Posted to dev@tomcat.apache.org by kk...@apache.org on 2011/09/22 22:52:33 UTC
svn commit: r1174384 - in /tomcat/site/trunk: docs/security-6.html
xdocs/security-6.xml
Author: kkolinko
Date: Thu Sep 22 20:52:33 2011
New Revision: 1174384
URL: http://svn.apache.org/viewvc?rev=1174384&view=rev
Log:
Simplify the markup
Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/xdocs/security-6.xml
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1174384&r1=1174383&r2=1174384&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Thu Sep 22 20:52:33 2011
@@ -357,9 +357,7 @@
</ul>
</p>
- <p>This was fixed in revision
- <a href="http://svn.apache.org/viewvc?rev=1162959&view=rev">
- 1162959</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1162959">revision 1162959</a>.</p>
<p>This was reported publicly on 20th August 2011.</p>
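Review bot: The rewritten href in this hunk still carries a bare `&` in the attribute value (`?view=rev&rev=1162959`); in HTML that should be `&amp;`. The removed lines had the same bare `&`, so this is not a regression, but since the link generation is being reworked anyway it would be a good moment to have the stylesheet emit `&amp;` so the generated pages validate.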
@@ -433,9 +431,7 @@
do not have these permissions but are able to read log files may be able
to discover a user's password.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1140071&view=rev">
- revision 1140071</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1140071">revision 1140071</a>.</p>
<p>This was identified by Polina Genova on 14 June 2011 and
made public on 27 June 2011.</p>
@@ -470,9 +466,7 @@
</ul>
</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1146703&view=rev">
- revision 1146703</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1146703">revision 1146703</a>.</p>
<p>This was identified by the Tomcat security team on 7 July 2011 and
made public on 13 July 2011.</p>
@@ -498,9 +492,7 @@
this vulnerability.
</p>
- <p>This was fixed in revision
- <a href="http://svn.apache.org/viewvc?rev=1153824&view=rev">
- 1153824</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1153824">revision 1153824</a>.</p>
<p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
on 12 August 2011.</p>
@@ -557,9 +549,7 @@
processing. That behaviour can be used for a denial of service attack
using a carefully crafted request.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1066313&view=rev">
- revision 1066313</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1066313">revision 1066313</a>.</p>
<p>This was identified by the Tomcat security team on 27 Jan 2011 and
made public on 5 Feb 2011.</p>
@@ -609,9 +599,7 @@
trigger script execution by an administrative user when viewing the
manager pages.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1057270&view=rev">
- revision 1057270</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1057270">revision 1057270</a>.</p>
<p>This was identified by the Tomcat security team on 12 Nov 2010 and
made public on 5 Feb 2011.</p>
@@ -627,9 +615,7 @@
orderBy directly without filtering thereby permitting cross-site
scripting.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1037779&view=rev">
- revision 1037779</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1037779">revision 1037779</a>.</p>
<p>This was first reported to the Tomcat security team on 15 Nov 2010 and
made public on 22 Nov 2010.</p>
@@ -655,9 +641,7 @@
applicable when hosting web applications from untrusted sources such as
shared hosting environments.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1022560&view=rev">
- revision 1022560</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1022560">revision 1022560</a>.</p>
<p>This was discovered by the Tomcat security team on 12 Oct 2010 and
made public on 5 Feb 2011.</p>
@@ -709,11 +693,9 @@
information to leak between requests. This flaw is mitigated if Tomcat is
behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
reject the invalid transfer encoding header.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=958977&view=rev">
- revision 958977</a>.</p>
-
+
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=958977">revision 958977</a>.</p>
+
<p>This was first reported to the Tomcat security team on 14 Jun 2010 and
made public on 9 Jul 2010.</p>
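Review bot: The blank lines before and after the "This was fixed in" paragraph are removed and re-added with no visible difference, which suggests a trailing-whitespace change rather than a content change. Harmless, but trimming trailing whitespace in the generated output would keep future diffs of the HTML limited to real changes.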
@@ -742,9 +724,7 @@
the local host name or IP address of the machine running Tomcat.
</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=936540&view=rev">
- revision 936540</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=936540">revision 936540</a>.</p>
<p>This was first reported to the Tomcat security team on 31 Dec 2009 and
made public on 21 Apr 2010.</p>
@@ -801,9 +781,7 @@
outside of the web root by including entries such as
<code>../../bin/catalina.sh</code> in the WAR.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
- revision 892815</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=892815">revision 892815</a>.</p>
<p>This was first reported to the Tomcat security team on 30 Jul 2009 and
made public on 1 Mar 2010.</p>
@@ -823,11 +801,9 @@
security constraints may be deployed without those security constraints,
making them accessible without authentication. This issue only affects
Windows platforms.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
- revision 892815</a>.</p>
-
+
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=892815">revision 892815</a>.</p>
+
<p>This was first reported to the Tomcat security team on 30 Jul 2009 and
made public on 1 Mar 2010.</p>
@@ -843,11 +819,9 @@
<code>...war</code> allows an attacker to cause the deletion of the
current contents of the host's work directory which may cause problems
for currently running applications.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
- revision 892815</a>.</p>
-
+
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=892815">revision 892815</a>.</p>
+
<p>This was first reported to the Tomcat security team on 30 Jul 2009 and
made public on 1 Mar 2010.</p>
@@ -863,9 +837,7 @@
a user is created with the name admin, roles admin and manager and a
blank password.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=881771&view=rev">
- revision 881771</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=881771">revision 881771</a>.</p>
<p>This was first reported to the Tomcat security team on 26 Oct 2009 and
made public on 9 Nov 2009.</p>
@@ -922,9 +894,7 @@
content that would otherwise be protected by a security constraint or by
locating it in under the WEB-INF directory.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=734734&view=rev">
- revision 734734</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=734734">revision 734734</a>.</p>
<p>This was first reported to the Tomcat security team on 11 Dec 2008 and
made public on 8 Jun 2009.</p>
@@ -943,9 +913,7 @@
from use for approximately one minute. Thus the behaviour can be used for
a denial of service attack using a carefully crafted request.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=742915&view=rev">
- revision 742915</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=742915">revision 742915</a>.</p>
<p>This was first reported to the Tomcat security team on 26 Jan 2009 and
made public on 3 Jun 2009.</p>
@@ -962,9 +930,7 @@
supplying illegally URL encoded passwords. The attack is possible if FORM
based authentication (j_security_check) is used with the MemoryRealm.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=747840&view=rev">
- revision 747840</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=747840">revision 747840</a>.</p>
<p>This was first reported to the Tomcat security team on 25 Feb 2009 and
made public on 3 Jun 2009.</p>
@@ -980,9 +946,7 @@
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=750924&view=rev">
- revision 750924</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=750924">revision 750924</a>.</p>
<p>This was first reported to the Tomcat security team on 5 Mar 2009 and
made public on 3 Jun 2009.</p>
@@ -994,20 +958,15 @@
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>
</p>
- <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
- 29936</a> and
- <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">
- 45933</a> allowed a web application to replace the XML parser used by
+ <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">29936</a> and <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">45933</a> allowed a web application
+ to replace the XML parser used by
Tomcat to process web.xml, context.xml and tld files. In limited
circumstances these bugs may allow a rogue web application to view and/or
alter the web.xml, context.xml and tld files of other web applications
deployed on the Tomcat instance.</p>
- <p>This was fixed in revisions
- <a href="http://svn.apache.org/viewvc?rev=652592&view=rev">
- 652592</a> and
- <a href="http://svn.apache.org/viewvc?rev=739522&view=rev">
- 739522</a>.</p>
+ <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=652592">652592</a> and
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=739522">739522</a>.</p>
<p>This was first reported to the Tomcat security team on 2 Mar 2009 and
made public on 4 Jun 2009.</p>
@@ -1066,9 +1025,7 @@
XSS attack, unfiltered user supplied data must be included in the message
argument.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=673834&view=rev">
- revision 673834</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=673834">revision 673834</a>.</p>
<p>This was first reported to the Tomcat security team on 24 Jan 2008 and
made public on 1 Aug 2008.</p>
@@ -1085,9 +1042,7 @@
out (closing the browser) of the application once the management tasks
have been completed.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=662585&view=rev">
- revision 662585</a>.</p>
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=662585">revision 662585</a>.</p>
<p>This was first reported to the Tomcat security team on 15 May 2008 and
made public on 28 May 2008.</p>
@@ -1104,10 +1059,8 @@
request parameter could be used to access content that would otherwise be
protected by a security constraint or by locating it in under the WEB-INF
directory.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=673839&view=rev">
- revision 673839</a>.</p>
+
+ <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=673839">revision 673839</a>.</p>
<p>This was first reported to the Tomcat security team on 13 Jun 2008 and
made public on 1 August 2008.</p>
@@ -1151,9 +1104,8 @@
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333" rel="nofollow">CVE-2007-5333</a>
</p>
- <p>The previous fix for
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a> was incomplete. It did not consider the use of quotes
- or %5C within a cookie value.</p>
+ <p>The previous fix for <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a> was incomplete. It did
+ not consider the use of quotes or %5C within a cookie value.</p>
<p>Affects: 6.0.0-6.0.14</p>
@@ -1552,8 +1504,7 @@
</p>
<p>A work-around for this JVM bug was provided in
- <a href="http://svn.apache.org/viewvc?rev=1066315&view=rev">
- revision 1066315</a>.</p>
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=1066315">revision 1066315</a>.</p>
<p>This was first reported to the Tomcat security team on 01 Feb 2011 and
made public on 31 Jan 2011.</p>
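Review bot: The trailing context of this hunk reads "first reported to the Tomcat security team on 01 Feb 2011 and made public on 31 Jan 2011", which has the issue made public the day before it was reported. This is outside the changed lines, but one of the two dates is likely a typo and is worth checking against the original advisory while this paragraph is being touched.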
@@ -1591,10 +1542,9 @@
application.</p>
<p>A workaround was implemented in
- <a href="http://svn.apache.org/viewvc?rev=881774&view=rev">
- revision 881774</a> and
- <a href="http://svn.apache.org/viewvc?rev=891292&view=rev">
- revision 891292</a> that provided the new allowUnsafeLegacyRenegotiation
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=881774">revision 881774</a> and
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=891292">revision 891292</a>
+ that provided the new <code>allowUnsafeLegacyRenegotiation</code>
attribute. This work around is included in Tomcat 6.0.21 onwards.</p>
<p>
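Review bot: The paragraph now mixes "A workaround was implemented" with "This work around is included" in the same hunk (and the same pair appears in the following hunk for revision 678137); since both paragraphs are being rewrapped, unifying the spelling to "workaround" would cost nothing. Wrapping the attribute name in `<code>allowUnsafeLegacyRenegotiation</code>` is a good change.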
@@ -1624,8 +1574,8 @@
status of this issue for your JVM, contact your JVM vendor.</p>
<p>A workaround was implemented in
- <a href="http://svn.apache.org/viewvc?rev=678137&view=rev">
- revision 678137</a> that protects against this and any similar character
+ <a href="http://svn.apache.org/viewvc?view=rev&rev=678137">revision 678137</a>
+ that protects against this and any similar character
encoding issues that may still exist in the JVM. This work around is
included in Tomcat 6.0.18 onwards.</p>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1174384&r1=1174383&r2=1174384&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Thu Sep 22 20:52:33 2011
@@ -35,8 +35,7 @@
<p><strong>Important: Authentication bypass and information disclosure
</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190"
- rel="nofollow">CVE-2011-3190</a></p>
+ <cve>CVE-2011-3190</cve></p>
<p>Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
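Review bot: The new `<cve>` element (and the `<revlink>` and `<bug>` elements used later in this file) depends on matching templates in the site stylesheet, but the "Modified:" list for this commit contains only security-6.html and security-6.xml. The regenerated HTML above still renders these as `<a ... rel="nofollow">` links, so the templates evidently already exist; the commit message could say so, since a reader of this diff cannot otherwise tell that the markup will render.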
@@ -56,9 +55,7 @@
</ul>
</p>
- <p>This was fixed in revision
- <a href="http://svn.apache.org/viewvc?rev=1162959&view=rev">
- 1162959</a>.</p>
+ <p>This was fixed in <revlink rev="1162959">revision 1162959</revlink>.</p>
<p>This was reported publicly on 20th August 2011.</p>
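Review bot: `<revlink rev="1162959">revision 1162959</revlink>` repeats the revision number in both the attribute and the element text, and elsewhere in this file the text is written as "revision N" in some entries and as a bare "N" in others. If the template generated the link text from the `rev` attribute, the two could not drift apart and the wording would be uniform across entries; the element body could then be left empty.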
@@ -91,8 +88,7 @@
<section name="Fixed in Apache Tomcat 6.0.33">
<p><strong>Low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204"
- rel="nofollow">CVE-2011-2204</a></p>
+ <cve>CVE-2011-2204</cve></p>
<p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
creating users via JMX, an exception during the user creation process may
@@ -103,9 +99,7 @@
do not have these permissions but are able to read log files may be able
to discover a user's password.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1140071&view=rev">
- revision 1140071</a>.</p>
+ <p>This was fixed in <revlink rev="1140071">revision 1140071</revlink>.</p>
<p>This was identified by Polina Genova on 14 June 2011 and
made public on 27 June 2011.</p>
@@ -113,8 +107,7 @@
<p>Affects: 6.0.0-6.0.32</p>
<p><strong>Low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526"
- rel="nofollow">CVE-2011-2526</a></p>
+ <cve>CVE-2011-2526</cve></p>
<p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
connectors. sendfile is used automatically for content served via the
@@ -139,9 +132,7 @@
</ul>
</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1146703&view=rev">
- revision 1146703</a>.</p>
+ <p>This was fixed in <revlink rev="1146703">revision 1146703</revlink>.</p>
<p>This was identified by the Tomcat security team on 7 July 2011 and
made public on 13 July 2011.</p>
@@ -149,8 +140,7 @@
<p>Affects: 6.0.0-6.0.32</p>
<p><strong>Important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729"
- rel="nofollow">CVE-2011-2729</a></p>
+ <cve>CVE-2011-2729</cve></p>
<p>Due to a bug in the capabilities code, jsvc (the service wrapper for
Linux that is part of the Commons Daemon project) does not drop
@@ -166,9 +156,7 @@
this vulnerability.
</p>
- <p>This was fixed in revision
- <a href="http://svn.apache.org/viewvc?rev=1153824&view=rev">
- 1153824</a>.</p>
+ <p>This was fixed in <revlink rev="1153824">revision 1153824</revlink>.</p>
<p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
on 12 August 2011.</p>
@@ -186,16 +174,13 @@
affected versions.</i></p>
<p><strong>Important: Remote Denial Of Service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0534"
- rel="nofollow">CVE-2011-0534</a></p>
+ <cve>CVE-2011-0534</cve></p>
<p>The NIO connector expands its buffer endlessly during request line
processing. That behaviour can be used for a denial of service attack
using a carefully crafted request.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1066313&view=rev">
- revision 1066313</a>.</p>
+ <p>This was fixed in <revlink rev="1066313">revision 1066313</revlink>.</p>
<p>This was identified by the Tomcat security team on 27 Jan 2011 and
made public on 5 Feb 2011.</p>
@@ -207,17 +192,14 @@
<section name="Fixed in Apache Tomcat 6.0.30" rtext="released 13 Jan 2011">
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013"
- rel="nofollow">CVE-2011-0013</a></p>
+ <cve>CVE-2011-0013</cve></p>
<p>The HTML Manager interface displayed web application provided data, such
as display names, without filtering. A malicious web application could
trigger script execution by an administrative user when viewing the
manager pages.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1057270&view=rev">
- revision 1057270</a>.</p>
+ <p>This was fixed in <revlink rev="1057270">revision 1057270</revlink>.</p>
<p>This was identified by the Tomcat security team on 12 Nov 2010 and
made public on 5 Feb 2011.</p>
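Review bot: The severity label in this hunk's context line is "low: Cross-site scripting" while the entries earlier in the file use "Low:" and "Important:" with a capital; the same mix ("moderate:", "important:") recurs in later hunks. Not part of this change, but a consistent casing for the severity prefix would make the page easier to scan and to grep.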
@@ -225,16 +207,13 @@
<p>Affects: 6.0.0-6.0.29</p>
<p><strong>moderate: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172"
- rel="nofollow">CVE-2010-4172</a></p>
+ <cve>CVE-2010-4172</cve></p>
<p>The Manager application used the user provided parameters sort and
orderBy directly without filtering thereby permitting cross-site
scripting.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1037779&view=rev">
- revision 1037779</a>.</p>
+ <p>This was fixed in <revlink rev="1037779">revision 1037779</revlink>.</p>
<p>This was first reported to the Tomcat security team on 15 Nov 2010 and
made public on 22 Nov 2010.</p>
@@ -242,8 +221,7 @@
<p>Affects: 6.0.12-6.0.29</p>
<p><strong>low: SecurityManager file permission bypass</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718"
- rel="nofollow">CVE-2010-3718</a></p>
+ <cve>CVE-2010-3718</cve></p>
<p>When running under a SecurityManager, access to the file system is
limited but web applications are granted read/write permissions to the
@@ -259,9 +237,7 @@
applicable when hosting web applications from untrusted sources such as
shared hosting environments.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=1022560&view=rev">
- revision 1022560</a>.</p>
+ <p>This was fixed in <revlink rev="1022560">revision 1022560</revlink>.</p>
<p>This was discovered by the Tomcat security team on 12 Oct 2010 and
made public on 5 Feb 2011.</p>
@@ -274,8 +250,7 @@
<p><strong>Important: Remote Denial Of Service and Information Disclosure
Vulnerability</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227"
- rel="nofollow">CVE-2010-2227</a></p>
+ <cve>CVE-2010-2227</cve></p>
<p>Several flaws in the handling of the 'Transfer-Encoding' header were
found that prevented the recycling of a buffer. A remote attacker could
@@ -283,11 +258,9 @@
information to leak between requests. This flaw is mitigated if Tomcat is
behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
reject the invalid transfer encoding header.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=958977&view=rev">
- revision 958977</a>.</p>
-
+
+ <p>This was fixed in <revlink rev="958977">revision 958977</revlink>.</p>
+
<p>This was first reported to the Tomcat security team on 14 Jun 2010 and
made public on 9 Jul 2010.</p>
@@ -300,8 +273,7 @@
affected versions.</i></p>
<p><strong>Low: Information disclosure in authentication headers</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157"
- rel="nofollow">CVE-2010-1157</a></p>
+ <cve>CVE-2010-1157</cve></p>
<p>The <code>WWW-Authenticate</code> HTTP header for BASIC and DIGEST
authentication includes a realm name. If a
@@ -313,9 +285,7 @@
the local host name or IP address of the machine running Tomcat.
</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=936540&view=rev">
- revision 936540</a>.</p>
+ <p>This was fixed in <revlink rev="936540">revision 936540</revlink>.</p>
<p>This was first reported to the Tomcat security team on 31 Dec 2009 and
made public on 21 Apr 2010.</p>
@@ -332,17 +302,14 @@
are not included in the list of affected versions.</i></p>
<p><strong>Low: Arbitrary file deletion and/or alteration on deploy</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693"
- rel="nofollow">CVE-2009-2693</a></p>
+ <cve>CVE-2009-2693</cve></p>
<p>When deploying WAR files, the WAR files were not checked for directory
traversal attempts. This allows an attacker to create arbitrary content
outside of the web root by including entries such as
<code>../../bin/catalina.sh</code> in the WAR.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
- revision 892815</a>.</p>
+ <p>This was fixed in <revlink rev="892815">revision 892815</revlink>.</p>
<p>This was first reported to the Tomcat security team on 30 Jul 2009 and
made public on 1 Mar 2010.</p>
@@ -350,8 +317,7 @@
<p>Affects: 6.0.0-6.0.20</p>
<p><strong>Low: Insecure partial deploy after failed undeploy</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901"
- rel="nofollow">CVE-2009-2901</a></p>
+ <cve>CVE-2009-2901</cve></p>
<p>By default, Tomcat automatically deploys any directories placed in a
host's appBase. This behaviour is controlled by the autoDeploy attribute
@@ -361,47 +327,39 @@
security constraints may be deployed without those security constraints,
making them accessible without authentication. This issue only affects
Windows platforms.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
- revision 892815</a>.</p>
-
+
+ <p>This was fixed in <revlink rev="892815">revision 892815</revlink>.</p>
+
<p>This was first reported to the Tomcat security team on 30 Jul 2009 and
made public on 1 Mar 2010.</p>
<p>Affects: 6.0.0-6.0.20 (Windows only)</p>
<p><strong>Low: Unexpected file deletion in work directory</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902"
- rel="nofollow">CVE-2009-2902</a></p>
+ <cve>CVE-2009-2902</cve></p>
<p>When deploying WAR files, the WAR file names were not checked for
directory traversal attempts. For example, deploying and undeploying
<code>...war</code> allows an attacker to cause the deletion of the
current contents of the host's work directory which may cause problems
for currently running applications.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
- revision 892815</a>.</p>
-
+
+ <p>This was fixed in <revlink rev="892815">revision 892815</revlink>.</p>
+
<p>This was first reported to the Tomcat security team on 30 Jul 2009 and
made public on 1 Mar 2010.</p>
<p>Affects: 6.0.0-6.0.20</p>
<p><strong>Low: Insecure default password</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548"
- rel="nofollow">CVE-2009-3548</a></p>
+ <cve>CVE-2009-3548</cve></p>
<p>The Windows installer defaults to a blank password for the administrative
user. If this is not changed during the install process, then by default
a user is created with the name admin, roles admin and manager and a
blank password.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=881771&view=rev">
- revision 881771</a>.</p>
+ <p>This was fixed in <revlink rev="881771">revision 881771</revlink>.</p>
<p>This was first reported to the Tomcat security team on 26 Oct 2009 and
made public on 9 Nov 2009.</p>
@@ -417,8 +375,7 @@
issues, 6.0.19 is not included in the list of affected versions.</i></p>
<p><strong>Important: Information Disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515"
- rel="nofollow">CVE-2008-5515</a></p>
+ <cve>CVE-2008-5515</cve></p>
<p>When using a RequestDispatcher obtained from the Request, the target path
was normalised before the query string was removed. A request that
@@ -426,9 +383,7 @@
content that would otherwise be protected by a security constraint or by
locating it in under the WEB-INF directory.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=734734&view=rev">
- revision 734734</a>.</p>
+ <p>This was fixed in <revlink rev="734734">revision 734734</revlink>.</p>
<p>This was first reported to the Tomcat security team on 11 Dec 2008 and
made public on 8 Jun 2009.</p>
@@ -436,8 +391,7 @@
<p>Affects: 6.0.0-6.0.18</p>
<p><strong>Important: Denial of Service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"
- rel="nofollow">CVE-2009-0033</a></p>
+ <cve>CVE-2009-0033</cve></p>
<p>If Tomcat receives a request with invalid headers via the Java AJP
connector, it does not return an error and instead closes the AJP
@@ -446,9 +400,7 @@
from use for approximately one minute. Thus the behaviour can be used for
a denial of service attack using a carefully crafted request.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=742915&view=rev">
- revision 742915</a>.</p>
+ <p>This was fixed in <revlink rev="742915">revision 742915</revlink>.</p>
<p>This was first reported to the Tomcat security team on 26 Jan 2009 and
made public on 3 Jun 2009.</p>
@@ -456,17 +408,14 @@
<p>Affects: 6.0.0-6.0.18</p>
<p><strong>low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580"
- rel="nofollow">CVE-2009-0580</a></p>
+ <cve>CVE-2009-0580</cve></p>
<p>Due to insufficient error checking in some authentication classes, Tomcat
allows for the enumeration (brute force testing) of user names by
supplying illegally URL encoded passwords. The attack is possible if FORM
based authentication (j_security_check) is used with the MemoryRealm.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=747840&view=rev">
- revision 747840</a>.</p>
+ <p>This was fixed in <revlink rev="747840">revision 747840</revlink>.</p>
<p>This was first reported to the Tomcat security team on 25 Feb 2009 and
made public on 3 Jun 2009.</p>
@@ -474,16 +423,13 @@
<p>Affects: 6.0.0-6.0.18</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"
- rel="nofollow">CVE-2009-0781</a></p>
+ <cve>CVE-2009-0781</cve></p>
<p>The calendar application in the examples web application contains an
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=750924&view=rev">
- revision 750924</a>.</p>
+ <p>This was fixed in <revlink rev="750924">revision 750924</revlink>.</p>
<p>This was first reported to the Tomcat security team on 5 Mar 2009 and
made public on 3 Jun 2009.</p>
@@ -491,23 +437,17 @@
<p>Affects: 6.0.0-6.0.18</p>
<p><strong>low: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783"
- rel="nofollow">CVE-2009-0783</a></p>
+ <cve>CVE-2009-0783</cve></p>
- <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
- 29936</a> and
- <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">
- 45933</a> allowed a web application to replace the XML parser used by
+ <p>Bugs <bug>29936</bug> and <bug>45933</bug> allowed a web application
+ to replace the XML parser used by
Tomcat to process web.xml, context.xml and tld files. In limited
circumstances these bugs may allow a rogue web application to view and/or
alter the web.xml, context.xml and tld files of other web applications
deployed on the Tomcat instance.</p>
- <p>This was fixed in revisions
- <a href="http://svn.apache.org/viewvc?rev=652592&view=rev">
- 652592</a> and
- <a href="http://svn.apache.org/viewvc?rev=739522&view=rev">
- 739522</a>.</p>
+ <p>This was fixed in revisions <revlink rev="652592">652592</revlink> and
+ <revlink rev="739522">739522</revlink>.</p>
<p>This was first reported to the Tomcat security team on 2 Mar 2009 and
made public on 4 Jun 2009.</p>
@@ -523,8 +463,7 @@
issues, 6.0.17 is not included in the list of affected versions.</i></p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232"
- rel="nofollow">CVE-2008-1232</a></p>
+ <cve>CVE-2008-1232</cve></p>
<p>The message argument of HttpServletResponse.sendError() call is not only
displayed on the error page, but is also used for the reason-phrase of
@@ -534,17 +473,14 @@
XSS attack, unfiltered user supplied data must be included in the message
argument.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=673834&view=rev">
- revision 673834</a>.</p>
+ <p>This was fixed in <revlink rev="673834">revision 673834</revlink>.</p>
<p>This was first reported to the Tomcat security team on 24 Jan 2008 and
made public on 1 Aug 2008.</p>
<p>Affects: 6.0.0-6.0.16</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947"
- rel="nofollow">CVE-2008-1947</a></p>
+ <cve>CVE-2008-1947</cve></p>
<p>The Host Manager web application did not escape user provided data before
including it in the output. This enabled a XSS attack. This application
@@ -552,9 +488,7 @@
out (closing the browser) of the application once the management tasks
have been completed.</p>
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=662585&view=rev">
- revision 662585</a>.</p>
+ <p>This was fixed in <revlink rev="662585">revision 662585</revlink>.</p>
<p>This was first reported to the Tomcat security team on 15 May 2008 and
made public on 28 May 2008.</p>
@@ -562,18 +496,15 @@
<p>Affects: 6.0.0-6.0.16</p>
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370"
- rel="nofollow">CVE-2008-2370</a></p>
+ <cve>CVE-2008-2370</cve></p>
<p>When using a RequestDispatcher the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could be used to access content that would otherwise be
protected by a security constraint or by locating it in under the WEB-INF
directory.</p>
-
- <p>This was fixed in
- <a href="http://svn.apache.org/viewvc?rev=673839&view=rev">
- revision 673839</a>.</p>
+
+ <p>This was fixed in <revlink rev="673839">revision 673839</revlink>.</p>
<p>This was first reported to the Tomcat security team on 13 Jun 2008 and
made public on 1 August 2008.</p>
@@ -585,19 +516,15 @@
<section name="Fixed in Apache Tomcat 6.0.16" rtext="released 8 Feb 2008">
<p><strong>low: Session hi-jacking</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333"
- rel="nofollow">CVE-2007-5333</a></p>
+ <cve>CVE-2007-5333</cve></p>
- <p>The previous fix for
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
- rel="nofollow">CVE-2007-3385</a> was incomplete. It did not consider the use of quotes
- or %5C within a cookie value.</p>
+ <p>The previous fix for <cve>CVE-2007-3385</cve> was incomplete. It did
+ not consider the use of quotes or %5C within a cookie value.</p>
<p>Affects: 6.0.0-6.0.14</p>
<p><strong>low: Elevated privileges</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342"
- rel="nofollow">CVE-2007-5342</a></p>
+ <cve>CVE-2007-5342</cve></p>
<p>The JULI logging component allows web applications to provide their own
logging configurations. The default security policy does not restrict
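Review bot: "The previous fix for <cve>CVE-2007-3385</cve> was incomplete" is the first place <cve> is used inside running text rather than after a <strong> severity label; the template must produce an inline anchor with no wrapping block element, or this sentence will render broken even though the heading-style uses look fine. Worth confirming on the rendered page for this one entry.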
@@ -608,8 +535,7 @@
<p>Affects: 6.0.0-6.0.15</p>
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461"
- rel="nofollow">CVE-2007-5461</a></p>
+ <cve>CVE-2007-5461</cve></p>
<p>When Tomcat's WebDAV servlet is configured for use with a context and
has been enabled for write, some WebDAV requests that specify an entity
@@ -619,8 +545,7 @@
<p>Affects: 6.0.0-6.0.14</p>
<p><strong>important: Data integrity</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286"
- rel="nofollow">CVE-2007-6286</a></p>
+ <cve>CVE-2007-6286</cve></p>
<p>When using the native (APR based) connector, connecting to the SSL port
using netcat and then disconnecting without sending any data will cause
@@ -629,8 +554,7 @@
<p>Affects: 6.0.0-6.0.15</p>
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002"
- rel="nofollow">CVE-2008-0002</a></p>
+ <cve>CVE-2008-0002</cve></p>
<p>If an exception occurs during the processing of parameters (eg if the
client disconnects) then it is possible that the parameters submitted for
@@ -643,8 +567,7 @@
<section name="Fixed in Apache Tomcat 6.0.14" rtext="released 13 Aug 2007">
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449"
- rel="nofollow">CVE-2007-2449</a></p>
+ <cve>CVE-2007-2449</cve></p>
<p>JSPs within the examples web application did not escape user provided
data before including it in the output. This enabled a XSS attack. These
@@ -657,8 +580,7 @@
<p>Affects: 6.0.0-6.0.13</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450"
- rel="nofollow">CVE-2007-2450</a></p>
+ <cve>CVE-2007-2450</cve></p>
<p>The Manager and Host Manager web applications did not escape user
provided data before including it in the output. This enabled a XSS
@@ -669,8 +591,7 @@
<p>Affects: 6.0.0-6.0.13</p>
<p><strong>low: Session hi-jacking</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382"
- rel="nofollow">CVE-2007-3382</a></p>
+ <cve>CVE-2007-3382</cve></p>
<p>Tomcat incorrectly treated a single quote character (') in a cookie
value as a delimiter. In some circumstances this lead to the leaking of
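Review bot: the unchanged description reads "In some circumstances this lead to the leaking of information"; the sentence is past tense, so "led" is meant. The same wording recurs in the CVE-2007-3385 entry that follows, so both can be corrected in one pass while the file is being edited.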
@@ -679,8 +600,7 @@
<p>Affects: 6.0.0-6.0.13</p>
<p><strong>low: Session hi-jacking</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
- rel="nofollow">CVE-2007-3385</a></p>
+ <cve>CVE-2007-3385</cve></p>
<p>Tomcat incorrectly handled the character sequence \" in a cookie value.
In some circumstances this lead to the leaking of information such as
@@ -689,8 +609,7 @@
<p>Affects: 6.0.0-6.0.13</p>
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386"
- rel="nofollow">CVE-2007-3386</a></p>
+ <cve>CVE-2007-3386</cve></p>
<p>The Host Manager Servlet did not filter user supplied data before
display. This enabled an XSS attack.</p>
@@ -701,8 +620,7 @@
<section name="Fixed in Apache Tomcat 6.0.11" rtext="not released">
<p><strong>moderate: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355"
- rel="nofollow">CVE-2007-1355</a></p>
+ <cve>CVE-2007-1355</cve></p>
<p>The JSP and Servlet included in the sample application within the Tomcat
documentation webapp did not escape user provided data before including
@@ -712,8 +630,7 @@
<p>Affects: 6.0.0-6.0.10</p>
<p><strong>important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090"
- rel="nofollow">CVE-2005-2090</a></p>
+ <cve>CVE-2005-2090</cve></p>
<p>Requests with multiple content-length headers should be rejected as
invalid. When multiple components (firewalls, caches, proxies and Tomcat)
@@ -731,8 +648,7 @@
<section name="Fixed in Apache Tomcat 6.0.10" rtext="released 28 Feb 2007">
<p><strong>important: Directory traversal</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450"
- rel="nofollow">CVE-2007-0450</a></p>
+ <cve>CVE-2007-0450</cve></p>
<p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used
behind a proxy (including, but not limited to, Apache HTTP server with
@@ -764,8 +680,7 @@
<section name="Fixed in Apache Tomcat 6.0.9" rtext="released 8 Feb 2007">
<p><strong>moderate: Session hi-jacking</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"
- rel="nofollow">CVE-2008-0128</a></p>
+ <cve>CVE-2008-0128</cve></p>
<p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is
transmitted without the "secure" attribute, resulting in it being
@@ -777,8 +692,7 @@
<section name="Fixed in Apache Tomcat 6.0.6" rtext="released 18 Dec 2006">
<p><strong>low: Cross-site scripting</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358"
- rel="nofollow">CVE-2007-1358</a></p>
+ <cve>CVE-2007-1358</cve></p>
<p>Web pages that display the Accept-Language header value sent by the
client are susceptible to a cross-site scripting attack if they assume
@@ -795,8 +709,7 @@
<section name="Not a vulnerability in Tomcat">
<p><strong>Important: Remote Denial Of Service</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476"
- rel="nofollow">CVE-2010-4476</a></p>
+ <cve>CVE-2010-4476</cve></p>
<p>A JVM bug could cause Double conversion to hang JVM when accessing to a
form based security constrained page or any page that calls
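Review bot: the severity label here is "Important: Remote Denial Of Service" with a capital "I", whereas every other entry in this file uses a lowercase "important:"/"moderate:"/"low:" prefix; normalise it to "important:" so anything that keys on the severity string treats the entries uniformly. The same context sentence, "hang JVM when accessing to a form based security constrained page", also wants "hang the JVM when accessing a form based ... page".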
@@ -806,8 +719,7 @@
</p>
<p>A work-around for this JVM bug was provided in
- <a href="http://svn.apache.org/viewvc?rev=1066315&view=rev">
- revision 1066315</a>.</p>
+ <revlink rev="1066315">revision 1066315</revlink>.</p>
<p>This was first reported to the Tomcat security team on 01 Feb 2011 and
made public on 31 Jan 2011.</p>
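Review bot: the dates read "first reported to the Tomcat security team on 01 Feb 2011 and made public on 31 Jan 2011", so public disclosure precedes the report by a day. If that is accurate (the JVM bug was already public when it reached the team), say so explicitly, because the "reported ... and made public" phrasing used for every other entry implies the opposite order; if it is a typo, correct the date. Also, "work-around" is hyphenated here while "work around" and "workaround" both appear further down in this file; pick one spelling.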
@@ -815,8 +727,7 @@
<p>Affects: 6.0.0-6.0.31</p>
<p><strong>moderate: TLS SSL Man In The Middle</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555"
- rel="nofollow">CVE-2009-3555</a></p>
+ <cve>CVE-2009-3555</cve></p>
<p>A vulnerability exists in the TLS protocol that allows an attacker to
inject arbitrary requests into an TLS stream during renegotiation.</p>
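Review bot: "inject arbitrary requests into an TLS stream" should be "into a TLS stream" (the acronym is pronounced with a consonant). Minor, but it sits in the context directly under the converted line, so it is cheap to fix in the same commit.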
@@ -844,15 +755,13 @@
application.</p>
<p>A workaround was implemented in
- <a href="http://svn.apache.org/viewvc?rev=881774&view=rev">
- revision 881774</a> and
- <a href="http://svn.apache.org/viewvc?rev=891292&view=rev">
- revision 891292</a> that provided the new allowUnsafeLegacyRenegotiation
+ <revlink rev="881774">revision 881774</revlink> and
+ <revlink rev="891292">revision 891292</revlink>
+ that provided the new <code>allowUnsafeLegacyRenegotiation</code>
attribute. This work around is included in Tomcat 6.0.21 onwards.</p>
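Review bot: wrapping allowUnsafeLegacyRenegotiation in <code> is a content change rather than the markup simplification the log message describes; it is a reasonable change, but either mention it in the log or make it in a separate commit with any other <code> additions, so the mechanical <revlink>/<cve> conversion remains reviewable by diff alone.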
<p><strong>important: Directory traversal</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938"
- rel="nofollow">CVE-2008-2938</a></p>
+ <cve>CVE-2008-2938</cve></p>
<p>Originally reported as a Tomcat vulnerability the root cause of this
issue is that the JVM does not correctly decode UTF-8 encoded URLs to
@@ -876,8 +785,8 @@
status of this issue for your JVM, contact your JVM vendor.</p>
<p>A workaround was implemented in
- <a href="http://svn.apache.org/viewvc?rev=678137&view=rev">
- revision 678137</a> that protects against this and any similar character
+ <revlink rev="678137">revision 678137</revlink>
+ that protects against this and any similar character
encoding issues that may still exist in the JVM. This work around is
included in Tomcat 6.0.18 onwards.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org