Message-ID: <4DD26E30.2060103@apache.org>
Date: Tue, 17 May 2011 13:46:40 +0100
From: Mark Thomas
Reply-To: Tomcat Security List
To: Tomcat Users List
CC: Tomcat Developers List, Tomcat Announce List, announce@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2011-1582 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.12-7.0.13
- - Earlier versions are not affected
Description:
An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security
constraints configured via annotations were ignored on the first request
to a Servlet. Subsequent requests were secured correctly.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Upgrade to Tomcat 7.0.14 or later
- - Define all security constraints in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJN0m4vAAoJEBDAHFovYFnn5NkQAOBocyvRk9fTGX569Ga95yDJ
vV84ZS3D1jCP3VQ1swh1Ouzd9NdP9pRGVWysTjz6N1bsZ+BMpGIyT/GpMqhfPAPx
OzzbkM2cNow8MR/PG3rFbYjQH1r6D400zSu+drHDtTzrOY2uXS2ClL0UuxUg9LcN
tUfidh9629OMVtuWqA2jwTSrc7fDdye5Ti1HZ0g5vUG5Cvab4LCcRdwh2VWT7g3T
LKUTr6AZAz0mQ/7+QNJOOykX+FJcOL99Q46NLVZzeLPWFoEBZn/BRs8O9WehYnLV
EEZtARSaUzTjssePo/O+oV4xYW5JIA1+5sKG7+xIvIaWKMbIPbdrPEPZusK/X0QR
LjdLbMUGcGzDUVNP0hGzpArIDXcWmslJKJ3YFTCg3VdeamULh12bqxw3AtliAzI9
pSTcMcVNOMWZOUl/Czc2I3t5ehWaOGr5j3D7No8mEFMCcRoQoRTNS7hKqqqKsyY4
hTxMJV9dXox5mIuDY8hLaGY9KuUFIo2AXWnr7lqIBrKGrziVAySuIpKSnzuFvz2z
q2DjPnXrFo/5W2ZVfUk0utCjyJX/NJdizKmW9PdQu4aT2BJdEgjjiW+qzPi20kZy
HgySY8kEFbI8CyM6PqD6Yb5nzA/xR1YAYRQx1pWTrE5Y0B5MTctAaPCIJQoc3nIA
GZ0Ziz0q/PX/x7ug1TnP
=srIH
-----END PGP SIGNATURE-----