You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2007/02/25 03:31:19 UTC
svn commit: r511406 - in /tomcat/site/trunk: docs/security-3.html
xdocs/security-3.xml
Author: markt
Date: Sat Feb 24 18:31:19 2007
New Revision: 511406
URL: http://svn.apache.org/viewvc?view=rev&rev=511406
Log:
Add documentation for CVE-2003-0044, CVE-2003-0043 and CVE-2003-0042
Modified:
tomcat/site/trunk/docs/security-3.html
tomcat/site/trunk/xdocs/security-3.xml
Modified: tomcat/site/trunk/docs/security-3.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-3.html?view=diff&rev=511406&r1=511405&r2=511406
==============================================================================
--- tomcat/site/trunk/docs/security-3.html (original)
+++ tomcat/site/trunk/docs/security-3.html Sat Feb 24 18:31:19 2007
@@ -245,6 +245,89 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 3.3.2">
+<strong>Fixed in Apache Tomcat 3.3.2</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>
+<strong>moderate: Cross site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0044">
+ CVE-2003-0044</a>
+</p>
+
+ <p>The root web application and the examples web application contained a
+ number a cross-site scripting vulnerabilities. Note that is it
+ recommended that the examples web application is not installed on
+ production servers.</p>
+
+ <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.1a</p>
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 3.3.1a">
+<strong>Fixed in Apache Tomcat 3.3.1a</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>
+<strong>important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0043">
+ CVE-2003-0043</a>
+</p>
+
+ <p>When used with JDK 1.3.1 or earlier, web.xml files were read with
+ trusted privileges enabling files outside of the web application to be
+ read even when running under a security manager.</p>
+
+ <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.1</p>
+
+ <p>
+<strong>important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0042">
+ CVE-2003-0042</a>
+</p>
+
+ <p>URLs containing null characters could result in file contents being
+ returned or a directory listing being returned even when a welcome file
+ was defined.</p>
+
+ <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.1</p>
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 3.3.1">
<strong>Fixed in Apache Tomcat 3.3.1</strong>
</a>
Modified: tomcat/site/trunk/xdocs/security-3.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-3.xml?view=diff&rev=511406&r1=511405&r2=511406
==============================================================================
--- tomcat/site/trunk/xdocs/security-3.xml (original)
+++ tomcat/site/trunk/xdocs/security-3.xml Sat Feb 24 18:31:19 2007
@@ -38,6 +38,41 @@
<p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.2</p>
</section>
+ <section name="Fixed in Apache Tomcat 3.3.2">
+ <p><strong>moderate: Cross site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0044">
+ CVE-2003-0044</a></p>
+
+ <p>The root web application and the examples web application contained a
+ number a cross-site scripting vulnerabilities. Note that is it
+ recommended that the examples web application is not installed on
+ production servers.</p>
+
+ <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.1a</p>
+ </section>
+
+ <section name="Fixed in Apache Tomcat 3.3.1a">
+ <p><strong>important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0043">
+ CVE-2003-0043</a></p>
+
+ <p>When used with JDK 1.3.1 or earlier, web.xml files were read with
+ trusted privileges enabling files outside of the web application to be
+ read even when running under a security manager.</p>
+
+ <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.1</p>
+
+ <p><strong>important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0042">
+ CVE-2003-0042</a></p>
+
+ <p>URLs containing null characters could result in file contents being
+ returned or a directory listing being returned even when a welcome file
+ was defined.</p>
+
+ <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.1</p>
+ </section>
+
<section name="Fixed in Apache Tomcat 3.3.1">
<p><strong>important: Denial of service</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0045">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org