Posted to dev@tomcat.apache.org by sc...@apache.org on 2014/04/13 16:11:34 UTC
svn commit: r1586992 - in /tomcat/site/trunk: docs/security-6.html
docs/security-7.html docs/security-8.html xdocs/security-6.xml
xdocs/security-7.xml xdocs/security-8.xml
Author: schultz
Date: Sun Apr 13 14:11:34 2014
New Revision: 1586992
URL: http://svn.apache.org/r1586992
Log:
Added information about CVE-2014-0160 (OpenSSL "Heartbleed").
Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1586992&r1=1586991&r2=1586992&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Sun Apr 13 14:11:34 2014
@@ -1927,6 +1927,30 @@
encoding issues that may still exist in the JVM. This work around is
included in Tomcat 6.0.18 onwards.</p>
+
+<p>
+<strong>Important: Remote Memory Read</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160" rel="nofollow">CVE-2014-0160</a> (a.k.a. "Heartbleed")</p>
+
+
+<p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+ can allow an unauthenticated remote user to read certain contents of
+ the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
+ include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
+ ship with patched versions of OpenSSL.</p>
+
+
+<p>An explanation of how to deterine whether you are vulnerable and what
+ steps to take, see the Tomcat Wiki's
+ <a href="https://wiki.apache.org/tomcat/Security/Heartbleed">Heartbleed</a>
+ page.</p>
+
+
+<p>This issue was first announced on 7 April 2014.</p>
+
+
+<p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
+
</div>
</div>
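Review bot: The OpenSSL link in the second added paragraph, <a href="www.openssl.org">, has no scheme, so a browser resolves it relative to the security page instead of going to the OpenSSL site. Give it an absolute URL with an explicit scheme, as the CVE and wiki links in the same hunk already do. If this file is generated from xdocs/security-6.xml, make the fix there and regenerate.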
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1586992&r1=1586991&r2=1586992&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Sun Apr 13 14:11:34 2014
@@ -1529,6 +1529,30 @@
</ul>
+
+<p>
+<strong>Important: Remote Memory Read</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160" rel="nofollow">CVE-2014-0160</a> (a.k.a. "Heartbleed")</p>
+
+
+<p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+ can allow an unauthenticated remote user to read certain contents of
+ the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
+ include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
+ ship with patched versions of OpenSSL.</p>
+
+
+<p>An explanation of how to deterine whether you are vulnerable and what
+ steps to take, see the Tomcat Wiki's
+ <a href="https://wiki.apache.org/tomcat/Security/Heartbleed">Heartbleed</a>
+ page.</p>
+
+
+<p>This issue was first announced on 7 April 2014.</p>
+
+
+<p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
+
</div>
</div>
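Review bot: The third added paragraph has a typo and does not parse as a sentence: "An explanation of how to deterine whether you are vulnerable and what steps to take, see the Tomcat Wiki's ... page." Suggest "For an explanation of how to determine whether you are vulnerable and what steps to take, see the Tomcat Wiki's Heartbleed page." The same text is repeated in all six files of this commit, so the correction should be applied to each.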
Modified: tomcat/site/trunk/docs/security-8.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1586992&r1=1586991&r2=1586992&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Sun Apr 13 14:11:34 2014
@@ -434,7 +434,28 @@
<div class="text">
-<p>No reports</p>
+<p>
+<strong>Important: Remote Memory Read</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160" rel="nofollow">CVE-2014-0160</a> (a.k.a. "Heartbleed")</p>
+
+
+<p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+ can allow an unauthenticated remote user to read certain contents of
+ the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
+ include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
+ ship with patched versions of OpenSSL.</p>
+
+
+<p>An explanation of how to deterine whether you are vulnerable and what
+ steps to take, see the Tomcat Wiki's
+ <a href="https://wiki.apache.org/tomcat/Security/Heartbleed">Heartbleed</a>
+ page.</p>
+
+
+<p>This issue was first announced on 7 April 2014.</p>
+
+
+<p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
</div>
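Review bot: The "Affects:" line that replaces "No reports" names only OpenSSL 1.0.1-1.0.1f and tcnative 1.1.24-1.1.29, so a reader of the Tomcat 8 page cannot tell from this entry which Tomcat downloads carry an affected tcnative binary. Consider adding a sentence that says which distributions bundle tcnative, or a pointer to where that is documented, so the entry can be acted on without leaving the page.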
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1586992&r1=1586991&r2=1586992&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Sun Apr 13 14:11:34 2014
@@ -1183,8 +1183,24 @@
encoding issues that may still exist in the JVM. This work around is
included in Tomcat 6.0.18 onwards.</p>
+ <p><strong>Important: Remote Memory Read</strong>
+ <cve>CVE-2014-0160</cve> (a.k.a. "Heartbleed")</p>
+
+ <p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+ can allow an unauthenticated remote user to read certain contents of
+ the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
+ include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
+ ship with patched versions of OpenSSL.</p>
+
+ <p>An explanation of how to deterine whether you are vulnerable and what
+ steps to take, see the Tomcat Wiki's
+ <a href="https://wiki.apache.org/tomcat/Security/Heartbleed">Heartbleed</a>
+ page.</p>
+
+ <p>This issue was first announced on 7 April 2014.</p>
+
+ <p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
+
</section>
-
</body>
</document>
-
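Review bot: The two removed blank lines after </section> and after </document> are unrelated to the Heartbleed entry and add noise to the diff; leave them out of this commit. Within the added text, the href="www.openssl.org" link needs a scheme and "deterine" should be "determine"; this XML looks like the source for docs/security-6.html, so correcting it here keeps the two in step.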
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1586992&r1=1586991&r2=1586992&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Sun Apr 13 14:11:34 2014
@@ -906,6 +906,24 @@
</li>
</ul>
+ <p><strong>Important: Remote Memory Read</strong>
+ <cve>CVE-2014-0160</cve> (a.k.a. "Heartbleed")</p>
+
+ <p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+ can allow an unauthenticated remote user to read certain contents of
+ the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
+ include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
+ ship with patched versions of OpenSSL.</p>
+
+ <p>An explanation of how to deterine whether you are vulnerable and what
+ steps to take, see the Tomcat Wiki's
+ <a href="https://wiki.apache.org/tomcat/Security/Heartbleed">Heartbleed</a>
+ page.</p>
+
+ <p>This issue was first announced on 7 April 2014.</p>
+
+ <p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
+
</section>
</body>
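Review bot: In the second added paragraph, "include this vulnerable version of OpenSSL" has nothing to refer back to, because the preceding sentence only says "certain versions of OpenSSL". Name the range in the sentence itself (the "Affects:" line gives it as 1.0.1-1.0.1f). The tcnative range is also written two ways in this entry, "1.1.24 - 1.1.29" in the paragraph and "1.1.24-1.1.29" in the "Affects:" line; pick one form.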
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1586992&r1=1586991&r2=1586992&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Sun Apr 13 14:11:34 2014
@@ -169,10 +169,26 @@
<section name="Not a vulnerability in Tomcat">
- <p>No reports</p>
+ <p><strong>Important: Remote Memory Read</strong>
+ <cve>CVE-2014-0160</cve> (a.k.a. "Heartbleed")</p>
+
+ <p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+ can allow an unauthenticated remote user to read certain contents of
+ the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
+ include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
+ ship with patched versions of OpenSSL.</p>
+
+ <p>An explanation of how to deterine whether you are vulnerable and what
+ steps to take, see the Tomcat Wiki's
+ <a href="https://wiki.apache.org/tomcat/Security/Heartbleed">Heartbleed</a>
+ page.</p>
+
+ <p>This issue was first announced on 7 April 2014.</p>
+
+ <p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
</section>
-
+
</body>
</document>
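Review bot: The entry is added under <section name="Not a vulnerability in Tomcat"> but carries the "Important:" severity label and an "Affects:" line, which reads like an entry for a Tomcat vulnerability. If that is intended, open the entry with a sentence saying that the flaw is in OpenSSL as shipped in tcnative binaries rather than in Tomcat code. The blank line removed and re-added before </body> is a whitespace-only change and can be dropped from the commit.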
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1586992 - in /tomcat/site/trunk: docs/security-6.html
docs/security-7.html docs/security-8.html xdocs/security-6.xml
xdocs/security-7.xml xdocs/security-8.xml
Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-04-13 18:11 GMT+04:00 <sc...@apache.org>:
> Author: schultz
> Date: Sun Apr 13 14:11:34 2014
> New Revision: 1586992
>
> URL: http://svn.apache.org/r1586992
> Log:
> Added information about CVE-2014-0160 (OpenSSL "Heartbleed").
>
>
> Modified:
> tomcat/site/trunk/docs/security-6.html
> tomcat/site/trunk/docs/security-7.html
> tomcat/site/trunk/docs/security-8.html
> tomcat/site/trunk/xdocs/security-6.xml
> tomcat/site/trunk/xdocs/security-7.xml
> tomcat/site/trunk/xdocs/security-8.xml
>
Note that there is also a separate page for Tomcat-Native,
http://tomcat.apache.org/security-native.html
Strictly speaking, this affects "Windows" versions (zip, exe) of
Tomcat that bundle those versions of TC-Native.
Best regards,
Konstantin Kolinko