Sep 13 01:04:36 2011
@@ -343,9 +343,7 @@
</ul>
</p>
- <p>This was fixed in revision
- <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev">
- 1162958</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1162958">revision 1162958</a>.</p>
<p>This was reported publicly on 20th August 2011.</p>
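Review bot: the rewritten href on the `+` line carries a bare `&` in `?view=rev&rev=1162958`; inside an HTML attribute value this should be `&amp;rev=`. Since docs/security-7.html is XSLT output, confirm that the committed file actually contains the entity and that only the mail rendering unescaped it; if the generator really emits a bare `&`, the fix belongs in the `$revlink` parameter of the stylesheet, not in this generated file.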
@@ -354,7 +352,7 @@
<p>Mitigation options:</p>
<ul>
<li>Upgrade to Tomcat 7.0.21</li>
- <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev">patch</a>
+ <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?view=rev&rev=1162958">patch</a>
</li>
<li>Configure both Tomcat and the reverse proxy to use a shared secret
("requiredSecret" attribute in
@@ -410,9 +408,7 @@
this vulnerability.
</p>
- <p>This was fixed in revision
- <a href="http://svn.apache.org/viewvc?rev=1153379&view=rev">
- 1153379</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1153379">revision 1153379</a>.</p>
<p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
on 12 August 2011.</p>
@@ -476,16 +472,11 @@
</p>
<p>This was fixed in revisions
- <a href="http://svn.apache.org/viewvc?rev=1145383&view=rev">
- 1145383</a>,
- <a href="http://svn.apache.org/viewvc?rev=1145489&view=rev">
- 1145489</a>,
- <a href="http://svn.apache.org/viewvc?rev=1145571&view=rev">
- 1145571</a>,
- <a href="http://svn.apache.org/viewvc?rev=1145694&view=rev">
- 1145694</a> and
- <a href="http://svn.apache.org/viewvc?rev=1146005&view=rev">
- 1146005</a>.</p>
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1145383">1145383</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1145489">1145489</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1145571">1145571</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1145694">1145694</a> and
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1146005">1146005</a>.</p>
<p>This was identified by the Tomcat security team on 7 July 2011 and
made public on 13 July 2011.</p>
@@ -514,9 +505,7 @@
do not have these permissions but are able to read log files may be able
to discover a user's password.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1140070&view=rev">
- revision 1140070</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1140070">revision 1140070</a>.</p>
<p>This was identified by Polina Genova on 14 June 2011 and
made public on 27 June 2011.</p>
@@ -529,8 +518,8 @@
</p>
<p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
- vulnerability previously reported as
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>. This was initially
+ vulnerability previously reported as <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>.
+ This was initially
<a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395">
reported</a> as a memory leak. If a web application is the first web
application loaded, this bugs allows that web application to potentially
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1169992&r1=1169991&r2=1169992&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Tue Sep 13 01:04:36 2011
@@ -29,8 +29,7 @@
<p><strong>Important: Authentication bypass and information disclosure
</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190"
- rel="nofollow">CVE-2011-3190</a></p>
+ <cve>CVE-2011-3190</cve></p>
<p>Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
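Review bot: `<cve>CVE-2011-3190</cve>` only renders as a link once tomcat-site.xsl has the matching template (added in this same commit); the stylesheet change must be deployed together with this file, otherwise the element is passed through as an unknown tag and the CVE reference silently loses its href and its `rel="nofollow"`. Regenerate docs/security-7.html from this source after the stylesheet change and diff it against the hand-edited HTML in this commit to make sure the two agree.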
@@ -50,9 +49,7 @@
</ul>
</p>
- <p>This was fixed in revision
- <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev">
- 1162958</a>.</p>
+ <p>This was fixed in <revlink rev="1162958">revision 1162958</revlink>.</p>
<p>This was reported publicly on 20th August 2011.</p>
@@ -61,7 +58,7 @@
<p>Mitigation options:</p>
<ul>
<li>Upgrade to Tomcat 7.0.21</li>
- <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev">patch</a></li>
+ <li>Apply the appropriate <revlink rev="1162958">patch</revlink></li>
<li>Configure both Tomcat and the reverse proxy to use a shared secret
("requiredSecret" attribute in
<a href="/tomcat-7.0-doc/config/ajp.html"><Connector></a>;
@@ -74,8 +71,7 @@
<section name="Fixed in Apache Tomcat 7.0.20">
<p><strong>Important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729"
- rel="nofollow">CVE-2011-2729</a></p>
+ <cve>CVE-2011-2729</cve></p>
<p>Due to a bug in the capabilities code, jsvc (the service wrapper for
Linux that is part of the Commons Daemon project) does not drop
@@ -91,9 +87,7 @@
this vulnerability.
</p>
- <p>This was fixed in revision
- <a href="http://svn.apache.org/viewvc?rev=1153379&view=rev">
- 1153379</a>.</p>
+ <p>This was fixed in <revlink rev="1153379">revision 1153379</revlink>.</p>
<p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
on 12 August 2011.</p>
@@ -105,8 +99,7 @@
<section name="Fixed in Apache Tomcat 7.0.19">
<p><strong>Low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526"
- rel="nofollow">CVE-2011-2526</a></p>
+ <cve>CVE-2011-2526</cve></p>
<p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
connectors. sendfile is used automatically for content served via the
@@ -132,16 +125,11 @@
</p>
<p>This was fixed in revisions
- <a href="http://svn.apache.org/viewvc?rev=1145383&view=rev">
- 1145383</a>,
- <a href="http://svn.apache.org/viewvc?rev=1145489&view=rev">
- 1145489</a>,
- <a href="http://svn.apache.org/viewvc?rev=1145571&view=rev">
- 1145571</a>,
- <a href="http://svn.apache.org/viewvc?rev=1145694&view=rev">
- 1145694</a> and
- <a href="http://svn.apache.org/viewvc?rev=1146005&view=rev">
- 1146005</a>.</p>
+ <revlink rev="1145383">1145383</revlink>,
+ <revlink rev="1145489">1145489</revlink>,
+ <revlink rev="1145571">1145571</revlink>,
+ <revlink rev="1145694">1145694</revlink> and
+ <revlink rev="1146005">1146005</revlink>.</p>
<p>This was identified by the Tomcat security team on 7 July 2011 and
made public on 13 July 2011.</p>
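Review bot: each item repeats the revision number in both `rev="…"` and the element text, so a typo in either half goes unnoticed; the `<rev>` template added to tomcat-site.xsl in this same commit takes the number once (`<rev>1145383</rev>` renders as r1145383) and fits a bare list of revisions better than `<revlink>`. `<revlink>` remains the right choice where the link text is prose, as in "Apply the appropriate patch".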
@@ -155,8 +143,7 @@
included in the list of affected versions.</i></p>
<p><strong>Low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204"
- rel="nofollow">CVE-2011-2204</a></p>
+ <cve>CVE-2011-2204</cve></p>
<p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
creating users via JMX, an exception during the user creation process may
@@ -167,9 +154,7 @@
do not have these permissions but are able to read log files may be able
to discover a user's password.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1140070&view=rev">
- revision 1140070</a>.</p>
+ <p>This was fixed in <revlink rev="1140070">revision 1140070</revlink>.</p>
<p>This was identified by Polina Genova on 14 June 2011 and
made public on 27 June 2011.</p>
@@ -177,13 +162,11 @@
<p>Affects: 7.0.0-7.0.16</p>
<p><strong>Low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2481"
- rel="nofollow">CVE-2011-2481</a></p>
+ <cve>CVE-2011-2481</cve></p>
<p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
- vulnerability previously reported as
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783"
- rel="nofollow">CVE-2009-0783</a>. This was initially
+ vulnerability previously reported as <cve>CVE-2009-0783</cve>.
+ This was initially
<a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395">
reported</a> as a memory leak. If a web application is the first web
application loaded, this bugs allows that web application to potentially
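Review bot: the context line "this bugs allows that web application" should read "this bug allows"; since this paragraph is being touched anyway, fix it here so the correction flows into the generated HTML rather than leaving the grammatical error in the advisory.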
Modified: tomcat/site/trunk/xdocs/stylesheets/tomcat-site.xsl
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/stylesheets/tomcat-site.xsl?rev=1169992&r1=1169991&r2=1169992&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/stylesheets/tomcat-site.xsl (original)
+++ tomcat/site/trunk/xdocs/stylesheets/tomcat-site.xsl Tue Sep 13 01:04:36 2011
@@ -17,7 +17,9 @@
<!-- Defined parameters (overrideable) -->
<xsl:param name="relative-path" select="'.'"/>
+ <xsl:param name="buglink" select="'https://issues.apache.org/bugzilla/show_bug.cgi?id='"/>
<xsl:param name="revlink" select="'http://svn.apache.org/viewvc?view=rev&rev='"/>
+ <xsl:param name="cvelink" select="'http://cve.mitre.org/cgi-bin/cvename.cgi?name='"/>
<!-- Defined variables (non-overrideable) -->
<xsl:variable name="body-bg" select="'#ffffff'"/>
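Review bot: the URL parameters contain a bare `&` (`?view=rev&rev=`) inside an XML attribute; in the stylesheet source this must be `&amp;rev=` or the file is not well-formed and the build fails to parse it. If the mail archive unescaped the entity, ignore this. Separately, `$buglink` uses https while `$revlink` and `$cvelink` use http; the three schemes should at least be chosen deliberately rather than by copy-and-paste.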
@@ -334,13 +336,31 @@
</div>
</xsl:template>
+ <!-- Link to a bug report -->
+ <xsl:template match="bug">
+ <xsl:variable name="link"><xsl:value-of select="$buglink"/><xsl:value-of select="text()"/></xsl:variable>
+ <a href="{$link}"><xsl:apply-templates/></a>
+ </xsl:template>
+
+ <!-- Link to a SVN revision report -->
+ <xsl:template match="rev">
+ <xsl:variable name="link"><xsl:value-of select="$revlink"/><xsl:value-of select="text()"/></xsl:variable>
+ <a href="{$link}">r<xsl:apply-templates/></a>
+ </xsl:template>
+
<!-- Link to a SVN revision report -->
- <!-- It is similar to <rev> tag in tomcat-docs.xsl, but allows arbitrary text inside -->
+ <!-- It is similat to <rev> tag, but allows arbitrary text inside -->
<xsl:template match="revlink">
<xsl:variable name="link"><xsl:value-of select="$revlink"/><xsl:value-of select="@rev"/></xsl:variable>
<a href="{$link}"><xsl:apply-templates/></a>
</xsl:template>
+ <!-- Link to a CVE report -->
+ <xsl:template match="cve">
+ <xsl:variable name="link"><xsl:value-of select="$cvelink"/><xsl:value-of select="text()"/></xsl:variable>
+ <a href="{$link}" rel="nofollow"><xsl:apply-templates/></a>
+ </xsl:template>
+
<!-- specially process td tags ala site.vsl -->
<xsl:template match="table[@class='detail-table']/tr/td">
<td bgcolor="{$table-td-bg}" valign="top" align="left">
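Review bot: the comment edit on the `<revlink>` template introduces a typo ("similat") and drops the pointer to where `<rev>` comes from; keep "similar" and, since `<rev>` now lives in this same file, write "It is similar to the <rev> tag above, but allows arbitrary text inside". The `<rev>` and `<revlink>` templates also now share the identical comment "Link to a SVN revision report", which makes them hard to tell apart when scanning. One more point: `<bug>`, `<rev>` and `<cve>` build the href from `text()`, so any markup nested inside these elements would yield an empty id in the URL while `<xsl:apply-templates/>` still renders the text; `string(.)` would be the more robust selector if that ever happens.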