Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/05/13 15:17:51 UTC

svn commit: r1481837 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml

Author: markt
Date: Mon May 13 13:17:51 2013
New Revision: 1481837

URL: http://svn.apache.org/r1481837
Log:
Add a note on why CVE-2013-2067 only affects 6.0.21 onwards.

Modified:
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1481837&r1=1481836&r2=1481837&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon May 13 13:17:51 2013
@@ -338,6 +338,13 @@
        the victim's credentials.</p>
 
     
+<p>Note that the option to change session ID on authentication was added in
+       Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation
+       was an application responsibility. This vulnerability represents a bug in
+       Tomcat's session fixation protection that was added in 6.0.21.
+       Hence, only versions 6.0.21 onwards are listed as vulnerable.</p>
+
+    
 <p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1417891">1417891</a>.</p>
 
     
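Review bot: the added paragraph names the feature only descriptively ("the option to change session ID on authentication"), so an administrator reading the advisory cannot easily check whether the option is enabled in their own configuration; naming the authenticator attribute that introduced it in 6.0.21 (changeSessionIdOnAuthentication) would make the note actionable. Also worth confirming this file was regenerated from xdocs/security-6.xml rather than edited by hand, since the HTML is generated output and the two hunks must stay in sync.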

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1481837&r1=1481836&r2=1481837&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon May 13 13:17:51 2013
@@ -60,6 +60,12 @@
        form, an attacker could inject a request that would be executed using
        the victim's credentials.</p>
 
+    <p>Note that the option to change session ID on authentication was added in
+       Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation
+       was an application responsibility. This vulnerability represents a bug in
+       Tomcat&apos;s session fixation protection that was added in 6.0.21.
+       Hence, only versions 6.0.21 onwards are listed as vulnerable.</p>
+
     <p>This was fixed in revision <revlink rev="1417891">1417891</revlink>.</p>
 
     <p>This issue was identified by the Tomcat security team on 15 Oct 2012 and
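Review bot: the sentence "In earlier 6.0.x releases, prevention of session fixation was an application responsibility" could be read as "earlier releases are safe"; consider making explicit that 6.0.x before 6.0.21 is not listed because Tomcat offered no protection to be buggy, not because those releases are protected, so users of those releases still need application-level session ID regeneration on login. Otherwise the placement between the impact description and "This was fixed in revision 1417891" reads well, and the &apos; entity is the correct form for the XML source.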


