Posted to dev@tomcat.apache.org by jb...@apache.org on 2015/03/18 04:32:01 UTC
svn commit: r1667437 - in /tomcat/site/trunk: docs/index.html
docs/security-taglibs.html docs/security.html xdocs/index.xml
xdocs/security-taglibs.xml xdocs/security.xml
Author: jboynes
Date: Wed Mar 18 03:32:00 2015
New Revision: 1667437
URL: http://svn.apache.org/r1667437
Log:
Add security page for Taglibs
Added:
tomcat/site/trunk/docs/security-taglibs.html
tomcat/site/trunk/xdocs/security-taglibs.xml (with props)
Modified:
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/security.html
tomcat/site/trunk/xdocs/index.xml
tomcat/site/trunk/xdocs/security.xml
Modified: tomcat/site/trunk/docs/index.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1667437&r1=1667436&r2=1667437&view=diff
==============================================================================
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Wed Mar 18 03:32:00 2015
@@ -238,7 +238,7 @@ of the JSTL 1.2 specification.
<p>
Version 1.2.3 is a security and bug fix release. It fixes a few bugs found
in Standard Taglib 1.2.1 and provides protection against
-<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254">CVE-2015-0254</a>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254" rel="nofollow">CVE-2015-0254</a>
vulnerability (XXE and RCE via XSL extension in JSTL XML tags).
</p>
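Review bot: the regenerated link for CVE-2015-0254 now points at plain http://cve.mitre.org instead of the https URL the hand-written anchor used, and gains rel="nofollow"; since this output comes from the new <cve> element in xdocs/index.xml, check the site stylesheet that expands <cve> so it emits the https form, otherwise every CVE reference on the site will be downgraded to an unencrypted link.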
Added: tomcat/site/trunk/docs/security-taglibs.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-taglibs.html?rev=1667437&view=auto
==============================================================================
--- tomcat/site/trunk/docs/security-taglibs.html (added)
+++ tomcat/site/trunk/docs/security-taglibs.html Wed Mar 18 03:32:00 2015
@@ -0,0 +1,265 @@
+<!DOCTYPE html SYSTEM "about:legacy-compat">
+<html lang="en">
+<head>
+<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link href="stylesheets/tomcat.css" rel="stylesheet" type="text/css">
+<title>Apache Tomcat - Apache Taglibs vulnerabilities</title>
+<meta name="author" content="Apache Tomcat Project">
+</head>
+<body>
+<div id="wrapper">
+<header>
+<div id="header">
+<div>
+<div>
+<div class="logo noPrint">
+<a href="http://tomcat.apache.org/"><img alt="Tomcat Home" src="./images/tomcat.png"></a>
+</div>
+<div style="height: 1px;"></div>
+<div class="asfLogo noPrint">
+<a href="http://www.apache.org/" target="_blank"><img src="//www.apache.org/images/feather.png" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a>
+</div>
+<h1 style="margin-top: 35px;">Apache Tomcat</h1>
+<div style="clear: right;"></div>
+<div class="searchbox noPrint">
+<form action="https://www.google.com/search" method="get">
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search the Site…" required="required" size="25" name="q" id="query" type="search"><button>Search</button>
+</form>
+</div>
+<div style="height: 1px;"></div>
+<div style="clear: left;"></div>
+</div>
+</div>
+</div>
+</header>
+<div id="middle">
+<div>
+<div id="mainLeft" class="noprint">
+<div>
+<nav>
+<div>
+<h2>Apache Tomcat</h2>
+<ul>
+<li>
+<a href="./index.html">Home</a>
+</li>
+<li>
+<a href="./taglibs/">Taglibs</a>
+</li>
+<li>
+<a href="./maven-plugin.html">Maven Plugin</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Download</h2>
+<ul>
+<li>
+<a href="./whichversion.html">Which version?</a>
+</li>
+<li>
+<a href="./download-80.cgi">Tomcat 8.0</a>
+</li>
+<li>
+<a href="./download-70.cgi">Tomcat 7.0</a>
+</li>
+<li>
+<a href="./download-60.cgi">Tomcat 6.0</a>
+</li>
+<li>
+<a href="./download-connectors.cgi">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./download-native.cgi">Tomcat Native</a>
+</li>
+<li>
+<a href="http://archive.apache.org/dist/tomcat/">Archives</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Documentation</h2>
+<ul>
+<li>
+<a href="./tomcat-8.0-doc/index.html">Tomcat 8.0</a>
+</li>
+<li>
+<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
+</li>
+<li>
+<a href="./tomcat-6.0-doc/index.html">Tomcat 6.0</a>
+</li>
+<li>
+<a href="./connectors-doc/">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./native-doc/">Tomcat Native</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat/FrontPage">Wiki</a>
+</li>
+<li>
+<a href="./migration.html">Migration Guide</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Problems?</h2>
+<ul>
+<li>
+<a href="./security.html">Security Reports</a>
+</li>
+<li>
+<a href="./findhelp.html">Find help</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a>
+</li>
+<li>
+<a href="./lists.html">Mailing Lists</a>
+</li>
+<li>
+<a href="./bugreport.html">Bug Database</a>
+</li>
+<li>
+<a href="./irc.html">IRC</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Get Involved</h2>
+<ul>
+<li>
+<a href="./getinvolved.html">Overview</a>
+</li>
+<li>
+<a href="./svn.html">SVN Repositories</a>
+</li>
+<li>
+<a href="./ci.html">Buildbot</a>
+</li>
+<li>
+<a href="https://reviews.apache.org/groups/tomcat/">Reviewboard</a>
+</li>
+<li>
+<a href="./tools.html">Tools</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Media</h2>
+<ul>
+<li>
+<a href="http://blogs.apache.org/tomcat/">Blog</a>
+</li>
+<li>
+<a href="http://twitter.com/theapachetomcat">Twitter</a>
+</li>
+</ul>
+</div>
+<div>
+<h2>Misc</h2>
+<ul>
+<li>
+<a href="./whoweare.html">Who We Are</a>
+</li>
+<li>
+<a href="./heritage.html">Heritage</a>
+</li>
+<li>
+<a href="http://www.apache.org">Apache Home</a>
+</li>
+<li>
+<a href="./resources.html">Resources</a>
+</li>
+<li>
+<a href="./contact.html">Contact</a>
+</li>
+<li>
+<a href="./legal.html">Legal</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
+</li>
+</ul>
+</div>
+</nav>
+</div>
+</div>
+<div id="mainRight">
+<div id="content">
+<h2 style="display: none;">Content</h2>
+<h3 id="Table_of_Contents">Table of Contents</h3>
+<div class="text">
+
+<ul>
+<li>
+<a href="#Apache_Taglibs_vulnerabilities">Apache Taglibs vulnerabilities</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Standard_Taglib_1.2.3">Fixed in Apache Standard Taglib 1.2.3</a>
+</li>
+</ul>
+
+</div>
+<h3 id="Apache_Taglibs_vulnerabilities">Apache Taglibs vulnerabilities</h3>
+<div class="text">
+
+<p>This page lists all security vulnerabilities fixed in released versions
+ of Apache Taglibs. Each vulnerability is given a
+ <a href="security-impact.html">security impact rating</a> by the Apache
+ Tomcat security team — please note that this rating may vary from
+ platform to platform. We also list the versions of Apache Taglibs
+ the flaw is known to affect, and where a flaw has not been
+ verified list the version with a question mark.</p>
+
+
+<p>This page has been created from a review of the Apache Tomcat archives
+ and the CVE list. Please send comments or corrections for these
+ vulnerabilities to the <a href="security.html">Tomcat
+ Security Team</a>.</p>
+
+
+</div>
+<h3 id="Fixed_in_Apache_Standard_Taglib_1.2.3">
+<span style="float: right;">20 February 2015</span> Fixed in Apache Standard Taglib 1.2.3</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Information Disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254" rel="nofollow">CVE-2015-0254</a>
+</p>
+
+
+<p>Apache Standard Taglibs before 1.2.3 allows remote attackers to execute
+ arbitrary code or conduct external XML entity (XXE) attacks via a crafted
+ XSLT extension in a JSTL XML tag.</p>
+
+
+<p>This issue was identified by the David Jorm of IIX
+ and made public on 27 February 2015.</p>
+
+
+<p>Affects: All versions prior to 1.2.3</p>
+
+
+</div>
+</div>
+</div>
+</div>
+</div>
+<footer>
+<div id="footer">
+ Copyright © 1999-2015, The Apache Software Foundation
+ <br>
+ Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
+ project logo are trademarks of the Apache Software Foundation.
+ </div>
+</footer>
+</div>
+</body>
+</html>
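Review bot: the rating line reads "Important: Information Disclosure", but the description two paragraphs later says the flaw "allows remote attackers to execute arbitrary code", and the index page summarises it as "XXE and RCE"; an issue that permits remote code execution is normally rated above information disclosure under the security-impact rating linked from this page, so either the title or the description should be revisited. This file is generated, so the correction belongs in xdocs/security-taglibs.xml and this HTML should then be regenerated.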
Modified: tomcat/site/trunk/docs/security.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=1667437&r1=1667436&r2=1667437&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Wed Mar 18 03:32:00 2015
@@ -240,6 +240,11 @@
<a href="security-native.html">Apache Tomcat APR/native Connector
Security Vulnerabilities</a>
</li>
+
+<li>
+<a href="security-taglibs.html">Apache Taglibs
+ Security Vulnerabilities</a>
+</li>
</ul>
Modified: tomcat/site/trunk/xdocs/index.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/index.xml?rev=1667437&r1=1667436&r2=1667437&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/index.xml (original)
+++ tomcat/site/trunk/xdocs/index.xml Wed Mar 18 03:32:00 2015
@@ -40,7 +40,6 @@ project logo are trademarks of the Apach
<section name="Apache Standard Taglib 1.2.3 Released" rtext="2015-02-20">
<!--
FIXME:
- 1. There is no taglibs page at http://tomcat.apache.org/security.html
2. Changelog link goes to SVN repository.
Is the CHANGES file published on the site?
Maybe upload it to the download area?
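Review bot: after removing item 1 from the FIXME list, the remaining entry is still numbered "2." with no "1." before it; renumber it (or drop the number) so the comment does not read as if an item is missing.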
@@ -53,7 +52,7 @@ of the JSTL 1.2 specification.
<p>
Version 1.2.3 is a security and bug fix release. It fixes a few bugs found
in Standard Taglib 1.2.1 and provides protection against
-<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254">CVE-2015-0254</a>
+<cve>CVE-2015-0254</cve>
vulnerability (XXE and RCE via XSL extension in JSTL XML tags).
</p>
<p>
Added: tomcat/site/trunk/xdocs/security-taglibs.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-taglibs.xml?rev=1667437&view=auto
==============================================================================
--- tomcat/site/trunk/xdocs/security-taglibs.xml (added)
+++ tomcat/site/trunk/xdocs/security-taglibs.xml Wed Mar 18 03:32:00 2015
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<document>
+
+ <properties>
+ <author>Apache Tomcat Project</author>
+ <title>Apache Taglibs vulnerabilities</title>
+ </properties>
+
+ <body>
+
+ <section name="Table of Contents">
+ <toc/>
+ </section>
+
+ <section name="Apache Taglibs vulnerabilities">
+ <p>This page lists all security vulnerabilities fixed in released versions
+ of Apache Taglibs. Each vulnerability is given a
+ <a href="security-impact.html">security impact rating</a> by the Apache
+ Tomcat security team — please note that this rating may vary from
+ platform to platform. We also list the versions of Apache Taglibs
+ the flaw is known to affect, and where a flaw has not been
+ verified list the version with a question mark.</p>
+
+ <p>This page has been created from a review of the Apache Tomcat archives
+ and the CVE list. Please send comments or corrections for these
+ vulnerabilities to the <a href="security.html">Tomcat
+ Security Team</a>.</p>
+
+ </section>
+
+ <section name="Fixed in Apache Standard Taglib 1.2.3" rtext="20 February 2015">
+
+ <p><strong>Important: Information Disclosure</strong>
+ <cve>CVE-2015-0254</cve></p>
+
+ <p>Apache Standard Taglibs before 1.2.3 allows remote attackers to execute
+ arbitrary code or conduct external XML entity (XXE) attacks via a crafted
+ XSLT extension in a JSTL XML tag.</p>
+
+ <p>This issue was identified by the David Jorm of IIX
+ and made public on 27 February 2015.</p>
+
+ <p>Affects: All versions prior to 1.2.3</p>
+
+ </section>
+
+ </body>
+</document>
+
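Review bot: "This issue was identified by the David Jorm of IIX" has a stray "the" before the reporter's name; drop it. The file also ends with an extra empty line after </document>, which the other xdocs do not carry; and the "Important: Information Disclosure" heading should be reconciled with the "execute arbitrary code" wording in the description before the HTML is regenerated from this source.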
Propchange: tomcat/site/trunk/xdocs/security-taglibs.xml
------------------------------------------------------------------------------
svn:eol-style = native
Modified: tomcat/site/trunk/xdocs/security.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=1667437&r1=1667436&r2=1667437&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security.xml (original)
+++ tomcat/site/trunk/xdocs/security.xml Wed Mar 18 03:32:00 2015
@@ -35,6 +35,8 @@
Vulnerabilities</a></li>
<li><a href="security-native.html">Apache Tomcat APR/native Connector
Security Vulnerabilities</a></li>
+ <li><a href="security-taglibs.html">Apache Taglibs
+ Security Vulnerabilities</a></li>
</ul>
<p>Lists of security problems fixed in versions of Apache Tomcat that may