tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r544699 - in /tomcat/site/trunk/docs: security-5.html security-6.html
Date Wed, 06 Jun 2007 00:55:55 GMT
Author: markt
Date: Tue Jun  5 17:55:54 2007
New Revision: 544699

URL: http://svn.apache.org/viewvc?view=rev&rev=544699
Log:
Remember to update the html as well...

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?view=diff&rev=544699&r1=544698&r2=544699
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Tue Jun  5 17:55:54 2007
@@ -350,6 +350,46 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 5.5.21, 5.0.HEAD">
+<strong>Fixed in Apache Tomcat 5.5.21, 5.0.HEAD</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+    <p>
+<strong>low: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358">
+       CVE-2007-1358</a>
+</p>
+
+    <p>Web pages that display the Accept-Language header value sent by the
+       client are susceptible to a cross-site scripting attack if they assume
+       the Accept-Language header value conforms to RFC 2616. Under normal
+       circumstances this would not be possible to exploit, however older
+       versions of Flash player were known to allow carefully crafted malicious
+       Flash files to make requests with such custom headers. Tomcat now ignores
+       invalid values for Accept-Language headers that do not conform to RFC
+       2616.</p>
+
+    <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.20</p>
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 5.5.18, 5.0.HEAD">
 <strong>Fixed in Apache Tomcat 5.5.18, 5.0.HEAD</strong>
 </a>

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?view=diff&rev=544699&r1=544698&r2=544699
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Tue Jun  5 17:55:54 2007
@@ -341,6 +341,46 @@
 </td>
 </tr>
 </table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 6.0.6">
+<strong>Fixed in Apache Tomcat 6.0.6</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+    <p>
+<strong>low: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358">
+       CVE-2007-1358</a>
+</p>
+
+    <p>Web pages that display the Accept-Language header value sent by the
+       client are susceptible to a cross-site scripting attack if they assume
+       the Accept-Language header value conforms to RFC 2616. Under normal
+       circumstances this would not be possible to exploit, however older
+       versions of Flash player were known to allow carefully crafted malicious
+       Flash files to make requests with such custom headers. Tomcat now ignores
+       invalid values for Accept-Language headers that do not conform to RFC
+       2616.</p>
+
+    <p>Affects: 6.0.0-6.0.5</p>
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
 </td>
 </tr>
 <!--FOOTER SEPARATOR-->



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message