Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/09/27 15:03:30 UTC

svn commit: r1842101 [26/36] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1842101&r1=1842100&r2=1842101&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Thu Sep 27 15:03:29 2018
@@ -1,487 +1,486 @@
 <!DOCTYPE html SYSTEM "about:legacy-compat">
 <html lang="en">
-<head>
-<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link href="res/css/tomcat.css" rel="stylesheet" type="text/css">
-<link href="res/css/fonts/fonts.css" rel="stylesheet" type="text/css">
-<title>Apache Tomcat&reg; - Apache Tomcat 5 vulnerabilities</title>
-<meta name="author" content="Apache Tomcat Project">
-</head>
-<body>
-<div id="wrapper">
-<header id="header">
-<div class="clearfix">
-<div class="menu-toggler pull-left" tabindex="1">
-<div class="hamburger"></div>
-</div>
-<a href="http://tomcat.apache.org/"><img class="tomcat-logo pull-left noPrint" alt="Tomcat Home" src="res/images/tomcat.png"></a>
-<h1 class="pull-left">Apache Tomcat<sup>&reg;</sup>
-</h1>
-<div class="asf-logos pull-right">
-<a href="https://www.apache.org/foundation/contributing.html" target="_blank" class="pull-left"><img src="https://www.apache.org/images/SupportApache-small.png" class="support-asf" alt="Support Apache"></a><a href="http://www.apache.org/" target="_blank" class="pull-left"><img src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software Foundation"></a>
-</div>
-</div>
-</header>
-<main id="middle">
-<div>
-<div id="mainLeft">
-<div id="nav-wrapper">
-<form action="https://www.google.com/search" method="get">
-<div class="searchbox">
-<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search&hellip;" required="required" name="q" id="query" type="search"><button>GO</button>
-</div>
-</form>
-<div class="asfevents">
-<a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png"></a>
-</div>
-<nav>
-<div>
-<h2>Apache Tomcat</h2>
-<ul>
-<li>
-<a href="./index.html">Home</a>
-</li>
-<li>
-<a href="./taglibs.html">Taglibs</a>
-</li>
-<li>
-<a href="./maven-plugin.html">Maven Plugin</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>TomcatCon</h2>
-<ul>
-<li>
-<a href="./conference.html">North America</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Download</h2>
-<ul>
-<li>
-<a href="./whichversion.html">Which version?</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-90.cgi">Tomcat 9</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-80.cgi">Tomcat 8</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-70.cgi">Tomcat 7</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-connectors.cgi">Tomcat Connectors</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-native.cgi">Tomcat Native</a>
-</li>
-<li>
-<a href="https://tomcat.apache.org/download-taglibs.cgi">Taglibs</a>
-</li>
-<li>
-<a href="https://archive.apache.org/dist/tomcat/">Archives</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Documentation</h2>
-<ul>
-<li>
-<a href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a>
-</li>
-<li>
-<a href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a>
-</li>
-<li>
-<a href="./tomcat-8.0-doc/index.html">Tomcat 8.0</a>
-</li>
-<li>
-<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
-</li>
-<li>
-<a href="./connectors-doc/">Tomcat Connectors</a>
-</li>
-<li>
-<a href="./native-doc/">Tomcat Native</a>
-</li>
-<li>
-<a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a>
-</li>
-<li>
-<a href="./migration.html">Migration Guide</a>
-</li>
-<li>
-<a href="./presentations.html">Presentations</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Problems?</h2>
-<ul>
-<li>
-<a href="./security.html">Security Reports</a>
-</li>
-<li>
-<a href="./findhelp.html">Find help</a>
-</li>
-<li>
-<a href="https://wiki.apache.org/tomcat/FAQ">FAQ</a>
-</li>
-<li>
-<a href="./lists.html">Mailing Lists</a>
-</li>
-<li>
-<a href="./bugreport.html">Bug Database</a>
-</li>
-<li>
-<a href="./irc.html">IRC</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Get Involved</h2>
-<ul>
-<li>
-<a href="./getinvolved.html">Overview</a>
-</li>
-<li>
-<a href="./svn.html">Source code</a>
-</li>
-<li>
-<a href="./ci.html">Buildbot</a>
-</li>
-<li>
-<a href="./tools.html">Tools</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Media</h2>
-<ul>
-<li>
-<a href="https://twitter.com/theapachetomcat">Twitter</a>
-</li>
-<li>
-<a href="https://www.youtube.com/c/ApacheTomcatOfficial">YouTube</a>
-</li>
-<li>
-<a href="https://blogs.apache.org/tomcat/">Blog</a>
-</li>
-</ul>
-</div>
-<div>
-<h2>Misc</h2>
-<ul>
-<li>
-<a href="./whoweare.html">Who We Are</a>
-</li>
-<li>
-<a href="./heritage.html">Heritage</a>
-</li>
-<li>
-<a href="http://www.apache.org">Apache Home</a>
-</li>
-<li>
-<a href="./resources.html">Resources</a>
-</li>
-<li>
-<a href="./contact.html">Contact</a>
-</li>
-<li>
-<a href="./legal.html">Legal</a>
-</li>
-<li>
-<a href="https://www.apache.org/foundation/contributing.html">Support Apache</a>
-</li>
-<li>
-<a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
-</li>
-<li>
-<a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
-</li>
-<li>
-<a href="http://www.apache.org/licenses/">License</a>
-</li>
-</ul>
-</div>
-</nav>
-</div>
-</div>
-<div id="mainRight">
-<div id="content">
-<h2 style="display: none;">Content</h2>
-<h3 id="Table_of_Contents">Table of Contents</h3>
-<div class="text">
-
-<ul>
-<li>
-<a href="#Apache_Tomcat_5.x_vulnerabilities">Apache Tomcat 5.x vulnerabilities</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.36">Fixed in Apache Tomcat 5.5.36</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.35">Fixed in Apache Tomcat 5.5.35</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.34">Fixed in Apache Tomcat 5.5.34</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.32">Fixed in Apache Tomcat 5.5.32</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.30">Fixed in Apache Tomcat 5.5.30</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.29">Fixed in Apache Tomcat 5.5.29</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.28">Fixed in Apache Tomcat 5.5.28</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.27">Fixed in Apache Tomcat 5.5.27</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.26">Fixed in Apache Tomcat 5.5.26</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.25,_5.0.SVN">Fixed in Apache Tomcat 5.5.25, 5.0.SVN</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.24,_5.0.SVN">Fixed in Apache Tomcat 5.5.24, 5.0.SVN</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.23,_5.0.SVN">Fixed in Apache Tomcat 5.5.23, 5.0.SVN</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.22,_5.0.SVN">Fixed in Apache Tomcat 5.5.22, 5.0.SVN</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.21,_5.0.SVN">Fixed in Apache Tomcat 5.5.21, 5.0.SVN</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.21">Fixed in Apache Tomcat 5.5.21</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.18,_5.0.SVN">Fixed in Apache Tomcat 5.5.18, 5.0.SVN</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.17,_5.0.SVN">Fixed in Apache Tomcat 5.5.17, 5.0.SVN</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.16,_5.0.SVN">Fixed in Apache Tomcat 5.5.16, 5.0.SVN</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.13,_5.0.SVN">Fixed in Apache Tomcat 5.5.13, 5.0.SVN</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.7,_5.0.SVN">Fixed in Apache Tomcat 5.5.7, 5.0.SVN</a>
-</li>
-<li>
-<a href="#Fixed_in_Apache_Tomcat_5.5.1">Fixed in Apache Tomcat 5.5.1</a>
-</li>
-<li>
-<a href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</a>
-</li>
-</ul>
-
-</div>
-<h3 id="Apache_Tomcat_5.x_vulnerabilities">Apache Tomcat 5.x vulnerabilities</h3>
-<div class="text">
-    
-<p>This page lists all security vulnerabilities fixed in released versions
+    <head>
+        <META http-equiv="Content-Type" content="text/html; charset=UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <link href="res/css/tomcat.css" rel="stylesheet" type="text/css">
+        <link href="res/css/fonts/fonts.css" rel="stylesheet" type="text/css">
+        <title>Apache Tomcat&reg; - Apache Tomcat 5 vulnerabilities</title>
+        <meta name="author" content="Apache Tomcat Project">
+    </head>
+    <body>
+        <div id="wrapper">
+            <header id="header">
+                <div class="clearfix">
+                    <div class="menu-toggler pull-left" tabindex="1">
+                        <div class="hamburger"></div>
+                    </div>
+                    <a href="http://tomcat.apache.org/"><img class="tomcat-logo pull-left noPrint" alt="Tomcat Home" src="res/images/tomcat.png"></a>
+                    <h1 class="pull-left">
+                        Apache Tomcat<sup>&reg;</sup>
+                    </h1>
+                    <div class="asf-logos pull-right">
+                        <a href="https://www.apache.org/foundation/contributing.html" target="_blank" class="pull-left"><img src="https://www.apache.org/images/SupportApache-small.png" class="support-asf" alt="Support Apache"></a><a href="http://www.apache.org/" target="_blank" class="pull-left"><img src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software Foundation"></a>
+                    </div>
+                </div>
+            </header>
+            <main id="middle">
+                <div>
+                    <div id="mainLeft">
+                        <div id="nav-wrapper">
+                            <form action="https://www.google.com/search" method="get">
+                                <div class="searchbox">
+                                    <input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search&hellip;" required="required" name="q" id="query" type="search"><button>GO</button>
+                                </div>
+                            </form>
+                            <div class="asfevents">
+                                <a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png"></a>
+                            </div>
+                            <nav>
+                                <div>
+                                    <h2>Apache Tomcat</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./index.html">Home</a>
+                                        </li>
+                                        <li>
+                                            <a href="./taglibs.html">Taglibs</a>
+                                        </li>
+                                        <li>
+                                            <a href="./maven-plugin.html">Maven Plugin</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>TomcatCon</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./conference.html">North America</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Download</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./whichversion.html">Which version?</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-90.cgi">Tomcat 9</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-80.cgi">Tomcat 8</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-70.cgi">Tomcat 7</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-connectors.cgi">Tomcat Connectors</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-native.cgi">Tomcat Native</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://tomcat.apache.org/download-taglibs.cgi">Taglibs</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://archive.apache.org/dist/tomcat/">Archives</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Documentation</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a>
+                                        </li>
+                                        <li>
+                                            <a href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a>
+                                        </li>
+                                        <li>
+                                            <a href="./tomcat-8.0-doc/index.html">Tomcat 8.0</a>
+                                        </li>
+                                        <li>
+                                            <a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
+                                        </li>
+                                        <li>
+                                            <a href="./connectors-doc/">Tomcat Connectors</a>
+                                        </li>
+                                        <li>
+                                            <a href="./native-doc/">Tomcat Native</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a>
+                                        </li>
+                                        <li>
+                                            <a href="./migration.html">Migration Guide</a>
+                                        </li>
+                                        <li>
+                                            <a href="./presentations.html">Presentations</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Problems?</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./security.html">Security Reports</a>
+                                        </li>
+                                        <li>
+                                            <a href="./findhelp.html">Find help</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://wiki.apache.org/tomcat/FAQ">FAQ</a>
+                                        </li>
+                                        <li>
+                                            <a href="./lists.html">Mailing Lists</a>
+                                        </li>
+                                        <li>
+                                            <a href="./bugreport.html">Bug Database</a>
+                                        </li>
+                                        <li>
+                                            <a href="./irc.html">IRC</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Get Involved</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./getinvolved.html">Overview</a>
+                                        </li>
+                                        <li>
+                                            <a href="./svn.html">Source code</a>
+                                        </li>
+                                        <li>
+                                            <a href="./ci.html">Buildbot</a>
+                                        </li>
+                                        <li>
+                                            <a href="./tools.html">Tools</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Media</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="https://twitter.com/theapachetomcat">Twitter</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.youtube.com/c/ApacheTomcatOfficial">YouTube</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://blogs.apache.org/tomcat/">Blog</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                                <div>
+                                    <h2>Misc</h2>
+                                    <ul>
+                                        <li>
+                                            <a href="./whoweare.html">Who We Are</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat">Swag</a>
+                                        </li>
+                                        <li>
+                                            <a href="./heritage.html">Heritage</a>
+                                        </li>
+                                        <li>
+                                            <a href="http://www.apache.org">Apache Home</a>
+                                        </li>
+                                        <li>
+                                            <a href="./resources.html">Resources</a>
+                                        </li>
+                                        <li>
+                                            <a href="./contact.html">Contact</a>
+                                        </li>
+                                        <li>
+                                            <a href="./legal.html">Legal</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.apache.org/foundation/contributing.html">Support Apache</a>
+                                        </li>
+                                        <li>
+                                            <a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
+                                        </li>
+                                        <li>
+                                            <a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
+                                        </li>
+                                        <li>
+                                            <a href="http://www.apache.org/licenses/">License</a>
+                                        </li>
+                                    </ul>
+                                </div>
+                            </nav>
+                        </div>
+                    </div>
+                    <div id="mainRight">
+                        <div id="content">
+                            <h2 style="display: none;">Content</h2>
+                            <h3 id="Table_of_Contents">Table of Contents</h3>
+                            <div class="text">
+                                
+                                <ul>
+                                    <li>
+                                        <a href="#Apache_Tomcat_5.x_vulnerabilities">Apache Tomcat 5.x vulnerabilities</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.36">Fixed in Apache Tomcat 5.5.36</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.35">Fixed in Apache Tomcat 5.5.35</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.34">Fixed in Apache Tomcat 5.5.34</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.32">Fixed in Apache Tomcat 5.5.32</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.30">Fixed in Apache Tomcat 5.5.30</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.29">Fixed in Apache Tomcat 5.5.29</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.28">Fixed in Apache Tomcat 5.5.28</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.27">Fixed in Apache Tomcat 5.5.27</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.26">Fixed in Apache Tomcat 5.5.26</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.25,_5.0.SVN">Fixed in Apache Tomcat 5.5.25, 5.0.SVN</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.24,_5.0.SVN">Fixed in Apache Tomcat 5.5.24, 5.0.SVN</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.23,_5.0.SVN">Fixed in Apache Tomcat 5.5.23, 5.0.SVN</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.22,_5.0.SVN">Fixed in Apache Tomcat 5.5.22, 5.0.SVN</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.21,_5.0.SVN">Fixed in Apache Tomcat 5.5.21, 5.0.SVN</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.21">Fixed in Apache Tomcat 5.5.21</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.18,_5.0.SVN">Fixed in Apache Tomcat 5.5.18, 5.0.SVN</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.17,_5.0.SVN">Fixed in Apache Tomcat 5.5.17, 5.0.SVN</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.16,_5.0.SVN">Fixed in Apache Tomcat 5.5.16, 5.0.SVN</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.13,_5.0.SVN">Fixed in Apache Tomcat 5.5.13, 5.0.SVN</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.7,_5.0.SVN">Fixed in Apache Tomcat 5.5.7, 5.0.SVN</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Fixed_in_Apache_Tomcat_5.5.1">Fixed in Apache Tomcat 5.5.1</a>
+                                    </li>
+                                    <li>
+                                        <a href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</a>
+                                    </li>
+                                </ul>
+                                
+                            </div>
+                            <h3 id="Apache_Tomcat_5.x_vulnerabilities">Apache Tomcat 5.x vulnerabilities</h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    This page lists all security vulnerabilities fixed in released versions
        of Apache Tomcat 5.x. Each vulnerability is given a
        <a href="security-impact.html">security impact rating</a> by the Apache
        Tomcat security team &mdash; please note that this rating may vary from
        platform to platform. We also list the versions of Apache Tomcat the flaw
        is known to affect, and where a flaw has not been verified list the
-       version with a question mark.</p>
-
-    
-<p>
-<strong>Note:</strong> Vulnerabilities that are not Tomcat vulnerabilities
+       version with a question mark.
+                                </p>
+                                    
+                                <p>
+                                    <strong>Note:</strong> Vulnerabilities that are not Tomcat vulnerabilities
        but have either been incorrectly reported against Tomcat or where Tomcat
-       provides a workaround are listed at the end of this page.</p>
-
-    
-<p>Please note that Tomcat 5.0.x and 5.5.x are no longer supported. Further
+       provides a workaround are listed at the end of this page.
+                                </p>
+                                    
+                                <p>Please note that Tomcat 5.0.x and 5.5.x are no longer supported. Further
        vulnerabilities in the 5.0.x and 5.5.x branches will not be fixed. Users
        should upgrade to 7.x or later to obtain security fixes. Vulnerabilities
        fixed in Tomcat 5.5.26 onwards have not been assessed to determine if
        they are present in the 5.0.x branch.</p>
-
-    
-<p>Please note that binary patches are never provided. If you need to
+                                    
+                                <p>
+                                    Please note that binary patches are never provided. If you need to
        apply a source code patch, use the building instructions for the
        Apache Tomcat version that you are using. For Tomcat 5.5 those are
        <a href="/tomcat-5.5-doc/building.html"><code>building.html</code></a>
        in documentation (<code>webapps/tomcat-docs</code> subdirectory of
        a binary distributive) and <code>BUILDING.txt</code> file in a source
-       distributive.</p>
-
-    
-<p>If you need help on building or configuring Tomcat or other help on
+       distributive.
+                                </p>
+                                    
+                                <p>
+                                    If you need help on building or configuring Tomcat or other help on
        following the instructions to mitigate the known vulnerabilities listed
        here, please send your questions to the public
        <a href="lists.html">Tomcat Users mailing list</a>
     
-</p>
-
-    
-<p>If you have encountered an unlisted security vulnerability or other
+                                </p>
+                                    
+                                <p>
+                                    If you have encountered an unlisted security vulnerability or other
        unexpected behaviour that has <a href="security-impact.html">security
        impact</a>, or if the descriptions here are incomplete,
        please report them privately to the
        <a href="security.html">Tomcat Security Team</a>. Thank you.
-    </p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_5.5.36">
-<span class="pull-right">released 10 Oct 2012</span> Fixed in Apache Tomcat 5.5.36</h3>
-<div class="text">
-  
     
-<p>
-<strong>Moderate: DIGEST authentication weakness</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439" rel="nofollow">CVE-2012-3439</a>
-</p>
-
+                                </p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_5.5.36">
+                                <span class="pull-right">released 10 Oct 2012</span> Fixed in Apache Tomcat 5.5.36
+                            </h3>
+                            <div class="text">
+                                  
     
-<p>Three weaknesses in Tomcat's implementation of DIGEST authentication
+                                <p>
+                                    <strong>Moderate: DIGEST authentication weakness</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439" rel="nofollow">CVE-2012-3439</a>
+                                </p>
+                                    
+                                <p>Three weaknesses in Tomcat's implementation of DIGEST authentication
        were identified and resolved:
     </p>
-    
-<ol>
-      
-<li>Tomcat tracked client rather than server nonces and nonce count.</li>
-      
-<li>When a session ID was present, authentication was bypassed.</li>
-      
-<li>The user name and password were not checked before when indicating
+                                    
+                                <ol>
+                                          
+                                    <li>Tomcat tracked client rather than server nonces and nonce count.</li>
+                                          
+                                    <li>When a session ID was present, authentication was bypassed.</li>
+                                          
+                                    <li>The user name and password were not checked before when indicating
           that a nonce was stale.</li>
-    
-</ol>
-    
-<p>
+                                        
+                                </ol>
+                                    
+                                <p>
       These issues reduced the security of DIGEST authentication making
       replay attacks possible in some circumstances.
     </p>
-
-    
-<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1392248">1392248</a>.</p>
-
-    
-<p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
+                                    
+                                <p>
+                                    This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1392248">1392248</a>.
+                                </p>
+                                    
+                                <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
        on 19 July 2012. The second and third issues were discovered by the
        Tomcat security team during the resulting code review. All three issues
        were made public on 5 November 2012.</p>
-
-    
-<p>Affects: 5.5.0-5.5.35</p>
-  
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_5.5.35">
-<span class="pull-right">released 16 Jan 2012</span> Fixed in Apache Tomcat 5.5.35</h3>
-<div class="text">
-
-    
-<p>
-<strong>Important: Denial of service</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.35</p>
+                                  
+  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_5.5.35">
+                                <span class="pull-right">released 16 Jan 2012</span> Fixed in Apache Tomcat 5.5.35
+                            </h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Important: Denial of service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0022" rel="nofollow">CVE-2012-0022</a>
-</p>
-
-    
-<p>Analysis of the recent hash collision vulnerability identified unrelated
+                                </p>
+                                    
+                                <p>Analysis of the recent hash collision vulnerability identified unrelated
        inefficiencies with Apache Tomcat's handling of large numbers of
        parameters and parameter values. These inefficiencies could allow an
        attacker, via a specially crafted request, to cause large amounts of CPU
        to be used which in turn could create a denial of service. The issue was
        addressed by modifying the Tomcat parameter handling code to efficiently
        process large numbers of parameters and parameter values.</p>
-
-    
-<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1221282">1221282</a>,
+                                    
+                                <p>
+                                    This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1221282">1221282</a>,
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1224640">1224640</a> and
-       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1228191">1228191</a>.</p>
-
-    
-<p>This was identified by the Tomcat security team on 21 October 2011 and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1228191">1228191</a>.
+                                </p>
+                                    
+                                <p>This was identified by the Tomcat security team on 21 October 2011 and
        made public on 17 January 2012.</p>
-
-    
-<p>Affects: 5.5.0-5.5.34</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_5.5.34">
-<span class="pull-right">released 22 Sep 2011</span> Fixed in Apache Tomcat 5.5.34</h3>
-<div class="text">
-
-    
-<p>
-<strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.34</p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_5.5.34">
+                                <span class="pull-right">released 22 Sep 2011</span> Fixed in Apache Tomcat 5.5.34
+                            </h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>
-</p>
-
-    
-<p>Note: Mitre elected to break this issue down into multiple issues and
+                                </p>
+                                    
+                                <p>
+                                    Note: Mitre elected to break this issue down into multiple issues and
        have allocated the following additional references to parts of this
        issue:
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5062" rel="nofollow">CVE-2011-5062</a>,
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5063" rel="nofollow">CVE-2011-5063</a> and
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5064" rel="nofollow">CVE-2011-5064</a>. The Apache Tomcat security team will
        continue to treat this as a single issue using the reference
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>.</p>
-
-    
-<p>The implementation of HTTP DIGEST authentication was discovered to have
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>.
+                                </p>
+                                    
+                                <p>The implementation of HTTP DIGEST authentication was discovered to have
        several weaknesses:</p>
-       
-<ul>
-         
-<li>replay attacks were permitted</li>
-         
-<li>server nonces were not checked</li>
-         
-<li>client nonce counts were not checked</li>
-         
-<li>qop values were not checked</li>
-         
-<li>realm values were not checked</li>
-         
-<li>the server secret was hard-coded to a known string</li>
-       
-</ul>
-    
-<p>
+                                       
+                                <ul>
+                                             
+                                    <li>replay attacks were permitted</li>
+                                             
+                                    <li>server nonces were not checked</li>
+                                             
+                                    <li>client nonce counts were not checked</li>
+                                             
+                                    <li>qop values were not checked</li>
+                                             
+                                    <li>realm values were not checked</li>
+                                             
+                                    <li>the server secret was hard-coded to a known string</li>
+                                           
+                                </ul>
+                                    
+                                <p>
        The result of these weaknesses is that DIGEST authentication was only as
        secure as BASIC authentication.
     </p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1159309">revision 1159309</a>.</p>
-
-    
-<p>This was identified by the Tomcat security team on 16 March 2011 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1159309">revision 1159309</a>.
+                                </p>
+                                    
+                                <p>This was identified by the Tomcat security team on 16 March 2011 and
        made public on 26 September 2011.</p>
-
-    
-<p>Affects: 5.5.0-5.5.33</p>
-
-    
-<p>
-<strong>Low: Information disclosure</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.33</p>
+                                    
+                                <p>
+                                    <strong>Low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a>
-</p>
-
-    
-<p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+                                </p>
+                                    
+                                <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
        creating users via JMX, an exception during the user creation process may
        trigger an error message in the JMX client that includes the user's
        password. This error message is also written to the Tomcat logs. User
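Review bot: The reindent is applied unevenly in this hunk; for example the added `<a href="...CVE-2012-3439">CVE-2012-3439</a>` line keeps its old 7-space indent and the `<ol>` item continuation `that a nonce was stale.</li>` keeps 10 spaces while the enclosing `<p>`/`<li>` tags now sit at 32 or more, and many of the added lines are whitespace-only filler (the line after each `<div class="text">` and after each `</p>`). Rendering is unaffected because whitespace collapses inside these block elements, but if the aim of the stylesheet change is a clean generated file, text-node continuation lines should be reindented with their element (or left alone entirely) and no whitespace-only lines should be emitted. Since the hunk is intended to be whitespace-only, confirming that `diff -w` between the old and new security-5.html is empty would rule out any content drift.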
@@ -489,25 +488,23 @@
        administrators with read access to the tomcat-users.xml file. Users that
        do not have these permissions but are able to read log files may be able
        to discover a user's password.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1140072">revision 1140072</a>.</p>
-
-    
-<p>This was identified by Polina Genova on 14 June 2011 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1140072">revision 1140072</a>.
+                                </p>
+                                    
+                                <p>This was identified by Polina Genova on 14 June 2011 and
        made public on 27 June 2011.</p>
-
+                                    
+                                <p>Affects: 5.5.0-5.5.33</p>
+                                  
     
-<p>Affects: 5.5.0-5.5.33</p>
-  
-    
-<p>
-<strong>Low: Information disclosure</strong>
+                                <p>
+                                    <strong>Low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526" rel="nofollow">CVE-2011-2526</a>
-</p>
-
-    
-<p>Tomcat provides support for sendfile with the HTTP APR
+                                </p>
+                                    
+                                <p>Tomcat provides support for sendfile with the HTTP APR
        connector. sendfile is used automatically for content served via the
        DefaultServlet and deployed web applications may use it directly via
        setting request attributes. These request attributes were not validated.
@@ -515,90 +512,85 @@
        malicious web application to do one or more of the following that would
        normally be prevented by a security manager:
     </p>
-       
-<ul>
-         
-<li>return files to users that the security manager should make
+                                       
+                                <ul>
+                                             
+                                    <li>return files to users that the security manager should make
              inaccessible</li>
-         
-<li>terminate (via a crash) the JVM</li>
-       
-</ul>
-       
-<p>Additionally, these vulnerabilities only occur when all of the following
+                                             
+                                    <li>terminate (via a crash) the JVM</li>
+                                           
+                                </ul>
+                                       
+                                <p>Additionally, these vulnerabilities only occur when all of the following
        are true:</p>
-       
-<ul>
-         
-<li>untrusted web applications are being used</li>
-         
-<li>the SecurityManager is used to limit the untrusted web applications
+                                       
+                                <ul>
+                                             
+                                    <li>untrusted web applications are being used</li>
+                                             
+                                    <li>the SecurityManager is used to limit the untrusted web applications
              </li>
-         
-<li>the HTTP APR connector is used</li>
-         
-<li>sendfile is enabled for the connector (this is the default)</li>
-       
-</ul>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1158244">revision 1158244</a>.</p>
-
-    
-<p>This was identified by the Tomcat security team on 7 July 2011 and
+                                             
+                                    <li>the HTTP APR connector is used</li>
+                                             
+                                    <li>sendfile is enabled for the connector (this is the default)</li>
+                                           
+                                </ul>
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1158244">revision 1158244</a>.
+                                </p>
+                                    
+                                <p>This was identified by the Tomcat security team on 7 July 2011 and
        made public on 13 July 2011.</p>
-
-    
-<p>Affects: 5.5.0-5.5.33</p>
-
-    
-<p>
-<strong>Important: Information disclosure</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.33</p>
+                                    
+                                <p>
+                                    <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729" rel="nofollow">CVE-2011-2729</a>
-</p>
-
-    
-<p>Due to a bug in the capabilities code, jsvc (the service wrapper for
+                                </p>
+                                    
+                                <p>Due to a bug in the capabilities code, jsvc (the service wrapper for
        Linux that is part of the Commons Daemon project) does not drop
        capabilities allowing the application to access files and directories
        owned by superuser. This vulnerability only occurs when all of the
        following are true:
     </p>
-       
-<ul>
-         
-<li>Tomcat is running on a Linux operating system</li>
-         
-<li>jsvc was compiled with libcap</li>
-         
-<li>-user parameter is used</li>
-       
-</ul>
-    
-<p>
+                                       
+                                <ul>
+                                             
+                                    <li>Tomcat is running on a Linux operating system</li>
+                                             
+                                    <li>jsvc was compiled with libcap</li>
+                                             
+                                    <li>-user parameter is used</li>
+                                           
+                                </ul>
+                                    
+                                <p>
        Affected Tomcat versions shipped with source files for jsvc that included
        this vulnerability.
     </p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1159346">revision 1159346</a>.</p>
-
-    
-<p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1159346">revision 1159346</a>.
+                                </p>
+                                    
+                                <p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
        on 12 August 2011.</p>
-
-    
-<p>Affects: 5.5.32-5.5.33</p>
-    
+                                    
+                                <p>Affects: 5.5.32-5.5.33</p>
+                                    
     
-<p>
-<strong>Important: Authentication bypass and information disclosure
+                                <p>
+                                    <strong>Important: Authentication bypass and information disclosure
        </strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190" rel="nofollow">CVE-2011-3190</a>
-</p>
-
-    
-<p>Apache Tomcat supports the AJP protocol which is used with reverse
+                                </p>
+                                    
+                                <p>Apache Tomcat supports the AJP protocol which is used with reverse
        proxies to pass requests and associated data about the request from the
        reverse proxy to Tomcat. The AJP protocol is designed so that when a
        request includes a request body, an unsolicited AJP message is sent to
@@ -609,107 +601,111 @@
        information disclosure. This vulnerability only occurs when all of the
        following are true:
     </p>
-       
-<ul>
-         
-<li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
+                                       
+                                <ul>
+                                             
+                                    <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
          </li>
-         
-<li>POST requests are accepted</li>
-         
-<li>The request body is not processed</li>
-       
-</ul>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1162960">revision 1162960</a>.</p>
-
-    
-<p>This was reported publicly on 20th August 2011.</p>
-
-    
-<p>Affects: 5.5.0-5.5.33</p>
-    
-    
-<p>Mitigation options:</p>
-    
-<ul>
-      
-<li>Upgrade to Tomcat 5.5.34.</li>
-      
-<li>Apply the appropriate <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1162960">patch</a>.</li>
-      
-<li>Configure both Tomcat and the reverse proxy to use a shared secret.<br>
-        (It is "<code>request.secret</code>" attribute in AJP &lt;Connector&gt;,
+                                             
+                                    <li>POST requests are accepted</li>
+                                             
+                                    <li>The request body is not processed</li>
+                                           
+                                </ul>
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1162960">revision 1162960</a>.
+                                </p>
+                                    
+                                <p>This was reported publicly on 20th August 2011.</p>
+                                    
+                                <p>Affects: 5.5.0-5.5.33</p>
+                                    
+    
+                                <p>Mitigation options:</p>
+                                    
+                                <ul>
+                                          
+                                    <li>Upgrade to Tomcat 5.5.34.</li>
+                                          
+                                    <li>
+                                        Apply the appropriate <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1162960">patch</a>.
+                                    </li>
+                                          
+                                    <li>
+                                        Configure both Tomcat and the reverse proxy to use a shared secret.
+                                        <br>
+                                                (It is "<code>request.secret</code>" attribute in AJP &lt;Connector&gt;,
         "<code>worker.<i>workername</i>.secret</code>" directive for mod_jk.
         The mod_proxy_ajp module currently does not support shared secrets).
-      </li>
       
-<li>Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
-        implementation.<br>
-        (It is automatically selected if you do not have Tomcat-Native library
+                                    </li>
+                                          
+                                    <li>
+                                        Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
+        implementation.
+                                        <br>
+                                                (It is automatically selected if you do not have Tomcat-Native library
         installed. It can be also selected explicitly:
         <code>&lt;Connector protocol="org.apache.jk.server.JkCoyoteHandler"&gt;</code>).
-      </li>
-    
-</ul>
-
-    
-<p>References:</p>
-    
-<ul>
-      
-<li>
-<a href="/tomcat-5.5-doc/config/ajp.html">AJP Connector documentation (Tomcat 5.5)</a>
-</li>
       
-<li>
-<a href="/connectors-doc/reference/workers.html">workers.properties configuration (mod_jk)</a>
-</li>
+                                    </li>
+                                        
+                                </ul>
+                                    
+                                <p>References:</p>
+                                    
+                                <ul>
+                                          
+                                    <li>
+                                        <a href="/tomcat-5.5-doc/config/ajp.html">AJP Connector documentation (Tomcat 5.5)</a>
+                                    </li>
+                                          
+                                    <li>
+                                        <a href="/connectors-doc/reference/workers.html">workers.properties configuration (mod_jk)</a>
+                                    </li>
+                                        
+                                </ul>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_5.5.32">
+                                <span class="pull-right">released 1 Feb 2011</span> Fixed in Apache Tomcat 5.5.32
+                            </h3>
+                            <div class="text">
+                                  
     
-</ul>
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_5.5.32">
-<span class="pull-right">released 1 Feb 2011</span> Fixed in Apache Tomcat 5.5.32</h3>
-<div class="text">
-  
-    
-<p>
-<strong>Low: Cross-site scripting</strong>
+                                <p>
+                                    <strong>Low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013" rel="nofollow">CVE-2011-0013</a>
-</p>
-
-    
-<p>The HTML Manager interface displayed web application provided data, such
+                                </p>
+                                    
+                                <p>The HTML Manager interface displayed web application provided data, such
        as display names, without filtering. A malicious web application could
        trigger script execution by an administrative user when viewing the
        manager pages.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1057518">revision 1057518</a>.</p>
-
-    
-<p>This was identified by the Tomcat security team on 12 Nov 2010 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1057518">revision 1057518</a>.
+                                </p>
+                                    
+                                <p>This was identified by the Tomcat security team on 12 Nov 2010 and
        made public on 5 Feb 2011.</p>
-
+                                    
+                                <p>Affects: 5.5.0-5.5.31</p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_5.5.30">
+                                <span class="pull-right">released 9 Jul 2010</span> Fixed in Apache Tomcat 5.5.30
+                            </h3>
+                            <div class="text">
+                                  
     
-<p>Affects: 5.5.0-5.5.31</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_5.5.30">
-<span class="pull-right">released 9 Jul 2010</span> Fixed in Apache Tomcat 5.5.30</h3>
-<div class="text">
-  
-    
-<p>
-<strong>Low: SecurityManager file permission bypass</strong>
+                                <p>
+                                    <strong>Low: SecurityManager file permission bypass</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718" rel="nofollow">CVE-2010-3718</a>
-</p>
-
-    
-<p>When running under a SecurityManager, access to the file system is
+                                </p>
+                                    
+                                <p>When running under a SecurityManager, access to the file system is
        limited but web applications are granted read/write permissions to the
        work directory. This directory is used for a variety of temporary files
        such as the intermediate files generated when compiling JSPs to Servlets.
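Review bot: In the CVE-2011-3190 mitigation list, the shared-secret item (`Configure both Tomcat and the reverse proxy to use a shared secret.`) now has its `<br>` on its own line and the parenthetical pushed to 48 spaces, while the continuation lines (`"<code>worker.<i>workername</i>.secret</code>" directive for mod_jk.` and the mod_proxy_ajp sentence) stay at 8, with two unchanged whitespace-only context lines left between the text and `</li>`; the JkCoyoteHandler item has the same shape. The rendered output does not change because this is inline content and the extra whitespace collapses, but the item body should be indented uniformly or not at all, and any tooling that compares page text across this commit needs to normalise whitespace. Also note that the `<h3 id="Fixed_in_Apache_Tomcat_5.5.32">` block only appears to move: the diff aligned the new lines against the later-deleted `</ul>`/`</div>`, and element order is unchanged.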
@@ -722,50 +718,46 @@
        application may then take advantage of. This vulnerability is only
        applicable when hosting web applications from untrusted sources such as
        shared hosting environments.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1027610">revision 1027610</a>.</p>
-
-    
-<p>This was discovered by the Tomcat security team on 12 Oct 2010 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1027610">revision 1027610</a>.
+                                </p>
+                                    
+                                <p>This was discovered by the Tomcat security team on 12 Oct 2010 and
        made public on 5 Feb 2011.</p>
-
-    
-<p>Affects: 5.5.0-5.5.29</p>
+                                    
+                                <p>Affects: 5.5.0-5.5.29</p>
+                                    
     
-    
-<p>
-<strong>Important: Remote Denial Of Service and Information Disclosure
+                                <p>
+                                    <strong>Important: Remote Denial Of Service and Information Disclosure
        Vulnerability</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227" rel="nofollow">CVE-2010-2227</a>
-</p>
-
-    
-<p>Several flaws in the handling of the 'Transfer-Encoding' header were
+                                </p>
+                                    
+                                <p>Several flaws in the handling of the 'Transfer-Encoding' header were
        found that prevented the recycling of a buffer. A remote attacker could
        trigger this flaw which would cause subsequent requests to fail and/or
        information to leak between requests. This flaw is mitigated if Tomcat is
        behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
        reject the invalid transfer encoding header.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=959428">revision 959428</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 14 Jun 2010 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=959428">revision 959428</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 14 Jun 2010 and
        made public on 9 Jul 2010.</p>
-
-    
-<p>Affects: 5.5.0-5.5.29</p>
-
-    
-<p>
-<strong>Low: Information disclosure in authentication headers</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.29</p>
+                                    
+                                <p>
+                                    <strong>Low: Information disclosure in authentication headers</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157" rel="nofollow">CVE-2010-1157</a>
-</p>
-
-    
-<p>The <code>WWW-Authenticate</code> HTTP header for BASIC and DIGEST
+                                </p>
+                                    
+                                <p>
+                                    The <code>WWW-Authenticate</code> HTTP header for BASIC and DIGEST
        authentication includes a realm name. If a
        <code>&lt;realm-name&gt;</code> element is specified for the application
        in web.xml it will be used. However, a <code>&lt;realm-name&gt;</code>
@@ -773,54 +765,52 @@
        snippet <code>request.getServerName() + ":" +
        request.getServerPort()</code>. In some circumstances this can expose
        the local host name or IP address of the machine running Tomcat.
-    </p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=936541">revision 936541</a>.</p>
-
     
-<p>This was first reported to the Tomcat security team on 31 Dec 2009 and
+                                </p>
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=936541">revision 936541</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 31 Dec 2009 and
        made public on 21 Apr 2010.</p>
-
-    
-<p>Affects: 5.5.0-5.5.29</p>
-
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_5.5.29">
-<span class="pull-right">released 20 Apr 2010</span> Fixed in Apache Tomcat 5.5.29</h3>
-<div class="text">
-  
+                                    
+                                <p>Affects: 5.5.0-5.5.29</p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_5.5.29">
+                                <span class="pull-right">released 20 Apr 2010</span> Fixed in Apache Tomcat 5.5.29
+                            </h3>
+                            <div class="text">
+                                  
     
-<p>
-<strong>Low: Arbitrary file deletion and/or alteration on deploy</strong>
+                                <p>
+                                    <strong>Low: Arbitrary file deletion and/or alteration on deploy</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693" rel="nofollow">CVE-2009-2693</a>
-</p>
-
-    
-<p>When deploying WAR files, the WAR files were not checked for directory
+                                </p>
+                                    
+                                <p>
+                                    When deploying WAR files, the WAR files were not checked for directory
        traversal attempts. This allows an attacker to create arbitrary content
        outside of the web root by including entries such as
-       <code>../../bin/catalina.sh</code> in the WAR.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=902650">revision 902650</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 30 Jul 2009 and
+       <code>../../bin/catalina.sh</code> in the WAR.
+                                </p>
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=902650">revision 902650</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 30 Jul 2009 and
        made public on 1 Mar 2010.</p>
-
-    
-<p>Affects: 5.5.0-5.5.28</p>
-
-    
-<p>
-<strong>Low: Insecure partial deploy after failed undeploy</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.28</p>
+                                    
+                                <p>
+                                    <strong>Low: Insecure partial deploy after failed undeploy</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901" rel="nofollow">CVE-2009-2901</a>
-</p>
-
-    
-<p>By default, Tomcat automatically deploys any directories placed in a
+                                </p>
+                                    
+                                <p>By default, Tomcat automatically deploys any directories placed in a
        host's appBase. This behaviour is controlled by the autoDeploy attribute
        of a host which defaults to true. After a failed undeploy, the remaining
        files will be deployed as a result of the autodeployment process.
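Review bot: the reindented output still contains whitespace-only lines and mixed indentation, which makes this generated HTML noisy to review. Every `+` line that follows a `</p>` in this hunk consists of 36 spaces and nothing else, and continuation lines such as `<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693" rel="nofollow">CVE-2009-2693</a>` and `traversal attempts. This allows an attacker to create arbitrary content` keep the old 7-space indent while the `<p>` wrapping them now sits at 32 spaces. Since docs/ is regenerated from xdocs/, the fix belongs in the stylesheet (emit no trailing whitespace on empty lines, and either indent wrapped text consistently or leave it exactly as the source has it) rather than in the committed HTML.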
@@ -828,436 +818,393 @@
        security constraints may be deployed without those security constraints,
        making them accessible without authentication. This issue only affects
        Windows platforms</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=902650">revision 902650</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 30 Jul 2009 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=902650">revision 902650</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 30 Jul 2009 and
        made public on 1 Mar 2010.</p>
-
-    
-<p>Affects: 5.5.0-5.5.28 (Windows only)</p>
+                                    
+                                <p>Affects: 5.5.0-5.5.28 (Windows only)</p>
+                                    
     
-    
-<p>
-<strong>Low: Unexpected file deletion in work directory</strong>
+                                <p>
+                                    <strong>Low: Unexpected file deletion in work directory</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902" rel="nofollow">CVE-2009-2902</a>
-</p>
-
-    
-<p>When deploying WAR files, the WAR file names were not checked for
+                                </p>
+                                    
+                                <p>
+                                    When deploying WAR files, the WAR file names were not checked for
        directory traversal attempts. For example, deploying and undeploying
        <code>...war</code> allows an attacker to cause the deletion of the
        current contents of the host's work directory which may cause problems
-       for currently running applications.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=902650">revision 902650</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 30 Jul 2009 and
+       for currently running applications.
+                                </p>
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=902650">revision 902650</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 30 Jul 2009 and
        made public on 1 Mar 2010.</p>
-
-    
-<p>Affects: 5.5.0-5.5.28</p>
-
-    
-<p>
-<strong>Low: Insecure default password</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.28</p>
+                                    
+                                <p>
+                                    <strong>Low: Insecure default password</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548" rel="nofollow">CVE-2009-3548</a>
-</p>
-
-    
-<p>The Windows installer defaults to a blank password for the administrative
+                                </p>
+                                    
+                                <p>The Windows installer defaults to a blank password for the administrative
        user. If this is not changed during the install process, then by default
        a user is created with the name admin, roles admin and manager and a
        blank password.</p>
-
-    
-<p>Affects: 5.5.0-5.5.28</p>
-
-    
-<p>This was first reported to the Tomcat security team on 26 Oct 2009 and
+                                    
+                                <p>Affects: 5.5.0-5.5.28</p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 26 Oct 2009 and
        made public on 9 Nov 2009.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=919006">revision 919006</a>.</p>
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_5.5.28">
-<span class="pull-right">released 4 Sep 2009</span> Fixed in Apache Tomcat 5.5.28</h3>
-<div class="text">
-    
-<p>
-<strong>Important: Information Disclosure</strong>
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=919006">revision 919006</a>.
+                                </p>
+                                  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_5.5.28">
+                                <span class="pull-right">released 4 Sep 2009</span> Fixed in Apache Tomcat 5.5.28
+                            </h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Important: Information Disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515" rel="nofollow">CVE-2008-5515</a>
-</p>
-
-    
-<p>When using a RequestDispatcher obtained from the Request, the target path
+                                </p>
+                                    
+                                <p>When using a RequestDispatcher obtained from the Request, the target path
        was normalised before the query string was removed. A request that
        included a specially crafted request parameter could be used to access
        content that would otherwise be protected by a security constraint or by
        locating it in under the WEB-INF directory.</p>
-
-    
-<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=782757">782757</a> and
-       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=783291">783291</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 11 Dec 2008 and
+                                    
+                                <p>
+                                    This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=782757">782757</a> and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=783291">783291</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 11 Dec 2008 and
        made public on 8 Jun 2009.</p>
-
-    
-<p>Affects: 5.5.0-5.5.27</p>
-
-    
-<p>
-<strong>Important: Denial of Service</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.27</p>
+                                    
+                                <p>
+                                    <strong>Important: Denial of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033" rel="nofollow">CVE-2009-0033</a>
-</p>
-
-    
-<p>If Tomcat receives a request with invalid headers via the Java AJP
+                                </p>
+                                    
+                                <p>If Tomcat receives a request with invalid headers via the Java AJP
        connector, it does not return an error and instead closes the AJP
        connection. In case this connector is member of a mod_jk load balancing
        worker, this member will be put into an error state and will be blocked
        from use for approximately one minute. Thus the behaviour can be used for
        a denial of service attack using a carefully crafted request.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781362">revision 781362</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 26 Jan 2009 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781362">revision 781362</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 26 Jan 2009 and
        made public on 3 Jun 2009.</p>
-
+                                    
+                                <p>Affects: 5.5.0-5.5.27</p>
+                                 
     
-<p>Affects: 5.5.0-5.5.27</p>
- 
-    
-<p>
-<strong>Low: Information disclosure</strong>
+                                <p>
+                                    <strong>Low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580" rel="nofollow">CVE-2009-0580</a>
-</p>
-
-    
-<p>Due to insufficient error checking in some authentication classes, Tomcat
+                                </p>
+                                    
+                                <p>Due to insufficient error checking in some authentication classes, Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if FORM
        based authentication (j_security_check) is used with the MemoryRealm.
        Note that in early versions, the DataSourceRealm and JDBCRealm were also
        affected.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781379">revision 781379</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 25 Feb 2009 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781379">revision 781379</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 25 Feb 2009 and
        made public on 3 Jun 2009.</p>
-
-    
-<p>Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC
+                                    
+                                <p>Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC
        Realms)</p>
-       
+                                       
     
-<p>
-<strong>Low: Cross-site scripting</strong>
+                                <p>
+                                    <strong>Low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781" rel="nofollow">CVE-2009-0781</a>
-</p>
-
-    
-<p>The calendar application in the examples web application contains an
+                                </p>
+                                    
+                                <p>The calendar application in the examples web application contains an
        XSS flaw due to invalid HTML which renders the XSS filtering protection
        ineffective.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=750928">revision 750928</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 5 Mar 2009 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=750928">revision 750928</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 5 Mar 2009 and
        made public on 6 Mar 2009.</p>
-
-    
-<p>Affects: 5.5.0-5.5.27</p>
-
-    
-<p>
-<strong>Low: Information disclosure</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.27</p>
+                                    
+                                <p>
+                                    <strong>Low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>
-</p>
-
-    
-<p>Bugs <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=29936">29936</a> and <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=45933">45933</a> allowed a web application
+                                </p>
+                                    
+                                <p>
+                                    Bugs <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=29936">29936</a> and <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=45933">45933</a> allowed a web application
        to replace the XML parser used by
        Tomcat to process web.xml, context.xml and tld files. In limited
        circumstances these bugs may allow a rogue web application to view and/or
        alter the web.xml, context.xml and tld files of other web applications
-       deployed on the Tomcat instance.</p>
-
-    
-<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=681156">681156</a> and
-       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781542">781542</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 2 Mar 2009 and
+       deployed on the Tomcat instance.
+                                </p>
+                                    
+                                <p>
+                                    This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=681156">681156</a> and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781542">781542</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 2 Mar 2009 and
        made public on 4 Jun 2009.</p>
-
-    
-<p>Affects: 5.5.0-5.5.27</p>
-       
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_5.5.27">
-<span class="pull-right">released 8 Sep 2008</span> Fixed in Apache Tomcat 5.5.27</h3>
-<div class="text">
-    
-<p>
-<strong>Low: Cross-site scripting</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.27</p>
+                                       
+  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_5.5.27">
+                                <span class="pull-right">released 8 Sep 2008</span> Fixed in Apache Tomcat 5.5.27
+                            </h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232" rel="nofollow">CVE-2008-1232</a>
-</p>
-
-    
-<p>The message argument of HttpServletResponse.sendError() call is not only
+                                </p>
+                                    
+                                <p>The message argument of HttpServletResponse.sendError() call is not only
        displayed on the error page, but is also used for the reason-phrase of
        HTTP response. This may include characters that are illegal in HTTP
        headers. It is possible for a specially crafted message to result in
        arbitrary content being injected into the HTTP response. For a successful
        XSS attack, unfiltered user supplied data must be included in the message
        argument.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=680947">revision 680947</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 24 Jan 2008 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=680947">revision 680947</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 24 Jan 2008 and
        made public on 1 Aug 2008.</p>
-
-    
-<p>Affects: 5.5.0-5.5.26</p>
-
-    
-<p>
-<strong>Low: Cross-site scripting</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.26</p>
+                                    
+                                <p>
+                                    <strong>Low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947" rel="nofollow">CVE-2008-1947</a>
-</p>
-
-    
-<p>The Host Manager web application did not escape user provided data before
+                                </p>
+                                    
+                                <p>The Host Manager web application did not escape user provided data before
        including it in the output. This enabled a XSS attack. This application
        now filters the data before use. This issue may be mitigated by logging
        out (closing the browser) of the application once the management tasks
        have been completed.</p>
-
-    
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=662583">revision 662583</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 15 May 2008 and
+                                    
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=662583">revision 662583</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 15 May 2008 and
        made public on 28 May 2008.</p>
-
+                                    
+                                <p>Affects: 5.5.9-5.5.26</p>
+                                    
     
-<p>Affects: 5.5.9-5.5.26</p>
-    
-    
-<p>
-<strong>Important: Information disclosure</strong>
+                                <p>
+                                    <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370" rel="nofollow">CVE-2008-2370</a>
-</p>
-
-    
-<p>When using a RequestDispatcher the target path was normalised before the 
+                                </p>
+                                    
+                                <p>When using a RequestDispatcher the target path was normalised before the 
        query string was removed. A request that included a specially crafted 
        request parameter could be used to access content that would otherwise be 
        protected by a security constraint or by locating it in under the WEB-INF 
        directory.</p>
-
-       
-<p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=680949">revision 680949</a>.</p>
-
-    
-<p>This was first reported to the Tomcat security team on 13 Jun 2008 and
+                                       
+                                <p>
+                                    This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=680949">revision 680949</a>.
+                                </p>
+                                    
+                                <p>This was first reported to the Tomcat security team on 13 Jun 2008 and
        made public on 1 August 2008.</p>
-
-    
-<p>Affects: 5.5.0-5.5.26</p>
-    
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_5.5.26">
-<span class="pull-right">released 5 Feb 2008</span> Fixed in Apache Tomcat 5.5.26</h3>
-<div class="text">
-    
-<p>
-<strong>Low: Session hi-jacking</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.26</p>
+                                    
+  
+                            </div>
+                            <h3 id="Fixed_in_Apache_Tomcat_5.5.26">
+                                <span class="pull-right">released 5 Feb 2008</span> Fixed in Apache Tomcat 5.5.26
+                            </h3>
+                            <div class="text">
+                                    
+                                <p>
+                                    <strong>Low: Session hi-jacking</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333" rel="nofollow">CVE-2007-5333</a>
-</p>
-
-    
-<p>The previous fix for <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a> was incomplete. It did
-       not consider the use of quotes or %5C within a cookie value.</p>
-
-    
-<p>Affects: 5.5.0-5.5.25</p>
-
-    
-<p>
-<strong>Low: Elevated privileges</strong>
+                                </p>
+                                    
+                                <p>
+                                    The previous fix for <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a> was incomplete. It did
+       not consider the use of quotes or %5C within a cookie value.
+                                </p>
+                                    
+                                <p>Affects: 5.5.0-5.5.25</p>
+                                    
+                                <p>
+                                    <strong>Low: Elevated privileges</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342" rel="nofollow">CVE-2007-5342</a>
-</p>
-
-    
-<p>The JULI logging component allows web applications to provide their own
+                                </p>
+                                    
+                                <p>The JULI logging component allows web applications to provide their own
        logging configurations. The default security policy does not restrict
        this configuration and allows an untrusted web application to add files
        or overwrite existing files where the Tomcat process has the necessary
        file permissions to do so.</p>
-
-    
-<p>Affects: 5.5.9-5.5.25</p>
-
-    
-<p>
-<strong>Important: Information disclosure</strong>
+                                    
+                                <p>Affects: 5.5.9-5.5.25</p>
+                                    
+                                <p>
+                                    <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461" rel="nofollow">CVE-2007-5461</a>
-</p>
-
-    
-<p>When Tomcat's WebDAV servlet is configured for use with a context and
+                                </p>
+                                    
+                                <p>When Tomcat's WebDAV servlet is configured for use with a context and
        has been enabled for write, some WebDAV requests that specify an entity
        with a SYSTEM tag can result in the contents of arbitary files being
        returned to the client.</p>
-
-    
-<p>Affects: 5.5.0-5.5.25</p>
-
-    
-<p>
-<strong>Important: Data integrity</strong>
+                                    
+                                <p>Affects: 5.5.0-5.5.25</p>
+                                    
+                                <p>
+                                    <strong>Important: Data integrity</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286" rel="nofollow">CVE-2007-6286</a>
-</p>
-
-    
-<p>When using the native (APR based) connector, connecting to the SSL port
+                                </p>
+                                    
+                                <p>When using the native (APR based) connector, connecting to the SSL port
        using netcat and then disconnecting without sending any data will cause
        tomcat to handle a duplicate copy of one of the recent requests.</p>
-
-    
-<p>Affects: 5.5.11-5.5.25</p>
-  
-</div>
-<h3 id="Fixed_in_Apache_Tomcat_5.5.25,_5.0.SVN">
-<span class="pull-right">released 8 Sep 2007</span> Fixed in Apache Tomcat 5.5.25, 5.0.SVN</h3>
-<div class="text">
-    
-<p>
-<strong>Low: Cross-site scripting</strong>
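Review bot: this regeneration carries forward several text defects in the unchanged context that should be corrected in the xdocs source for this page before the HTML is rebuilt: `Windows platforms</p>` in the CVE-2009-2901 entry ends without a full stop; `with a SYSTEM tag can result in the contents of arbitary files being` in the CVE-2007-5461 entry misspells "arbitrary"; the CVE-2008-2370 entry says `made public on 1 August 2008.` while every other entry uses the abbreviated month form; and the CVE-2009-3548 entry lists Affects, then first reported, then fixed in, the reverse of the order used by all the other entries. The whitespace-only `+` lines (36 spaces after each `</p>`) appear throughout this hunk as well. None of this needs to block the commit, but a follow-up to the source and the stylesheet would avoid repeating it on the next regeneration.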

[... 896 lines stripped ...]


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org