Posted to dev@tomcat.apache.org by kk...@apache.org on 2011/10/13 11:22:26 UTC

svn commit: r1182736 [9/10] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1182736&r1=1182735&r2=1182736&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Thu Oct 13 09:22:24 2011
@@ -1,47 +1,33 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html>
 <head>
+<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
 <title>Apache Tomcat - Apache Tomcat 7 vulnerabilities</title>
-<meta name="author" content="Apache Tomcat Project"/>
-<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
-<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/>
+<meta name="author" content="Apache Tomcat Project">
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet">
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print">
 </head>
 <body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
 <table border="0" width="100%" cellspacing="0">
 <!--PAGE HEADER-->
 <tr>
 <td>
-<!--PROJECT LOGO-->
-<a href="http://tomcat.apache.org/">
-<img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"/>
-</a>
-</td>
-<td>
-<font face="arial,helvetica,sanserif">
+<!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"></a></td><td><font face="arial,helvetica,sanserif">
 <h1>Apache Tomcat</h1>
-</font>
-</td>
-<td>
-<!--APACHE LOGO-->
-<a href="http://www.apache.org/">
-<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/>
-</a>
-</td>
+</font></td><td>
+<!--APACHE LOGO--><a href="http://www.apache.org/"><img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td>
 </tr>
 </table>
 <div class="searchbox noPrint">
 <form action="http://www.google.com/search" method="get">
-<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
-<input value="Search the Site" size="25" name="q" id="query" type="text"/>
-<input name="Search" value="Search Site" type="submit"/>
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input value="Search the Site" size="25" name="q" id="query" type="text"><input name="Search" value="Search Site" type="submit">
 </form>
 </div>
 <table border="0" width="100%" cellspacing="4">
 <!--HEADER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr noshade="" size="1"/>
+<hr noshade size="1">
 </td>
 </tr>
 <tr>
@@ -194,25 +180,17 @@
 </li>
 </ul>
 </td>
-<!--RIGHT SIDE MAIN BODY-->
-<td width="80%" valign="top" align="left" id="mainBody">
+<!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody">
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Table of Contents">
-<!--()-->
-</a>
-<a name="Table_of_Contents">
-<strong>Table of Contents</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Table of Contents">
+<!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
+
 <ul>
 <li>
 <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
@@ -254,34 +232,28 @@
 <a href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</a>
 </li>
 </ul>
+
 </blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Apache Tomcat 7.x vulnerabilities">
-<!--()-->
-</a>
-<a name="Apache_Tomcat_7.x_vulnerabilities">
-<strong>Apache Tomcat 7.x vulnerabilities</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Apache Tomcat 7.x vulnerabilities">
+<!--()--></a><a name="Apache_Tomcat_7.x_vulnerabilities"><strong>Apache Tomcat 7.x vulnerabilities</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>This page lists all security vulnerabilities fixed in released versions
+    
+<p>This page lists all security vulnerabilities fixed in released versions
        of Apache Tomcat 7.x. Each vulnerability is given a
        <a href="security-impact.html">security impact rating</a> by the Apache
        Tomcat security team - please note that this rating may vary from
@@ -289,48 +261,39 @@
        is known to affect, and where a flaw has not been verified list the
        version with a question mark.</p>
 
-    <p>Please send comments or corrections for these vulnerabilities to the
+    
+<p>Please send comments or corrections for these vulnerabilities to the
        <a href="mailto:security@tomcat.apache.org">Tomcat Security Team</a>.</p>
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.21">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.21">
-<strong>Fixed in Apache Tomcat 7.0.21</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 1 Sep 2011</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.21">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.21"><strong>Fixed in Apache Tomcat 7.0.21</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 1 Sep 2011</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
 
-    <p>
+    
+<p>
 <strong>Important: Authentication bypass and information disclosure
        </strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190" rel="nofollow">CVE-2011-3190</a>
 </p>
 
-    <p>Apache Tomcat supports the AJP protocol which is used with reverse
+    
+<p>Apache Tomcat supports the AJP protocol which is used with reverse
        proxies to pass requests and associated data about the request from the
        reverse proxy to Tomcat. The AJP protocol is designed so that when a
        request includes a request body, an unsolicited AJP message is sent to
@@ -341,137 +304,143 @@
        information disclosure. This vulnerability only occurs when all of the
        following are true:
        <ul>
-         <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
+         
+<li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
          </li>
-         <li>POST requests are accepted</li>
-         <li>The request body is not processed</li>
-       </ul>
-    </p>
+         
+<li>POST requests are accepted</li>
+         
+<li>The request body is not processed</li>
+       
+</ul>
+    
+</p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1162958">revision 1162958</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1162958">revision 1162958</a>.</p>
 
-    <p>This was reported publicly on 20th August 2011.</p>
+    
+<p>This was reported publicly on 20th August 2011.</p>
 
-    <p>Affects: 7.0.0-7.0.20</p>
+    
+<p>Affects: 7.0.0-7.0.20</p>
   
-    <p>Mitigation options:</p>  
-    <ul>
-      <li>Upgrade to Tomcat 7.0.21</li>
-      <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1162958">patch</a>
+    
+<p>Mitigation options:</p>  
+    
+<ul>
+      
+<li>Upgrade to Tomcat 7.0.21</li>
+      
+<li>Apply the appropriate <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1162958">patch</a>
 </li>
-      <li>Configure both Tomcat and the reverse proxy to use a shared secret.<br/>
+      
+<li>Configure both Tomcat and the reverse proxy to use a shared secret.<br>
        (It is "<code>requiredSecret</code>" attribute in AJP &lt;Connector&gt;,
        "<code>worker.<i>workername</i>.secret</code>" directive for mod_jk.
        The mod_proxy_ajp module currently does not support shared secrets).</li>
-    </ul>
+    
+</ul>
 
-    <p>References:</p>
-    <ul>
-      <li>
+    
+<p>References:</p>
+    
+<ul>
+      
+<li>
 <a href="/tomcat-7.0-doc/config/ajp.html">AJP Connector documentation (Tomcat 7.0)</a>
 </li>
-      <li>
+      
+<li>
 <a href="/connectors-doc/reference/workers.html">workers.properties configuration (mod_jk)</a>
 </li>
-    </ul>
-  </blockquote>
+    
+</ul>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.20">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.20">
-<strong>Fixed in Apache Tomcat 7.0.20</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 11 Aug 2011</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.20">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.20"><strong>Fixed in Apache Tomcat 7.0.20</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 11 Aug 2011</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
 
-    <p>
+    
+<p>
 <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729" rel="nofollow">CVE-2011-2729</a>
 </p>
 
-    <p>Due to a bug in the capabilities code, jsvc (the service wrapper for
+    
+<p>Due to a bug in the capabilities code, jsvc (the service wrapper for
        Linux that is part of the Commons Daemon project) does not drop
        capabilities allowing the application to access files and directories
        owned by superuser. This vulnerability only occurs when all of the
        following are true:
        <ul>
-         <li>Tomcat is running on a Linux operating system</li>
-         <li>jsvc was compiled with libcap</li>
-         <li>-user parameter is used</li>
-       </ul>
+         
+<li>Tomcat is running on a Linux operating system</li>
+         
+<li>jsvc was compiled with libcap</li>
+         
+<li>-user parameter is used</li>
+       
+</ul>
        Affected Tomcat versions shipped with source files for jsvc that included
        this vulnerability.
     </p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1153379">revision 1153379</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1153379">revision 1153379</a>.</p>
 
-    <p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
+    
+<p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
        on 12 August 2011.</p>
 
-    <p>Affects: 7.0.0-7.0.19</p>
+    
+<p>Affects: 7.0.0-7.0.19</p>
+  
   
-  </blockquote>
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.19">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.19">
-<strong>Fixed in Apache Tomcat 7.0.19</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 19 Jul 2011</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.19">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.19"><strong>Fixed in Apache Tomcat 7.0.19</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 19 Jul 2011</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
 
-    <p>
+    
+<p>
 <strong>Low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526" rel="nofollow">CVE-2011-2526</a>
 </p>
 
-    <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
+    
+<p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
        connectors. sendfile is used automatically for content served via the
        DefaultServlet and deployed web applications may use it directly via
        setting request attributes. These request attributes were not validated.
@@ -479,34 +448,47 @@
        malicious web application to do one or more of the following that would
        normally be prevented by a security manager:
        <ul>
-         <li>return files to users that the security manager should make
+         
+<li>return files to users that the security manager should make
              inaccessible</li>
-         <li>terminate (via a crash) the JVM</li>
-       </ul>
+         
+<li>terminate (via a crash) the JVM</li>
+       
+</ul>
        Additionally, these vulnerabilities only occur when all of the following
        are true:
        <ul>
-         <li>untrusted web applications are being used</li>
-         <li>the SecurityManager is used to limit the untrusted web applications
+         
+<li>untrusted web applications are being used</li>
+         
+<li>the SecurityManager is used to limit the untrusted web applications
              </li>
-         <li>the HTTP NIO or HTTP APR connector is used</li>
-         <li>sendfile is enabled for the connector (this is the default)</li>
-       </ul>
-    </p>
+         
+<li>the HTTP NIO or HTTP APR connector is used</li>
+         
+<li>sendfile is enabled for the connector (this is the default)</li>
+       
+</ul>
+    
+</p>
 
-    <p>This was fixed in revisions
+    
+<p>This was fixed in revisions
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1145383">1145383</a>,
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1145489">1145489</a>,
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1145571">1145571</a>,
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1145694">1145694</a> and
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1146005">1146005</a>.</p>
 
-    <p>This was identified by the Tomcat security team on 7 July 2011 and
+    
+<p>This was identified by the Tomcat security team on 7 July 2011 and
        made public on 13 July 2011.</p>
 
-    <p>Affects: 7.0.0-7.0.18</p>
+    
+<p>Affects: 7.0.0-7.0.18</p>
   
-    <p>
+    
+<p>
 <i>Note: The issues below were fixed in Apache Tomcat 7.0.17 but the
        release votes for the 7.0.17 and 7.0.18 release candidates did not pass.
        Therefore, although users must download 7.0.19 to obtain a version that
@@ -514,12 +496,14 @@
        included in the list of affected versions.</i>
 </p>
 
-    <p>
+    
+<p>
 <strong>Low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a>
 </p>
 
-    <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+    
+<p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
        creating users via JMX, an exception during the user creation process may
        trigger an error message in the JMX client that includes the user's
        password. This error message is also written to the Tomcat logs. User
@@ -528,19 +512,24 @@
        do not have these permissions but are able to read log files may be able
        to discover a user's password.</p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1140070">revision 1140070</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1140070">revision 1140070</a>.</p>
 
-    <p>This was identified by Polina Genova on 14 June 2011 and
+    
+<p>This was identified by Polina Genova on 14 June 2011 and
        made public on 27 June 2011.</p>
 
-    <p>Affects: 7.0.0-7.0.16</p>
+    
+<p>Affects: 7.0.0-7.0.16</p>
   
-    <p>
+    
+<p>
 <strong>Low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2481" rel="nofollow">CVE-2011-2481</a>
 </p>
 
-    <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
+    
+<p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
        vulnerability previously reported as <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>.
        This was initially
        <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395">
@@ -549,104 +538,90 @@
        view and/or alter the web.xml, context.xml and tld files of other web
        applications deployed on the Tomcat instance.</p>
 
-    <p>This was first fixed in
+    
+<p>This was first fixed in
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1137753">revision 1137753</a>, 
        but reverted in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1138776">revision 1138776</a> and
        finally fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1138788">revision 1138788</a>.</p>
 
-    <p>This was identified by the Tomcat security team on 20 June 2011 and
+    
+<p>This was identified by the Tomcat security team on 20 June 2011 and
        made public on 12 August 2011.</p>
 
-    <p>Affects: 7.0.0-7.0.16</p>
+    
+<p>Affects: 7.0.0-7.0.16</p>
   
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.14">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.14">
-<strong>Fixed in Apache Tomcat 7.0.14</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 12 May 2011</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.14">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.14"><strong>Fixed in Apache Tomcat 7.0.14</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 12 May 2011</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
 
-    <p>
+    
+<p>
 <strong>Important: Security constraint bypass</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1582" rel="nofollow">CVE-2011-1582</a>
 </p>
 
-    <p>An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security
+    
+<p>An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security
        constraints configured via annotations were ignored on the first request
        to a Servlet. Subsequent requests were secured correctly.</p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1100832">revision 1100832</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1100832">revision 1100832</a>.</p>
 
-    <p>This was identified by the Tomcat security team on 13 April 2011 and
+    
+<p>This was identified by the Tomcat security team on 13 April 2011 and
        made public on 17 May 2011.</p>
 
-    <p>Affects: 7.0.12-7.0.13</p>
+    
+<p>Affects: 7.0.12-7.0.13</p>
+  
   
-  </blockquote>
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.12">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.12">
-<strong>Fixed in Apache Tomcat 7.0.12</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 6 Apr 2011</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.12">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.12"><strong>Fixed in Apache Tomcat 7.0.12</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 6 Apr 2011</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
 
-    <p>
+    
+<p>
 <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475" rel="nofollow">CVE-2011-1475</a>
 </p>
 
-    <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
+    
+<p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
        asynchronous requests did not fully account for HTTP pipelining. As a
        result, when using HTTP pipelining a range of unexpected behaviours
        occurred including the mixing up of responses between requests. While
@@ -654,145 +629,147 @@
        user, a mix-up of responses for requests from different users may also be
        possible.</p>
 
-    <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1086349">1086349</a> and
+    
+<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1086349">1086349</a> and
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1086352">1086352</a>.
        (Note: HTTP pipelined requests are still likely to fail with the
        HTTP BIO connector but will do so in a secure manner.)</p>
 
-    <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
+    
+<p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
        2011.</p>
 
-    <p>Affects: 7.0.0-7.0.11</p>
+    
+<p>Affects: 7.0.0-7.0.11</p>
 
-    <p>
+    
+<p>
 <strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>
 </p>
 
-    <p>The implementation of HTTP DIGEST authentication was discovered to have
+    
+<p>The implementation of HTTP DIGEST authentication was discovered to have
        several weaknesses:
        <ul>
-         <li>replay attacks were permitted</li>
-         <li>server nonces were not checked</li>
-         <li>client nonce counts were not checked</li>
-         <li>qop values were not checked</li>
-         <li>realm values were not checked</li>
-         <li>the server secret was hard-coded to a known string</li>
-       </ul>
+         
+<li>replay attacks were permitted</li>
+         
+<li>server nonces were not checked</li>
+         
+<li>client nonce counts were not checked</li>
+         
+<li>qop values were not checked</li>
+         
+<li>realm values were not checked</li>
+         
+<li>the server secret was hard-coded to a known string</li>
+       
+</ul>
        The result of these weaknesses is that DIGEST authentication was only as
        secure as BASIC authentication.
     </p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1087655">revision 1087655</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1087655">revision 1087655</a>.</p>
 
-    <p>This was identified by the Tomcat security team on 16 March 2011 and
+    
+<p>This was identified by the Tomcat security team on 16 March 2011 and
        made public on 26 September 2011.</p>
 
-    <p>Affects: 7.0.0-7.0.11</p>
+    
+<p>Affects: 7.0.0-7.0.11</p>
 
-    <p>
+    
+<p>
 <strong>Important: Security constraint bypass</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183" rel="nofollow">CVE-2011-1183</a>
 </p>
 
-    <p>A regression in the fix for CVE-2011-1088 meant that security constraints
+    
+<p>A regression in the fix for CVE-2011-1088 meant that security constraints
        were ignored when no login configuration was present in the web.xml and
        the web application was marked as meta-data complete.</p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1087643">revision 1087643</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1087643">revision 1087643</a>.</p>
 
-    <p>This was identified by the Tomcat security team on 17 March 2011 and
+    
+<p>This was identified by the Tomcat security team on 17 March 2011 and
        made public on 6 April 2011.</p>
 
-    <p>Affects: 7.0.11</p>
+    
+<p>Affects: 7.0.11</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.11">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.11">
-<strong>Fixed in Apache Tomcat 7.0.11</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 11 Mar 2011</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.11">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.11"><strong>Fixed in Apache Tomcat 7.0.11</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 11 Mar 2011</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
 
-    <p>
+    
+<p>
 <strong>Important: Security constraint bypass</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1088" rel="nofollow">CVE-2011-1088</a>
 </p>
 
-    <p>When a web application was started, <code>ServletSecurity</code>
+    
+<p>When a web application was started, <code>ServletSecurity</code>
        annotations were ignored. This meant that some areas of the application
        may not have been protected as expected. This was partially fixed in
        Apache Tomcat 7.0.10 and fully fixed in 7.0.11.</p>
 
-    <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1076586">1076586</a>,
+    
+<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1076586">1076586</a>,
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1076587">1076587</a>,
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1077995">1077995</a> and
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1079752">1079752</a>.</p>
 
-    <p>This was reported publicly on the Tomcat users mailing list on 2 Mar
+    
+<p>This was reported publicly on the Tomcat users mailing list on 2 Mar
        2011.</p>
 
-    <p>Affects: 7.0.0-7.0.10</p>
+    
+<p>Affects: 7.0.0-7.0.10</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.8">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.8">
-<strong>Fixed in Apache Tomcat 7.0.8</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 5 Feb 2011</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.8">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.8"><strong>Fixed in Apache Tomcat 7.0.8</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 5 Feb 2011</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
 
-    <p>
+    
+<p>
 <i>Note: The issue below was fixed in Apache Tomcat 7.0.7 but the
        release vote for the 7.0.7 release candidate did not pass. Therefore,
        although users must download 7.0.8 to obtain a version that includes a
@@ -800,161 +777,142 @@
        affected versions.</i>
 </p>
 
-    <p>
+    
+<p>
 <strong>Important: Remote Denial Of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0534" rel="nofollow">CVE-2011-0534</a>
 </p>
 
-    <p>The NIO connector expands its buffer endlessly during request line
+    
+<p>The NIO connector expands its buffer endlessly during request line
        processing. That behaviour can be used for a denial of service attack
        using a carefully crafted request.</p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1065939">revision 1065939</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1065939">revision 1065939</a>.</p>
 
-    <p>This was identified by the Tomcat security team on 27 Jan 2011 and
+    
+<p>This was identified by the Tomcat security team on 27 Jan 2011 and
        made public on 5 Feb 2011.</p>
 
-    <p>Affects: 7.0.0-7.0.6</p>
+    
+<p>Affects: 7.0.0-7.0.6</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.6">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.6">
-<strong>Fixed in Apache Tomcat 7.0.6</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 14 Jan 2011</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.6">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.6"><strong>Fixed in Apache Tomcat 7.0.6</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 14 Jan 2011</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
   
-    <p>
+    
+<p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013" rel="nofollow">CVE-2011-0013</a>
 </p>
 
-    <p>The HTML Manager interface displayed web application provided data, such
+    
+<p>The HTML Manager interface displayed web application provided data, such
        as display names, without filtering. A malicious web application could
        trigger script execution by an administrative user when viewing the
        manager pages.</p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1057279">revision 1057279</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1057279">revision 1057279</a>.</p>
 
-    <p>This was identified by the Tomcat security team on 12 Nov 2010 and
+    
+<p>This was identified by the Tomcat security team on 12 Nov 2010 and
        made public on 5 Feb 2011.</p>
 
-    <p>Affects: 7.0.0-7.0.5</p>
+    
+<p>Affects: 7.0.0-7.0.5</p>
+  
   
-  </blockquote>
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.5">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.5">
-<strong>Fixed in Apache Tomcat 7.0.5</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 1 Dec 2010</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.5">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.5"><strong>Fixed in Apache Tomcat 7.0.5</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 1 Dec 2010</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
   
-    <p>
+    
+<p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172" rel="nofollow">CVE-2010-4172</a>
 </p>
 
-    <p>The Manager application used the user provided parameters sort and
+    
+<p>The Manager application used the user provided parameters sort and
        orderBy directly without filtering thereby permitting cross-site
        scripting. The CSRF protection, which is enabled by default, prevents an
        attacker from exploiting this.</p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1037778">revision 1037778</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1037778">revision 1037778</a>.</p>
 
-    <p>This was first reported to the Tomcat security team on 15 Nov 2010 and
+    
+<p>This was first reported to the Tomcat security team on 15 Nov 2010 and
        made public on 22 Nov 2010.</p>
 
-    <p>Affects: 7.0.0-7.0.4</p>
+    
+<p>Affects: 7.0.0-7.0.4</p>
   
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.4">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.4">
-<strong>Fixed in Apache Tomcat 7.0.4</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 21 Oct 2010</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.4">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.4"><strong>Fixed in Apache Tomcat 7.0.4</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 21 Oct 2010</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
 
-    <p>
+    
+<p>
 <strong>low: SecurityManager file permission bypass</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718" rel="nofollow">CVE-2010-3718</a>
 </p>
 
-    <p>When running under a SecurityManager, access to the file system is
+    
+<p>When running under a SecurityManager, access to the file system is
        limited but web applications are granted read/write permissions to the
        work directory. This directory is used for a variety of temporary files
        such as the intermediate files generated when compiling JSPs to Servlets.
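Review bot: The regenerated section headers keep a typo in the font list of the right-hand (release date) cell, `face="arial,helvetica.sanserif"`, while the left-hand cell has `face="arial,helvetica,sanserif"`. With the period, the second and third names are read as a single font name. It appears in the 7.0.6, 7.0.5 and 7.0.4 header rows of this hunk, and again in the 7.0.8 and 7.0.2 rows of the neighbouring hunks. The page appears to be generated output, so the fix presumably belongs in the template that emits the release-date cell, as `face="arial,helvetica,sanserif"`, rather than in docs/security-7.html.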
@@ -968,47 +926,39 @@
        applicable when hosting web applications from untrusted sources such as
        shared hosting environments.</p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1022134">revision 1022134</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1022134">revision 1022134</a>.</p>
 
-    <p>This was discovered by the Tomcat security team on 12 Oct 2010 and
+    
+<p>This was discovered by the Tomcat security team on 12 Oct 2010 and
        made public on 5 Feb 2011.</p>
 
-    <p>Affects: 7.0.0-7.0.3</p>
+    
+<p>Affects: 7.0.0-7.0.3</p>
+  
   
-  </blockquote>
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 7.0.2">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_7.0.2">
-<strong>Fixed in Apache Tomcat 7.0.2</strong>
-</a>
-</font>
-</td>
-<td align="right" bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica.sanserif">
-<strong>released 11 Aug 2010</strong>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.2">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.2"><strong>Fixed in Apache Tomcat 7.0.2</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 11 Aug 2010</strong></font></td>
 </tr>
 <tr>
 <td colspan="2">
 <p>
 <blockquote>
   
-    <p>
+    
+<p>
 <i>Note: The issue below was fixed in Apache Tomcat 7.0.1 but the
        release vote for the 7.0.1 release candidate did not pass. Therefore,
        although users must download 7.0.2 to obtain a version that includes a
@@ -1016,130 +966,147 @@
        affected versions.</i>
 </p>
          
-    <p>
+    
+<p>
 <strong>Important: Remote Denial Of Service and Information Disclosure
        Vulnerability</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227" rel="nofollow">CVE-2010-2227</a>
 </p>
 
-    <p>Several flaws in the handling of the 'Transfer-Encoding' header were
+    
+<p>Several flaws in the handling of the 'Transfer-Encoding' header were
        found that prevented the recycling of a buffer. A remote attacker could
        trigger this flaw which would cause subsequent requests to fail and/or
        information to leak between requests. This flaw is mitigated if Tomcat is
        behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
        reject the invalid transfer encoding header.</p>
        
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=958911">revision 958911</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=958911">revision 958911</a>.</p>
 
-    <p>This was first reported to the Tomcat security team on 14 Jun 2010 and
+    
+<p>This was first reported to the Tomcat security team on 14 Jun 2010 and
        made public on 9 Jul 2010.</p>
 
-    <p>Affects: 7.0.0</p>
+    
+<p>Affects: 7.0.0</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Not a vulnerability in Tomcat">
-<!--()-->
-</a>
-<a name="Not_a_vulnerability_in_Tomcat">
-<strong>Not a vulnerability in Tomcat</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Not a vulnerability in Tomcat">
+<!--()--></a><a name="Not_a_vulnerability_in_Tomcat"><strong>Not a vulnerability in Tomcat</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
   
-    <p>
+    
+<p>
 <strong>Important: Remote Denial Of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a>
 </p>
 
-    <p>A JVM bug could cause Double conversion to hang JVM when accessing to a
+    
+<p>A JVM bug could cause Double conversion to hang JVM when accessing to a
        form based security constrained page or any page that calls
        javax.servlet.ServletRequest.getLocale() or
        javax.servlet.ServletRequest.getLocales(). A specially crafted request
        can be used to trigger a denial of service.
     </p>
 
-    <p>A work-around for this JVM bug was provided in 
+    
+<p>A work-around for this JVM bug was provided in 
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1066244">revision 1066244</a>.</p>
 
-    <p>This was first reported to the Tomcat security team on 01 Feb 2011 and
+    
+<p>This was first reported to the Tomcat security team on 01 Feb 2011 and
        made public on 31 Jan 2011.</p>
 
-    <p>Affects: 7.0.0-7.0.6</p>
+    
+<p>Affects: 7.0.0-7.0.6</p>
 
-    <p>
+    
+<p>
 <strong>moderate: TLS SSL Man In The Middle</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" rel="nofollow">CVE-2009-3555</a>
 </p>
 
-    <p>A vulnerability exists in the TLS protocol that allows an attacker to
+    
+<p>A vulnerability exists in the TLS protocol that allows an attacker to
        inject arbitrary requests into an TLS stream during renegotiation.</p>
     
-    <p>The TLS implementation used by Tomcat varies with connector. The blocking
+    
+<p>The TLS implementation used by Tomcat varies with connector. The blocking
        IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
        provided by the JVM. The APR/native connector uses OpenSSL.</p>
        
-    <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+    
+<p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
        To workaround this until a fix is available in JSSE, use the connector
        attribute <code>allowUnsafeLegacyRenegotiation</code>. It should be set
        to <code>false</code> (the default) to protect against this
        vulnerability.</p>
        
-    <p>The NIO connector is not vulnerable as it does not support
+    
+<p>The NIO connector is not vulnerable as it does not support
        renegotiation.</p>
        
-    <p>The APR/native workarounds are detailed on the
+    
+<p>The APR/native workarounds are detailed on the
        <a href="security-native.html">APR/native connector security page</a>.
        </p>
        
-    <p>Users should be aware that the impact of disabling renegotiation will
+    
+<p>Users should be aware that the impact of disabling renegotiation will
        vary with both application and client. In some circumstances disabling
        renegotiation may result in some clients being unable to access the
        application.</p>
 
-    <p>This was worked-around in
+    
+<p>This was worked-around in
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=882320">revision 891292</a>.</p>
 
-    <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+    
+<p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
        have this security issue:</p>
 
-    <ul>
-      <li>For connectors using JSSE implementation provided by JVM:
-        Added in Tomcat 7.0.8.<br/>
+    
+<ul>
+      
+<li>For connectors using JSSE implementation provided by JVM:
+        Added in Tomcat 7.0.8.<br>
         Requires JRE that supports RFC 5746. For Oracle JRE that is
         <a rel="nofollow" href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a>
         to be 6u22 or later.
       </li>
-      <li>For connectors using APR and OpenSSL:<br/>
+      
+<li>For connectors using APR and OpenSSL:<br>
         TBD. See
         <a href="security-native.html">APR/native connector security page</a>.
       </li>
-    </ul>
+    
+</ul>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
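Review bot: The fix link in the CVE-2009-3555 entry names one revision and points at another: the text reads `revision 891292` while the href carries `rev=882320`, so a reader verifying or backporting the workaround lands on a different commit than the one cited. In the CVE-2010-4476 entry of the same hunk the dates run backwards: `first reported to the Tomcat security team on 01 Feb 2011 and made public on 31 Jan 2011`. This regeneration carries both statements over unchanged. The page appears to be generated, so the correction presumably belongs in the xdocs source rather than in docs/security-7.html. The diff does not show which revision number or which date is correct.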
@@ -1148,21 +1115,19 @@
 <!--FOOTER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr noshade="" size="1"/>
+<hr noshade size="1">
 </td>
 </tr>
 <!--PAGE FOOTER-->
 <tr>
 <td colspan="2">
 <div align="center">
-<font color="#525D76" size="-1">
-<em>
-        Copyright © 1999-2011, The Apache Software Foundation
-        <br/>
+<font color="#525D76" size="-1"><em>
+        Copyright &copy; 1999-2011, The Apache Software Foundation
+        <br>
         Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
         project logo are trademarks of the Apache Software Foundation.
-        </em>
-</font>
+        </em></font>
 </div>
 </td>
 </tr>

Modified: tomcat/site/trunk/docs/security-impact.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-impact.html?rev=1182736&r1=1182735&r2=1182736&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-impact.html (original)
+++ tomcat/site/trunk/docs/security-impact.html Thu Oct 13 09:22:24 2011
@@ -1,47 +1,33 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html>
 <head>
+<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
 <title>Apache Tomcat - Security Impact Levels</title>
-<meta name="author" content="Apache Tomcat Project"/>
-<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
-<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/>
+<meta name="author" content="Apache Tomcat Project">
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet">
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print">
 </head>
 <body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
 <table border="0" width="100%" cellspacing="0">
 <!--PAGE HEADER-->
 <tr>
 <td>
-<!--PROJECT LOGO-->
-<a href="http://tomcat.apache.org/">
-<img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"/>
-</a>
-</td>
-<td>
-<font face="arial,helvetica,sanserif">
+<!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"></a></td><td><font face="arial,helvetica,sanserif">
 <h1>Apache Tomcat</h1>
-</font>
-</td>
-<td>
-<!--APACHE LOGO-->
-<a href="http://www.apache.org/">
-<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/>
-</a>
-</td>
+</font></td><td>
+<!--APACHE LOGO--><a href="http://www.apache.org/"><img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td>
 </tr>
 </table>
 <div class="searchbox noPrint">
 <form action="http://www.google.com/search" method="get">
-<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
-<input value="Search the Site" size="25" name="q" id="query" type="text"/>
-<input name="Search" value="Search Site" type="submit"/>
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input value="Search the Site" size="25" name="q" id="query" type="text"><input name="Search" value="Search Site" type="submit">
 </form>
 </div>
 <table border="0" width="100%" cellspacing="4">
 <!--HEADER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr noshade="" size="1"/>
+<hr noshade size="1">
 </td>
 </tr>
 <tr>
@@ -194,163 +180,142 @@
 </li>
 </ul>
 </td>
-<!--RIGHT SIDE MAIN BODY-->
-<td width="80%" valign="top" align="left" id="mainBody">
+<!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody">
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Summary of security impact levels for Apache Tomcat">
-<!--()-->
-</a>
-<a name="Summary_of_security_impact_levels_for_Apache_Tomcat">
-<strong>Summary of security impact levels for Apache Tomcat</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Summary of security impact levels for Apache Tomcat">
+<!--()--></a><a name="Summary_of_security_impact_levels_for_Apache_Tomcat"><strong>Summary of security impact levels for Apache Tomcat</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>The Apache Tomcat Security Team rates the impact of each security flaw
+    
+<p>The Apache Tomcat Security Team rates the impact of each security flaw
        that affects Tomcat. We've chosen a rating scale quite similar to those
        used by other major vendors in order to be consistent. Basically the goal
        of the rating system is to answer the question "How worried should I be
        about this vulnerability?".</p>
 
-    <p>Note that the rating chosen for each flaw is the worst possible case
+    
+<p>Note that the rating chosen for each flaw is the worst possible case
        across all architectures. To determine the exact impact of a particular
        vulnerability on your own systems you will still need to read the security
        advisories to find out more about the flaw.</p>
 
-    <p>We use the following descriptions to decide on the impact rating to give
+    
+<p>We use the following descriptions to decide on the impact rating to give
        each vulnerability:</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Critical">
-<strong>Critical</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Critical"><strong>Critical</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>A vulnerability rated with a Critical impact is one which could
+    
+<p>A vulnerability rated with a Critical impact is one which could
        potentially be exploited by a remote attacker to get Tomcat to execute
        arbitrary code (either as the user the server is running as, or root).
        These are the sorts of vulnerabilities that could be exploited
        automatically by worms.</p>
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Important">
-<strong>Important</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Important"><strong>Important</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>A vulnerability rated as Important impact is one which could result in
+    
+<p>A vulnerability rated as Important impact is one which could result in
        the compromise of data or availability of the server. For Tomcat this
        includes issues that allow an easy remote denial of service (something
        that is out of proportion to the attack or with a lasting consequence),
        access to arbitrary files outside of the context root, or access to files
        that should be otherwise prevented by limits or authentication.</p>
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Moderate">
-<strong>Moderate</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Moderate"><strong>Moderate</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>A vulnerability is likely to be rated as Moderate if there is significant
+    
+<p>A vulnerability is likely to be rated as Moderate if there is significant
        mitigation to make the issue less of an impact. This might be because the
        flaw does not affect likely configurations, or it is a configuration that
        isn't widely used, or where a remote user must be authenticated in order
        to exploit the issue. Flaws that allow Tomcat to serve directory listings
        instead of index files and cross-site scripting issues are included here.
        </p>
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Low">
-<strong>Low</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Low"><strong>Low</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>All other security flaws are classed as a Low impact. This rating is used
+    
+<p>All other security flaws are classed as a Low impact. This rating is used
        for issues that are believed to be extremely hard to exploit, or where an
        exploit gives minimal consequences.</p>
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
@@ -359,21 +324,19 @@
 <!--FOOTER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr noshade="" size="1"/>
+<hr noshade size="1">
 </td>
 </tr>
 <!--PAGE FOOTER-->
 <tr>
 <td colspan="2">
 <div align="center">
-<font color="#525D76" size="-1">
-<em>
-        Copyright © 1999-2011, The Apache Software Foundation
-        <br/>
+<font color="#525D76" size="-1"><em>
+        Copyright &copy; 1999-2011, The Apache Software Foundation
+        <br>
         Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
         project logo are trademarks of the Apache Software Foundation.
-        </em>
-</font>
+        </em></font>
 </div>
 </td>
 </tr>

Modified: tomcat/site/trunk/docs/security-jk.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1182736&r1=1182735&r2=1182736&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-jk.html (original)
+++ tomcat/site/trunk/docs/security-jk.html Thu Oct 13 09:22:24 2011
@@ -1,47 +1,33 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html>
 <head>
+<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
 <title>Apache Tomcat - Apache Tomcat JK Connectors vulnerabilities</title>
-<meta name="author" content="Apache Tomcat Project"/>
-<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
-<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/>
+<meta name="author" content="Apache Tomcat Project">
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet">
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print">
 </head>
 <body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
 <table border="0" width="100%" cellspacing="0">
 <!--PAGE HEADER-->
 <tr>
 <td>
-<!--PROJECT LOGO-->
-<a href="http://tomcat.apache.org/">
-<img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"/>
-</a>
-</td>
-<td>
-<font face="arial,helvetica,sanserif">
+<!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"></a></td><td><font face="arial,helvetica,sanserif">
 <h1>Apache Tomcat</h1>
-</font>
-</td>
-<td>
-<!--APACHE LOGO-->
-<a href="http://www.apache.org/">
-<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/>
-</a>
-</td>
+</font></td><td>
+<!--APACHE LOGO--><a href="http://www.apache.org/"><img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td>
 </tr>
 </table>
 <div class="searchbox noPrint">
 <form action="http://www.google.com/search" method="get">
-<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
-<input value="Search the Site" size="25" name="q" id="query" type="text"/>
-<input name="Search" value="Search Site" type="submit"/>
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input value="Search the Site" size="25" name="q" id="query" type="text"><input name="Search" value="Search Site" type="submit">
 </form>
 </div>
 <table border="0" width="100%" cellspacing="4">
 <!--HEADER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr noshade="" size="1"/>
+<hr noshade size="1">
 </td>
 </tr>
 <tr>
@@ -194,25 +180,17 @@
 </li>
 </ul>
 </td>
-<!--RIGHT SIDE MAIN BODY-->
-<td width="80%" valign="top" align="left" id="mainBody">
+<!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody">
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Table of Contents">
-<!--()-->
-</a>
-<a name="Table_of_Contents">
-<strong>Table of Contents</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Table of Contents">
+<!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
+
 <ul>
 <li>
 <a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</a>
@@ -230,34 +208,28 @@
 <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.16">Fixed in Apache Tomcat JK Connector 1.2.16</a>
 </li>
 </ul>
+
 </blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Apache Tomcat JK Connectors vulnerabilities">
-<!--()-->
-</a>
-<a name="Apache_Tomcat_JK_Connectors_vulnerabilities">
-<strong>Apache Tomcat JK Connectors vulnerabilities</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Apache Tomcat JK Connectors vulnerabilities">
+<!--()--></a><a name="Apache_Tomcat_JK_Connectors_vulnerabilities"><strong>Apache Tomcat JK Connectors vulnerabilities</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>This page lists all security vulnerabilities fixed in released versions
+    
+<p>This page lists all security vulnerabilities fixed in released versions
        of Apache Tomcat Jk Connectors. Each vulnerability is given a
        <a href="security-impact.html">security impact rating</a> by the Apache
        Tomcat security team - please note that this rating may vary from
@@ -265,97 +237,92 @@
        Connectors the flaw is known to affect, and where a flaw has not been
        verified list the version with a question mark.</p>
 
-    <p>This page has been created from a review of the Apache Tomcat archives
+    
+<p>This page has been created from a review of the Apache Tomcat archives
        and the CVE list. Please send comments or corrections for these
        vulnerabilities to the <a href="mailto:security@tomcat.apache.org">Tomcat
        Security Team</a>.</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat JK Connector 1.2.27">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">
-<strong>Fixed in Apache Tomcat JK Connector 1.2.27</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat JK Connector 1.2.27">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_JK_Connector_1.2.27"><strong>Fixed in Apache Tomcat JK Connector 1.2.27</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>
+    
+<p>
 <strong>important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519" rel="nofollow">CVE-2008-5519</a>
 </p>
 
-    <p>Situations where faulty clients set Content-Length without providing
+    
+<p>Situations where faulty clients set Content-Length without providing
        data, or where a user submits repeated requests very quickly, may permit
        one user to view the response associated with a different user's request.
        </p>
 
-    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=702540">revision 702540</a>.</p>
+    
+<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=702540">revision 702540</a>.</p>
 
-    <p>Affects: JK 1.2.0-1.2.26<br/>
+    
+<p>Affects: JK 1.2.0-1.2.26<br>
        Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
        5.5.0-5.5.27</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat JK Connector 1.2.23">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_JK_Connector_1.2.23">
-<strong>Fixed in Apache Tomcat JK Connector 1.2.23</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat JK Connector 1.2.23">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_JK_Connector_1.2.23"><strong>Fixed in Apache Tomcat JK Connector 1.2.23</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>
+    
+<p>
 <strong>important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860" rel="nofollow">CVE-2007-1860</a>
 </p>
 
-    <p>The issue is related to
+    
+<p>The issue is related to
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450" rel="nofollow">CVE-2007-0450</a>, the patch for which was insufficient.</p>
 
-    <p>When multiple components (firewalls, caches, proxies and Tomcat)
+    
+<p>When multiple components (firewalls, caches, proxies and Tomcat)
        process a request, the request URL should not get decoded multiple times
        in an iterative way by these components. Otherwise it might be possible
        to pass access control rules implemented on front of the last component
        by applying multiple URL encoding to the request.
        </p>
 
-    <p>mod_jk before version 1.2.23 by default decoded request URLs inside Apache
+    
+<p>mod_jk before version 1.2.23 by default decoded request URLs inside Apache
        httpd and forwarded the encoded URL to Tomcat, which itself did a second
        decoding. This made it possible to pass a prefix JkMount for /someapp,
        but actually access /otherapp on Tomcat. Starting with version 1.2.23
@@ -364,7 +331,8 @@
        the forwarding option "JkOption ForwardURICompatUnparsed".
        </p>
 
-    <p>Please note, that your configuration might contain a different forwarding
+    
+<p>Please note, that your configuration might contain a different forwarding
        JkOption. In this case, please consult the
        <a href="http://tomcat.apache.org/connectors-doc/reference/apache.html#Forwarding">
        forwarding documentation</a> concerning the security implications.
@@ -372,97 +340,91 @@
        interoperability with mod_rewrite.
        </p>
 
-    <p>Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only)<br/>
+    
+<p>Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only)<br>
        Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
        5.5.0-5.5.23</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat JK Connector 1.2.21">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_JK_Connector_1.2.21">
-<strong>Fixed in Apache Tomcat JK Connector 1.2.21</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat JK Connector 1.2.21">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_JK_Connector_1.2.21"><strong>Fixed in Apache Tomcat JK Connector 1.2.21</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>
+    
+<p>
 <strong>critical: Arbitrary code execution and denial of service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774" rel="nofollow">CVE-2007-0774</a>
 </p>
 
-    <p>An unsafe memory copy in the URI handler for the native JK connector
+    
+<p>An unsafe memory copy in the URI handler for the native JK connector
        could result in a stack overflow condition which could be leveraged to
        execute arbitrary code or crash the web server.</p>
 
-    <p>Affects: JK 1.2.19-1.2.20<br/>
+    
+<p>Affects: JK 1.2.19-1.2.20<br>
        Source shipped with: Tomcat 4.1.34, 5.5.20</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat JK Connector 1.2.16">
-<!--()-->
-</a>
-<a name="Fixed_in_Apache_Tomcat_JK_Connector_1.2.16">
-<strong>Fixed in Apache Tomcat JK Connector 1.2.16</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat JK Connector 1.2.16">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_JK_Connector_1.2.16"><strong>Fixed in Apache Tomcat JK Connector 1.2.16</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>
+    
+<p>
 <strong>important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7197" rel="nofollow">CVE-2006-7197</a>
 </p>
 
-    <p>The Tomcat AJP connector contained a bug that sometimes set a too long
+    
+<p>The Tomcat AJP connector contained a bug that sometimes set a too long
        length for the chunks delivered by send_body_chunks AJP messages. Bugs of
        this type can cause mod_jk to read beyond buffer boundaries and thus
        reveal sensitive memory information to a client.</p>
 
-    <p>Affects: JK 1.2.0-1.2.15<br/>
+    
+<p>Affects: JK 1.2.0-1.2.15<br>
        Source shipped with: Tomcat 4.0.0-4.0.6, 4.1.0-4.1.32, 5.0.0-5.0.30,
        5.5.0-5.5.16</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
@@ -471,21 +433,19 @@
 <!--FOOTER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr noshade="" size="1"/>
+<hr noshade size="1">
 </td>
 </tr>
 <!--PAGE FOOTER-->
 <tr>
 <td colspan="2">
 <div align="center">
-<font color="#525D76" size="-1">
-<em>
-        Copyright © 1999-2011, The Apache Software Foundation
-        <br/>
+<font color="#525D76" size="-1"><em>
+        Copyright &copy; 1999-2011, The Apache Software Foundation
+        <br>
         Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
         project logo are trademarks of the Apache Software Foundation.
-        </em>
-</font>
+        </em></font>
 </div>
 </td>
 </tr>

Modified: tomcat/site/trunk/docs/security-native.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-native.html?rev=1182736&r1=1182735&r2=1182736&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-native.html (original)
+++ tomcat/site/trunk/docs/security-native.html Thu Oct 13 09:22:24 2011
@@ -1,47 +1,33 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html>
 <head>
+<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
 <title>Apache Tomcat - Apache Tomcat APR/native Connector vulnerabilities</title>
-<meta name="author" content="Apache Tomcat Project"/>
-<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
-<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/>
+<meta name="author" content="Apache Tomcat Project">
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet">
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print">
 </head>
 <body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
 <table border="0" width="100%" cellspacing="0">
 <!--PAGE HEADER-->
 <tr>
 <td>
-<!--PROJECT LOGO-->
-<a href="http://tomcat.apache.org/">
-<img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"/>
-</a>
-</td>
-<td>
-<font face="arial,helvetica,sanserif">
+<!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"></a></td><td><font face="arial,helvetica,sanserif">
 <h1>Apache Tomcat</h1>
-</font>
-</td>
-<td>
-<!--APACHE LOGO-->
-<a href="http://www.apache.org/">
-<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/>
-</a>
-</td>
+</font></td><td>
+<!--APACHE LOGO--><a href="http://www.apache.org/"><img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td>
 </tr>
 </table>
 <div class="searchbox noPrint">
 <form action="http://www.google.com/search" method="get">
-<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
-<input value="Search the Site" size="25" name="q" id="query" type="text"/>
-<input name="Search" value="Search Site" type="submit"/>
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input value="Search the Site" size="25" name="q" id="query" type="text"><input name="Search" value="Search Site" type="submit">
 </form>
 </div>
 <table border="0" width="100%" cellspacing="4">
 <!--HEADER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr noshade="" size="1"/>
+<hr noshade size="1">
 </td>
 </tr>
 <tr>
@@ -194,25 +180,17 @@
 </li>
 </ul>
 </td>
-<!--RIGHT SIDE MAIN BODY-->
-<td width="80%" valign="top" align="left" id="mainBody">
+<!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody">
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Table of Contents">
-<!--()-->
-</a>
-<a name="Table_of_Contents">
-<strong>Table of Contents</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Table of Contents">
+<!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
+
 <ul>
 <li>
 <a href="#Apache_Tomcat_APR/native_Connector_vulnerabilities">Apache Tomcat APR/native Connector vulnerabilities</a>
@@ -221,34 +199,28 @@
 <a href="#Not_a_vulnerability_in_the_Apache_Tomcat_APR/native_Connector">Not a vulnerability in the Apache Tomcat APR/native Connector</a>
 </li>
 </ul>
+
 </blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Apache Tomcat APR/native Connector vulnerabilities">
-<!--()-->
-</a>
-<a name="Apache_Tomcat_APR/native_Connector_vulnerabilities">
-<strong>Apache Tomcat APR/native Connector vulnerabilities</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Apache Tomcat APR/native Connector vulnerabilities">
+<!--()--></a><a name="Apache_Tomcat_APR/native_Connector_vulnerabilities"><strong>Apache Tomcat APR/native Connector vulnerabilities</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>This page lists all security vulnerabilities fixed in released versions
+    
+<p>This page lists all security vulnerabilities fixed in released versions
        of Apache Tomcat APR/native Connector. Each vulnerability is given a
        <a href="security-impact.html">security impact rating</a> by the Apache
        Tomcat security team - please note that this rating may vary from
@@ -256,68 +228,69 @@
        Connectors the flaw is known to affect, and where a flaw has not been
        verified list the version with a question mark.</p>
 
-    <p>This page has been created from a review of the Apache Tomcat archives
+    
+<p>This page has been created from a review of the Apache Tomcat archives
        and the CVE list. Please send comments or corrections for these
        vulnerabilities to the <a href="mailto:security@tomcat.apache.org">Tomcat
        Security Team</a>.</p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Not a vulnerability in the Apache Tomcat APR/native Connector">
-<!--()-->
-</a>
-<a name="Not_a_vulnerability_in_the_Apache_Tomcat_APR/native_Connector">
-<strong>Not a vulnerability in the Apache Tomcat APR/native Connector</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Not a vulnerability in the Apache Tomcat APR/native Connector">
+<!--()--></a><a name="Not_a_vulnerability_in_the_Apache_Tomcat_APR/native_Connector"><strong>Not a vulnerability in the Apache Tomcat APR/native Connector</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>
+    
+<p>
 <strong>TLS SSL Man In The Middle</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" rel="nofollow">CVE-2009-3555</a>
 </p>
 
-    <p>A vulnerability exists in the TLS protocol that allows an attacker to
+    
+<p>A vulnerability exists in the TLS protocol that allows an attacker to
        inject arbitrary requests into an TLS stream during renegotiation.</p>
     
-    <p>The TLS implementation used by Tomcat varies with connector. The
+    
+<p>The TLS implementation used by Tomcat varies with connector. The
        APR/native connector uses OpenSSL.</p>
        
-    <p>The APR/native connector is vulnerable if the OpenSSL version used is
+    
+<p>The APR/native connector is vulnerable if the OpenSSL version used is
        vulnerable. Note: Building with OpenSSL 0.9.8l will disable all
        renegotiation and protect against this vulnerability.</p>
 
-    <p>From 1.1.18 onwards, client initiated renegotiations are rejected to
+    
+<p>From 1.1.18 onwards, client initiated renegotiations are rejected to
        provide partial protection against this vulnerability with any OpenSSL
        version.</p>
        
-    <p>Users should be aware that the impact of disabling renegotiation will
+    
+<p>Users should be aware that the impact of disabling renegotiation will
        vary with both application and client. In some circumstances disabling
        renegotiation may result in some clients being unable to access the
        application.</p>
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
@@ -326,21 +299,19 @@
 <!--FOOTER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr noshade="" size="1"/>
+<hr noshade size="1">
 </td>
 </tr>
 <!--PAGE FOOTER-->
 <tr>
 <td colspan="2">
 <div align="center">
-<font color="#525D76" size="-1">
-<em>
-        Copyright © 1999-2011, The Apache Software Foundation
-        <br/>
+<font color="#525D76" size="-1"><em>
+        Copyright &copy; 1999-2011, The Apache Software Foundation
+        <br>
         Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
         project logo are trademarks of the Apache Software Foundation.
-        </em>
-</font>
+        </em></font>
 </div>
 </td>
 </tr>

Modified: tomcat/site/trunk/docs/security.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=1182736&r1=1182735&r2=1182736&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Thu Oct 13 09:22:24 2011
@@ -1,47 +1,33 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html>
 <head>
+<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
 <title>Apache Tomcat - Reporting Security Problems</title>
-<meta name="author" content="Apache Tomcat Project"/>
-<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
-<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/>
+<meta name="author" content="Apache Tomcat Project">
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet">
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print">
 </head>
 <body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
 <table border="0" width="100%" cellspacing="0">
 <!--PAGE HEADER-->
 <tr>
 <td>
-<!--PROJECT LOGO-->
-<a href="http://tomcat.apache.org/">
-<img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"/>
-</a>
-</td>
-<td>
-<font face="arial,helvetica,sanserif">
+<!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"></a></td><td><font face="arial,helvetica,sanserif">
 <h1>Apache Tomcat</h1>
-</font>
-</td>
-<td>
-<!--APACHE LOGO-->
-<a href="http://www.apache.org/">
-<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/>
-</a>
-</td>
+</font></td><td>
+<!--APACHE LOGO--><a href="http://www.apache.org/"><img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td>
 </tr>
 </table>
 <div class="searchbox noPrint">
 <form action="http://www.google.com/search" method="get">
-<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
-<input value="Search the Site" size="25" name="q" id="query" type="text"/>
-<input name="Search" value="Search Site" type="submit"/>
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input value="Search the Site" size="25" name="q" id="query" type="text"><input name="Search" value="Search Site" type="submit">
 </form>
 </div>
 <table border="0" width="100%" cellspacing="4">
 <!--HEADER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr noshade="" size="1"/>
+<hr noshade size="1">
 </td>
 </tr>
 <tr>
@@ -194,32 +180,25 @@
 </li>
 </ul>
 </td>
-<!--RIGHT SIDE MAIN BODY-->
-<td width="80%" valign="top" align="left" id="mainBody">
+<!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody">
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Security Updates">
-<!--()-->
-</a>
-<a name="Security_Updates">
-<strong>Security Updates</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Security Updates">
+<!--()--></a><a name="Security_Updates"><strong>Security Updates</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
 
-    <p>Please note that, except in rare circumstances, binary patches are not
+    
+<p>Please note that, except in rare circumstances, binary patches are not
        produced for individual vulnerabilities. To obtain the binary fix for a
        particular vulnerability you should upgrade to an Apache Tomcat version
        where that vulnerability has been fixed.</p>
        
-    <p>Source patches, usually in the form of references to SVN commits, may be
+    
+<p>Source patches, usually in the form of references to SVN commits, may be
        provided in either in a vulnerability announcement and/or the
        vulnerability details listed on these pages. These source patches may be
        used by users wishing to build their own local version of Tomcat with just
@@ -227,80 +206,89 @@
        currently underway to add links to the svn commits for all the
        vulnerabilities listed on these pages.</p>
        
-    <p>Lists of security problems fixed in released versions of Apache Tomcat
+    
+<p>Lists of security problems fixed in released versions of Apache Tomcat
        are available:</p>
-    <ul>
-      <li>
+    
+<ul>
+      
+<li>
 <a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities
           </a>
 </li>
-      <li>
+      
+<li>
 <a href="security-6.html">Apache Tomcat 6.x Security Vulnerabilities
           </a>
 </li>
-      <li>
+      
+<li>
 <a href="security-5.html">Apache Tomcat 5.x Security Vulnerabilities
           </a>
 </li>
-      <li>
+      
+<li>
 <a href="security-jk.html">Apache Tomcat JK Connectors Security
           Vulnerabilities</a>
 </li>
-      <li>
+      
+<li>
 <a href="security-native.html">Apache Tomcat APR/native Connector
           Security Vulnerabilities</a>
 </li>
-    </ul>
+    
+</ul>
 
-    <p>Lists of security problems fixed in versions of Apache Tomcat that may
+    
+<p>Lists of security problems fixed in versions of Apache Tomcat that may
         be downloaded from the archives are also available:</p>
-    <ul>
-      <li>
+    
+<ul>
+      
+<li>
 <a href="security-4.html">Apache Tomcat 4.x Security Vulnerabilities
           </a>
 </li>
-      <li>
+      
+<li>
 <a href="security-3.html">Apache Tomcat 3.x Security Vulnerabilities
           </a>
 </li>
-    </ul>
+    
+</ul>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Reporting New Security Problems with Apache Tomcat">
-<!--()-->
-</a>
-<a name="Reporting_New_Security_Problems_with_Apache_Tomcat">
-<strong>Reporting New Security Problems with Apache Tomcat</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Reporting New Security Problems with Apache Tomcat">
+<!--()--></a><a name="Reporting_New_Security_Problems_with_Apache_Tomcat"><strong>Reporting New Security Problems with Apache Tomcat</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
-    <p>The Apache Software Foundation takes a very active stance in eliminating
+    
+<p>The Apache Software Foundation takes a very active stance in eliminating
        security problems and denial of service attacks against Apache Tomcat.
        </p>
 
-    <p>We strongly encourage folks to report such problems to our private
+    
+<p>We strongly encourage folks to report such problems to our private
        security mailing list first, before disclosing them in a public forum.
        </p>
 
-    <p>
+    
+<p>
 <strong>Please note that the security mailing list should only be used
        for reporting undisclosed security vulnerabilities in Apache Tomcat and
        managing the process of fixing such vulnerabilities. We cannot accept
@@ -309,72 +297,78 @@
        the Apache Tomcat source code will be ignored.</strong>
 </p>
 
-    <p>If you need to report a bug that isn't an undisclosed security
+    
+<p>If you need to report a bug that isn't an undisclosed security
        vulnerability, please use the <a href="bugreport.html">bug reporting
        page</a>.</p>
        
-    <p>Questions about:</p>
-    <ul>
-      <li>how to configure Tomcat securely</li>
-      <li>if a vulnerability applies to your particular application</li>
-      <li>obtaining further information on a published vulnerability</li>
-      <li>availability of patches and/or new releases</li>
-    </ul>
-    <p>should be address to the users mailing list. Please see the
+    
+<p>Questions about:</p>
+    
+<ul>
+      
+<li>how to configure Tomcat securely</li>
+      
+<li>if a vulnerability applies to your particular application</li>
+      
+<li>obtaining further information on a published vulnerability</li>
+      
+<li>availability of patches and/or new releases</li>
+    
+</ul>
+    
+<p>should be address to the users mailing list. Please see the
        <a href="lists.html">mailing lists</a> page for details of how to
        subscribe.</p>
     
-    <p>The private security mailing address is:
+    
+<p>The private security mailing address is:
        <a href="mailto:security@tomcat.apache.org">
        security@tomcat.apache.org</a>
 </p>
 
-    <p>Note that all networked servers are subject to denial of service attacks,
+    
+<p>Note that all networked servers are subject to denial of service attacks,
        and we cannot promise magic workarounds to generic problems (such as a
        client streaming lots of data to your server, or re-requesting the same
        URL repeatedly). In general our philosophy is to avoid any attacks which
        can cause the server to consume resources in a non-linear relationship to
        the size of inputs.</p>
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Errors and omissions">
-<!--()-->
-</a>
-<a name="Errors_and_omissions">
-<strong>Errors and omissions</strong>
-</a>
-</font>
-</td>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Errors and omissions">
+<!--()--></a><a name="Errors_and_omissions"><strong>Errors and omissions</strong></a></font></td>
 </tr>
 <tr>
 <td>
 <p>
 <blockquote>
 
-    <p>Please report any errors or omissions to
+    
+<p>Please report any errors or omissions to
        <a href="mailto:security@tomcat.apache.org">security@tomcat.apache.org
        </a>.
     </p>
 
-  </blockquote>
+  
+</blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br/>
+<br>
 </td>
 </tr>
 </table>
@@ -383,21 +377,19 @@
 <!--FOOTER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr noshade="" size="1"/>
+<hr noshade size="1">
 </td>
 </tr>
 <!--PAGE FOOTER-->
 <tr>
 <td colspan="2">
 <div align="center">
-<font color="#525D76" size="-1">
-<em>
-        Copyright © 1999-2011, The Apache Software Foundation
-        <br/>
+<font color="#525D76" size="-1"><em>
+        Copyright &copy; 1999-2011, The Apache Software Foundation
+        <br>
         Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
         project logo are trademarks of the Apache Software Foundation.
-        </em>
-</font>
+        </em></font>
 </div>
 </td>
 </tr>


