You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2011/09/26 12:36:53 UTC
svn commit: r1175778 - in /tomcat/site/trunk: docs/security-5.html
docs/security-6.html docs/security-7.html xdocs/security-5.xml
xdocs/security-6.xml xdocs/security-7.xml
Author: markt
Date: Mon Sep 26 10:36:53 2011
New Revision: 1175778
URL: http://svn.apache.org/viewvc?rev=1175778&view=rev
Log:
Add CVE-2011-1184
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Sep 26 10:36:53 2011
@@ -360,6 +360,32 @@
<blockquote>
<p>
+<strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>
+</p>
+
+ <p>The implementation of HTTP DIGEST authentication was discovered to have
+ several weaknesses:
+ <ul>
+ <li>replay attacks were permitted</li>
+ <li>server nonces were not checked</li>
+ <li>client nonce counts were not checked</li>
+ <li>qop values were not checked</li>
+ <li>realm values were not checked</li>
+ <li>the server secret was hard-coded to a known string</li>
+ </ul>
+ The result of these weaknesses is that DIGEST authentication was only as
+ secure as BASIC authentication.
+ </p>
+
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1159309">revision 1159309</a>.</p>
+
+ <p>This was identified by the Tomcat security team on 16 March 2011 and
+ made public on 26 September 2011.</p>
+
+ <p>Affects: 5.5.0-5.5.33</p>
+
+ <p>
<strong>Low: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a>
</p>
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Sep 26 10:36:53 2011
@@ -418,6 +418,32 @@
<blockquote>
<p>
+<strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>
+</p>
+
+ <p>The implementation of HTTP DIGEST authentication was discovered to have
+ several weaknesses:
+ <ul>
+ <li>replay attacks were permitted</li>
+ <li>server nonces were not checked</li>
+ <li>client nonce counts were not checked</li>
+ <li>qop values were not checked</li>
+ <li>realm values were not checked</li>
+ <li>the server secret was hard-coded to a known string</li>
+ </ul>
+ The result of these weaknesses is that DIGEST authentication was only as
+ secure as BASIC authentication.
+ </p>
+
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1158180">revision 1158180</a>.</p>
+
+ <p>This was identified by the Tomcat security team on 16 March 2011 and
+ made public on 26 September 2011.</p>
+
+ <p>Affects: 6.0.0-6.0.32</p>
+
+ <p>
<strong>Low: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a>
</p>
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Sep 26 10:36:53 2011
@@ -665,6 +665,32 @@
<p>Affects: 7.0.0-7.0.11</p>
<p>
+<strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>
+</p>
+
+ <p>The implementation of HTTP DIGEST authentication was discovered to have
+ several weaknesses:
+ <ul>
+ <li>replay attacks were permitted</li>
+ <li>server nonces were not checked</li>
+ <li>client nonce counts were not checked</li>
+ <li>qop values were not checked</li>
+ <li>realm values were not checked</li>
+ <li>the server secret was hard-coded to a known string</li>
+ </ul>
+ The result of these weaknesses is that DIGEST authentication was only as
+ secure as BASIC authentication.
+ </p>
+
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1087655">revision 1087655</a>.</p>
+
+ <p>This was identified by the Tomcat security team on 16 March 2011 and
+ made public on 26 September 2011.</p>
+
+ <p>Affects: 7.0.0-7.0.11</p>
+
+ <p>
<strong>Important: Security constraint bypass</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183" rel="nofollow">CVE-2011-1183</a>
</p>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Sep 26 10:36:53 2011
@@ -48,6 +48,31 @@
<section name="Fixed in Apache Tomcat 5.5.34" rtext="released 22 Sep 2011">
+ <p><strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184"
+ rel="nofollow">CVE-2011-1184</a></p>
+
+ <p>The implementation of HTTP DIGEST authentication was discovered to have
+ several weaknesses:
+ <ul>
+ <li>replay attacks were permitted</li>
+ <li>server nonces were not checked</li>
+ <li>client nonce counts were not checked</li>
+ <li>qop values were not checked</li>
+ <li>realm values were not checked</li>
+ <li>the server secret was hard-coded to a known string</li>
+ </ul>
+ The result of these weaknesses is that DIGEST authentication was only as
+ secure as BASIC authentication.
+ </p>
+
+ <p>This was fixed in <revlink rev="1159309">revision 1159309</revlink>.</p>
+
+ <p>This was identified by the Tomcat security team on 16 March 2011 and
+ made public on 26 September 2011.</p>
+
+ <p>Affects: 5.5.0-5.5.33</p>
+
<p><strong>Low: Information disclosure</strong>
<cve>CVE-2011-2204</cve></p>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Sep 26 10:36:53 2011
@@ -87,6 +87,31 @@
<section name="Fixed in Apache Tomcat 6.0.33">
+ <p><strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184"
+ rel="nofollow">CVE-2011-1184</a></p>
+
+ <p>The implementation of HTTP DIGEST authentication was discovered to have
+ several weaknesses:
+ <ul>
+ <li>replay attacks were permitted</li>
+ <li>server nonces were not checked</li>
+ <li>client nonce counts were not checked</li>
+ <li>qop values were not checked</li>
+ <li>realm values were not checked</li>
+ <li>the server secret was hard-coded to a known string</li>
+ </ul>
+ The result of these weaknesses is that DIGEST authentication was only as
+ secure as BASIC authentication.
+ </p>
+
+ <p>This was fixed in <revlink rev="1158180">revision 1158180</revlink>.</p>
+
+ <p>This was identified by the Tomcat security team on 16 March 2011 and
+ made public on 26 September 2011.</p>
+
+ <p>Affects: 6.0.0-6.0.32</p>
+
<p><strong>Low: Information disclosure</strong>
<cve>CVE-2011-2204</cve></p>
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Sep 26 10:36:53 2011
@@ -230,6 +230,31 @@
<p>Affects: 7.0.0-7.0.11</p>
+ <p><strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184"
+ rel="nofollow">CVE-2011-1184</a></p>
+
+ <p>The implementation of HTTP DIGEST authentication was discovered to have
+ several weaknesses:
+ <ul>
+ <li>replay attacks were permitted</li>
+ <li>server nonces were not checked</li>
+ <li>client nonce counts were not checked</li>
+ <li>qop values were not checked</li>
+ <li>realm values were not checked</li>
+ <li>the server secret was hard-coded to a known string</li>
+ </ul>
+ The result of these weaknesses is that DIGEST authentication was only as
+ secure as BASIC authentication.
+ </p>
+
+ <p>This was fixed in <revlink rev="1087655">revision 1087655</revlink>.</p>
+
+ <p>This was identified by the Tomcat security team on 16 March 2011 and
+ made public on 26 September 2011.</p>
+
+ <p>Affects: 7.0.0-7.0.11</p>
+
<p><strong>Important: Security constraint bypass</strong>
<cve>CVE-2011-1183</cve></p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org