You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by jf...@apache.org on 2018/07/21 09:04:53 UTC

svn commit: r1836400 - in /tomcat/site/trunk: docs/security-native.html xdocs/security-native.xml

Author: jfclere
Date: Sat Jul 21 09:04:53 2018
New Revision: 1836400

URL: http://svn.apache.org/viewvc?rev=1836400&view=rev
Log:
Add the CVE fixed in 1.2.17

Modified:
    tomcat/site/trunk/docs/security-native.html
    tomcat/site/trunk/xdocs/security-native.xml

Modified: tomcat/site/trunk/docs/security-native.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-native.html?rev=1836400&r1=1836399&r2=1836400&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-native.html (original)
+++ tomcat/site/trunk/docs/security-native.html Sat Jul 21 09:04:53 2018
@@ -222,6 +222,9 @@
 <a href="#Apache_Tomcat_APR/native_Connector_vulnerabilities">Apache Tomcat APR/native Connector vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_Native_Connector_1.2.17">Fixed in Apache Tomcat Native Connector 1.2.17</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_Native_Connector_1.2.16">Fixed in Apache Tomcat Native Connector 1.2.16</a>
 </li>
 <li>
@@ -255,6 +258,48 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_Native_Connector_1.2.17">Fixed in Apache Tomcat Native Connector 1.2.17</h3>
+<div class="text">
+
+    
+<p>
+<strong>Moderate: Mishandled OCSP invalid response</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8019" rel="nofollow">CVE-2018-8019</a>
+</p>
+    
+<p>When using an OCSP responder Tomcat Native did not correctly handle
+       invalid responses.  This allowed for revoked client certificates to
+       be incorrectly identified.  It was therefore possible for users to
+       authenticate with revoked certificates when using mutual TLS.</p>
+
+    
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1832832">1832832</a>.</p>
+
+    
+<p>Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34</p>
+
+    
+<p>
+<strong>Important:  Mishandled OCSP responses can allow clients to
+       authenticate with revoked certificates</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8020" rel="nofollow">CVE-2018-8020</a>
+</p>
+
+    
+<p>Apache Tomcat Native has a flaw that does not properly check OCSP
+       pre-produced responses, which are lists (multiple entries) of
+       certificate statuses. Subsequently, revoked client certificates may not be
+       properly identified, allowing for users to authenticate with revoked
+       certicates to connections that require mutual TLS.</p>
+
+    
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1832863">1832863</a>.</p>
+
+    
+<p>Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_Native_Connector_1.2.16">Fixed in Apache Tomcat Native Connector 1.2.16</h3>
 <div class="text">
 

Modified: tomcat/site/trunk/xdocs/security-native.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-native.xml?rev=1836400&r1=1836399&r2=1836400&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-native.xml (original)
+++ tomcat/site/trunk/xdocs/security-native.xml Sat Jul 21 09:04:53 2018
@@ -32,6 +32,35 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat Native Connector 1.2.17">
+
+    <p><strong>Moderate: Mishandled OCSP invalid response</strong>
+       <cve>CVE-2018-8019</cve></p>
+    <p>When using an OCSP responder Tomcat Native did not correctly handle
+       invalid responses.  This allowed for revoked client certificates to
+       be incorrectly identified.  It was therefore possible for users to
+       authenticate with revoked certificates when using mutual TLS.</p>
+
+    <p>This was fixed in revision <revlink rev="1832832">1832832</revlink>.</p>
+
+    <p>Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34</p>
+
+    <p><strong>Important:  Mishandled OCSP responses can allow clients to
+       authenticate with revoked certificates</strong>
+       <cve>CVE-2018-8020</cve></p>
+
+    <p>Apache Tomcat Native has a flaw that does not properly check OCSP
+       pre-produced responses, which are lists (multiple entries) of
+       certificate statuses. Subsequently, revoked client certificates may not be
+       properly identified, allowing for users to authenticate with revoked
+       certicates to connections that require mutual TLS.</p>
+
+    <p>This was fixed in revision <revlink rev="1832863">1832863</revlink>.</p>
+
+    <p>Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat Native Connector 1.2.16">
 
     <p><i>Note: The issue below was fixed in Apache Tomcat Native Connector



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org