Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/05/13 15:17:51 UTC
svn commit: r1481837 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml
Author: markt
Date: Mon May 13 13:17:51 2013
New Revision: 1481837
URL: http://svn.apache.org/r1481837
Log:
Add a note on why CVE-2013-2067 only affects 6.0.21 onwards.
Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/xdocs/security-6.xml
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1481837&r1=1481836&r2=1481837&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon May 13 13:17:51 2013
@@ -338,6 +338,13 @@
the victim's credentials.</p>
+<p>Note that the option to change session ID on authentication was added in
+ Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation
+ was an application responsibility. This vulnerability represents a bug in
+ Tomcat's session fixation protection that was added in 6.0.21.
+ Hence, only versions 6.0.21 onwards are listed as vulnerable.</p>
+
+
<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1417891">1417891</a>.</p>
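Review bot: the two trailing blank `+` lines before the "This was fixed in revision" paragraph leave a double blank line in the generated HTML, whereas the xdocs hunk for the same change adds only one; drop one of them, or regenerate docs/security-6.html from the xdocs source so the two files stay in sync rather than hand-editing the output.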
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1481837&r1=1481836&r2=1481837&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon May 13 13:17:51 2013
@@ -60,6 +60,12 @@
form, an attacker could inject a request that would be executed using
the victim's credentials.</p>
+ <p>Note that the option to change session ID on authentication was added in
+ Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation
+ was an application responsibility. This vulnerability represents a bug in
+ Tomcat's session fixation protection that was added in 6.0.21.
+ Hence, only versions 6.0.21 onwards are listed as vulnerable.</p>
+
<p>This was fixed in revision <revlink rev="1417891">1417891</revlink>.</p>
<p>This issue was identified by the Tomcat security team on 15 Oct 2012 and
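Review bot: the new paragraph states that the option to change the session ID on authentication was added in 6.0.21 but does not name the configuration option or where it is set, so an administrator reading the advisory cannot check whether the affected protection is active in their deployment; consider naming the attribute (or linking the 6.0 configuration reference) in this note. Minor wording point: "6.0.21" appears in two consecutive sentences ("was added in Tomcat 6.0.21" and "that was added in 6.0.21"); the second mention can be dropped.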