tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r544698 - in /tomcat/site/trunk/xdocs: security-5.xml security-6.xml
Date Wed, 06 Jun 2007 00:54:16 GMT
Author: markt
Date: Tue Jun  5 17:54:15 2007
New Revision: 544698

URL: http://svn.apache.org/viewvc?view=rev&rev=544698
Log:
Add details for CVE-2007-1358 to TC5 and TC6.

Modified:
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?view=diff&rev=544698&r1=544697&r2=544698
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Tue Jun  5 17:54:15 2007
@@ -94,6 +94,23 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.21</p>
   </section>
 
+  <section name="Fixed in Apache Tomcat 5.5.21, 5.0.HEAD">
+    <p><strong>low: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358">
+       CVE-2007-1358</a></p>
+
+    <p>Web pages that display the Accept-Language header value sent by the
+       client are susceptible to a cross-site scripting attack if they assume
+       the Accept-Language header value conforms to RFC 2616. Under normal
+       circumstances this would not be possible to exploit, however older
+       versions of Flash player were known to allow carefully crafted malicious
+       Flash files to make requests with such custom headers. Tomcat now ignores
+       invalid values for Accept-Language headers that do not conform to RFC
+       2616.</p>
+
+    <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.20</p>
+  </section>
+
   <section name="Fixed in Apache Tomcat 5.5.18, 5.0.HEAD">
     <p><strong>moderate: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195">

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?view=diff&rev=544698&r1=544697&r2=544698
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Tue Jun  5 17:54:15 2007
@@ -89,6 +89,23 @@
     <p>Affects: 6.0.0-6.0.9</p>
   </section>
 
+  <section name="Fixed in Apache Tomcat 6.0.6">
+    <p><strong>low: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358">
+       CVE-2007-1358</a></p>
+
+    <p>Web pages that display the Accept-Language header value sent by the
+       client are susceptible to a cross-site scripting attack if they assume
+       the Accept-Language header value conforms to RFC 2616. Under normal
+       circumstances this would not be possible to exploit, however older
+       versions of Flash player were known to allow carefully crafted malicious
+       Flash files to make requests with such custom headers. Tomcat now ignores
+       invalid values for Accept-Language headers that do not conform to RFC
+       2616.</p>
+
+    <p>Affects: 6.0.0-6.0.5</p>
+  </section>
+
 </body>
 </document>
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message