tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r781365 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml
Date Wed, 03 Jun 2009 13:30:25 GMT
Author: markt
Date: Wed Jun  3 13:30:25 2009
New Revision: 781365

URL: http://svn.apache.org/viewvc?rev=781365&view=rev
Log:
Add CVE-2009-0033

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Wed Jun  3 13:30:25 2009
@@ -271,6 +271,25 @@
 <p>
 <blockquote>
     <p>
+<strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
+       CVE-2009-0033</a>
+</p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev">
+       revision 781362</a>.</p>
+
+    <p>Affects: 4.1.0-4.1.39</p>
+ 
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a>

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Wed Jun  3 13:30:25 2009
@@ -233,6 +233,25 @@
 <p>
 <blockquote>
     <p>
+<strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
+       CVE-2009-0033</a>
+</p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev">
+       revision 781362</a>.</p>
+
+    <p>Affects: 5.5.0-5.5.27</p>
+ 
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a>

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Jun  3 13:30:25 2009
@@ -216,8 +216,8 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 6.0.SVN">
-<strong>Fixed in Apache Tomcat 6.0.SVN</strong>
+<a name="Fixed in Apache Tomcat 6.0.20">
+<strong>Fixed in Apache Tomcat 6.0.20</strong>
 </a>
 </font>
 </td>
@@ -227,6 +227,32 @@
 <p>
 <blockquote>
     <p>
+<i>Note: These issues were fixed in Apache Tomcat 6.0.19 but the release
+       vote for that release candidate did not pass. Therefore, although users
+       must download 6.0.20 to obtain a version that includes fixes for these
+       issues, 6.0.19 is not included in the list of affected versions.</i>
+</p>
+
+    <p>
+<strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
+       CVE-2009-0033</a>
+</p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=742915&amp;view=rev">
+       revision 742915</a>.</p>
+
+    <p>Affects: 6.0.0-6.0.18</p>
+
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a>
@@ -241,7 +267,7 @@
        revision 750924</a>.</p>
 
     <p>Affects: 6.0.0-6.0.18</p>
-
+       
   </blockquote>
 </p>
 </td>

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Wed Jun  3 13:30:25 2009
@@ -44,6 +44,23 @@
   </section>
 
   <section name="Fixed in Apache Tomcat 4.1.SVN">
+    <p><strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
+       CVE-2009-0033</a></p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev">
+       revision 781362</a>.</p>
+
+    <p>Affects: 4.1.0-4.1.39</p>
+ 
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a></p>

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Wed Jun  3 13:30:25 2009
@@ -29,6 +29,23 @@
   </section>
 
   <section name="Fixed in Apache Tomcat 5.5.SVN">
+    <p><strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
+       CVE-2009-0033</a></p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev">
+       revision 781362</a>.</p>
+
+    <p>Affects: 5.5.0-5.5.27</p>
+ 
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a></p>

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Jun  3 13:30:25 2009
@@ -22,7 +22,29 @@
 
   </section>
 
-  <section name="Fixed in Apache Tomcat 6.0.SVN">
+  <section name="Fixed in Apache Tomcat 6.0.20">
+    <p><i>Note: These issues were fixed in Apache Tomcat 6.0.19 but the release
+       vote for that release candidate did not pass. Therefore, although users
+       must download 6.0.20 to obtain a version that includes fixes for these
+       issues, 6.0.19 is not included in the list of affected versions.</i></p>
+
+    <p><strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
+       CVE-2009-0033</a></p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=742915&amp;view=rev">
+       revision 742915</a>.</p>
+
+    <p>Affects: 6.0.0-6.0.18</p>
+
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a></p>
@@ -36,7 +58,7 @@
        revision 750924</a>.</p>
 
     <p>Affects: 6.0.0-6.0.18</p>
-
+       
   </section>
   
   <section name="Fixed in Apache Tomcat 6.0.18">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message