Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/02/11 11:37:26 UTC

svn commit: r908917 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml

Author: markt
Date: Thu Feb 11 10:37:24 2010
New Revision: 908917

URL: http://svn.apache.org/viewvc?rev=908917&view=rev
Log:
Add a note on where to find the "not a vulnerability section"
Add the missing severity and svn reference for CVE-2009-3555
Remove the reference to CVE-2009-3555 from the fixed in 6.0.24 section to keep it consistent with the other non-Tomcat vulnerabilities

Modified:
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=908917&r1=908916&r2=908917&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Thu Feb 11 10:37:24 2010
@@ -3,18 +3,18 @@
 <html>
 <head>
 <title>Apache Tomcat - Apache Tomcat 6.x vulnerabilities</title>
-<meta content="Apache Tomcat Project" name="author" />
-<link rel="stylesheet" href="stylesheets/tomcat.css" type="text/css" />
-<link media="print" rel="stylesheet" href="stylesheets/tomcat-printer.css" type="text/css" />
+<meta name="author" content="Apache Tomcat Project"/>
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/>
 </head>
-<body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff">
-<table cellspacing="0" width="100%" border="0">
+<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
+<table border="0" width="100%" cellspacing="0">
 <!--PAGE HEADER-->
 <tr>
 <td>
 <!--PROJECT LOGO-->
 <a href="http://tomcat.apache.org/">
-<img border="0" alt="Tomcat Logo" align="left" src="./images/tomcat10.jpg" />
+<img src="./images/tomcat10.jpg" align="left" alt="Tomcat Logo" border="0"/>
 </a>
 </td>
 <td>
@@ -25,28 +25,28 @@
 <td>
 <!--APACHE LOGO-->
 <a href="http://www.apache.org/">
-<img border="0" alt="Apache Logo" align="right" src="http://www.apache.org/images/asf-logo.gif" />
+<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/>
 </a>
 </td>
 </tr>
 </table>
 <div class="searchbox noPrint">
-<form method="get" action="http://www.google.com/search">
-<input type="hidden" name="sitesearch" value="tomcat.apache.org" />
-<input type="text" id="query" name="q" size="25" value="Search the Site" />
-<input type="submit" value="Search Site" name="Search" />
+<form action="http://www.google.com/search" method="get">
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
+<input value="Search the Site" size="25" name="q" id="query" type="text"/>
+<input name="Search" value="Search Site" type="submit"/>
 </form>
 </div>
-<table cellspacing="4" width="100%" border="0">
+<table border="0" width="100%" cellspacing="4">
 <!--HEADER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr size="1" noshade="" />
+<hr noshade="" size="1"/>
 </td>
 </tr>
 <tr>
 <!--LEFT SIDE NAVIGATION-->
-<td class="noPrint" nowrap="true" valign="top" width="20%">
+<td width="20%" valign="top" nowrap="true" class="noPrint">
 <p>
 <strong>Apache Tomcat</strong>
 </p>
@@ -172,11 +172,11 @@
 </ul>
 </td>
 <!--RIGHT SIDE MAIN BODY-->
-<td id="mainBody" align="left" valign="top" width="80%">
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<td width="80%" valign="top" align="left" id="mainBody">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Apache Tomcat 6.x vulnerabilities">
 <strong>Apache Tomcat 6.x vulnerabilities</strong>
 </a>
@@ -195,6 +195,10 @@
        is known to affect, and where a flaw has not been verified list the
        version with a question mark.</p>
 
+    <p>Note: Vulnerabilities that are not Tomcat vulnerabilities but have either
+       been incorrectly reported against Tomcat or where Tomcat provides a
+       workaround are listed at the end of this page.</p>
+
     <p>Please send comments or corrections for these vulnerabilities to the
        <a href="mailto:security@tomcat.apache.org">Tomcat Security Team</a>.</p>
 
@@ -204,14 +208,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.24">
 <strong>Fixed in Apache Tomcat 6.0.24</strong>
 </a>
@@ -303,37 +307,20 @@
 
     <p>Affects: 6.0.0-6.0.20</p>
 
-   <p>
-<strong>Medium: SSL MITN</strong>
-      <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
-       CVE-2009-3555</a>
-</p>
-
-    <p>See Not a vulnerability in Tomcat below</p>
-
-    <p>This was worked-around in
-       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev">
-       revision 891292</a> and
-       <a href="http://svn.apache.org/viewvc?rev=881774&amp;view=rev">
-       revision 881774</a>.</p>
-
-    <p>Affects: 6.0.0-6.0.20</p>
-
-
   </blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.20">
 <strong>Fixed in Apache Tomcat 6.0.20</strong>
 </a>
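Review bot: removing this entry also drops the `Affects: 6.0.0-6.0.20` line and the link to revision 891292 from the 6.0.24 section, and the entry it defers to ("See Not a vulnerability in Tomcat below") does not carry an affected-version range in this patch. If the goal is consistency with the other non-Tomcat issues, carry the version range and both revision links over to the "Not a vulnerability in Tomcat" entry so a reader can still tell which release first contains the workaround.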
@@ -450,14 +437,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.18">
 <strong>Fixed in Apache Tomcat 6.0.18</strong>
 </a>
@@ -537,14 +524,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.16">
 <strong>Fixed in Apache Tomcat 6.0.16</strong>
 </a>
@@ -626,14 +613,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.14">
 <strong>Fixed in Apache Tomcat 6.0.14</strong>
 </a>
@@ -715,14 +702,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.11">
 <strong>Fixed in Apache Tomcat 6.0.11</strong>
 </a>
@@ -770,14 +757,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.10">
 <strong>Fixed in Apache Tomcat 6.0.10</strong>
 </a>
@@ -826,14 +813,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.9">
 <strong>Fixed in Apache Tomcat 6.0.9</strong>
 </a>
@@ -862,14 +849,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.6">
 <strong>Fixed in Apache Tomcat 6.0.6</strong>
 </a>
@@ -902,14 +889,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Not a vulnerability in Tomcat">
 <strong>Not a vulnerability in Tomcat</strong>
 </a>
@@ -922,7 +909,7 @@
 <blockquote>
   
     <p>
-<strong>TLS SSL Man In The Middle</strong>
+<strong>moderate: TLS SSL Man In The Middle</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
        CVE-2009-3555</a>
 </p>
@@ -953,6 +940,10 @@
        renegotiation may result in some clients being unable to access the
        application.</p>
 
+    <p>This was worked-around in
+       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev">
+       revision 881774</a>.</p>
+       
     <p>
 <strong>important: Directory traversal</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
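Review bot: the anchor text and href in the added paragraph disagree: the visible text reads `revision 881774` but the link is `viewvc?rev=891292`. Make them match (or list both revisions, as the removed 6.0.24 text did), and strip the trailing whitespace on the otherwise blank `+` line after `</p>`. The same paragraph is added to xdocs/security-6.xml in this commit, so the fix needs to land there as well.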
@@ -992,7 +983,7 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
@@ -1001,17 +992,17 @@
 <!--FOOTER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr size="1" noshade="" />
+<hr noshade="" size="1"/>
 </td>
 </tr>
 <!--PAGE FOOTER-->
 <tr>
 <td colspan="2">
 <div align="center">
-<font size="-1" color="#525D76">
+<font color="#525D76" size="-1">
 <em>
         Copyright © 1999-2010, The Apache Software Foundation
-        <br />
+        <br/>
         "Apache", the Apache feather, and the Apache Tomcat logo are
         trademarks of the Apache Software Foundation for our open source
         software.

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=908917&r1=908916&r2=908917&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Thu Feb 11 10:37:24 2010
@@ -17,6 +17,10 @@
        is known to affect, and where a flaw has not been verified list the
        version with a question mark.</p>
 
+    <p>Note: Vulnerabilities that are not Tomcat vulnerabilities but have either
+       been incorrectly reported against Tomcat or where Tomcat provides a
+       workaround are listed at the end of this page.</p>
+
     <p>Please send comments or corrections for these vulnerabilities to the
        <a href="mailto:security@tomcat.apache.org">Tomcat Security Team</a>.</p>
 
@@ -94,21 +98,6 @@
 
     <p>Affects: 6.0.0-6.0.20</p>
 
-   <p><strong>Medium: SSL MITN</strong>
-      <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
-       CVE-2009-3555</a></p>
-
-    <p>See Not a vulnerability in Tomcat below</p>
-
-    <p>This was worked-around in
-       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev">
-       revision 891292</a> and
-       <a href="http://svn.apache.org/viewvc?rev=881774&amp;view=rev">
-       revision 881774</a>.</p>
-
-    <p>Affects: 6.0.0-6.0.20</p>
-
-
   </section>
 
   <section name="Fixed in Apache Tomcat 6.0.20">
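Review bot: this removal leaves the page without the `Affects: 6.0.0-6.0.20` line and the revision 891292 link for CVE-2009-3555; the "Not a vulnerability in Tomcat" entry that replaces it carries neither. Add the affected-version range (and, if relevant, both revision links) to that entry so the information is not lost.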
@@ -472,7 +461,7 @@
 
   <section name="Not a vulnerability in Tomcat">
   
-    <p><strong>TLS SSL Man In The Middle</strong>
+    <p><strong>moderate: TLS SSL Man In The Middle</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
        CVE-2009-3555</a></p>
 
@@ -502,6 +491,10 @@
        renegotiation may result in some clients being unable to access the
        application.</p>
 
+    <p>This was worked-around in
+       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev">
+       revision 881774</a>.</p>
+       
     <p><strong>important: Directory traversal</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
        CVE-2008-2938</a></p>
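Review bot: link text says `revision 881774` while the href is `viewvc?rev=891292`; correct the href (or link both revisions) here in the xdocs source, and remove the trailing whitespace on the added blank `+` line before the next `<p>`.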



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r908917 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml

Posted by Mark Thomas <ma...@apache.org>.
On 11/02/2010 11:23, Konstantin Kolinko wrote:
> 2010/2/11  <ma...@apache.org>:
>> Author: markt
>> Date: Thu Feb 11 10:37:24 2010
>> New Revision: 908917
> 
> 1. rev.881774 is mentioned in the text, but the link points to rev.891292.

I was trying to avoid referencing the old fix that didn't work. I'll
take another look.

> 2. With this change now there is no information about what TC release
> includes the workaround. It requires some experience to derive that
> from revision numbers. Though everyone can look in the changelog.

<quote>The attribute will be available in Tomcat 6.0.21 onwards</quote>

It can't get much clearer than that.

Mark





Re: svn commit: r908917 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml

Posted by Konstantin Kolinko <kn...@gmail.com>.
2010/2/11  <ma...@apache.org>:
> Author: markt
> Date: Thu Feb 11 10:37:24 2010
> New Revision: 908917
>
> URL: http://svn.apache.org/viewvc?rev=908917&view=rev
> Log:
> Add a note on where to find the "not a vulnerability section"
> Add the missing severity and svn reference for CVE-2009-3555
> Remove the reference to CVE-2009-3555 from the fixed in 6.0.24 section to keep it consistent with the other non-Tomcat vulnerabilities
>
> Modified:
>    tomcat/site/trunk/docs/security-6.html
>    tomcat/site/trunk/xdocs/security-6.xml
>

> -   <p><strong>Medium: SSL MITN</strong>
> -      <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
> -       CVE-2009-3555</a></p>
> -
> -    <p>See Not a vulnerability in Tomcat below</p>
> -
> -    <p>This was worked-around in
> -       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev">
> -       revision 891292</a> and
> -       <a href="http://svn.apache.org/viewvc?rev=881774&amp;view=rev">
> -       revision 881774</a>.</p>
> -
> -    <p>Affects: 6.0.0-6.0.20</p>
> -
> -
>   </section>
>


> +    <p>This was worked-around in
> +       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev">
> +       revision 881774</a>.</p>
> +

1. rev.881774 is mentioned in the text, but the link points to rev.891292.

Actually the fix is a combination of both those revisions. (E.g. the
allowUnsafeLegacyRenegotiation field introduced in the first one is
still used in the second.)

2. With this change now there is no information about what TC release
includes the workaround. It requires some experience to derive that
from revision numbers. Though everyone can look in the changelog.

Best regards,
Konstantin Kolinko
