Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/02/25 12:18:51 UTC
svn commit: r1571649 - in /tomcat/site/trunk: docs/security-4.html
docs/security-5.html docs/security-6.html docs/security-7.html
docs/security-8.html xdocs/security-4.xml xdocs/security-5.xml
xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml
Author: markt
Date: Tue Feb 25 11:18:51 2014
New Revision: 1571649
URL: http://svn.apache.org/r1571649
Log:
Add:
CVE-2013-4286
CVE-2013-4322
CVE-2013-4590
CVE-2014-0033
Also fix a couple of typos.
Modified:
tomcat/site/trunk/docs/security-4.html
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/xdocs/security-4.xml
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=1571649&r1=1571648&r2=1571649&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Tue Feb 25 11:18:51 2014
@@ -624,7 +624,7 @@
multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use an attacker can poison a web-cache, perform
- an XSS attack and obtain senstive information from requests other then
+ an XSS attack and obtain sensitive information from requests other then
their own. Tomcat now returns 400 for requests with multiple
content-length headers.
</p>
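Review bot: The corrected line still reads "requests other then their own"; "then" should be "than". This commit is already fixing a typo in that sentence, so fix both in the same pass, here and in the identical line of the other security-4, security-5 and security-6 typo hunks.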
Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1571649&r1=1571648&r2=1571649&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Tue Feb 25 11:18:51 2014
@@ -1241,7 +1241,7 @@
multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use an attacker can poison a web-cache, perform
- an XSS attack and obtain senstive information from requests other then
+ an XSS attack and obtain sensitive information from requests other then
their own. Tomcat now returns 400 for requests with multiple
content-length headers.
</p>
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1571649&r1=1571648&r2=1571649&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Tue Feb 25 11:18:51 2014
@@ -333,6 +333,133 @@
<p>Affects: 6.0.0-6.0.37</p>
+
+
+<p>
+<i>Note: The issues below were fixed in Apache Tomcat 6.0.38 but the
+ release vote for 6.0.38 did not pass.
+ Therefore, although users must download 6.0.39 to obtain a version
+ that includes the fixes for these issues, version 6.0.38 is not
+ included in the list of affected versions.</i>
+</p>
+
+
+<p>
+<strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286" rel="nofollow">CVE-2013-4286</a>
+</p>
+
+
+<p>The fix for CVE-2005-2090 was not complete. It did not cover the
+ following cases:</p>
+
+<ul>
+
+<li>content-length header with chunked encoding over any HTTP connector
+ </li>
+
+<li>multiple content-length headers over any AJP connector</li>
+
+</ul>
+
+
+<p>Requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used should be rejected as invalid.
+ When multiple components (firewalls, caches, proxies and Tomcat) process
+ a sequence of requests where one or more requests contain either multiple
+ content-length headers or a content-length header when chunked encoding
+ is being used and several components do not reject the request and make
+ different decisions as to which content-length header to use an attacker
+ can poison a web-cache, perform an XSS attack and obtain sensitive
+ information from requests other then their own. Tomcat now rejects
+ requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used.</p>
+
+
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1552565">1552565</a>.</p>
+
+
+<p>This issue was identified by the Apache Tomcat security team on 15 August
+ 2013 and made public on 25 February 2014.</p>
+
+
+<p>Affects: 6.0.0 to 6.0.37</p>
+
+
+<p>
+<strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322" rel="nofollow">CVE-2013-4322</a>
+</p>
+
+
+<p>The fix for CVE-2012-3544 was not complete. It did not cover the
+ following cases:</p>
+
+<ul>
+
+<li>chunk extensions were not limited</li>
+
+<li>whitespace after the : in a trailing header was not limited</li>
+
+</ul>
+
+
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1556540">1556540</a>.</p>
+
+
+<p>The first part of this issue was identified by the Apache Tomcat security
+ team on 27 August 2013 and the second part by Saran Neti of TELUS
+ Security Labs on 5 November 2014. It was made public on 25 February 2014.
+ </p>
+
+
+<p>Affects: 6.0.0 to 6.0.37</p>
+
+
+<p>
+<strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590" rel="nofollow">CVE-2013-4590</a>
+</p>
+
+
+<p>Application provided XML files such as web.xml, context.xml, *.tld,
+ *.tagx and *.jspx allowed XXE which could be used to expose Tomcat
+ internals to an attacker. This vulnerability only occurs when Tomcat is
+ running web applications from untrusted sources such as in a shared
+ hosting environment.</p>
+
+
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1558828">1558828</a>.</p>
+
+
+<p>This issue was identified by the Apache Tomcat security team on 29
+ October 2014 and made public on 25 February 2014.</p>
+
+
+<p>Affects: 6.0.0 to 6.0.37</p>
+
+
+<p>
+<strong>Low: Session fixation</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0033" rel="nofollow">CVE-2014-0033</a>
+</p>
+
+
+<p>Previous fixes to path parameter handling
+ (<a href="http://svn.apache.org/viewvc?view=rev&rev=1149220">1149220</a>) introduced a regression that
+ meant session IDs provided in the URL were considered even when
+ disableURLRewriting was configured to true. Note that the session is only
+ used for that single request.</p>
+
+
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1558822">1558822</a>.</p>
+
+
+<p>This issue was identified by the Apache Tomcat security team on 1
+ December 2014 and made public on 25 February 2014.</p>
+
+
+<p>Affects: 6.0.33 to 6.0.37</p>
</div>
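Review bot: Three of the added "identified on" dates fall after the "made public on 25 February 2014" date in the same paragraphs and after this commit's own date: "5 November 2014" (CVE-2013-4322, second part), "29 October 2014" (CVE-2013-4590) and "1 December 2014" (CVE-2014-0033). An issue cannot be identified after it was published, so the year looks wrong; please check these against the security team's records and correct them. The new entries also write "Affects: 6.0.0 to 6.0.37" while the context line at the top of the hunk uses "6.0.0-6.0.37"; pick one form.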
@@ -1547,7 +1674,7 @@
multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use an attacker can poison a web-cache, perform
- an XSS attack and obtain senstive information from requests other then
+ an XSS attack and obtain sensitive information from requests other then
their own. Tomcat now returns 400 for requests with multiple
content-length headers.
</p>
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1571649&r1=1571648&r2=1571649&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Tue Feb 25 11:18:51 2014
@@ -203,6 +203,12 @@
<a href="#Fixed_in_Apache_Tomcat_7.0.52">Fixed in Apache Tomcat 7.0.52</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.50">Fixed in Apache Tomcat 7.0.50</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.47">Fixed in Apache Tomcat 7.0.47</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_7.0.40">Fixed in Apache Tomcat 7.0.40</a>
</li>
<li>
@@ -352,6 +358,132 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_7.0.50">
+<span style="float: right;">2014-01-08</span> Fixed in Apache Tomcat 7.0.50</h3>
+<div class="text">
+
+
+<p>
+<i>Note: The issues below were fixed in Apache Tomcat 7.0.48 but the
+ release votes for 7.0.48 to 7.0.49 did not pass.
+ Therefore, although users must download 7.0.50 to obtain a version
+ that includes fixes for these issues, versions 7.0.48 to 7.0.49 are
+ not included in the list of affected versions.</i>
+</p>
+
+
+<p>
+<strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322" rel="nofollow">CVE-2013-4322</a>
+</p>
+
+
+<p>The fix for CVE-2012-3544 was not complete. It did not cover the
+ following cases:</p>
+
+<ul>
+
+<li>chunk extensions were not limited</li>
+
+<li>whitespace after the : in a trailing header was not limited</li>
+
+</ul>
+
+
+<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1521864">1521864</a> and
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1549523">1549523</a>.</p>
+
+
+<p>The first part of this issue was identified by the Apache Tomcat security
+ team on 27 August 2013 and the second part by Saran Neti of TELUS
+ Security Labs on 5 November 2014. It was made public on 25 February 2014.
+ </p>
+
+
+<p>Affects: 7.0.0 to 7.0.47</p>
+
+
+<p>
+<strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590" rel="nofollow">CVE-2013-4590</a>
+</p>
+
+
+<p>Application provided XML files such as web.xml, context.xml, *.tld,
+ *.tagx and *.jspx allowed XXE which could be used to expose Tomcat
+ internals to an attacker. This vulnerability only occurs when Tomcat is
+ running web applications from untrusted sources such as in a shared
+ hosting environment.</p>
+
+
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1549529">1549529</a>.</p>
+
+
+<p>This issue was identified by the Apache Tomcat security team on 29
+ October 2014 and made public on 25 February 2014.</p>
+
+
+<p>Affects: 7.0.0 to 7.0.47</p>
+
+
+</div>
+<h3 id="Fixed_in_Apache_Tomcat_7.0.47">
+<span style="float: right;">2013-10-24</span> Fixed in Apache Tomcat 7.0.47</h3>
+<div class="text">
+
+
+<p>
+<i>Note: The issue below was fixed in Apache Tomcat 7.0.43 but the
+ release votes for 7.0.43 to 7.0.46 did not pass.
+ Therefore, although users must download 7.0.47 to obtain a version
+ that includes a fix for this issue, versions 7.0.43 to 7.0.46 are not
+ included in the list of affected versions.</i>
+</p>
+
+
+<p>
+<strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286" rel="nofollow">CVE-2013-4286</a>
+</p>
+
+
+<p>The fix for CVE-2005-2090 was not complete. It did not cover the
+ following cases:</p>
+
+<ul>
+
+<li>content-length header with chunked encoding over any HTTP connector
+ </li>
+
+<li>multiple content-length headers over any AJP connector</li>
+
+</ul>
+
+
+<p>Requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used should be rejected as invalid.
+ When multiple components (firewalls, caches, proxies and Tomcat) process
+ a sequence of requests where one or more requests contain either multiple
+ content-length headers or a content-length header when chunked encoding
+ is being used and several components do not reject the request and make
+ different decisions as to which content-length header to use an attacker
+ can poison a web-cache, perform an XSS attack and obtain sensitive
+ information from requests other then their own. Tomcat now rejects
+ requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used.</p>
+
+
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1521854">1521854</a>.</p>
+
+
+<p>This issue was identified by the Apache Tomcat security team on 15 August
+ 2013 and made public on 25 February 2014.</p>
+
+
+<p>Affects: 7.0.0 to 7.0.42</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_7.0.40">
<span style="float: right;">released 9 May 2013</span> Fixed in Apache Tomcat 7.0.40</h3>
<div class="text">
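Review bot: The two new section headers put a bare ISO date in the right-floated span ("2014-01-08", "2013-10-24"), while the existing 7.0.40 header directly below uses "released 9 May 2013". Use one release-date format across the headers on this page. The CVE-2013-4322 and CVE-2013-4590 entries in this hunk also give identification dates in late 2014, which is later than their 25 February 2014 publication date.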
Modified: tomcat/site/trunk/docs/security-8.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1571649&r1=1571648&r2=1571649&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Tue Feb 25 11:18:51 2014
@@ -203,6 +203,12 @@
<a href="#Fixed_in_Apache_Tomcat_8.0.3">Fixed in Apache Tomcat 8.0.3</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_8.0.0-RC10">Fixed in Apache Tomcat 8.0.0-RC10</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_8.0.0-RC3">Fixed in Apache Tomcat 8.0.0-RC3</a>
+</li>
+<li>
<a href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</a>
</li>
</ul>
@@ -298,6 +304,132 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.0.0-RC10">
+<span style="float: right;">alpha, 2013-12-26</span> Fixed in Apache Tomcat 8.0.0-RC10</h3>
+<div class="text">
+
+
+<p>
+<i>Note: The issue below was fixed in Apache Tomcat 8.0.0-RC6 but the
+ release votes for 8.0.0-RC6 to 8.0.0-RC9 did not pass.
+ Therefore, although users must download 8.0.0-RC10 to obtain a version
+ that includes a fix for this issue, versions 8.0.0-RC6 to 8.0.0-RC9 are
+ not included in the list of affected versions.</i>
+</p>
+
+
+<p>
+<strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322" rel="nofollow">CVE-2013-4322</a>
+</p>
+
+
+<p>The fix for CVE-2012-3544 was not complete. It did not cover the
+ following cases:</p>
+
+<ul>
+
+<li>chunk extensions were not limited</li>
+
+<li>whitespace after the : in a trailing header was not limited</li>
+
+</ul>
+
+
+<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1521834">1521834</a> and
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1549522">1549522</a>.</p>
+
+
+<p>The first part of this issue was identified by the Apache Tomcat security
+ team on 27 August 2013 and the second part by Saran Neti of TELUS
+ Security Labs on 5 November 2014. It was made public on 25 February 2014.
+ </p>
+
+
+<p>Affects: 8.0.0-RC1 to 8.0.0-RC5</p>
+
+
+<p>
+<strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590" rel="nofollow">CVE-2013-4590</a>
+</p>
+
+
+<p>Application provided XML files such as web.xml, context.xml, *.tld,
+ *.tagx and *.jspx allowed XXE which could be used to expose Tomcat
+ internals to an attacker. This vulnerability only occurs when Tomcat is
+ running web applications from untrusted sources such as in a shared
+ hosting environment.</p>
+
+
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1549528">1549528</a>.</p>
+
+
+<p>This issue was identified by the Apache Tomcat security team on 29
+ October 2014 and made public on 25 February 2014.</p>
+
+
+<p>Affects: 8.0.0-RC1 to 8.0.0-RC5</p>
+
+
+</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.0.0-RC3">
+<span style="float: right;">alpha, 2013-09-23</span> Fixed in Apache Tomcat 8.0.0-RC3</h3>
+<div class="text">
+
+
+<p>
+<i>Note: The issue below was fixed in Apache Tomcat 8.0.0-RC2 but the
+ release vote for 8.0.0-RC2 did not pass.
+ Therefore, although users must download 8.0.0-RC3 to obtain a version
+ that includes a fix for this issue, version 8.0.0-RC2 is not
+ included in the list of affected versions.</i>
+</p>
+
+
+<p>
+<strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286" rel="nofollow">CVE-2013-4286</a>
+</p>
+
+
+<p>The fix for CVE-2005-2090 was not complete. It did not cover the
+ following cases:</p>
+
+<ul>
+
+<li>content-length header with chunked encoding over any HTTP connector
+ </li>
+
+<li>multiple content-length headers over any AJP connector</li>
+
+</ul>
+
+
+<p>Requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used should be rejected as invalid.
+ When multiple components (firewalls, caches, proxies and Tomcat) process
+ a sequence of requests where one or more requests contain either multiple
+ content-length headers or a content-length header when chunked encoding
+ is being used and several components do not reject the request and make
+ different decisions as to which content-length header to use an attacker
+ can poison a web-cache, perform an XSS attack and obtain sensitive
+ information from requests other then their own. Tomcat now rejects
+ requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used.</p>
+
+
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1521829">1521829</a>.</p>
+
+
+<p>This issue was identified by the Apache Tomcat security team on 15 August
+ 2013 and made public on 25 February 2014.</p>
+
+
+<p>Affects: 8.0.0-RC1</p>
+
+
+</div>
<h3 id="Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</h3>
<div class="text">
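Review bot: The italic note under "Fixed in Apache Tomcat 8.0.0-RC10" says "The issue below was fixed" and "a fix for this issue", but the section lists two issues, CVE-2013-4322 and CVE-2013-4590. The equivalent 7.0.50 note in this commit uses the plural ("The issues below were fixed", "fixes for these issues"); use the same wording here.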
Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=1571649&r1=1571648&r2=1571649&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Tue Feb 25 11:18:51 2014
@@ -273,7 +273,7 @@
multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use an attacker can poison a web-cache, perform
- an XSS attack and obtain senstive information from requests other then
+ an XSS attack and obtain sensitive information from requests other then
their own. Tomcat now returns 400 for requests with multiple
content-length headers.
</p>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1571649&r1=1571648&r2=1571649&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Tue Feb 25 11:18:51 2014
@@ -700,7 +700,7 @@
multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use an attacker can poison a web-cache, perform
- an XSS attack and obtain senstive information from requests other then
+ an XSS attack and obtain sensitive information from requests other then
their own. Tomcat now returns 400 for requests with multiple
content-length headers.
</p>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1571649&r1=1571648&r2=1571649&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Tue Feb 25 11:18:51 2014
@@ -70,6 +70,93 @@
<p>This issue was published by Oracle on 18 June 2013.</p>
<p>Affects: 6.0.0-6.0.37</p>
+
+ <p><i>Note: The issues below were fixed in Apache Tomcat 6.0.38 but the
+ release vote for 6.0.38 did not pass.
+ Therefore, although users must download 6.0.39 to obtain a version
+ that includes the fixes for these issues, version 6.0.38 is not
+ included in the list of affected versions.</i></p>
+
+ <p><strong>Important: Information disclosure</strong>
+ <cve>CVE-2013-4286</cve></p>
+
+ <p>The fix for CVE-2005-2090 was not complete. It did not cover the
+ following cases:</p>
+ <ul>
+ <li>content-length header with chunked encoding over any HTTP connector
+ </li>
+ <li>multiple content-length headers over any AJP connector</li>
+ </ul>
+
+ <p>Requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used should be rejected as invalid.
+ When multiple components (firewalls, caches, proxies and Tomcat) process
+ a sequence of requests where one or more requests contain either multiple
+ content-length headers or a content-length header when chunked encoding
+ is being used and several components do not reject the request and make
+ different decisions as to which content-length header to use an attacker
+ can poison a web-cache, perform an XSS attack and obtain sensitive
+ information from requests other then their own. Tomcat now rejects
+ requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used.</p>
+
+ <p>This was fixed in revision <revlink rev="1552565">1552565</revlink>.</p>
+
+ <p>This issue was identified by the Apache Tomcat security team on 15 August
+ 2013 and made public on 25 February 2014.</p>
+
+ <p>Affects: 6.0.0 to 6.0.37</p>
+
+ <p><strong>Important: Information disclosure</strong>
+ <cve>CVE-2013-4322</cve></p>
+
+ <p>The fix for CVE-2012-3544 was not complete. It did not cover the
+ following cases:</p>
+ <ul>
+ <li>chunk extensions were not limited</li>
+ <li>whitespace after the : in a trailing header was not limited</li>
+ </ul>
+
+ <p>This was fixed in revision <revlink rev="1556540">1556540</revlink>.</p>
+
+ <p>The first part of this issue was identified by the Apache Tomcat security
+ team on 27 August 2013 and the second part by Saran Neti of TELUS
+ Security Labs on 5 November 2014. It was made public on 25 February 2014.
+ </p>
+
+ <p>Affects: 6.0.0 to 6.0.37</p>
+
+ <p><strong>Low: Information disclosure</strong>
+ <cve>CVE-2013-4590</cve></p>
+
+ <p>Application provided XML files such as web.xml, context.xml, *.tld,
+ *.tagx and *.jspx allowed XXE which could be used to expose Tomcat
+ internals to an attacker. This vulnerability only occurs when Tomcat is
+ running web applications from untrusted sources such as in a shared
+ hosting environment.</p>
+
+ <p>This was fixed in revision <revlink rev="1558828">1558828</revlink>.</p>
+
+ <p>This issue was identified by the Apache Tomcat security team on 29
+ October 2014 and made public on 25 February 2014.</p>
+
+ <p>Affects: 6.0.0 to 6.0.37</p>
+
+ <p><strong>Low: Session fixation</strong>
+ <cve>CVE-2014-0033</cve></p>
+
+ <p>Previous fixes to path parameter handling
+ (<revlink rev="1149220">1149220</revlink>) introduced a regression that
+ meant session IDs provided in the URL were considered even when
+ disableURLRewriting was configured to true. Note that the session is only
+ used for that single request.</p>
+
+ <p>This was fixed in revision <revlink rev="1558822">1558822</revlink>.</p>
+
+ <p>This issue was identified by the Apache Tomcat security team on 1
+ December 2014 and made public on 25 February 2014.</p>
+
+ <p>Affects: 6.0.33 to 6.0.37</p>
</section>
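Review bot: The CVE-2013-4322 entry is headed "Important: Information disclosure", but its two bullets only say that chunk extensions and whitespace after the ":" in a trailing header "were not limited", and nothing in the entry says what information is disclosed or how Tomcat behaves after the fix. Please confirm the classification and add a sentence on impact and the new behaviour, as the CVE-2013-4286 entry above it does with "Tomcat now rejects requests with multiple content-length headers ...".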
@@ -908,7 +995,7 @@
multiple content-length headers and several components do not
reject the request and make different decisions as to which
content-length header to use an attacker can poison a web-cache, perform
- an XSS attack and obtain senstive information from requests other then
+ an XSS attack and obtain sensitive information from requests other then
their own. Tomcat now returns 400 for requests with multiple
content-length headers.
</p>
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1571649&r1=1571648&r2=1571649&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Tue Feb 25 11:18:51 2014
@@ -81,6 +81,92 @@
</section>
+ <section name="Fixed in Apache Tomcat 7.0.50" rtext="2014-01-08">
+
+ <p><i>Note: The issues below were fixed in Apache Tomcat 7.0.48 but the
+ release votes for 7.0.48 to 7.0.49 did not pass.
+ Therefore, although users must download 7.0.50 to obtain a version
+ that includes fixes for these issues, versions 7.0.48 to 7.0.49 are
+ not included in the list of affected versions.</i></p>
+
+ <p><strong>Important: Information disclosure</strong>
+ <cve>CVE-2013-4322</cve></p>
+
+ <p>The fix for CVE-2012-3544 was not complete. It did not cover the
+ following cases:</p>
+ <ul>
+ <li>chunk extensions were not limited</li>
+ <li>whitespace after the : in a trailing header was not limited</li>
+ </ul>
+
+ <p>This was fixed in revisions <revlink rev="1521864">1521864</revlink> and
+ <revlink rev="1549523">1549523</revlink>.</p>
+
+ <p>The first part of this issue was identified by the Apache Tomcat security
+ team on 27 August 2013 and the second part by Saran Neti of TELUS
+ Security Labs on 5 November 2014. It was made public on 25 February 2014.
+ </p>
+
+ <p>Affects: 7.0.0 to 7.0.47</p>
+
+ <p><strong>Low: Information disclosure</strong>
+ <cve>CVE-2013-4590</cve></p>
+
+ <p>Application provided XML files such as web.xml, context.xml, *.tld,
+ *.tagx and *.jspx allowed XXE which could be used to expose Tomcat
+ internals to an attacker. This vulnerability only occurs when Tomcat is
+ running web applications from untrusted sources such as in a shared
+ hosting environment.</p>
+
+ <p>This was fixed in revision <revlink rev="1549529">1549529</revlink>.</p>
+
+ <p>This issue was identified by the Apache Tomcat security team on 29
+ October 2014 and made public on 25 February 2014.</p>
+
+ <p>Affects: 7.0.0 to 7.0.47</p>
+
+ </section>
+
+ <section name="Fixed in Apache Tomcat 7.0.47" rtext="2013-10-24">
+
+ <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.43 but the
+ release votes for 7.0.43 to 7.0.46 did not pass.
+ Therefore, although users must download 7.0.47 to obtain a version
+ that includes a fix for this issue, versions 7.0.43 to 7.0.46 are not
+ included in the list of affected versions.</i></p>
+
+ <p><strong>Important: Information disclosure</strong>
+ <cve>CVE-2013-4286</cve></p>
+
+ <p>The fix for CVE-2005-2090 was not complete. It did not cover the
+ following cases:</p>
+ <ul>
+ <li>content-length header with chunked encoding over any HTTP connector
+ </li>
+ <li>multiple content-length headers over any AJP connector</li>
+ </ul>
+
+ <p>Requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used should be rejected as invalid.
+ When multiple components (firewalls, caches, proxies and Tomcat) process
+ a sequence of requests where one or more requests contain either multiple
+ content-length headers or a content-length header when chunked encoding
+ is being used and several components do not reject the request and make
+ different decisions as to which content-length header to use an attacker
+ can poison a web-cache, perform an XSS attack and obtain sensitive
+ information from requests other then their own. Tomcat now rejects
+ requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used.</p>
+
+ <p>This was fixed in revision <revlink rev="1521854">1521854</revlink>.</p>
+
+ <p>This issue was identified by the Apache Tomcat security team on 15 August
+ 2013 and made public on 25 February 2014.</p>
+
+ <p>Affects: 7.0.0 to 7.0.42</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.40" rtext="released 9 May 2013">
<p><strong>Moderate: Information disclosure</strong>
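Review bot: In the CVE-2013-4286 paragraph, the sentence starting "When multiple components (firewalls, caches, proxies and Tomcat) process" runs for several lines with no punctuation between the condition and "an attacker can poison a web-cache", and it ends with "other then their own". Add a comma before "an attacker" (or split the sentence) and change "then" to "than"; the newly added text repeats the slip that the older entries touched by this commit still carry.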
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1571649&r1=1571648&r2=1571649&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Tue Feb 25 11:18:51 2014
@@ -81,6 +81,92 @@
</section>
+ <section name="Fixed in Apache Tomcat 8.0.0-RC10" rtext="alpha, 2013-12-26">
+
+ <p><i>Note: The issue below was fixed in Apache Tomcat 8.0.0-RC6 but the
+ release votes for 8.0.0-RC6 to 8.0.0-RC9 did not pass.
+ Therefore, although users must download 8.0.0-RC10 to obtain a version
+ that includes a fix for this issue, versions 8.0.0-RC6 to 8.0.0-RC9 are
+ not included in the list of affected versions.</i></p>
+
+ <p><strong>Important: Information disclosure</strong>
+ <cve>CVE-2013-4322</cve></p>
+
+ <p>The fix for CVE-2012-3544 was not complete. It did not cover the
+ following cases:</p>
+ <ul>
+ <li>chunk extensions were not limited</li>
+ <li>whitespace after the : in a trailing header was not limited</li>
+ </ul>
+
+ <p>This was fixed in revisions <revlink rev="1521834">1521834</revlink> and
+ <revlink rev="1549522">1549522</revlink>.</p>
+
+ <p>The first part of this issue was identified by the Apache Tomcat security
+ team on 27 August 2013 and the second part by Saran Neti of TELUS
+ Security Labs on 5 November 2014. It was made public on 25 February 2014.
+ </p>
+
+ <p>Affects: 8.0.0-RC1 to 8.0.0-RC5</p>
+
+ <p><strong>Low: Information disclosure</strong>
+ <cve>CVE-2013-4590</cve></p>
+
+ <p>Application provided XML files such as web.xml, context.xml, *.tld,
+ *.tagx and *.jspx allowed XXE which could be used to expose Tomcat
+ internals to an attacker. This vulnerability only occurs when Tomcat is
+ running web applications from untrusted sources such as in a shared
+ hosting environment.</p>
+
+ <p>This was fixed in revision <revlink rev="1549528">1549528</revlink>.</p>
+
+ <p>This issue was identified by the Apache Tomcat security team on 29
+ October 2014 and made public on 25 February 2014.</p>
+
+ <p>Affects: 8.0.0-RC1 to 8.0.0-RC5</p>
+
+ </section>
+
+ <section name="Fixed in Apache Tomcat 8.0.0-RC3" rtext="alpha, 2013-09-23">
+
+ <p><i>Note: The issue below was fixed in Apache Tomcat 8.0.0-RC2 but the
+ release vote for 8.0.0-RC2 did not pass.
+ Therefore, although users must download 8.0.0-RC3 to obtain a version
+ that includes a fix for this issue, version 8.0.0-RC2 is not
+ included in the list of affected versions.</i></p>
+
+ <p><strong>Important: Information disclosure</strong>
+ <cve>CVE-2013-4286</cve></p>
+
+ <p>The fix for CVE-2005-2090 was not complete. It did not cover the
+ following cases:</p>
+ <ul>
+ <li>content-length header with chunked encoding over any HTTP connector
+ </li>
+ <li>multiple content-length headers over any AJP connector</li>
+ </ul>
+
+ <p>Requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used should be rejected as invalid.
+ When multiple components (firewalls, caches, proxies and Tomcat) process
+ a sequence of requests where one or more requests contain either multiple
+ content-length headers or a content-length header when chunked encoding
+ is being used and several components do not reject the request and make
+ different decisions as to which content-length header to use an attacker
+ can poison a web-cache, perform an XSS attack and obtain sensitive
+ information from requests other then their own. Tomcat now rejects
+ requests with multiple content-length headers or with a content-length
+ header when chunked encoding is being used.</p>
+
+ <p>This was fixed in revision <revlink rev="1521829">1521829</revlink>.</p>
+
+ <p>This issue was identified by the Apache Tomcat security team on 15 August
+ 2013 and made public on 25 February 2014.</p>
+
+ <p>Affects: 8.0.0-RC1</p>
+
+ </section>
+
<section name="Not a vulnerability in Tomcat">
<p>No reports</p>
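Review bot: The identification dates "5 November 2014" (CVE-2013-4322, second part) and "29 October 2014" (CVE-2013-4590) are later than the "made public on 25 February 2014" date stated in the same paragraphs. Correct the year in this file and in docs/security-8.html, which carries the same text in this commit.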