Posted to dev@tomcat.apache.org by rj...@apache.org on 2009/04/16 17:34:20 UTC
svn commit: r765667 - /tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
Author: rjung
Date: Thu Apr 16 15:34:20 2009
New Revision: 765667
URL: http://svn.apache.org/viewvc?rev=765667&view=rev
Log:
Add all disclosed CVEs for mod_jk to changelog.
Modified:
tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
Modified: tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?rev=765667&r1=765666&r2=765667&view=diff
==============================================================================
--- tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml (original)
+++ tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml Thu Apr 16 15:34:20 2009
@@ -246,7 +246,9 @@
connection timeout but higher operational timeouts. (mturk)
</add>
<fix>
- AJP13: Always send initial POST packet even if the client
+ AJP13:
+ [<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519"><b>CVE-2008-5519</b></a>]
+ Always send initial POST packet even if the client
disconnected after sending request but before providing
POST data. In that case or in case the client broke the
connection in a middle of read send an zero size packet
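Review bot: the new CVE-2008-5519 bracket at the top of this hunk is not followed by a colon, while the equivalent annotations added later in this patch (the CVE-2007-0450/CVE-2007-1860 and CVE-2007-0774 entries) use the `[...]:` form; for consistency write `[<a href="..."><b>CVE-2008-5519</b></a>]:` so every security entry in the changelog reads the same way. Since this entry is being touched anyway, the unchanged context line "send an zero size packet" should read "send a zero-size packet".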
@@ -806,6 +808,9 @@
<subsection name="Native">
<changelog>
<update>
+ [<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450"><b>CVE-2007-0450</b></a>]
+ and
+ [<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860"><b>CVE-2007-1860</b></a>]:
Change the default value of JkOptions to ForwardURICompatUnparsed.
The old default value was ForwardURICompat.
This should make URL interpretation between Apache httpd and
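Review bot: this CVE annotation goes into an `<update>` entry rather than a `<fix>`, unlike the other three in this patch, so anyone scanning the changelog for security fixes by looking only at `<fix>` entries will miss CVE-2007-0450 and CVE-2007-1860; consider changing the element to `<fix>`. The entry text also records only the configuration change (the JkOptions default moving from ForwardURICompat to ForwardURICompatUnparsed) and says nothing about why the two CVEs are attached to it; a short clause describing the issue, as the CVE-2007-0774 entry below has, would make the entry self-explanatory.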
@@ -936,8 +941,8 @@
<subsection name="Native">
<changelog>
<fix>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774"><b>CVE-2007-0774</b></a>
- : A denial of service and critical remote code execution vulnerability.
+ [<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774"><b>CVE-2007-0774</b></a>]:
+ A denial of service and critical remote code execution vulnerability.
Caused by buffer overflow in map_uri_to_worker() when URL were longer that 4095 bytes.
Reported by ZDI (www.zerodayintiative.com).
Please note this issue only affected versions 1.2.19 and 1.2.20 of the
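Review bot: the unchanged context lines of this entry carry two typos that are worth fixing in the same commit since the entry is being reworked: "when URL were longer that 4095 bytes" should read "when the URL was longer than 4095 bytes", and the reporter's domain "zerodayintiative.com" appears misspelled (the Zero Day Initiative site is zerodayinitiative.com). Otherwise the move to the bracketed `[CVE]:` form matches the entries above.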
@@ -1511,7 +1516,9 @@
snprintf functions. (mturk)
</fix>
<fix>
- <bug>38859</bug>: Protect mod_jk against buggy or malicious
+ <bug>38859</bug>:
+ [<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7197"><b>CVE-2006-7197</b></a>]
+ Protect mod_jk against buggy or malicious
AJP servers in the backend. Patch provided by Ruediger Pluem. (mturk)
</fix>
<fix>
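Review bot: the colon placement in this hunk is inconsistent with the rest of the patch: `<bug>38859</bug>:` is followed by the CVE bracket and then "Protect ..." with no punctuation after the bracket, so the entry reads "38859: [CVE-2006-7197] Protect mod_jk ...". The other entries put the colon after the closing bracket; suggest `<bug>38859</bug> [<a href="..."><b>CVE-2006-7197</b></a>]: Protect mod_jk against ...` (or a comma after the bug reference) so the bug number and the CVE read as one reference list.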