Posted to dev@tomcat.apache.org by ma...@apache.org on 2007/04/12 03:54:28 UTC
svn commit: r527748 - in /tomcat/site/trunk: docs/security-4.html
xdocs/security-4.xml
Author: markt
Date: Wed Apr 11 18:54:27 2007
New Revision: 527748
URL: http://svn.apache.org/viewvc?view=rev&rev=527748
Log:
A couple of issues from the security list archives.
Modified:
tomcat/site/trunk/docs/security-4.html
tomcat/site/trunk/xdocs/security-4.xml
Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?view=diff&rev=527748&r1=527747&r2=527748
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Wed Apr 11 18:54:27 2007
@@ -211,6 +211,45 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Not fixed in Apache Tomcat 4.1.x">
+<strong>Not fixed in Apache Tomcat 4.1.x</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>
+<strong>moderate: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4836">
+ CVE-2005-4836</a>
+</p>
+
+ <p>The deprecated HTTP/1.1 connector does not reject request URIs containing
+ null bytes when used with contexts that are configured with
+ allowLinking="true". Failure to reject the null byte enables an attacker
+ to obtain the source for any JSP page in these contexts. Users of Tomcat
+ 4.1.x are advised to use the default, supported Coyote HTTP/1.1 connector
+ which does not exhibit this issue. There are no plans to issue an update
+ to Tomcat 4.1.x for this issue.</p>
+
+ <p>Affects: 4.1.15-4.1.HEAD</p>
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 4.1.36">
<strong>Fixed in Apache Tomcat 4.1.36</strong>
</a>
@@ -270,6 +309,23 @@
they are in proxy servers, Tomcat should always be secured as if no proxy
restricting context access was used.
</p>
+
+ <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
+
+ <p>
+<strong>low: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358">
+ CVE-2007-1358</a>
+</p>
+
+ <p>Web pages that display the Accept-Language header value sent by the
+ client are susceptible to a cross-site scripting attack if they assume
+ the Accept-Language header value conforms to RFC 2616. Under normal
+ circumstances this would not be possible to exploit, however older
+ versions of Flash player were known to allow carefully crafted malicious
+ Flash files to make requests with such custom headers. Tomcat now ignores
+ invalid values for Accept-Language headers that do not conform to RFC
+ 2616.</p>
<p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
</blockquote>
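Review bot: the closing sentence of the CVE-2007-1358 paragraph, "Tomcat now ignores invalid values for Accept-Language headers that do not conform to RFC 2616", states the condition twice and leaves it unclear whether the whole header or only the non-conforming value is ignored. Suggest "Tomcat now ignores Accept-Language header values that do not conform to RFC 2616". Since the entry describes the flaw as pages assuming the header is well formed, a short reminder that pages echoing request headers should still escape them on output would fit here as well.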
Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?view=diff&rev=527748&r1=527747&r2=527748
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Wed Apr 11 18:54:27 2007
@@ -24,6 +24,22 @@
</section>
+ <section name="Not fixed in Apache Tomcat 4.1.x">
+ <p><strong>moderate: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4836">
+ CVE-2005-4836</a></p>
+
+ <p>The deprecated HTTP/1.1 connector does not reject request URIs containing
+ null bytes when used with contexts that are configured with
+ allowLinking="true". Failure to reject the null byte enables an attacker
+ to obtain the source for any JSP page in these contexts. Users of Tomcat
+ 4.1.x are advised to use the default, supported Coyote HTTP/1.1 connector
+ which does not exhibit this issue. There are no plans to issue an update
+ to Tomcat 4.1.x for this issue.</p>
+
+ <p>Affects: 4.1.15-4.1.HEAD</p>
+ </section>
+
<section name="Fixed in Apache Tomcat 4.1.36">
<p><strong>important: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090">
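Review bot: "the deprecated HTTP/1.1 connector" in the first added paragraph is not identified in a form a reader can match against their configuration. Suggest naming the connector as it appears in the Connector element (its className) next to that phrase, and doing the same for the Coyote HTTP/1.1 connector recommended as the replacement, so that users can tell from their server configuration whether they are affected.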
@@ -70,6 +86,21 @@
they are in proxy servers, Tomcat should always be secured as if no proxy
restricting context access was used.
</p>
+
+ <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
+
+ <p><strong>low: Cross-site scripting</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358">
+ CVE-2007-1358</a></p>
+
+ <p>Web pages that display the Accept-Language header value sent by the
+ client are susceptible to a cross-site scripting attack if they assume
+ the Accept-Language header value conforms to RFC 2616. Under normal
+ circumstances this would not be possible to exploit, however older
+ versions of Flash player were known to allow carefully crafted malicious
+ Flash files to make requests with such custom headers. Tomcat now ignores
+ invalid values for Accept-Language headers that do not conform to RFC
+ 2616.</p>
<p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
</section>
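Review bot: the "Affects: 4.0.0-4.0.6, 4.1.0-4.1.34" line added at the top of this hunk closes the preceding entry, which leaves the pre-existing, identical Affects line at the bottom to serve the new CVE-2007-1358 entry by position alone. Please confirm that the same range is intended for both issues. It would also help to add the Affects line for CVE-2007-1358 together with its paragraph, so that a later edit to one entry does not silently change the other.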