You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/10/31 17:44:50 UTC
svn commit: r1845353 - in /tomcat/site/trunk: docs/security-jk.html
xdocs/security-jk.xml
Author: markt
Date: Wed Oct 31 17:44:50 2018
New Revision: 1845353
URL: http://svn.apache.org/viewvc?rev=1845353&view=rev
Log:
Add information for CVE-2018-11759
Modified:
tomcat/site/trunk/docs/security-jk.html
tomcat/site/trunk/xdocs/security-jk.xml
Modified: tomcat/site/trunk/docs/security-jk.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1845353&r1=1845352&r2=1845353&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-jk.html (original)
+++ tomcat/site/trunk/docs/security-jk.html Wed Oct 31 17:44:50 2018
@@ -214,6 +214,9 @@
<a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</a>
</li>
<li>
@@ -256,6 +259,61 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</h3>
+<div class="text">
+
+
+<p>
+<i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45
+ but the release vote for the 1.2.45 release candidate did not pass.
+ Therefore, although users must download 1.2.46 to obtain a version that
+ includes the fix for this issue, version 1.2.45 is not included in the
+ list of affected versions.</i>
+</p>
+
+
+<p>
+<strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11759" rel="nofollow">CVE-2018-11759</a>
+</p>
+
+
+<p>The Apache Web Server (httpd) specific code that normalised the requested
+ path before matching it to the URI-worker map did not handle some edge
+ cases correctly. If only a sub-set of the URLs supported by Tomcat were
+ exposed via httpd, then it was possible for a specially constructed
+ request to expose application functionality through the reverse proxy
+ that was not intended for clients accessing the application via the
+ reverse proxy. It was also possible in some configurations for a
+ specially constructed request to bypass the access controls configured in
+ httpd. While there is some overlap between this issue and CVE-2018-1323,
+ they are not identical.</p>
+
+
+<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1838836">1838836</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1838857">1838857</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1838871">1838871</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1838882">1838882</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840444">1840444</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840445">1840445</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840448">1840448</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840449">1840449</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840450">1840450</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840451">1840451</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840491">1840491</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840588">1840588</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840592">1840592</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840603">1840603</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840604">1840604</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840610">1840610</a>,
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1840629">1840629</a> and
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1841463">1841463</a>.</p>
+
+
+<p>Affects: JK 1.2.0-1.2.44</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</h3>
<div class="text">
Modified: tomcat/site/trunk/xdocs/security-jk.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-jk.xml?rev=1845353&r1=1845352&r2=1845353&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-jk.xml (original)
+++ tomcat/site/trunk/xdocs/security-jk.xml Wed Oct 31 17:44:50 2018
@@ -28,6 +28,51 @@
</section>
+ <section name="Fixed in Apache Tomcat JK Connector 1.2.46">
+
+ <p><i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45
+ but the release vote for the 1.2.45 release candidate did not pass.
+ Therefore, although users must download 1.2.46 to obtain a version that
+ includes the fix for this issue, version 1.2.45 is not included in the
+ list of affected versions.</i></p>
+
+ <p><strong>Important: Information disclosure</strong>
+ <cve>CVE-2018-11759</cve></p>
+
+ <p>The Apache Web Server (httpd) specific code that normalised the requested
+ path before matching it to the URI-worker map did not handle some edge
+ cases correctly. If only a sub-set of the URLs supported by Tomcat were
+ exposed via httpd, then it was possible for a specially constructed
+ request to expose application functionality through the reverse proxy
+ that was not intended for clients accessing the application via the
+ reverse proxy. It was also possible in some configurations for a
+ specially constructed request to bypass the access controls configured in
+ httpd. While there is some overlap between this issue and CVE-2018-1323,
+ they are not identical.</p>
+
+ <p>This was fixed in revisions <revlink rev="1838836">1838836</revlink>,
+ <revlink rev="1838857">1838857</revlink>,
+ <revlink rev="1838871">1838871</revlink>,
+ <revlink rev="1838882">1838882</revlink>,
+ <revlink rev="1840444">1840444</revlink>,
+ <revlink rev="1840445">1840445</revlink>,
+ <revlink rev="1840448">1840448</revlink>,
+ <revlink rev="1840449">1840449</revlink>,
+ <revlink rev="1840450">1840450</revlink>,
+ <revlink rev="1840451">1840451</revlink>,
+ <revlink rev="1840491">1840491</revlink>,
+ <revlink rev="1840588">1840588</revlink>,
+ <revlink rev="1840592">1840592</revlink>,
+ <revlink rev="1840603">1840603</revlink>,
+ <revlink rev="1840604">1840604</revlink>,
+ <revlink rev="1840610">1840610</revlink>,
+ <revlink rev="1840629">1840629</revlink> and
+ <revlink rev="1841463">1841463</revlink>.</p>
+
+ <p>Affects: JK 1.2.0-1.2.44</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat JK Connector 1.2.43">
<p><strong>Important: Information disclosure</strong>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org