You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2007/03/25 17:08:44 UTC

svn commit: r522275 - in /tomcat/site/trunk: docs/security-4.html xdocs/security-4.xml

Author: markt
Date: Sun Mar 25 08:08:43 2007
New Revision: 522275

URL: http://svn.apache.org/viewvc?view=rev&rev=522275
Log:
Add info on CVE-2002-0639

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/xdocs/security-4.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?view=diff&rev=522275&r1=522274&r2=522275
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Sun Mar 25 08:08:43 2007
@@ -586,6 +586,41 @@
 </td>
 </tr>
 </table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Not a vulnerability in Tomcat">
+<strong>Not a vulnerability in Tomcat</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+    <p>
+<strong>Denial of service vulnerability</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0936">
+       CVE-2002-0639</a>
+</p>
+    <p>The issue described requires an attacker to be able to plant a JSP page
+       on the Tomcat server. If an attacker can do this then the server is
+       already compromised. In this case an attacker could just as easily add a
+       page that called System.exit(1) rather than relying on a bug in an
+       internal Sun class.</p>
+
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
 </td>
 </tr>
 <!--FOOTER SEPARATOR-->

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?view=diff&rev=522275&r1=522274&r2=522275
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Sun Mar 25 08:08:43 2007
@@ -207,6 +207,19 @@
 
     <p>Affects: 4.0.4?</p>
   </section>
+
+  <section name="Not a vulnerability in Tomcat">
+    <p><strong>Denial of service vulnerability</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0936">
+       CVE-2002-0639</a></p>
+    <p>The issue described requires an attacker to be able to plant a JSP page
+       on the Tomcat server. If an attacker can do this then the server is
+       already compromised. In this case an attacker could just as easily add a
+       page that called System.exit(1) rather than relying on a bug in an
+       internal Sun class.</p>
+
+  </section>
+
 </body>
 </document>
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org