Posted to dev@tomcat.apache.org by jb...@apache.org on 2015/03/18 04:32:01 UTC

svn commit: r1667437 - in /tomcat/site/trunk: docs/index.html docs/security-taglibs.html docs/security.html xdocs/index.xml xdocs/security-taglibs.xml xdocs/security.xml

Author: jboynes
Date: Wed Mar 18 03:32:00 2015
New Revision: 1667437

URL: http://svn.apache.org/r1667437
Log:
Add security page for Taglibs

Added:
    tomcat/site/trunk/docs/security-taglibs.html
    tomcat/site/trunk/xdocs/security-taglibs.xml   (with props)
Modified:
    tomcat/site/trunk/docs/index.html
    tomcat/site/trunk/docs/security.html
    tomcat/site/trunk/xdocs/index.xml
    tomcat/site/trunk/xdocs/security.xml

Modified: tomcat/site/trunk/docs/index.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1667437&r1=1667436&r2=1667437&view=diff
==============================================================================
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Wed Mar 18 03:32:00 2015
@@ -238,7 +238,7 @@ of the JSTL 1.2 specification.
 <p>
 Version 1.2.3 is a security and bug fix release. It fixes a few bugs found
 in Standard Taglib 1.2.1 and provides protection against
-<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254">CVE-2015-0254</a>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254" rel="nofollow">CVE-2015-0254</a>
 vulnerability (XXE and RCE via XSL extension in JSTL XML tags).
 </p>
 
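Review bot: the replacement `+` line downgrades the CVE reference from `https://cve.mitre.org/...` to `http://cve.mitre.org/...`, which is a regression on a security page; the xdocs/index.xml hunk in this same commit swaps the explicit `<a>` for `<cve>CVE-2015-0254</cve>`, so the http scheme (and the `rel="nofollow"`) is almost certainly what the `<cve>` macro's template emits. Fix the macro to render https rather than accepting the downgrade in the generated output; `rel="nofollow"` is harmless but odd for a link to an authoritative advisory database.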

Added: tomcat/site/trunk/docs/security-taglibs.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-taglibs.html?rev=1667437&view=auto
==============================================================================
--- tomcat/site/trunk/docs/security-taglibs.html (added)
+++ tomcat/site/trunk/docs/security-taglibs.html Wed Mar 18 03:32:00 2015
@@ -0,0 +1,265 @@
+<!DOCTYPE html SYSTEM "about:legacy-compat">
+<html lang="en">
+<head>
+<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link href="stylesheets/tomcat.css" rel="stylesheet" type="text/css">
+<title>Apache Tomcat - Apache Taglibs vulnerabilities</title>
+<meta name="author" content="Apache Tomcat Project">
+</head>
+<body>
+<div id="wrapper">
+<header>
+<div id="header">
+<div>
+<div>
+<div class="logo noPrint">
+<a href="http://tomcat.apache.org/"><img alt="Tomcat Home" src="./images/tomcat.png"></a>
+</div>
+<div style="height: 1px;"></div>
+<div class="asfLogo noPrint">
+<a href="http://www.apache.org/" target="_blank"><img src="//www.apache.org/images/feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>
+</div>
+<h1 style="margin-top: 35px;">Apache Tomcat</h1>
+<div style="clear: right;"></div>
+<div class="searchbox noPrint">
+<form action="https://www.google.com/search" method="get">
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search the Site&hellip;" required="required" size="25" name="q" id="query" type="search"><button>Search</button>
+</form>
+</div>
+<div style="height: 1px;"></div>
+<div style="clear: left;"></div>
+</div>
+</div>
+</div>
+</header>
+<div id="middle">
+<div>
+<div id="mainLeft" class="noprint">
+<div>
+<nav>
+<div>
+<h2>Apache Tomcat</h2>
+<ul>
+<li>
+<a href="./index.html">Home</a>
+</li>
+<li>
+<a href="./taglibs/">Taglibs</a>
+</li>
+<li>
+<a href="./maven-plugin.html">Maven Plugin</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Download</h2>
+<ul>
+<li>
+<a href="./whichversion.html">Which version?</a>
+</li>
+<li>
+<a href="./download-80.cgi">Tomcat 8.0</a>
+</li>
+<li>
+<a href="./download-70.cgi">Tomcat 7.0</a>
+</li>
+<li>
+<a href="./download-60.cgi">Tomcat 6.0</a>
+</li>
+<li>
+<a href="./download-connectors.cgi">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./download-native.cgi">Tomcat Native</a>
+</li>
+<li>
+<a href="http://archive.apache.org/dist/tomcat/">Archives</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Documentation</h2>
+<ul>
+<li>
+<a href="./tomcat-8.0-doc/index.html">Tomcat 8.0</a>
+</li>
+<li>
+<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
+</li>
+<li>
+<a href="./tomcat-6.0-doc/index.html">Tomcat 6.0</a>
+</li>
+<li>
+<a href="./connectors-doc/">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./native-doc/">Tomcat Native</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat/FrontPage">Wiki</a>
+</li>
+<li>
+<a href="./migration.html">Migration Guide</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Problems?</h2>
+<ul>
+<li>
+<a href="./security.html">Security Reports</a>
+</li>
+<li>
+<a href="./findhelp.html">Find help</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a>
+</li>
+<li>
+<a href="./lists.html">Mailing Lists</a>
+</li>
+<li>
+<a href="./bugreport.html">Bug Database</a>
+</li>
+<li>
+<a href="./irc.html">IRC</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Get Involved</h2>
+<ul>
+<li>
+<a href="./getinvolved.html">Overview</a>
+</li>
+<li>
+<a href="./svn.html">SVN Repositories</a>
+</li>
+<li>
+<a href="./ci.html">Buildbot</a>
+</li>
+<li>
+<a href="https://reviews.apache.org/groups/tomcat/">Reviewboard</a>
+</li>
+<li>
+<a href="./tools.html">Tools</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Media</h2>
+<ul>
+<li>
+<a href="http://blogs.apache.org/tomcat/">Blog</a>
+</li>
+<li>
+<a href="http://twitter.com/theapachetomcat">Twitter</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Misc</h2>
+<ul>
+<li>
+<a href="./whoweare.html">Who We Are</a>
+</li>
+<li>
+<a href="./heritage.html">Heritage</a>
+</li>
+<li>
+<a href="http://www.apache.org">Apache Home</a>
+</li>
+<li>
+<a href="./resources.html">Resources</a>
+</li>
+<li>
+<a href="./contact.html">Contact</a>
+</li>
+<li>
+<a href="./legal.html">Legal</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
+</li>
+</ul>
+</div>
+</nav>
+</div>
+</div>
+<div id="mainRight">
+<div id="content">
+<h2 style="display: none;">Content</h2>
+<h3 id="Table_of_Contents">Table of Contents</h3>
+<div class="text">
+      
+<ul>
+<li>
+<a href="#Apache_Taglibs_vulnerabilities">Apache Taglibs vulnerabilities</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Standard_Taglib_1.2.3">Fixed in Apache Standard Taglib 1.2.3</a>
+</li>
+</ul>
+    
+</div>
+<h3 id="Apache_Taglibs_vulnerabilities">Apache Taglibs vulnerabilities</h3>
+<div class="text">
+      
+<p>This page lists all security vulnerabilities fixed in released versions
+        of Apache Taglibs. Each vulnerability is given a
+        <a href="security-impact.html">security impact rating</a> by the Apache
+        Tomcat security team &mdash; please note that this rating may vary from
+        platform to platform. We also list the versions of Apache Taglibs
+        the flaw is known to affect, and where a flaw has not been
+        verified list the version with a question mark.</p>
+
+      
+<p>This page has been created from a review of the Apache Tomcat archives
+        and the CVE list. Please send comments or corrections for these
+        vulnerabilities to the <a href="security.html">Tomcat
+          Security Team</a>.</p>
+
+    
+</div>
+<h3 id="Fixed_in_Apache_Standard_Taglib_1.2.3">
+<span style="float: right;">20 February 2015</span> Fixed in Apache Standard Taglib 1.2.3</h3>
+<div class="text">
+
+      
+<p>
+<strong>Important: Information Disclosure</strong>
+        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254" rel="nofollow">CVE-2015-0254</a>
+</p>
+
+      
+<p>Apache Standard Taglibs before 1.2.3 allows remote attackers to execute
+        arbitrary code or conduct external XML entity (XXE) attacks via a crafted
+        XSLT extension in a JSTL XML tag.</p>
+
+      
+<p>This issue was identified by the David Jorm of IIX
+        and made public on 27 February 2015.</p>
+
+      
+<p>Affects: All versions prior to 1.2.3</p>
+
+    
+</div>
+</div>
+</div>
+</div>
+</div>
+<footer>
+<div id="footer">
+    Copyright &copy; 1999-2015, The Apache Software Foundation
+    <br>
+    Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
+    project logo are trademarks of the Apache Software Foundation.
+  </div>
+</footer>
+</div>
+</body>
+</html>
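Review bot: the rating line `<strong>Important: Information Disclosure</strong>` contradicts the description two paragraphs below it, which says the flaw "allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks"; the page links its ratings to security-impact.html, and arbitrary code execution by a remote attacker is the kind of impact that scale reserves for a rating above Important, so either raise the rating and retitle it (e.g. "Critical: Remote Code Execution") or narrow the description to what the security team actually rated. The sentence "This issue was identified by the David Jorm of IIX" also has a stray "the". Both fixes belong in xdocs/security-taglibs.xml, since this file is generated from it; regenerate rather than hand-edit docs/.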

Modified: tomcat/site/trunk/docs/security.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=1667437&r1=1667436&r2=1667437&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Wed Mar 18 03:32:00 2015
@@ -240,6 +240,11 @@
 <a href="security-native.html">Apache Tomcat APR/native Connector
           Security Vulnerabilities</a>
 </li>
+      
+<li>
+<a href="security-taglibs.html">Apache Taglibs
+          Security Vulnerabilities</a>
+</li>
     
 </ul>
 

Modified: tomcat/site/trunk/xdocs/index.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/index.xml?rev=1667437&r1=1667436&r2=1667437&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/index.xml (original)
+++ tomcat/site/trunk/xdocs/index.xml Wed Mar 18 03:32:00 2015
@@ -40,7 +40,6 @@ project logo are trademarks of the Apach
 <section name="Apache Standard Taglib 1.2.3 Released" rtext="2015-02-20">
 <!--
   FIXME:
-   1. There is no taglibs page at http://tomcat.apache.org/security.html
    2. Changelog link goes to SVN repository.
       Is the CHANGES file published on the site?
       Maybe upload it to the download area?
@@ -53,7 +52,7 @@ of the JSTL 1.2 specification.
 <p>
 Version 1.2.3 is a security and bug fix release. It fixes a few bugs found
 in Standard Taglib 1.2.1 and provides protection against
-<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254">CVE-2015-0254</a>
+<cve>CVE-2015-0254</cve>
 vulnerability (XXE and RCE via XSL extension in JSTL XML tags).
 </p>
 <p>
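Review bot: deleting FIXME item 1 leaves the remaining list starting at "2."; renumber it (or drop the numbering) so the comment does not look truncated. The `<cve>` macro substituted for the explicit `<a>` renders, per the docs/index.html hunk above, as an http link with `rel="nofollow"`, so the template behind it should be checked before more pages are converted. The unchanged context line "provides protection against CVE-2015-0254 vulnerability" is also missing "the" before "CVE-2015-0254".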

Added: tomcat/site/trunk/xdocs/security-taglibs.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-taglibs.xml?rev=1667437&view=auto
==============================================================================
--- tomcat/site/trunk/xdocs/security-taglibs.xml (added)
+++ tomcat/site/trunk/xdocs/security-taglibs.xml Wed Mar 18 03:32:00 2015
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<document>
+
+  <properties>
+    <author>Apache Tomcat Project</author>
+    <title>Apache Taglibs vulnerabilities</title>
+  </properties>
+
+  <body>
+
+    <section name="Table of Contents">
+      <toc/>
+    </section>
+
+    <section name="Apache Taglibs vulnerabilities">
+      <p>This page lists all security vulnerabilities fixed in released versions
+        of Apache Taglibs. Each vulnerability is given a
+        <a href="security-impact.html">security impact rating</a> by the Apache
+        Tomcat security team &#x2014; please note that this rating may vary from
+        platform to platform. We also list the versions of Apache Taglibs
+        the flaw is known to affect, and where a flaw has not been
+        verified list the version with a question mark.</p>
+
+      <p>This page has been created from a review of the Apache Tomcat archives
+        and the CVE list. Please send comments or corrections for these
+        vulnerabilities to the <a href="security.html">Tomcat
+          Security Team</a>.</p>
+
+    </section>
+
+    <section name="Fixed in Apache Standard Taglib 1.2.3" rtext="20 February 2015">
+
+      <p><strong>Important: Information Disclosure</strong>
+        <cve>CVE-2015-0254</cve></p>
+
+      <p>Apache Standard Taglibs before 1.2.3 allows remote attackers to execute
+        arbitrary code or conduct external XML entity (XXE) attacks via a crafted
+        XSLT extension in a JSTL XML tag.</p>
+
+      <p>This issue was identified by the David Jorm of IIX
+        and made public on 27 February 2015.</p>
+
+      <p>Affects: All versions prior to 1.2.3</p>
+
+    </section>
+
+  </body>
+</document>
+
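Review bot: the section header carries `rtext="20 February 2015"` while the body says the issue was "made public on 27 February 2015"; a release a week before public disclosure is plausible, but the existing security-* pages key the section date to the release, so confirm both dates are correct rather than one being a transposition. The intro paragraph promises that unverified affected versions are marked with a question mark, yet "Affects: All versions prior to 1.2.3" gives no indication whether that range was verified or inferred; state which. The file also ends with an added empty line (the trailing `+`), which `svn:eol-style = native` will not clean up.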

Propchange: tomcat/site/trunk/xdocs/security-taglibs.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/site/trunk/xdocs/security.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=1667437&r1=1667436&r2=1667437&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security.xml (original)
+++ tomcat/site/trunk/xdocs/security.xml Wed Mar 18 03:32:00 2015
@@ -35,6 +35,8 @@
           Vulnerabilities</a></li>
       <li><a href="security-native.html">Apache Tomcat APR/native Connector
           Security Vulnerabilities</a></li>
+      <li><a href="security-taglibs.html">Apache Taglibs
+          Security Vulnerabilities</a></li>
     </ul>
 
     <p>Lists of security problems fixed in versions of Apache Tomcat that may



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org