Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/08/11 22:16:02 UTC
svn commit: r684900 - in /tomcat:
container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
current/tc4.1.x/STATUS.txt
Author: markt
Date: Mon Aug 11 13:16:02 2008
New Revision: 684900
URL: http://svn.apache.org/viewvc?rev=684900&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=41217
Mark SSO cookies as secure. This is CVE-2008-0128.
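The fix below hard-codes the Secure attribute on Tomcat's SSO cookie. A practitioner verifying a 4.1.x instance (or any Tomcat in front of which TLS is terminated) wants a way to look at the Set-Cookie headers the server actually emits and flag cookies that lack the attribute. The following is an added example, not code from this commit or from Tomcat: it parses Set-Cookie header values the way a browser does and reports watched cookies set without Secure. The cookie name JSESSIONIDSSO is the value Tomcat uses for Constants.SINGLE_SIGN_ON_COOKIE; the two sample header lists are constructed to mimic a pre-fix and a post-fix response and are not captured from a real server.

```python
"""Audit Set-Cookie headers for the Secure attribute on Tomcat's SSO cookie.

Added example, not part of r684900. The samples below are constructed,
not captured from a real Tomcat 4.1.x instance.
"""
import http.client
import ssl
from typing import Dict, List, Tuple

# Name of the single sign-on cookie (Constants.SINGLE_SIGN_ON_COOKIE in Catalina).
SSO_COOKIE = "JSESSIONIDSSO"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attribute map.

    Attribute names are compared case-insensitively, as browsers do; an
    attribute without a value (Secure, HttpOnly) is stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def insecure_cookies(headers: List[str],
                     watch: Tuple[str, ...] = (SSO_COOKIE, "JSESSIONID")) -> List[str]:
    """Return the names of watched cookies that were set without Secure.

    A cookie lacking Secure is sent by the browser over plain HTTP too, which
    is the exposure the SSO fix closes for JSESSIONIDSSO.
    """
    missing = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in watch and "secure" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


def fetch_set_cookie(host: str, path: str = "/", port: int = 443) -> List[str]:
    """Live check: request `path` over TLS and return every Set-Cookie value.

    Point it at a protected resource so the authenticator issues the SSO
    cookie. Not used by the offline samples below.
    """
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context())
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed samples (assumed shapes, not real captures): the SSO cookie
# without Secure as before the fix, and with Secure as after it.
BEFORE_FIX = [
    "JSESSIONIDSSO=0E6A4F3F2C8B7E1D; Path=/",
    "JSESSIONID=1B2C3D4E5F607182; Path=/app; Secure",
]
AFTER_FIX = [
    "JSESSIONIDSSO=0E6A4F3F2C8B7E1D; Path=/; Secure",
    "JSESSIONID=1B2C3D4E5F607182; Path=/app; Secure",
]

if __name__ == "__main__":
    print("before fix, missing Secure:", insecure_cookies(BEFORE_FIX))
    print("after fix, missing Secure:", insecure_cookies(AFTER_FIX))
```

Run fetch_set_cookie against a host with the SingleSignOn valve enabled and feed the result to insecure_cookies. Note that the check only tells you what the server sends: a cookie that was already issued without Secure over HTTP stays in the browser until it expires, and a Secure cookie is never returned by the browser on a plain-HTTP request, which is why the unconditional setSecure(true) in this commit makes SSO an HTTPS-only feature.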
Modified:
tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/current/tc4.1.x/STATUS.txt
Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?rev=684900&r1=684899&r2=684900&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original)
+++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Mon Aug 11 13:16:02 2008
@@ -1728,7 +1728,10 @@
Fix issues with MS clients.
[4.1.37] WebDAV
- Fix CVE-2007-5461, an important information disclosure vulnerability
+ Fix CVE-2007-5461, an important information disclosure vulnerability.
+
+[4.1.38] #41217
+ SSO cookies are now marked as secure. This is CVE-2008-0128.
----------------
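Review bot: the new [4.1.38] entry should state the compatibility impact of the change it records: because AuthenticatorBase now calls setSecure(true) unconditionally, browsers will no longer return JSESSIONIDSSO over plain HTTP, so single sign-on only works over HTTPS from this release on. Operators running SSO over HTTP need that in the release notes before they upgrade; suggest appending a sentence such as "Note that browsers will not send the SSO cookie over a non-HTTPS connection, so SSO now requires HTTPS." The period added to the CVE-2007-5461 line is fine.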
Modified: tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=684900&r1=684899&r2=684900&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java Mon Aug 11 13:16:02 2008
@@ -1035,6 +1035,7 @@
Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
cookie.setMaxAge(-1);
cookie.setPath("/");
+ cookie.setSecure(true);
hres.addCookie(cookie);
// Register this principal with our SSO valve
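Review bot: cookie.setSecure(true) is unconditional, so on any deployment where the client reaches Tomcat over plain HTTP, including Tomcat behind a TLS-terminating proxy that forwards HTTP, the browser will never return the SSO cookie and SSO silently stops working rather than failing loudly. Consider cookie.setSecure(request.isSecure()) on the HttpServletRequest in scope (its variable name is not visible in this hunk; ServletRequest.isSecure() is standard servlet API), or a configurable attribute, so the flag tracks whether the request actually arrived securely. Whichever is chosen, add a comment at the setSecure line referencing bug 41217 / CVE-2008-0128, since a later reader will otherwise wonder why the flag is hard-coded.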
Modified: tomcat/current/tc4.1.x/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/current/tc4.1.x/STATUS.txt?rev=684900&r1=684899&r2=684900&view=diff
==============================================================================
--- tomcat/current/tc4.1.x/STATUS.txt (original)
+++ tomcat/current/tc4.1.x/STATUS.txt Mon Aug 11 13:16:02 2008
@@ -31,12 +31,6 @@
+1: markt, yoavs, funkman
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=41217
- This is CVE-2008-0128.
- http://people.apache.org/~markt/patches/2008-03-10-bug41217-tc4.patch
- +1: markt, yoavs, funkman, mturk, hgomez
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=45301
Remove a JDK 1.4 dep for the few users that still run TC4 on 1.3 JDKs
http://people.apache.org/~markt/patches/2008-07-07-bug45301-tc4.patch
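Review bot: the proposal being removed cites a patch dated 2008-03-10 with five +1 votes, while this commit lands on 2008-08-11; since the committed change is the single cookie.setSecure(true) line, it is worth stating in the log message that the committed change is the voted patch unchanged, so the STATUS record and the commit can be matched later. Otherwise the removal is correct: the vote is complete and the change is in.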
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org