You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2007/03/25 04:19:51 UTC
svn commit: r522147 - in /tomcat/site/trunk: docs/security-4.html xdocs/security-4.xml

Author: markt
Date: Sat Mar 24 19:19:50 2007
New Revision: 522147

URL: http://svn.apache.org/viewvc?view=rev&rev=522147
Log:
Add information on cve-2002-1394 and cve-2002-1148

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/xdocs/security-4.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?view=diff&rev=522147&r1=522146&r2=522147
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Sat Mar 24 19:19:50 2007
@@ -379,6 +379,80 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 4.1.13, 4.0.6">
+<strong>Fixed in Apache Tomcat 4.1.13, 4.0.6</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+    <p>
+<strong>important: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1394">
+       CVE-2002-1394</a>
+</p>
+
+    <p>A specially crafted URL using the invoker servlet in conjunction with the
+       default servlet can enable an attacker to obtain the source of JSP pages
+       or, under special circumstances, a static resource that would otherwise
+       have been protected by a security constraint without the need to be
+       properly authenticated. This is a variation of
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148">
+       CVE-2002-1148</a>
+</p>
+
+    <p>Affects: 4.0.0-4.0.5, 4.1.0-4.1.12</p>
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 4.1.12, 4.0.5">
+<strong>Fixed in Apache Tomcat 4.1.12, 4.0.5</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+    <p>
+<strong>important: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148">
+       CVE-2002-1148</a>
+</p>
+
+    <p>A specially crafted URL using the default servlet can enable an attacker
+       to obtain the source of JSP pages.</p>
+
+    <p>Affects: 4.0.0-4.0.4, 4.1.0-4.1.11</p>
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 4.1.0">
 <strong>Fixed in Apache Tomcat 4.1.0</strong>
 </a>

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?view=diff&rev=522147&r1=522146&r2=522147
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Sat Mar 24 19:19:50 2007
@@ -119,6 +119,33 @@
     <p>Affects: 4.1.0-4.1.28</p>
   </section>
 
+  <section name="Fixed in Apache Tomcat 4.1.13, 4.0.6">
+    <p><strong>important: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1394">
+       CVE-2002-1394</a></p>
+
+    <p>A specially crafted URL using the invoker servlet in conjunction with the
+       default servlet can enable an attacker to obtain the source of JSP pages
+       or, under special circumstances, a static resource that would otherwise
+       have been protected by a security constraint without the need to be
+       properly authenticated. This is a variation of
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148">
+       CVE-2002-1148</a></p>
+
+    <p>Affects: 4.0.0-4.0.5, 4.1.0-4.1.12</p>
+  </section>
+
+  <section name="Fixed in Apache Tomcat 4.1.12, 4.0.5">
+    <p><strong>important: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148">
+       CVE-2002-1148</a></p>
+
+    <p>A specially crafted URL using the default servlet can enable an attacker
+       to obtain the source of JSP pages.</p>
+
+    <p>Affects: 4.0.0-4.0.4, 4.1.0-4.1.11</p>
+  </section>
+
   <section name="Fixed in Apache Tomcat 4.1.0">
     <p><strong>important: Denial of service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0866">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org