Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/08/11 22:16:02 UTC

svn commit: r684900 - in /tomcat: container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java current/tc4.1.x/STATUS.txt

Author: markt
Date: Mon Aug 11 13:16:02 2008
New Revision: 684900

URL: http://svn.apache.org/viewvc?rev=684900&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=41217
Mark SSO cookies as secure. This is CVE-2008-0128.

Modified:
    tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
    tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
    tomcat/current/tc4.1.x/STATUS.txt

Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?rev=684900&r1=684899&r2=684900&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original)
+++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Mon Aug 11 13:16:02 2008
@@ -1728,7 +1728,10 @@
          Fix issues with MS clients.
 
 [4.1.37] WebDAV
-         Fix CVE-2007-5461, an important information disclosure vulnerability
+         Fix CVE-2007-5461, an important information disclosure vulnerability.
+
+[4.1.38] #41217
+         SSO cookies are now marked as secure. This is CVE-2008-0128.
 
 
 ----------------
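Review bot: The new [4.1.38] entry should state the operational consequence of the change, since the accompanying code sets the Secure attribute unconditionally: browsers will not return a Secure cookie over plain HTTP, so single sign-on stops working for any deployment that still serves the SSO-protected applications over http://. Suggest appending a sentence such as "SSO therefore requires HTTPS; SSO cookies are no longer sent over plain HTTP." so administrators upgrading to 4.1.38 are not surprised by users being re-prompted for credentials.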

Modified: tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=684900&r1=684899&r2=684900&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java Mon Aug 11 13:16:02 2008
@@ -1035,6 +1035,7 @@
             Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
             cookie.setMaxAge(-1);
             cookie.setPath("/");
+            cookie.setSecure(true);
             hres.addCookie(cookie);
 
             // Register this principal with our SSO valve
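Review bot: `cookie.setSecure(true)` is applied unconditionally, which both fixes the disclosure (the JSESSIONIDSSO value can no longer be replayed over an unencrypted hop once it was issued over TLS) and silently breaks SSO for plain-HTTP deployments, because a browser will never send a Secure cookie on an http:// request. Consider either deriving the flag from the current request (`HttpServletRequest.isSecure()`), which still protects cookies issued over HTTPS, or making the behaviour a documented configuration option on the authenticator; either way the choice should be recorded in a comment next to the call, since a later reader will not know why the flag is forced on. Note also that the Servlet 2.3 API available to 4.1.x offers no HttpOnly setter, so this cookie remains readable by script; that limitation is worth a comment as well so it is not mistaken for an oversight.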

Modified: tomcat/current/tc4.1.x/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/current/tc4.1.x/STATUS.txt?rev=684900&r1=684899&r2=684900&view=diff
==============================================================================
--- tomcat/current/tc4.1.x/STATUS.txt (original)
+++ tomcat/current/tc4.1.x/STATUS.txt Mon Aug 11 13:16:02 2008
@@ -31,12 +31,6 @@
   +1: markt, yoavs, funkman
   -1:
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=41217
-  This is CVE-2008-0128.
-  http://people.apache.org/~markt/patches/2008-03-10-bug41217-tc4.patch
-  +1: markt, yoavs, funkman, mturk, hgomez
-  -1:
-
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45301
   Remove a JDK 1.4 dep for the few users that still run TC4 on 1.3 JDKs
   http://people.apache.org/~markt/patches/2008-07-07-bug45301-tc4.patch


