Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/10/31 17:44:50 UTC

svn commit: r1845353 - in /tomcat/site/trunk: docs/security-jk.html xdocs/security-jk.xml

Author: markt
Date: Wed Oct 31 17:44:50 2018
New Revision: 1845353

URL: http://svn.apache.org/viewvc?rev=1845353&view=rev
Log:
Add information for CVE-2018-11759

Modified:
    tomcat/site/trunk/docs/security-jk.html
    tomcat/site/trunk/xdocs/security-jk.xml

Modified: tomcat/site/trunk/docs/security-jk.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1845353&r1=1845352&r2=1845353&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-jk.html (original)
+++ tomcat/site/trunk/docs/security-jk.html Wed Oct 31 17:44:50 2018
@@ -214,6 +214,9 @@
 <a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</a>
 </li>
 <li>
@@ -256,6 +259,61 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</h3>
+<div class="text">
+
+    
+<p>
+<i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45
+       but the release vote for the 1.2.45 release candidate did not pass.
+       Therefore, although users must download 1.2.46 to obtain a version that
+       includes the fix for this issue, version 1.2.45 is not included in the
+       list of affected versions.</i>
+</p>
+
+    
+<p>
+<strong>Important: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11759" rel="nofollow">CVE-2018-11759</a>
+</p>
+
+    
+<p>The Apache Web Server (httpd) specific code that normalised the requested 
+       path before matching it to the URI-worker map did not handle some edge
+       cases correctly. If only a sub-set of the URLs supported by Tomcat were
+       exposed via httpd, then it was possible for a specially constructed
+       request to expose application functionality through the reverse proxy
+       that was not intended for clients accessing the application via the
+       reverse proxy. It was also possible in some configurations for a
+       specially constructed request to bypass the access controls configured in
+       httpd. While there is some overlap between this issue and CVE-2018-1323,
+       they are not identical.</p>
+
+    
+<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1838836">1838836</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1838857">1838857</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1838871">1838871</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1838882">1838882</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840444">1840444</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840445">1840445</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840448">1840448</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840449">1840449</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840450">1840450</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840451">1840451</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840491">1840491</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840588">1840588</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840592">1840592</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840603">1840603</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840604">1840604</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840610">1840610</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840629">1840629</a> and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1841463">1841463</a>.</p>
+
+    
+<p>Affects: JK 1.2.0-1.2.44</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</h3>
 <div class="text">
 

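Review bot: The heading of the new 1.2.46 entry reads "Important: Information disclosure", but the description paragraph under it also states that a specially constructed request could "bypass the access controls configured in httpd", which is an access-control bypass and not only disclosure. Consider a label that covers both impacts, or a sentence explaining why disclosure is treated as the primary one, so that readers who triage by heading do not underrate the issue. The same paragraph says "in some configurations" without saying which; if that can be published, naming the kind of configuration affected would let administrators decide whether they are exposed.
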
Modified: tomcat/site/trunk/xdocs/security-jk.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-jk.xml?rev=1845353&r1=1845352&r2=1845353&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-jk.xml (original)
+++ tomcat/site/trunk/xdocs/security-jk.xml Wed Oct 31 17:44:50 2018
@@ -28,6 +28,51 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat JK Connector 1.2.46">
+
+    <p><i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45
+       but the release vote for the 1.2.45 release candidate did not pass.
+       Therefore, although users must download 1.2.46 to obtain a version that
+       includes the fix for this issue, version 1.2.45 is not included in the
+       list of affected versions.</i></p>
+
+    <p><strong>Important: Information disclosure</strong>
+       <cve>CVE-2018-11759</cve></p>
+
+    <p>The Apache Web Server (httpd) specific code that normalised the requested 
+       path before matching it to the URI-worker map did not handle some edge
+       cases correctly. If only a sub-set of the URLs supported by Tomcat were
+       exposed via httpd, then it was possible for a specially constructed
+       request to expose application functionality through the reverse proxy
+       that was not intended for clients accessing the application via the
+       reverse proxy. It was also possible in some configurations for a
+       specially constructed request to bypass the access controls configured in
+       httpd. While there is some overlap between this issue and CVE-2018-1323,
+       they are not identical.</p>
+
+    <p>This was fixed in revisions <revlink rev="1838836">1838836</revlink>,
+       <revlink rev="1838857">1838857</revlink>,
+       <revlink rev="1838871">1838871</revlink>,
+       <revlink rev="1838882">1838882</revlink>,
+       <revlink rev="1840444">1840444</revlink>,
+       <revlink rev="1840445">1840445</revlink>,
+       <revlink rev="1840448">1840448</revlink>,
+       <revlink rev="1840449">1840449</revlink>,
+       <revlink rev="1840450">1840450</revlink>,
+       <revlink rev="1840451">1840451</revlink>,
+       <revlink rev="1840491">1840491</revlink>,
+       <revlink rev="1840588">1840588</revlink>,
+       <revlink rev="1840592">1840592</revlink>,
+       <revlink rev="1840603">1840603</revlink>,
+       <revlink rev="1840604">1840604</revlink>,
+       <revlink rev="1840610">1840610</revlink>,
+       <revlink rev="1840629">1840629</revlink> and
+       <revlink rev="1841463">1841463</revlink>.</p>
+
+    <p>Affects: JK 1.2.0-1.2.44</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat JK Connector 1.2.43">
 
     <p><strong>Important: Information disclosure</strong>
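
Review bot: In the description paragraph, CVE-2018-1323 is written as bare text while CVE-2018-11759 in the paragraph above is wrapped in a cve element, so the related advisory ends up unlinked on the rendered page (the docs/security-jk.html hunk shows it as plain text). Suggest writing it as <cve>CVE-2018-1323</cve> here and carrying the same change into docs/security-jk.html. Separately, the added line ending "normalised the requested " has trailing whitespace in both files.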


