Posted to dev@tomcat.apache.org by jf...@apache.org on 2010/02/10 09:32:12 UTC

svn commit: r908386 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml

Author: jfclere
Date: Wed Feb 10 08:32:11 2010
New Revision: 908386

URL: http://svn.apache.org/viewvc?rev=908386&view=rev
Log:
Just a ref to Not a vulnerability in Tomcat.

Modified:
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=908386&r1=908385&r2=908386&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Feb 10 08:32:11 2010
@@ -309,15 +309,9 @@
        CVE-2009-3555</a>
 </p>
 
-    <p>The TLS protocol, and the SSL protocol 3.0 and possibly earlier does not
-       properly associate renegotiation handshakes with an existing connection,
-       which allows man-in-the-middle attackers to insert data into HTTPS
-       sessions, and possibly other types of sessions protected by TLS or SSL,
-       by sending an unauthenticated request that is processed retroactively by
-       a server in a post-renegotiation context, related to a "plaintext
-       injection" attack, aka the "Project Mogul" issue.</p>
+    <p>See Not a vulnerability in Tomcat below</p>
 
-    <p>This was fixed in
+    <p>This was worked-around in
        <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev">
        revision 891292</a> and
        <a href="http://svn.apache.org/viewvc?rev=881774&amp;view=rev">
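Review bot: The added line `<p>See Not a vulnerability in Tomcat below</p>` gives the target section title as bare text, with no link, no quoting and no closing period, so the title runs into the sentence and the reader has to scroll to find it. Make the title a link to that section's anchor, or at least put it in quotes. Consider keeping a one-sentence summary of the renegotiation issue as well, because the removed paragraph was the only description of CVE-2009-3555 visible in this entry.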

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=908386&r1=908385&r2=908386&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Feb 10 08:32:11 2010
@@ -98,15 +98,9 @@
       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
        CVE-2009-3555</a></p>
 
-    <p>The TLS protocol, and the SSL protocol 3.0 and possibly earlier does not
-       properly associate renegotiation handshakes with an existing connection,
-       which allows man-in-the-middle attackers to insert data into HTTPS
-       sessions, and possibly other types of sessions protected by TLS or SSL,
-       by sending an unauthenticated request that is processed retroactively by
-       a server in a post-renegotiation context, related to a "plaintext
-       injection" attack, aka the "Project Mogul" issue.</p>
+    <p>See Not a vulnerability in Tomcat below</p>
 
-    <p>This was fixed in
+    <p>This was worked-around in
        <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev">
        revision 891292</a> and
        <a href="http://svn.apache.org/viewvc?rev=881774&amp;view=rev">
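Review bot: In the changed sentence `This was worked-around in`, the verb should be written "worked around", without the hyphen. The entry now points to "Not a vulnerability in Tomcat" while still listing revisions 891292 and 881774 under this CVE-2009-3555 item, so state explicitly that those revisions are a workaround for the TLS renegotiation issue and not a fix for a Tomcat defect. Otherwise the two statements read as contradictory.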



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r908386 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml

Posted by Mark Thomas <ma...@apache.org>.
On 10/02/2010 08:43, jean-frederic clere wrote:
> On 02/10/2010 09:32 AM, jfclere@apache.org wrote:
>> Author: jfclere
>> Date: Wed Feb 10 08:32:11 2010
>> New Revision: 908386
>>
>> URL: http://svn.apache.org/viewvc?rev=908386&view=rev
>> Log:
>> Just a ref to Not a vulnerability in Tomcat.
>>
> 
> Should I put the work-around in the "Not a vulnerability in Tomcat" part?

No need, the workarounds are already listed.

On a related note, I don't think the 6.0.24 section should have been
changed at all. CVE-2009-3555 is not a vulnerability in Tomcat.

Mark





Re: svn commit: r908386 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml

Posted by jean-frederic clere <jf...@gmail.com>.
On 02/10/2010 09:32 AM, jfclere@apache.org wrote:
> Author: jfclere
> Date: Wed Feb 10 08:32:11 2010
> New Revision: 908386
> 
> URL: http://svn.apache.org/viewvc?rev=908386&view=rev
> Log:
> Just a ref to Not a vulnerability in Tomcat.
> 

Should I put the work-around in the "Not a vulnerability in Tomcat" part?

Cheers

Jean-Frederic
