Posted to announce@apache.org by Mark Thomas <ma...@apache.org> on 2011/03/02 17:49:03 UTC

[SECURITY] Tomcat 7 ignores @ServletSecurity annotations

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As reported on the users list [1], both Tomcat 7.0.8 and the latest
Tomcat 7 code from svn appear to ignore @ServletSecurity annotations.
Assuming this issue is confirmed, it may lead to authentication bypass
and information disclosure.

The exact details are still being investigated but this e-mail is being
provided to give users early warning of this public issue.

If code changes are required to address this, they will be included in
the next release of Tomcat 7, 7.0.10. The release process for 7.0.10 is
expected to start once the investigation of this issue is complete.

Mark
on behalf of the Apache Tomcat security team


[1] http://markmail.org/message/yzmyn44f5aetmm2r
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNbnT/AAoJEBDAHFovYFnnfuMQAKwsYR44UklP4LH1n4m+pBby
OUDiW0nbxCDDyIbk7Q/K0yzd34YAu/1k4fHTnAiFJ3FPkpSMSmKDxsBvY8lgHkOx
gWWPx4RhJ+Iv2jqltyxITZFTpI6BIpU5Kl0oPH6q5RkO4GOw94HryYoLynID0u47
sfCgYqN6P4bCmXTofR+eRNTD7OGreNTmSVy96RyYOEV7vLs9Kffcj/QKyQFM0wj3
tlFSZ+YW+kQcolX28wNnWcWLlRyhsb6mCdcyYrYwjvnH0Y/PpNcdkdfqxQnH2X0a
R6YFzW+flNURWmTxyZZKqB6vEjrckZ4q+AjodienOEmef/iSX5nBkIrFYEffMSeP
SNAdfrtXJ3PSDCC1g15I21uU2hrYorPh22f8tLzK1MIDriplt0Fx1JSg4rBqUJnz
UPVambUySxZ3xpyRWY8Sr9DlY4jfKsZT1RJRunmBfLdJBaIORY45fyHyNxXnMp0S
p8mML0/aVDXxucpo12/DVtT7yLLVGUw55IA479qfkB8216Xog1DxeLA64MdFKTQo
vrtJfOWg8UqguVaBij4PYohE8XM52mm4Ogy2g8VbnEot8JgKp9p+RQo8pZTzVbAo
8A8SbVKL3yMg9nIL/iOzBqpkCHJn5EL8bALh2en844gZ88fG9GCWxD7navY/Vf7b
M9/R3+IwpRrosZWFHng1
=/RPi
-----END PGP SIGNATURE-----

--------------------------------------------------------------------- 
To unsubscribe, e-mail: announce-unsubscribe@apache.org 
For additional commands, e-mail: announce-help@apache.org 
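The advisory above says the container may be ignoring `@ServletSecurity` (for example `@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))` on a servlet class) and that the consequence is an authentication bypass. The practical check an operator wants is therefore not to read the annotations but to confirm, from outside, that each path declared protected is actually refused to an anonymous client. The script below is an added example and is not code from this thread or from the Tomcat project; the base URL, the list of protected paths and the interpretation of status codes are assumptions for illustration and should be replaced with your own.

```python
"""Check that a servlet container actually enforces declared security constraints.

Added example, not from the thread or the Tomcat project. It sends one
unauthenticated GET to every path that is supposed to be protected and
reports any path the server served (2xx) instead of refusing (401/403).
A deployment whose constraints are silently ignored shows up as "served".
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Constructed list of paths that are declared protected in this hypothetical
# application (by @ServletSecurity on the servlet or by a web.xml
# <security-constraint>). Replace with the paths of your own deployment.
PROTECTED_PATHS = ["/admin/", "/admin/users", "/reports/export"]


def classify(status: int) -> str:
    """Map an HTTP status from an anonymous request to an enforcement verdict."""
    if status in (401, 403):
        return "refused"        # BASIC/DIGEST challenge or outright denial
    if 200 <= status < 300:
        return "served"         # the constraint was not applied
    # 302 (possibly a FORM-login redirect), 404, 5xx: cannot tell from the
    # status alone; look at these by hand rather than call them safe.
    return "inconclusive"


def fetch_status(url: str) -> int:
    """Return the status of an anonymous GET without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None         # make urllib surface 3xx as an HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url: str, paths: List[str],
          fetch: Callable[[str], int] = fetch_status) -> Dict[str, str]:
    """Return {path: verdict} for every declared-protected path.

    `fetch` is injectable so the logic can be exercised without a live server.
    """
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in paths}


def served_paths(verdicts: Dict[str, str]) -> List[str]:
    """Paths that an anonymous client was able to retrieve: these are the findings."""
    return [path for path, verdict in verdicts.items() if verdict == "served"]


def main(argv: List[str]) -> int:
    base = argv[1] if len(argv) > 1 else "http://localhost:8080"   # assumed default
    verdicts = audit(base, PROTECTED_PATHS)
    for path, verdict in verdicts.items():
        print(f"{verdict:12} {path}")
    findings = served_paths(verdicts)
    if findings:
        print(f"NOT ENFORCED: {len(findings)} protected path(s) served anonymously")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a test instance (`python check_constraints.py http://localhost:8080`) before and after upgrading; any path reported as `served` means the constraint is not being applied, whatever the annotation on the servlet says. A constraint that is only declared by annotation can be duplicated as a web.xml `<security-constraint>` while the container is being fixed; that is a general Servlet option, not a step the thread itself recommends.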



Re: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

On 3/4/2011 10:21 AM, Mark Thomas wrote:
> On 03/03/2011 09:05, Mark Thomas wrote:
>> Based on what I have seen so far it looks to be a valid issue. I have a
>> very rough patch that addresses the bulk of the problem but there is
>> some unexpected behaviour still to be resolved. Today's task is writing
>> some unit tests, getting my head around exactly what needs to be done
>> and refining the patch.
>>
>> I'd like to make a statement regarding time-scales but the last time I hit
>> what on the surface looked like a simple bug it took a month of
>> refactoring to fix it. I don't think this is going to take anywhere near
>> that long but until the full extent of the required changes is
>> understood, it would be foolish to speculate about time-scales.
> 
> I believe this is now fixed. I'm running the unit tests now followed by
> the Servlet TCK. Assuming everything passes, I'll start the 7.0.10
> release process later today.

Given that previous releases have passed the TCK, does that mean that
the TCK lacks testing of this particular feature of Servlet 3.0?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1xS0EACgkQ9CaO5/Lv0PAkqACfbP0zgqvgm2zmsApVzO8hUXTJ
RUYAn00svPJiX0hRoO6bDgxU1x8vlcjY
=DhBR
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations

Posted by Mark Thomas <ma...@apache.org>.
On 03/03/2011 09:05, Mark Thomas wrote:
> Based on what I have seen so far it looks to be a valid issue. I have a
> very rough patch that addresses the bulk of the problem but there is
> some unexpected behaviour still to be resolved. Today's task is writing
> some unit tests, getting my head around exactly what needs to be done
> and refining the patch.
> 
> I'd like to make a statement regarding time-scales but the last time I hit
> what on the surface looked like a simple bug it took a month of
> refactoring to fix it. I don't think this is going to take anywhere near
> that long but until the full extent of the required changes is
> understood, it would be foolish to speculate about time-scales.

I believe this is now fixed. I'm running the unit tests now followed by
the Servlet TCK. Assuming everything passes, I'll start the 7.0.10
release process later today.

Mark



Re: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations

Posted by Mark Thomas <ma...@apache.org>.
On 03/03/2011 05:54, Caldarale, Charles R wrote:
>> From: Michael McCutcheon [mailto:michael.mccutcheon@att.net] 
>> Subject: Re: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations
> 
>> On 3/2/2011 8:49 AM, Mark Thomas wrote:
>>> If code changes are required to address this, they will be included in
>>> the next release of Tomcat 7, 7.0.10. The release process for 7.0.10 is
>>> expected to start once the investigation of this issue is complete.
> 
>> Hello, I was just wondering if there was any update on this issue.
> 
> Bit impatient, aren't we?  Give Mark a chance to sleep a couple hours a day.

:)

Based on what I have seen so far it looks to be a valid issue. I have a
very rough patch that addresses the bulk of the problem but there is
some unexpected behaviour still to be resolved. Today's task is writing
some unit tests, getting my head around exactly what needs to be done
and refining the patch.

I'd like to make a statement regarding time-scales but the last time I hit
what on the surface looked like a simple bug it took a month of
refactoring to fix it. I don't think this is going to take anywhere near
that long but until the full extent of the required changes is
understood, it would be foolish to speculate about time-scales.

Mark



RE: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Michael McCutcheon [mailto:michael.mccutcheon@att.net] 
> Subject: Re: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations

> On 3/2/2011 8:49 AM, Mark Thomas wrote:
> > If code changes are required to address this, they will be included in
> > the next release of Tomcat 7, 7.0.10. The release process for 7.0.10 is
> > expected to start once the investigation of this issue is complete.

> Hello, I was just wondering if there was any update on this issue.

Bit impatient, aren't we?  Give Mark a chance to sleep a couple hours a day.

 - Chuck






Re: [SECURITY] Tomcat 7 ignores @ServletSecurity annotations

Posted by Michael McCutcheon <mi...@att.net>.
On 3/2/2011 8:49 AM, Mark Thomas wrote:
> As reported on the users list [1], both Tomcat 7.0.8 and the latest
> Tomcat 7 code from svn appear to ignore @ServletSecurity annotations.
> Assuming this issue is confirmed, it may lead to authentication bypass
> and information disclosure.
>
> The exact details are still being investigated but this e-mail is being
> provided to give users early warning of this public issue.
>
> If code changes are required to address this, they will be included in
> the next release of Tomcat 7, 7.0.10. The release process for 7.0.10 is
> expected to start once the investigation of this issue is complete.
>
> Mark
> on behalf of the Apache Tomcat security team

Hello, I was just wondering if there was any update on this issue.

-Mike

