Subject: svn commit: r527748 - in /tomcat/site/trunk: docs/security-4.html xdocs/security-4.xml
Date: Thu, 12 Apr 2007 01:54:28 -0000
To: tomcat-dev@jakarta.apache.org
From: markt@apache.org X-Mailer: svnmailer-1.1.0 Message-Id: <20070412015428.B72551A9838@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: markt Date: Wed Apr 11 18:54:27 2007 New Revision: 527748 URL: http://svn.apache.org/viewvc?view=rev&rev=527748 Log: A couple of issues from the security list archives. Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/xdocs/security-4.xml Modified: tomcat/site/trunk/docs/security-4.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?view=diff&rev=527748&r1=527747&r2=527748 ============================================================================== --- tomcat/site/trunk/docs/security-4.html (original) +++ tomcat/site/trunk/docs/security-4.html Wed Apr 11 18:54:27 2007 @@ -211,6 +211,45 @@ + +Not fixed in Apache Tomcat 4.1.x + + + + + + +

+

+

+moderate: Information disclosure + + CVE-2005-4836 +

+ +

The deprecated HTTP/1.1 connector does not reject request URIs containing + null bytes when used with contexts that are configured with + allowLinking="true". Failure to reject the null byte enables an attacker + to obtain the source for any JSP page in these contexts. Users of Tomcat + 4.1.x are advised to use the default, supported Coyote HTTP/1.1 connector + which does not exhibit this issue. There are no plans to issue an update + to Tomcat 4.1.x for this issue.

+ +

Affects: 4.1.15-4.1.HEAD

+
+

+ + + + +
+ + + + + +
+ Fixed in Apache Tomcat 4.1.36 @@ -270,6 +309,23 @@ they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.

+ +

Affects: 4.0.0-4.0.6, 4.1.0-4.1.34

+ +

+low: Cross-site scripting + + CVE-2007-1358 +

+ +

Web pages that display the Accept-Language header value sent by the + client are susceptible to a cross-site scripting attack if they assume + the Accept-Language header value conforms to RFC 2616. Under normal + circumstances this would not be possible to exploit, however older + versions of Flash player were known to allow carefully crafted malicious + Flash files to make requests with such custom headers. Tomcat now ignores + invalid values for Accept-Language headers that do not conform to RFC + 2616.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.34

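Review bot: the CVE-2007-1358 entry in the @@ -270,6 +309,23 @@ hunk says "Tomcat now ignores invalid values for Accept-Language headers" without saying which API that protects; if the non-conforming value is dropped only from the parsed locales (getLocale()/getLocales()) but is still returned verbatim by getHeader("Accept-Language"), a page that echoes the raw header remains exposed and the advice to readers changes accordingly. Suggest stating the scope explicitly, for example "The invalid value is not returned by getLocale() or getLocales(); applications that output the raw header via getHeader() must still escape it." Also, the Affects line lists 4.0.0-4.0.6 under a "Fixed in Apache Tomcat 4.1.36" heading but names no fixed 4.0 release; add a sentence telling 4.0.x users whether upgrading to 4.1.36 is the only remedy.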
Modified: tomcat/site/trunk/xdocs/security-4.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?view=diff&rev=527748&r1=527747&r2=527748 ============================================================================== --- tomcat/site/trunk/xdocs/security-4.xml (original) +++ tomcat/site/trunk/xdocs/security-4.xml Wed Apr 11 18:54:27 2007 @@ -24,6 +24,22 @@ +
+

moderate: Information disclosure + + CVE-2005-4836

+ +

The deprecated HTTP/1.1 connector does not reject request URIs containing + null bytes when used with contexts that are configured with + allowLinking="true". Failure to reject the null byte enables an attacker + to obtain the source for any JSP page in these contexts. Users of Tomcat + 4.1.x are advised to use the default, supported Coyote HTTP/1.1 connector + which does not exhibit this issue. There are no plans to issue an update + to Tomcat 4.1.x for this issue.

+ +

Affects: 4.1.15-4.1.HEAD

+
+

important: Information disclosure @@ -70,6 +86,21 @@ they are in proxy servers, Tomcat should always be secured as if no proxy restricting context access was used.

+ +

Affects: 4.0.0-4.0.6, 4.1.0-4.1.34

+ +

low: Cross-site scripting + + CVE-2007-1358

+ +

Web pages that display the Accept-Language header value sent by the + client are susceptible to a cross-site scripting attack if they assume + the Accept-Language header value conforms to RFC 2616. Under normal + circumstances this would not be possible to exploit, however older + versions of Flash player were known to allow carefully crafted malicious + Flash files to make requests with such custom headers. Tomcat now ignores + invalid values for Accept-Language headers that do not conform to RFC + 2616.

Affects: 4.0.0-4.0.6, 4.1.0-4.1.34

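Review bot: in the CVE-2005-4836 entry (the @@ -24,6 +24,22 @@ hunk here, and the identical text added to docs/security-4.html above) the only mitigation offered is switching to the Coyote connector, yet the entry's own precondition implies a second one: the null byte is exploitable only "when used with contexts that are configured with allowLinking="true"", so a sentence such as "Contexts that do not set allowLinking="true" are not affected" would let readers who cannot change connectors confirm they are safe. The entry also identifies "the deprecated HTTP/1.1 connector" by description only; quoting the className value that identifies it in server.xml would let readers verify which connector they run instead of guessing. Finally, the same paragraph is now maintained by hand in both the xdocs source and the generated html; if the html is built from the xdocs, only the xml should need editing, and the two copies will otherwise drift.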