You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/11/22 18:29:36 UTC
svn commit: r1037784 - in /tomcat/site/trunk: docs/security-6.html
docs/security-7.html xdocs/security-6.xml xdocs/security-7.xml
Author: markt
Date: Mon Nov 22 17:29:35 2010
New Revision: 1037784
URL: http://svn.apache.org/viewvc?rev=1037784&view=rev
Log:
Updates for CVE-2010-4172
Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1037784&r1=1037783&r2=1037784&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Nov 22 17:29:35 2010
@@ -201,6 +201,9 @@
<a href="#Apache_Tomcat_6.x_vulnerabilities">Apache Tomcat 6.x vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_SVN_for_Apache_Tomcat_6.0.30_(not_yet_released)">Fixed in SVN for Apache Tomcat 6.0.30 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_6.0.28">Fixed in Apache Tomcat 6.0.28</a>
</li>
<li>
@@ -290,6 +293,50 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in SVN for Apache Tomcat 6.0.30 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_SVN_for_Apache_Tomcat_6.0.30_(not_yet_released)">
+<strong>Fixed in SVN for Apache Tomcat 6.0.30 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>moderate: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172">
+ CVE-2010-4172</a>
+</p>
+
+ <p>The Manager application used the user provided parameters sort and
+ orderBy directly without filtering thereby permitting cross-site
+ scripting.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1037779&view=rev">
+ revision 1037779</a>.</p>
+
+ <p>Affects: 6.0.12-6.0.29</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.28">
<!--()-->
</a>
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1037784&r1=1037783&r2=1037784&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Nov 22 17:29:35 2010
@@ -201,6 +201,9 @@
<a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_SVN_for_Apache_Tomcat_7.0.5_(not_yet_released)">Fixed in SVN for Apache Tomcat 7.0.5 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_7.0.2">Fixed in Apache Tomcat 7.0.2</a>
</li>
<li>
@@ -258,6 +261,51 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in SVN for Apache Tomcat 7.0.5 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_SVN_for_Apache_Tomcat_7.0.5_(not_yet_released)">
+<strong>Fixed in SVN for Apache Tomcat 7.0.5 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>low: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172">
+ CVE-2010-4172</a>
+</p>
+
+ <p>The Manager application used the user provided parameters sort and
+ orderBy directly without filtering thereby permitting cross-site
+ scripting. The CSRF protection, which is enabled by default, prevents an
+ attacker from exploiting this.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1037778&view=rev">
+ revision 1037778</a>.</p>
+
+ <p>Affects: 7.0.0-7.0.4</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 7.0.2">
<!--()-->
</a>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1037784&r1=1037783&r2=1037784&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Nov 22 17:29:35 2010
@@ -30,6 +30,24 @@
</section>
+ <section name="Fixed in SVN for Apache Tomcat 6.0.30 (not yet released)">
+
+ <p><strong>moderate: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172">
+ CVE-2010-4172</a></p>
+
+ <p>The Manager application used the user provided parameters sort and
+ orderBy directly without filtering thereby permitting cross-site
+ scripting.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1037779&view=rev">
+ revision 1037779</a>.</p>
+
+ <p>Affects: 6.0.12-6.0.29</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 6.0.28">
<p><strong>Important: Remote Denial Of Service and Information Disclosure
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1037784&r1=1037783&r2=1037784&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Nov 22 17:29:35 2010
@@ -25,6 +25,25 @@
<a href="mailto:security@tomcat.apache.org">Tomcat Security Team</a>.</p>
</section>
+ <section name="Fixed in SVN for Apache Tomcat 7.0.5 (not yet released)">
+
+ <p><strong>low: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172">
+ CVE-2010-4172</a></p>
+
+ <p>The Manager application used the user provided parameters sort and
+ orderBy directly without filtering thereby permitting cross-site
+ scripting. The CSRF protection, which is enabled by default, prevents an
+ attacker from exploiting this.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1037778&view=rev">
+ revision 1037778</a>.</p>
+
+ <p>Affects: 7.0.0-7.0.4</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.2">
<p><i>Note: The issue below was fixed in Apache Tomcat 7.0.1 but the
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org