Posted to dev@tomcat.apache.org by kk...@apache.org on 2011/09/23 00:38:40 UTC

svn commit: r1174435 - in /tomcat/site/trunk: docs/security-5.html xdocs/security-5.xml

Author: kkolinko
Date: Thu Sep 22 22:38:40 2011
New Revision: 1174435

URL: http://svn.apache.org/viewvc?rev=1174435&view=rev
Log:
Simplify the markup

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/xdocs/security-5.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1174435&r1=1174434&r2=1174435&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Thu Sep 22 22:38:40 2011
@@ -924,9 +924,7 @@
        XSS attack, unfiltered user supplied data must be included in the message
        argument.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680947&amp;view=rev">
-       revision 680947</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=680947">revision 680947</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 24 Jan 2008 and
        made public on 1 Aug 2008.</p>
@@ -944,9 +942,7 @@
        out (closing the browser) of the application once the management tasks
        have been completed.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=662583&amp;view=rev">
-       revision 662583</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=662583">revision 662583</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 15 May 2008 and
        made public on 28 May 2008.</p>
@@ -964,9 +960,7 @@
        protected by a security constraint or by locating it in under the WEB-INF 
        directory.</p>
 
-       <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680949&amp;view=rev">
-       revision 680949</a>.</p>
+       <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=680949">revision 680949</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 13 Jun 2008 and
        made public on 1 August 2008.</p>
@@ -1010,9 +1004,8 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333" rel="nofollow">CVE-2007-5333</a>
 </p>
 
-    <p>The previous fix for
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a> was incomplete. It did not consider the use of quotes
-       or %5C within a cookie value.</p>
+    <p>The previous fix for <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a> was incomplete. It did
+       not consider the use of quotes or %5C within a cookie value.</p>
 
     <p>Affects: 5.5.0-5.5.25</p>
 
@@ -1274,8 +1267,8 @@
 </p>
 
     <p>The fix for this issue was insufficient. A fix was also required in the
-       JK connector module for httpd. See 
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860" rel="nofollow">CVE-2007-1860</a> for further information.</p>
+       JK connector module for httpd. See <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860" rel="nofollow">CVE-2007-1860</a> for further
+       information.</p>
 
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
@@ -1582,7 +1575,7 @@
 
     <p>The root cause is the relatively expensive calls required to generate
        the content for the directory listings. If directory listings are
-       enabled, the number of files in each directory should be kepp to a
+       enabled, the number of files in each directory should be kept to a
        minimum. In response to this issue, directory listings were changed to
        be disabled by default. Additionally, a
        <a href="http://marc.info/?l=tomcat-dev&amp;m=113356822719767&amp;w=2">
@@ -1709,8 +1702,7 @@
     </p>
 
     <p>A work-around for this JVM bug was provided in 
-       <a href="http://svn.apache.org/viewvc?rev=1066318&amp;view=rev">
-       revision 1066318</a>.</p>
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1066318">revision 1066318</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 01 Feb 2011 and
        made public on 31 Jan 2011.</p>
@@ -1748,8 +1740,8 @@
        application.</p>
 
     <p>A workaround was implemented in
-       <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=904851">
-       revision 904851</a> that provided the new allowUnsafeLegacyRenegotiation
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=904851">revision 904851</a>
+       that provided the new <code>allowUnsafeLegacyRenegotiation</code>
        attribute. This work around will be included in Tomcat 5.5.29 onwards.</p>
 
     <p>
@@ -1793,8 +1785,8 @@
        status of this issue for your JVM, contact your JVM vendor.</p>
        
     <p>A workaround was implemented in
-       <a href="http://svn.apache.org/viewvc?rev=681029&amp;view=rev">
-       revision 681029</a> that protects against this and any similar character
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=681029">revision 681029</a>
+       that protects against this and any similar character
        encoding issues that may still exist in the JVM. This work around is
        included in Tomcat 5.5.27 onwards.</p>
 

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1174435&r1=1174434&r2=1174435&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Thu Sep 22 22:38:40 2011
@@ -418,8 +418,7 @@
   
   <section name="Fixed in Apache Tomcat 5.5.27" rtext="released 8 Sep 2008">
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232"
-       rel="nofollow">CVE-2008-1232</a></p>
+       <cve>CVE-2008-1232</cve></p>
 
     <p>The message argument of HttpServletResponse.sendError() call is not only
        displayed on the error page, but is also used for the reason-phrase of
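Review bot: `<cve>` in this hunk and `<revlink>` in the next one are new elements in security-5.xml, but the Modified list for this revision contains only docs/security-5.html and xdocs/security-5.xml, so the stylesheet rule that expands them is not part of this change. Name the revision that added that rule in the log message so the dependency can be traced. The regenerated HTML still carries rel="nofollow" on the CVE links, so the expansion matches the markup it replaces.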
@@ -429,9 +428,7 @@
        XSS attack, unfiltered user supplied data must be included in the message
        argument.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680947&amp;view=rev">
-       revision 680947</a>.</p>
+    <p>This was fixed in <revlink rev="680947">revision 680947</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 24 Jan 2008 and
        made public on 1 Aug 2008.</p>
@@ -439,8 +436,7 @@
     <p>Affects: 5.5.0-5.5.26</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947"
-       rel="nofollow">CVE-2008-1947</a></p>
+       <cve>CVE-2008-1947</cve></p>
 
     <p>The Host Manager web application did not escape user provided data before
        including it in the output. This enabled a XSS attack. This application
@@ -448,9 +444,7 @@
        out (closing the browser) of the application once the management tasks
        have been completed.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=662583&amp;view=rev">
-       revision 662583</a>.</p>
+    <p>This was fixed in <revlink rev="662583">revision 662583</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 15 May 2008 and
        made public on 28 May 2008.</p>
@@ -458,8 +452,7 @@
     <p>Affects: 5.5.9-5.5.26</p>
     
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370"
-       rel="nofollow">CVE-2008-2370</a></p>
+       <cve>CVE-2008-2370</cve></p>
 
     <p>When using a RequestDispatcher the target path was normalised before the 
        query string was removed. A request that included a specially crafted 
@@ -467,9 +460,7 @@
        protected by a security constraint or by locating it in under the WEB-INF 
        directory.</p>
 
-       <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680949&amp;view=rev">
-       revision 680949</a>.</p>
+       <p>This was fixed in <revlink rev="680949">revision 680949</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 13 Jun 2008 and
        made public on 1 August 2008.</p>
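Review bot: the rewritten `<p>This was fixed in <revlink rev="680949">` line keeps its seven-space indent, while the sibling paragraphs in this hunk start at four; since the line is being rewritten anyway, align it. The context paragraph above it also reads "locating it in under the WEB-INF directory", where "in" should be dropped, and docs/security-5.html carries the same text.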
@@ -480,19 +471,15 @@
 
   <section name="Fixed in Apache Tomcat 5.5.26" rtext="released 5 Feb 2008">
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333"
-       rel="nofollow">CVE-2007-5333</a></p>
+       <cve>CVE-2007-5333</cve></p>
 
-    <p>The previous fix for
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
-       rel="nofollow">CVE-2007-3385</a> was incomplete. It did not consider the use of quotes
-       or %5C within a cookie value.</p>
+    <p>The previous fix for <cve>CVE-2007-3385</cve> was incomplete. It did
+       not consider the use of quotes or %5C within a cookie value.</p>
 
     <p>Affects: 5.5.0-5.5.25</p>
 
     <p><strong>low: Elevated privileges</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342"
-       rel="nofollow">CVE-2007-5342</a></p>
+       <cve>CVE-2007-5342</cve></p>
 
     <p>The JULI logging component allows web applications to provide their own
        logging configurations. The default security policy does not restrict
@@ -503,8 +490,7 @@
     <p>Affects: 5.5.9-5.5.25</p>
 
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461"
-       rel="nofollow">CVE-2007-5461</a></p>
+       <cve>CVE-2007-5461</cve></p>
 
     <p>When Tomcat's WebDAV servlet is configured for use with a context and
        has been enabled for write, some WebDAV requests that specify an entity
@@ -514,8 +500,7 @@
     <p>Affects: 5.5.0-5.5.25</p>
 
     <p><strong>important: Data integrity</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286"
-       rel="nofollow">CVE-2007-6286</a></p>
+       <cve>CVE-2007-6286</cve></p>
 
     <p>When using the native (APR based) connector, connecting to the SSL port
        using netcat and then disconnecting without sending any data will cause
@@ -527,8 +512,7 @@
   <section name="Fixed in Apache Tomcat 5.5.25, 5.0.SVN"
           rtext="released 8 Sep 2007">
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449"
-       rel="nofollow">CVE-2007-2449</a></p>
+       <cve>CVE-2007-2449</cve></p>
 
     <p>JSPs within the examples web application did not escape user provided
        data before including it in the output. This enabled a XSS attack. These
@@ -541,8 +525,7 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.24</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450"
-       rel="nofollow">CVE-2007-2450</a></p>
+       <cve>CVE-2007-2450</cve></p>
 
     <p>The Manager and Host Manager web applications did not escape user
        provided data before including it in the output. This enabled a XSS
@@ -553,8 +536,7 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.24</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382"
-       rel="nofollow">CVE-2007-3382</a></p>
+       <cve>CVE-2007-3382</cve></p>
 
     <p>Tomcat incorrectly treated a single quote character (') in a cookie
        value as a delimiter. In some circumstances this lead to the leaking of
@@ -563,8 +545,7 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.24</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
-       rel="nofollow">CVE-2007-3385</a></p>
+       <cve>CVE-2007-3385</cve></p>
 
     <p>Tomcat incorrectly handled the character sequence \" in a cookie value.
        In some circumstances this lead to the leaking of information such as
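Review bot: "In some circumstances this lead to the leaking of information" in the CVE-2007-3385 text should read "led", and the CVE-2007-3382 entry in the previous hunk has the same wording. This revision already corrects "kepp" elsewhere, so both could be fixed in the same pass.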
@@ -573,8 +554,7 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.24</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386"
-       rel="nofollow">CVE-2007-3386</a></p>
+       <cve>CVE-2007-3386</cve></p>
 
     <p>The Host Manager Servlet did not filter user supplied data before
        display. This enabled an XSS attack.</p>
@@ -585,8 +565,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.24, 5.0.SVN" rtext="Not released">
     <p><strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355"
-       rel="nofollow">CVE-2007-1355</a></p>
+       <cve>CVE-2007-1355</cve></p>
 
     <p>The JSP and Servlet included in the sample application within the Tomcat
        documentation webapp did not escape user provided data before including
@@ -600,8 +579,7 @@
   <section name="Fixed in Apache Tomcat 5.5.23, 5.0.SVN"
           rtext="released 9 Mar 2007">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090"
-       rel="nofollow">CVE-2005-2090</a></p>
+       <cve>CVE-2005-2090</cve></p>
 
     <p>Requests with multiple content-length headers should be rejected as
        invalid. When multiple components (firewalls, caches, proxies and Tomcat)
@@ -619,13 +597,11 @@
 
   <section name="Fixed in Apache Tomcat 5.5.22, 5.0.SVN" rtext="not released">
     <p><strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450"
-       rel="nofollow">CVE-2007-0450</a></p>
+       <cve>CVE-2007-0450</cve></p>
 
     <p>The fix for this issue was insufficient. A fix was also required in the
-       JK connector module for httpd. See 
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860"
-       rel="nofollow">CVE-2007-1860</a> for further information.</p>
+       JK connector module for httpd. See <cve>CVE-2007-1860</cve> for further
+       information.</p>
 
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
@@ -657,8 +633,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.21, 5.0.SVN" rtext="not released">
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358"
-       rel="nofollow">CVE-2007-1358</a></p>
+       <cve>CVE-2007-1358</cve></p>
 
     <p>Web pages that display the Accept-Language header value sent by the
        client are susceptible to a cross-site scripting attack if they assume
@@ -674,8 +649,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.21" rtext="not released">
     <p><strong>moderate: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"
-       rel="nofollow">CVE-2008-0128</a></p>
+       <cve>CVE-2008-0128</cve></p>
 
     <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is
        transmitted without the "secure" attribute, resulting in it being
@@ -685,8 +659,7 @@
     <p>Affects: 5.0.0-5.0.SVN, 5.5.0-5.5.20</p>
 
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4308"
-       rel="nofollow">CVE-2008-4308</a></p>
+       <cve>CVE-2008-4308</cve></p>
 
     <p><a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=40771">Bug
     40771</a> may result in the disclosure of POSTed content from a previous
@@ -700,8 +673,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.18, 5.0.SVN" rtext="not released">
     <p><strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195"
-       rel="nofollow">CVE-2006-7195</a></p>
+       <cve>CVE-2006-7195</cve></p>
 
     <p>The implicit-objects.jsp in the examples webapp displayed a number of
        unfiltered header values. This enabled a XSS attack. These values are now
@@ -713,8 +685,7 @@
   <section name="Fixed in Apache Tomcat 5.5.17, 5.0.SVN"
           rtext="released 27 Apr 2006">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858"
-       rel="nofollow">CVE-2007-1858</a></p>
+       <cve>CVE-2007-1858</cve></p>
 
     <p>The default SSL configuration permitted the use of insecure cipher suites
        including the anonymous cipher suite. The default configuration no
@@ -726,8 +697,7 @@
   <section name="Fixed in Apache Tomcat 5.5.16, 5.0.SVN"
           rtext="released 15 Mar 2006">
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196"
-       rel="nofollow">CVE-2006-7196</a></p>
+       <cve>CVE-2006-7196</cve></p>
 
     <p>The calendar application included as part of the JSP examples is
        susceptible to a cross-site scripting attack as it does not escape
@@ -739,8 +709,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.13, 5.0.SVN">
     <p><strong>low: Directory listing</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835"
-       rel="nofollow">CVE-2006-3835</a></p>
+       <cve>CVE-2006-3835</cve></p>
 
     <p>This is expected behaviour when directory listings are enabled. The
        semicolon (;) is the separator for path parameters so inserting one
@@ -752,12 +721,11 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.12</p>
 
     <p><strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510"
-       rel="nofollow">CVE-2005-3510</a></p>
+       <cve>CVE-2005-3510</cve></p>
 
     <p>The root cause is the relatively expensive calls required to generate
        the content for the directory listings. If directory listings are
-       enabled, the number of files in each directory should be kepp to a
+       enabled, the number of files in each directory should be kept to a
        minimum. In response to this issue, directory listings were changed to
        be disabled by default. Additionally, a
        <a href="http://marc.info/?l=tomcat-dev&amp;m=113356822719767&amp;w=2">
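Review bot: the "kepp" to "kept" correction in the CVE-2005-3510 paragraph is a text change, while the log message says only "Simplify the markup". Mention the typo fix in the log or commit it separately so the content change is visible in history.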
@@ -769,8 +737,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.7, 5.0.SVN">
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4838"
-       rel="nofollow">CVE-2005-4838</a></p>
+       <cve>CVE-2005-4838</cve></p>
 
     <p>Various JSPs included as part of the JSP examples and the Tomcat Manager
        are susceptible to a cross-site scripting attack as they do not escape
@@ -781,8 +748,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.1">
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271"
-       rel="nofollow">CVE-2008-3271</a></p>
+       <cve>CVE-2008-3271</cve></p>
 
     <p><a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=25835">
     Bug 25835</a> can, in rare circumstances - this has only been reproduced
@@ -797,8 +763,7 @@
   <section name="Not a vulnerability in Tomcat">
 
     <p><strong>Important: Remote Denial Of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476"
-       rel="nofollow">CVE-2010-4476</a></p>
+       <cve>CVE-2010-4476</cve></p>
 
     <p>A JVM bug could cause Double conversion to hang JVM when accessing to a
        form based security constrained page or any page that calls
@@ -808,8 +773,7 @@
     </p>
 
     <p>A work-around for this JVM bug was provided in 
-       <a href="http://svn.apache.org/viewvc?rev=1066318&amp;view=rev">
-       revision 1066318</a>.</p>
+       <revlink rev="1066318">revision 1066318</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 01 Feb 2011 and
        made public on 31 Jan 2011.</p>
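Review bot: the context line under the CVE-2010-4476 revlink says the issue was "first reported to the Tomcat security team on 01 Feb 2011 and made public on 31 Jan 2011", which puts disclosure a day before the report. One of the two dates looks wrong, or the order is swapped; check and correct it here, since docs/security-5.html repeats the same sentence.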
@@ -817,8 +781,7 @@
     <p>Affects: 5.5.0-5.5.32</p>
 
     <p><strong>moderate: TLS SSL Man In The Middle</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555"
-       rel="nofollow">CVE-2009-3555</a></p>
+       <cve>CVE-2009-3555</cve></p>
 
     <p>A vulnerability exists in the TLS protocol that allows an attacker to
        inject arbitrary requests into an TLS stream during renegotiation.</p>
@@ -846,25 +809,22 @@
        application.</p>
 
     <p>A workaround was implemented in
-       <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=904851">
-       revision 904851</a> that provided the new allowUnsafeLegacyRenegotiation
+       <revlink rev="904851">revision 904851</revlink>
+       that provided the new <code>allowUnsafeLegacyRenegotiation</code>
        attribute. This work around will be included in Tomcat 5.5.29 onwards.</p>
 
     <p><strong>JavaMail information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754"
-       rel="nofollow">CVE-2005-1754</a></p>
+       <cve>CVE-2005-1754</cve></p>
     <p>The vulnerability described is in the web application deployed on Tomcat
        rather than in Tomcat.</p>
 
     <p><strong>JavaMail information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1753"
-       rel="nofollow">CVE-2005-1753</a></p>
+       <cve>CVE-2005-1753</cve></p>
     <p>The vulnerability described is in the web application deployed on Tomcat
        rather than in Tomcat.</p>
 
     <p><strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938"
-       rel="nofollow">CVE-2008-2938</a></p>
+       <cve>CVE-2008-2938</cve></p>
 
     <p>Originally reported as a Tomcat vulnerability the root cause of this
        issue is that the JVM does not correctly decode UTF-8 encoded URLs to
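Review bot: in the CVE-2009-3555 paragraph, "This work around will be included in Tomcat 5.5.29 onwards" is still in the future tense, although another entry lists "Affects: 5.5.0-5.5.32" and the CVE-2008-2938 text says "is included in Tomcat 5.5.27 onwards"; change it to "is included". The same paragraph spells the word "workaround" in its first sentence and "work around" in its last. The two JavaMail entries also have no severity prefix in their `<strong>` heading, unlike every other entry in this diff.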
@@ -888,8 +848,8 @@
        status of this issue for your JVM, contact your JVM vendor.</p>
        
     <p>A workaround was implemented in
-       <a href="http://svn.apache.org/viewvc?rev=681029&amp;view=rev">
-       revision 681029</a> that protects against this and any similar character
+       <revlink rev="681029">revision 681029</revlink>
+       that protects against this and any similar character
        encoding issues that may still exist in the JVM. This work around is
        included in Tomcat 5.5.27 onwards.</p>
 


