Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/02/23 00:25:01 UTC
svn commit: r1825106 [5/5] - in /tomcat/site/trunk: docs/security-7.html
docs/security-8.html docs/security-9.html xdocs/security-7.xml
xdocs/security-8.xml xdocs/security-9.xml
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1825106&r1=1825105&r2=1825106&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Fri Feb 23 00:25:01 2018
@@ -50,6 +50,46 @@
</section>
+ <section name="Fixed in Apache Tomcat 7.0.85" rtext="13 February 2018">
+
+ <p><strong>High: Security constraint annotations applied too late</strong>
+ <cve>CVE-2018-1305</cve></p>
+
+ <p>Security constraints defined by annotations of Servlets were only applied
+ once a Servlet had been loaded. Because security constraints defined in
+ this way apply to the URL pattern and any URLs below that point, it was
+ possible - depending on the order Servlets were loaded - for some
+ security constraints not to be applied. This could have exposed resources
+ to users who were not authorised to access them.</p>
+
+ <p>This was fixed in revisions <revlink rev="1823322">1823322</revlink> and
+ <revlink rev="1824360">1824360</revlink>.</p>
+
+ <p>This issue was by the Apache Tomcat Security on 1 February 2018 and made
+ public on 23 February 2018.</p>
+
+ <p>Affects: 8.0.0.RC1 to 8.0.49</p>
+
+ <p><strong>High: Security constraints mapped to context root are
+ ignored</strong> <cve>CVE-2018-1304</cve></p>
+
+ <p>The URL pattern of "" (the empty string) which exactly maps to the
+ context root was not correctly handled when used as part of a security
+ constraint definition. This caused the constraint to be ignored. It was,
+ therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.</p>
+
+ <p>This was fixed in revision <revlink rev="1823309">1823309</revlink>.</p>
+
+ <p>This issue was reported publicly as <bug>62067</bug> on 31 January 2018
+ and the security implications identified by the Apache Tomcat Security
+ Team the same day. It was made public on 23 February 2018.</p>
+
+ <p>Affects: 7.0.0 to 7.0.84</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.84" rtext="24 January 2018">
<p><strong>Low: Incorrectly documented CGI search algorithm</strong>
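Review bot: The sentence "This issue was by the Apache Tomcat Security on 1 February 2018 and made public on 23 February 2018." in the CVE-2018-1305 entry is missing its verb and the rest of the team name; the CVE-2018-1304 entry in the same hunk uses the full form "identified by the Apache Tomcat Security Team", so this should read "This issue was identified by the Apache Tomcat Security Team on 1 February 2018 and made public on 23 February 2018." A second problem in the same entry: "Affects: 8.0.0.RC1 to 8.0.49" is an 8.0.x range inside the "Fixed in Apache Tomcat 7.0.85" section of security-7.xml and looks copied from the 8.0.x file; the CVE-2018-1304 entry just below it gives "7.0.0 to 7.0.84", so the correct 7.0.x range for CVE-2018-1305 should be confirmed and substituted before the generated security-7.html is published, since the affected-version line is what operators use to decide whether they need to upgrade.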
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1825106&r1=1825105&r2=1825106&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Fri Feb 23 00:25:01 2018
@@ -50,6 +50,86 @@
</section>
+ <section name="Fixed in Apache Tomcat 8.0.50" rtext="13 February 2018">
+
+ <p><strong>High: Security constraint annotations applied too late</strong>
+ <cve>CVE-2018-1305</cve></p>
+
+ <p>Security constraints defined by annotations of Servlets were only applied
+ once a Servlet had been loaded. Because security constraints defined in
+ this way apply to the URL pattern and any URLs below that point, it was
+ possible - depending on the order Servlets were loaded - for some
+ security constraints not to be applied. This could have exposed resources
+ to users who were not authorised to access them.</p>
+
+ <p>This was fixed in revisions <revlink rev="1823319">1823319</revlink> and
+ <revlink rev="1824359">1824359</revlink>.</p>
+
+ <p>This issue was by the Apache Tomcat Security on 1 February 2018 and made
+ public on 23 February 2018.</p>
+
+ <p>Affects: 8.0.0.RC1 to 8.0.49</p>
+
+ <p><strong>High: Security constraints mapped to context root are
+ ignored</strong> <cve>CVE-2018-1304</cve></p>
+
+ <p>The URL pattern of "" (the empty string) which exactly maps to the
+ context root was not correctly handled when used as part of a security
+ constraint definition. This caused the constraint to be ignored. It was,
+ therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.</p>
+
+ <p>This was fixed in revision <revlink rev="1823308">1823308</revlink>.</p>
+
+ <p>This issue was reported publicly as <bug>62067</bug> on 31 January 2018
+ and the security implications identified by the Apache Tomcat Security
+ Team the same day. It was made public on 23 February 2018.</p>
+
+ <p>Affects: 8.0.0.RC1 to 8.0.49</p>
+
+ </section>
+
+ <section name="Fixed in Apache Tomcat 8.5.28" rtext="11 February 2018">
+
+ <p><strong>High: Security constraint annotations applied too late</strong>
+ <cve>CVE-2018-1305</cve></p>
+
+ <p>Security constraints defined by annotations of Servlets were only applied
+ once a Servlet had been loaded. Because security constraints defined in
+ this way apply to the URL pattern and any URLs below that point, it was
+ possible - depending on the order Servlets were loaded - for some
+ security constraints not to be applied. This could have exposed resources
+ to users who were not authorised to access them.</p>
+
+ <p>This was fixed in revisions <revlink rev="1823314">1823314</revlink> and
+ <revlink rev="1824358">1824358</revlink>.</p>
+
+ <p>This issue was by the Apache Tomcat Security on 1 February 2018 and made
+ public on 23 February 2018.</p>
+
+ <p>Affects: 8.5.0 to 8.5.27</p>
+
+ <p><strong>High: Security constraints mapped to context root are
+ ignored</strong> <cve>CVE-2018-1304</cve></p>
+
+ <p>The URL pattern of "" (the empty string) which exactly maps to the
+ context root was not correctly handled when used as part of a security
+ constraint definition. This caused the constraint to be ignored. It was,
+ therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.</p>
+
+ <p>This was fixed in revision <revlink rev="1823307">1823307</revlink>.</p>
+
+ <p>This issue was reported publicly as <bug>62067</bug> on 31 January 2018
+ and the security implications identified by the Apache Tomcat Security
+ Team the same day. It was made public on 23 February 2018.</p>
+
+ <p>Affects: 8.5.0 to 8.5.27</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 8.0.48" rtext="12 December 2017">
<p><strong>Low: Incorrectly documented CGI search algorithm</strong>
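Review bot: Both new sections ("Fixed in Apache Tomcat 8.0.50" and "Fixed in Apache Tomcat 8.5.28") carry the same truncated sentence in their CVE-2018-1305 entry, "This issue was by the Apache Tomcat Security on 1 February 2018 and made public on 23 February 2018."; the verb and "Team" are missing, and the CVE-2018-1304 entries in this hunk show the intended wording, "identified by the Apache Tomcat Security Team". Suggest fixing both occurrences in one pass so the two sections stay word-for-word consistent, as they otherwise are.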
Modified: tomcat/site/trunk/xdocs/security-9.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1825106&r1=1825105&r2=1825106&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Fri Feb 23 00:25:01 2018
@@ -50,6 +50,46 @@
</section>
+ <section name="Fixed in Apache Tomcat 9.0.5" rtext="11 February 2018">
+
+ <p><strong>High: Security constraint annotations applied too late</strong>
+ <cve>CVE-2018-1305</cve></p>
+
+ <p>Security constraints defined by annotations of Servlets were only applied
+ once a Servlet had been loaded. Because security constraints defined in
+ this way apply to the URL pattern and any URLs below that point, it was
+ possible - depending on the order Servlets were loaded - for some
+ security constraints not to be applied. This could have exposed resources
+ to users who were not authorised to access them.</p>
+
+ <p>This was fixed in revisions <revlink rev="1823310">1823310</revlink> and
+ <revlink rev="1824323">1824323</revlink>.</p>
+
+ <p>This issue was by the Apache Tomcat Security on 1 February 2018 and made
+ public on 23 February 2018.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.4</p>
+
+ <p><strong>High: Security constraints mapped to context root are
+ ignored</strong> <cve>CVE-2018-1304</cve></p>
+
+ <p>The URL pattern of "" (the empty string) which exactly maps to the
+ context root was not correctly handled when used as part of a security
+ constraint definition. This caused the constraint to be ignored. It was,
+ therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.</p>
+
+ <p>This was fixed in revision <revlink rev="1823306">1823306</revlink>.</p>
+
+ <p>This issue was reported publicly as <bug>62067</bug> on 31 January 2018
+ and the security implications identified by the Apache Tomcat Security
+ Team the same day. It was made public on 23 February 2018.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.4</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 9.0.2" rtext="30 November 2017">
<p><strong>Low: Incorrectly documented CGI search algorithm</strong>
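Review bot: The CVE-2018-1305 entry in the "Fixed in Apache Tomcat 9.0.5" section has the same truncated sentence as the 7.0.x and 8.x files, "This issue was by the Apache Tomcat Security on 1 February 2018 and made public on 23 February 2018."; it should read "identified by the Apache Tomcat Security Team", matching the CVE-2018-1304 entry below it. The Affects lines in this hunk ("9.0.0.M1 to 9.0.4") are consistent with the section name, which is worth noting given the mismatch in the security-7.xml change in the same commit.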
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1825106 [5/5] - in /tomcat/site/trunk:
docs/security-7.html docs/security-8.html docs/security-9.html
xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml
Posted by Mark Thomas <ma...@apache.org>.
On 23/02/18 00:37, Emmanuel Bourg wrote:
> On 23/02/2018 at 01:25, markt@apache.org wrote:
>> + <p>This issue was by the Apache Tomcat Security on 1 February 2018 and made
>> + public on 23 February 2018.</p>
>
> The word "identified" is missing in this sentence.
Thanks for spotting this. I'll get that fixed shortly.
Mark
Re: svn commit: r1825106 [5/5] - in /tomcat/site/trunk:
docs/security-7.html docs/security-8.html docs/security-9.html
xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml
Posted by Emmanuel Bourg <eb...@apache.org>.
On 23/02/2018 at 01:25, markt@apache.org wrote:
> + <p>This issue was by the Apache Tomcat Security on 1 February 2018 and made
> + public on 23 February 2018.</p>
The word "identified" is missing in this sentence.
Emmanuel Bourg