Posted to dev@tomcat.apache.org by jf...@apache.org on 2010/02/10 09:18:31 UTC
svn commit: r908383 - in /tomcat/site/trunk: docs/security-6.html
xdocs/security-6.xml
Author: jfclere
Date: Wed Feb 10 08:18:31 2010
New Revision: 908383
URL: http://svn.apache.org/viewvc?rev=908383&view=rev
Log:
Add information about CVE-2009-3555.
Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/xdocs/security-6.xml
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=908383&r1=908382&r2=908383&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Feb 10 08:18:31 2010
@@ -3,18 +3,18 @@
<html>
<head>
<title>Apache Tomcat - Apache Tomcat 6.x vulnerabilities</title>
-<meta name="author" content="Apache Tomcat Project"/>
-<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
-<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/>
+<meta content="Apache Tomcat Project" name="author" />
+<link rel="stylesheet" href="stylesheets/tomcat.css" type="text/css" />
+<link media="print" rel="stylesheet" href="stylesheets/tomcat-printer.css" type="text/css" />
</head>
-<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
-<table border="0" width="100%" cellspacing="0">
+<body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff">
+<table cellspacing="0" width="100%" border="0">
<!--PAGE HEADER-->
<tr>
<td>
<!--PROJECT LOGO-->
<a href="http://tomcat.apache.org/">
-<img src="./images/tomcat10.jpg" align="left" alt="Tomcat Logo" border="0"/>
+<img border="0" alt="Tomcat Logo" align="left" src="./images/tomcat10.jpg" />
</a>
</td>
<td>
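Review bot: Every changed line in this hunk (the `<meta>`, `<link>`, `<body>`, `<table>` and `<img>` tags) only reorders attributes and adds a space before `/>`, which suggests docs/security-6.html was regenerated with a different serializer than the previous revision. The same churn repeats through most of this file and buries the one substantive addition for CVE-2009-3555. Regenerate with the same toolchain as before, or commit the serializer change separately so the security entry can be reviewed on its own.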
@@ -25,28 +25,28 @@
<td>
<!--APACHE LOGO-->
<a href="http://www.apache.org/">
-<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/>
+<img border="0" alt="Apache Logo" align="right" src="http://www.apache.org/images/asf-logo.gif" />
</a>
</td>
</tr>
</table>
<div class="searchbox noPrint">
-<form action="http://www.google.com/search" method="get">
-<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
-<input value="Search the Site" size="25" name="q" id="query" type="text"/>
-<input name="Search" value="Search Site" type="submit"/>
+<form method="get" action="http://www.google.com/search">
+<input type="hidden" name="sitesearch" value="tomcat.apache.org" />
+<input type="text" id="query" name="q" size="25" value="Search the Site" />
+<input type="submit" value="Search Site" name="Search" />
</form>
</div>
-<table border="0" width="100%" cellspacing="4">
+<table cellspacing="4" width="100%" border="0">
<!--HEADER SEPARATOR-->
<tr>
<td colspan="2">
-<hr noshade="" size="1"/>
+<hr size="1" noshade="" />
</td>
</tr>
<tr>
<!--LEFT SIDE NAVIGATION-->
-<td width="20%" valign="top" nowrap="true" class="noPrint">
+<td class="noPrint" nowrap="true" valign="top" width="20%">
<p>
<strong>Apache Tomcat</strong>
</p>
@@ -172,11 +172,11 @@
</ul>
</td>
<!--RIGHT SIDE MAIN BODY-->
-<td width="80%" valign="top" align="left" id="mainBody">
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<td id="mainBody" align="left" valign="top" width="80%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Apache Tomcat 6.x vulnerabilities">
<strong>Apache Tomcat 6.x vulnerabilities</strong>
</a>
@@ -204,14 +204,14 @@
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Fixed in Apache Tomcat 6.0.24">
<strong>Fixed in Apache Tomcat 6.0.24</strong>
</a>
@@ -303,20 +303,43 @@
<p>Affects: 6.0.0-6.0.20</p>
+ <p>
+<strong>Medium: SSL MITN</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+ CVE-2009-3555</a>
+</p>
+
+ <p>The TLS protocol, and the SSL protocol 3.0 and possibly earlier does not
+ properly associate renegotiation handshakes with an existing connection,
+ which allows man-in-the-middle attackers to insert data into HTTPS
+ sessions, and possibly other types of sessions protected by TLS or SSL,
+ by sending an unauthenticated request that is processed retroactively by
+ a server in a post-renegotiation context, related to a "plaintext
+ injection" attack, aka the "Project Mogul" issue.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=891292&view=rev">
+ revision 891292</a> and
+ <a href="http://svn.apache.org/viewvc?rev=881774&view=rev">
+ revision 881774</a>.</p>
+
+ <p>Affects: 6.0.0-6.0.20</p>
+
+
</blockquote>
</p>
</td>
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Fixed in Apache Tomcat 6.0.20">
<strong>Fixed in Apache Tomcat 6.0.20</strong>
</a>
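Review bot: The added heading `<strong>Medium: SSL MITN</strong>` looks like a typo for "MITM", since the paragraph under it describes man-in-the-middle attackers. This file mirrors xdocs/security-6.xml, so correct it there and regenerate the page. The `<br/>` to `<br />` and attribute-order changes further down this hunk are unrelated formatting churn.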
@@ -433,14 +456,14 @@
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Fixed in Apache Tomcat 6.0.18">
<strong>Fixed in Apache Tomcat 6.0.18</strong>
</a>
@@ -520,14 +543,14 @@
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Fixed in Apache Tomcat 6.0.16">
<strong>Fixed in Apache Tomcat 6.0.16</strong>
</a>
@@ -609,14 +632,14 @@
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Fixed in Apache Tomcat 6.0.14">
<strong>Fixed in Apache Tomcat 6.0.14</strong>
</a>
@@ -698,14 +721,14 @@
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Fixed in Apache Tomcat 6.0.11">
<strong>Fixed in Apache Tomcat 6.0.11</strong>
</a>
@@ -753,14 +776,14 @@
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Fixed in Apache Tomcat 6.0.10">
<strong>Fixed in Apache Tomcat 6.0.10</strong>
</a>
@@ -809,14 +832,14 @@
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Fixed in Apache Tomcat 6.0.9">
<strong>Fixed in Apache Tomcat 6.0.9</strong>
</a>
@@ -845,14 +868,14 @@
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Fixed in Apache Tomcat 6.0.6">
<strong>Fixed in Apache Tomcat 6.0.6</strong>
</a>
@@ -885,14 +908,14 @@
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<table width="100%" cellpadding="2" cellspacing="0" border="0">
<tr>
<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
+<font face="arial,helvetica,sanserif" color="#ffffff">
<a name="Not a vulnerability in Tomcat">
<strong>Not a vulnerability in Tomcat</strong>
</a>
@@ -975,7 +998,7 @@
</tr>
<tr>
<td>
-<br/>
+<br />
</td>
</tr>
</table>
@@ -984,17 +1007,17 @@
<!--FOOTER SEPARATOR-->
<tr>
<td colspan="2">
-<hr noshade="" size="1"/>
+<hr size="1" noshade="" />
</td>
</tr>
<!--PAGE FOOTER-->
<tr>
<td colspan="2">
<div align="center">
-<font color="#525D76" size="-1">
+<font size="-1" color="#525D76">
<em>
Copyright © 1999-2010, The Apache Software Foundation
- <br/>
+ <br />
"Apache", the Apache feather, and the Apache Tomcat logo are
trademarks of the Apache Software Foundation for our open source
software.
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=908383&r1=908382&r2=908383&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Feb 10 08:18:31 2010
@@ -94,6 +94,27 @@
<p>Affects: 6.0.0-6.0.20</p>
+ <p><strong>Medium: SSL MITN</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
+ CVE-2009-3555</a></p>
+
+ <p>The TLS protocol, and the SSL protocol 3.0 and possibly earlier does not
+ properly associate renegotiation handshakes with an existing connection,
+ which allows man-in-the-middle attackers to insert data into HTTPS
+ sessions, and possibly other types of sessions protected by TLS or SSL,
+ by sending an unauthenticated request that is processed retroactively by
+ a server in a post-renegotiation context, related to a "plaintext
+ injection" attack, aka the "Project Mogul" issue.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=891292&view=rev">
+ revision 891292</a> and
+ <a href="http://svn.apache.org/viewvc?rev=881774&view=rev">
+ revision 881774</a>.</p>
+
+ <p>Affects: 6.0.0-6.0.20</p>
+
+
</section>
<section name="Fixed in Apache Tomcat 6.0.20">
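Review bot: The added description covers only the protocol flaw and never says what revisions 891292 and 881774 change in Tomcat, so a reader cannot tell from this entry whether upgrading is enough or a connector setting is also involved; add a sentence on the behaviour after the fix. "The TLS protocol, and the SSL protocol 3.0 and possibly earlier does not" should read "do not". If the file holds a bare `&` in `?rev=891292&view=rev` and `?rev=881774&view=rev` as shown, escape it as `&amp;` so the XML stays well-formed.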