Posted to dev@tomcat.apache.org by ma...@apache.org on 2007/03/05 05:51:37 UTC

svn commit: r514549 - in /tomcat/site/trunk: docs/security-3.html docs/security-4.html xdocs/security-3.xml xdocs/security-4.xml

Author: markt
Date: Sun Mar  4 20:51:36 2007
New Revision: 514549

URL: http://svn.apache.org/viewvc?view=rev&rev=514549
Log:
Add more CVE reports to the security pages.

Modified:
    tomcat/site/trunk/docs/security-3.html
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/xdocs/security-3.xml
    tomcat/site/trunk/xdocs/security-4.xml

Modified: tomcat/site/trunk/docs/security-3.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-3.html?view=diff&rev=514549&r1=514548&r2=514549
==============================================================================
--- tomcat/site/trunk/docs/security-3.html (original)
+++ tomcat/site/trunk/docs/security-3.html Sun Mar  4 20:51:36 2007
@@ -234,6 +234,18 @@
        There are no plans to issue a an update to Tomcat 3.x for this issue.</p>
 
     <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.2</p>
+
+    <p>
+<strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006">
+       CVE-2002-2006</a>
+</p>
+
+    <p>The snoop servlet installed as part of the examples includes output that
+       identifies the Tomcat installation path. There are no plans to issue a an
+       update to Tomcat 3.x for this issue.</p>
+
+    <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.2</p>
   </blockquote>
 </p>
 </td>
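Review bot: "issue a an update" in the new CVE-2002-2006 paragraph repeats the typo already present on the unchanged context line above it; both should read "issue an update". Since there will be no 3.x fix, the entry should also tell administrators how to close the exposure: the disclosure comes from the snoop servlet in the examples, so one sentence saying that removing the example webapp from a production install removes it would make the entry actionable.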
@@ -353,6 +365,41 @@
        hence Tomcat, to become unresponsive.</p>
 
     <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3</p>
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 3.3">
+<strong>Fixed in Apache Tomcat 3.3</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+    <p>
+<strong>moderate: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2007">
+       CVE-2002-2007</a>
+</p>
+
+    <p>Non-standard requests to the sample applications installed by default
+       could result in unexpected directory listings or disclosure of the full
+       file system path for a JSP.</p>
+
+    <p>Affects: 3.2.3-3.2.4</p>
   </blockquote>
 </p>
 </td>
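Review bot: "Non-standard requests to the sample applications" gives an administrator nothing to test against; the CVE-2002-2009 entry added to security-4 in this same commit names the request prefixes, so either name the request forms here or state explicitly that the reports do not specify them. The new "Fixed in Apache Tomcat 3.3" section also lists "Affects: 3.2.3-3.2.4" while the neighbouring entries start at 3.0; if 3.0-3.2.2 were not checked, say so rather than implying they are clean.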

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?view=diff&rev=514549&r1=514548&r2=514549
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Sun Mar  4 20:51:36 2007
@@ -287,6 +287,53 @@
        processing threads, and hence Tomcat as a whole, to become unresponsive.</p>
 
     <p>Affects: 4.0.0-4.0.6</p>
+
+    <p>
+<strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006">
+       CVE-2002-2006</a>
+</p>
+
+    <p>The snoop and trouble shooting servlets installed as part of the examples
+       include output that identifies the Tomcat installation path.</p>
+
+    <p>Affects: 4.0.0-4.0.6</p>
+
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 4.0.2">
+<strong>Fixed in Apache Tomcat 4.0.2</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+    <p>
+<strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2009">
+       CVE-2002-2009</a>
+</p>
+
+    <p>Requests for JSP files where the file name is preceded by '+/', '&gt;/',
+       '&lt;/' or %20/ would result in in an error page that included the full
+       file system path to the JSP file.</p> 
+
+    <p>Affects: 4.0.0-4.0.1</p>
   </blockquote>
 </p>
 </td>
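Review bot: in the CVE-2002-2009 paragraph "%20/" is the only prefix not quoted like '+/', '&gt;/' and '&lt;/', and "would result in in an error page" doubles "in"; "trouble shooting servlets" should be "troubleshooting servlets", and the line ending `file system path to the JSP file.</p>` carries trailing whitespace. These should be corrected in the xdocs source as well, since this file mirrors it. On content, the 4.x CVE-2002-2006 entry, unlike its 3.x counterpart, says nothing about whether a fix exists or that removing the examples webapp removes the exposure; add one sentence either way.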
@@ -314,12 +361,17 @@
     <p>
 <strong>low: Installation path disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4703">
-       CVE-2005-4703</a>
+       CVE-2005-4703</a>, 
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2008">
+       CVE-2002-2008</a>
+<br/>
 </p>
     <p>This issue only affects Windows operating systems. It can not be
        reproduced on Windows XP Home with JDKs 1.3.1, 1.4.2, 1.5.0 or 1.6.0.
        Further investigation is required to determine the Windows operating
-       system and JDK combinations that do exhibit this issue.</p>
+       system and JDK combinations that do exhibit this issue. The
+       vulnerability reports for this issue state that it is fixed in 4.1.3
+       onwards.</p>
 
     <p>Affects: 4.0.3?</p>
   </blockquote>
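Review bot: the added sentence "fixed in 4.1.3 onwards" is inconsistent with the unchanged "Affects: 4.0.3?" two lines below; if the reports give 4.1.3 as the fix, state the range they imply (4.0.3 up to 4.1.2), marked as unverified, instead of a lone "4.0.3?". The `<br/>` added before `</p>` after the CVE-2002-2008 link is stray and only renders an empty line; drop it. "It can not be" reads better as "It cannot be".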

Modified: tomcat/site/trunk/xdocs/security-3.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-3.xml?view=diff&rev=514549&r1=514548&r2=514549
==============================================================================
--- tomcat/site/trunk/xdocs/security-3.xml (original)
+++ tomcat/site/trunk/xdocs/security-3.xml Sun Mar  4 20:51:36 2007
@@ -36,6 +36,16 @@
        There are no plans to issue a an update to Tomcat 3.x for this issue.</p>
 
     <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.2</p>
+
+    <p><strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006">
+       CVE-2002-2006</a></p>
+
+    <p>The snoop servlet installed as part of the examples includes output that
+       identifies the Tomcat installation path. There are no plans to issue a an
+       update to Tomcat 3.x for this issue.</p>
+
+    <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3-3.3.2</p>
   </section>
 
   <section name="Fixed in Apache Tomcat 3.3.2">
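Review bot: the "issue a an update" typo in the new CVE-2002-2006 paragraph must be fixed here, in the xdocs source, or it will come straight back into the generated security-3.html on the next build; the unchanged context line above the new paragraph carries the same typo and should be corrected in the same commit.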
@@ -84,6 +94,18 @@
        hence Tomcat, to become unresponsive.</p>
 
     <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3</p>
+  </section>
+
+  <section name="Fixed in Apache Tomcat 3.3">
+    <p><strong>moderate: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2007">
+       CVE-2002-2007</a></p>
+
+    <p>Non-standard requests to the sample applications installed by default
+       could result in unexpected directory listings or disclosure of the full
+       file system path for a JSP.</p>
+
+    <p>Affects: 3.2.3-3.2.4</p>
   </section>
 
 </body>
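Review bot: CVE-2002-2007 is rated "moderate" while every other path-disclosure entry in this commit is "low"; if the directory listings of the sample applications are what raise it, the paragraph should say so (a listing exposes more than the path of one JSP), otherwise align the rating with the other entries so readers can compare severities.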

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?view=diff&rev=514549&r1=514548&r2=514549
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Sun Mar  4 20:51:36 2007
@@ -64,16 +64,42 @@
        processing threads, and hence Tomcat as a whole, to become unresponsive.</p>
 
     <p>Affects: 4.0.0-4.0.6</p>
+
+    <p><strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006">
+       CVE-2002-2006</a></p>
+
+    <p>The snoop and trouble shooting servlets installed as part of the examples
+       include output that identifies the Tomcat installation path.</p>
+
+    <p>Affects: 4.0.0-4.0.6</p>
+
+  </section>
+
+  <section name="Fixed in Apache Tomcat 4.0.2">
+    <p><strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2009">
+       CVE-2002-2009</a></p>
+
+    <p>Requests for JSP files where the file name is preceded by '+/', '&gt;/',
+       '&lt;/' or %20/ would result in in an error page that included the full
+       file system path to the JSP file.</p> 
+
+    <p>Affects: 4.0.0-4.0.1</p>
   </section>
 
   <section name="Unverified">
     <p><strong>low: Installation path disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4703">
-       CVE-2005-4703</a></p>
+       CVE-2005-4703</a>, 
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2008">
+       CVE-2002-2008</a><br/></p>
     <p>This issue only affects Windows operating systems. It can not be
        reproduced on Windows XP Home with JDKs 1.3.1, 1.4.2, 1.5.0 or 1.6.0.
        Further investigation is required to determine the Windows operating
-       system and JDK combinations that do exhibit this issue.</p>
+       system and JDK combinations that do exhibit this issue. The
+       vulnerability reports for this issue state that it is fixed in 4.1.3
+       onwards.</p>
 
     <p>Affects: 4.0.3?</p>
   </section>
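Review bot: the `<br/>` added after the CVE-2002-2008 link inside the `<p>` of the Unverified section is stray (it is what produces the empty line in the generated html) and should be dropped; in the same paragraph, "fixed in 4.1.3 onwards" and the unchanged "Affects: 4.0.3?" need reconciling, for example "Affects: 4.0.3-4.1.2 (per the reports, unverified)". Source-level typos to fix here rather than in the generated html: "trouble shooting" should be "troubleshooting", "would result in in an error page" should be "would result in an error page", "%20/" should be quoted like the other three prefixes, and the trailing whitespace after `file system path to the JSP file.</p>` should be stripped.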



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org