You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2011/07/13 15:56:54 UTC
svn commit: r1146033 - in /tomcat/site/trunk: docs/security-5.html
docs/security-6.html docs/security-7.html xdocs/security-5.xml
xdocs/security-6.xml xdocs/security-7.xml
Author: markt
Date: Wed Jul 13 13:56:53 2011
New Revision: 1146033
URL: http://svn.apache.org/viewvc?rev=1146033&view=rev
Log:
Add CVE-2011-2526 info
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1146033&r1=1146032&r2=1146033&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Wed Jul 13 13:56:53 2011
@@ -215,6 +215,9 @@
<a href="#Apache_Tomcat_5.x_vulnerabilities">Apache Tomcat 5.x vulnerabilities</a>
</li>
<li>
+<a href="#To_be_fixed_in_Apache_Tomcat_5.5.34_(not_yet_released)">To be fixed in Apache Tomcat 5.5.34 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_5.5.34_(not_yet_released)">Fixed in Apache Tomcat 5.5.34 (not yet released)</a>
</li>
<li>
@@ -337,6 +340,70 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="To be fixed in Apache Tomcat 5.5.34 (not yet released)">
+<!--()-->
+</a>
+<a name="To_be_fixed_in_Apache_Tomcat_5.5.34_(not_yet_released)">
+<strong>To be fixed in Apache Tomcat 5.5.34 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526" rel="nofollow">CVE-2011-2526</a>
+</p>
+
+ <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
+ connectors. sendfile is used automatically for content served via the
+ DefaultServlet and deployed web applications may use it directly via
+ setting request attributes. These request attributes were not validated.
+ When running under a security manager, this lack of validation allowed a
+ malicious web application to do one or more of the following that would
+ normally be prevented by a security manager:
+ <ul>
+ <li>return files to users that the security manager should make
+ inaccessible</li>
+ <li>terminate (via a crash) the JVM</li>
+ </ul>
+ Additionally, these vulnerabilities only occur when all of the following
+ are true:
+ <ul>
+ <li>untrusted web applications are being used</li>
+ <li>the SecurityManager is used to limit the untrusted web applications
+ </li>
+ <li>the HTTP NIO or HTTP APR connector is used</li>
+ <li>sendfile is enabled for the connector (this is the default)</li>
+ </ul>
+ </p>
+
+ <p>There is a <a href="http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc5.patch">
+ proposed patch</a> for this issue.</p>
+
+ <p>This was identified by the Tomcat security team on 7 July 2011 and
+ made public on 13 July 2011.</p>
+
+ <p>Affects: 5.5.0-5.5.33</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 5.5.34 (not yet released)">
<!--()-->
</a>
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1146033&r1=1146032&r2=1146033&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Jul 13 13:56:53 2011
@@ -215,6 +215,9 @@
<a href="#Apache_Tomcat_6.x_vulnerabilities">Apache Tomcat 6.x vulnerabilities</a>
</li>
<li>
+<a href="#To_be_fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)">To be fixed in Apache Tomcat 6.0.33 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)">Fixed in Apache Tomcat 6.0.33 (not yet released)</a>
</li>
<li>
@@ -313,6 +316,70 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="To be fixed in Apache Tomcat 6.0.33 (not yet released)">
+<!--()-->
+</a>
+<a name="To_be_fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)">
+<strong>To be fixed in Apache Tomcat 6.0.33 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526" rel="nofollow">CVE-2011-2526</a>
+</p>
+
+ <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
+ connectors. sendfile is used automatically for content served via the
+ DefaultServlet and deployed web applications may use it directly via
+ setting request attributes. These request attributes were not validated.
+ When running under a security manager, this lack of validation allowed a
+ malicious web application to do one or more of the following that would
+ normally be prevented by a security manager:
+ <ul>
+ <li>return files to users that the security manager should make
+ inaccessible</li>
+ <li>terminate (via a crash) the JVM</li>
+ </ul>
+ Additionally, these vulnerabilities only occur when all of the following
+ are true:
+ <ul>
+ <li>untrusted web applications are being used</li>
+ <li>the SecurityManager is used to limit the untrusted web applications
+ </li>
+ <li>the HTTP NIO or HTTP APR connector is used</li>
+ <li>sendfile is enabled for the connector (this is the default)</li>
+ </ul>
+ </p>
+
+ <p>There is a <a href="http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc6.patch">
+ proposed patch</a> for this issue.</p>
+
+ <p>This was identified by the Tomcat security team on 7 July 2011 and
+ made public on 13 July 2011.</p>
+
+ <p>Affects: 6.0.0-6.0.32</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.33 (not yet released)">
<!--()-->
</a>
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1146033&r1=1146032&r2=1146033&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed Jul 13 13:56:53 2011
@@ -215,6 +215,9 @@
<a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.19_(not_yet_released)">Fixed in Apache Tomcat 7.0.19 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_7.0.17_(not_yet_released)">Fixed in Apache Tomcat 7.0.17 (not yet released)</a>
</li>
<li>
@@ -296,6 +299,79 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 7.0.19 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_7.0.19_(not_yet_released)">
+<strong>Fixed in Apache Tomcat 7.0.19 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526" rel="nofollow">CVE-2011-2526</a>
+</p>
+
+ <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
+ connectors. sendfile is used automatically for content served via the
+ DefaultServlet and deployed web applications may use it directly via
+ setting request attributes. These request attributes were not validated.
+ When running under a security manager, this lack of validation allowed a
+ malicious web application to do one or more of the following that would
+ normally be prevented by a security manager:
+ <ul>
+ <li>return files to users that the security manager should make
+ inaccessible</li>
+ <li>terminate (via a crash) the JVM</li>
+ </ul>
+ Additionally, these vulnerabilities only occur when all of the following
+ are true:
+ <ul>
+ <li>untrusted web applications are being used</li>
+ <li>the SecurityManager is used to limit the untrusted web applications
+ </li>
+ <li>the HTTP NIO or HTTP APR connector is used</li>
+ <li>sendfile is enabled for the connector (this is the default)</li>
+ </ul>
+ </p>
+
+ <p>This was fixed in revisions
+ <a href="http://svn.apache.org/viewvc?rev=1145383&view=rev">
+ 1145383</a>,
+ <a href="http://svn.apache.org/viewvc?rev=1145489&view=rev">
+ 1145489</a>,
+ <a href="http://svn.apache.org/viewvc?rev=1145571&view=rev">
+ 1145571</a>,
+ <a href="http://svn.apache.org/viewvc?rev=1145694&view=rev">
+ 1145694</a> and
+ <a href="http://svn.apache.org/viewvc?rev=1146005&view=rev">
+ 1146005</a>.</p>
+
+ <p>This was identified by the Tomcat security team on 7 July 2011 and
+ made public on 13 July 2011.</p>
+
+ <p>Affects: 7.0.0-7.0.18</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 7.0.17 (not yet released)">
<!--()-->
</a>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1146033&r1=1146032&r2=1146033&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Wed Jul 13 13:56:53 2011
@@ -46,6 +46,45 @@
</section>
-->
+ <section name="To be fixed in Apache Tomcat 5.5.34 (not yet released)">
+
+ <p><strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526"
+ rel="nofollow">CVE-2011-2526</a></p>
+
+ <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
+ connectors. sendfile is used automatically for content served via the
+ DefaultServlet and deployed web applications may use it directly via
+ setting request attributes. These request attributes were not validated.
+ When running under a security manager, this lack of validation allowed a
+ malicious web application to do one or more of the following that would
+ normally be prevented by a security manager:
+ <ul>
+ <li>return files to users that the security manager should make
+ inaccessible</li>
+ <li>terminate (via a crash) the JVM</li>
+ </ul>
+ Additionally, these vulnerabilities only occur when all of the following
+ are true:
+ <ul>
+ <li>untrusted web applications are being used</li>
+ <li>the SecurityManager is used to limit the untrusted web applications
+ </li>
+ <li>the HTTP NIO or HTTP APR connector is used</li>
+ <li>sendfile is enabled for the connector (this is the default)</li>
+ </ul>
+ </p>
+
+ <p>There is a <a href="http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc5.patch">
+ proposed patch</a> for this issue.</p>
+
+ <p>This was identified by the Tomcat security team on 7 July 2011 and
+ made public on 13 July 2011.</p>
+
+ <p>Affects: 5.5.0-5.5.33</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 5.5.34 (not yet released)">
<p><strong>Low: Information disclosure</strong>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1146033&r1=1146032&r2=1146033&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Jul 13 13:56:53 2011
@@ -30,6 +30,45 @@
</section>
+ <section name="To be fixed in Apache Tomcat 6.0.33 (not yet released)">
+
+ <p><strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526"
+ rel="nofollow">CVE-2011-2526</a></p>
+
+ <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
+ connectors. sendfile is used automatically for content served via the
+ DefaultServlet and deployed web applications may use it directly via
+ setting request attributes. These request attributes were not validated.
+ When running under a security manager, this lack of validation allowed a
+ malicious web application to do one or more of the following that would
+ normally be prevented by a security manager:
+ <ul>
+ <li>return files to users that the security manager should make
+ inaccessible</li>
+ <li>terminate (via a crash) the JVM</li>
+ </ul>
+ Additionally, these vulnerabilities only occur when all of the following
+ are true:
+ <ul>
+ <li>untrusted web applications are being used</li>
+ <li>the SecurityManager is used to limit the untrusted web applications
+ </li>
+ <li>the HTTP NIO or HTTP APR connector is used</li>
+ <li>sendfile is enabled for the connector (this is the default)</li>
+ </ul>
+ </p>
+
+ <p>There is a <a href="http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc6.patch">
+ proposed patch</a> for this issue.</p>
+
+ <p>This was identified by the Tomcat security team on 7 July 2011 and
+ made public on 13 July 2011.</p>
+
+ <p>Affects: 6.0.0-6.0.32</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 6.0.33 (not yet released)">
<p><strong>Low: Information disclosure</strong>
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1146033&r1=1146032&r2=1146033&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed Jul 13 13:56:53 2011
@@ -25,6 +25,54 @@
<a href="mailto:security@tomcat.apache.org">Tomcat Security Team</a>.</p>
</section>
+ <section name="Fixed in Apache Tomcat 7.0.19 (not yet released)">
+
+ <p><strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526"
+ rel="nofollow">CVE-2011-2526</a></p>
+
+ <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
+ connectors. sendfile is used automatically for content served via the
+ DefaultServlet and deployed web applications may use it directly via
+ setting request attributes. These request attributes were not validated.
+ When running under a security manager, this lack of validation allowed a
+ malicious web application to do one or more of the following that would
+ normally be prevented by a security manager:
+ <ul>
+ <li>return files to users that the security manager should make
+ inaccessible</li>
+ <li>terminate (via a crash) the JVM</li>
+ </ul>
+ Additionally, these vulnerabilities only occur when all of the following
+ are true:
+ <ul>
+ <li>untrusted web applications are being used</li>
+ <li>the SecurityManager is used to limit the untrusted web applications
+ </li>
+ <li>the HTTP NIO or HTTP APR connector is used</li>
+ <li>sendfile is enabled for the connector (this is the default)</li>
+ </ul>
+ </p>
+
+ <p>This was fixed in revisions
+ <a href="http://svn.apache.org/viewvc?rev=1145383&view=rev">
+ 1145383</a>,
+ <a href="http://svn.apache.org/viewvc?rev=1145489&view=rev">
+ 1145489</a>,
+ <a href="http://svn.apache.org/viewvc?rev=1145571&view=rev">
+ 1145571</a>,
+ <a href="http://svn.apache.org/viewvc?rev=1145694&view=rev">
+ 1145694</a> and
+ <a href="http://svn.apache.org/viewvc?rev=1146005&view=rev">
+ 1146005</a>.</p>
+
+ <p>This was identified by the Tomcat security team on 7 July 2011 and
+ made public on 13 July 2011.</p>
+
+ <p>Affects: 7.0.0-7.0.18</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.17 (not yet released)">
<p><strong>Low: Information disclosure</strong>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org