tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r781388 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml
Date Wed, 03 Jun 2009 14:10:45 GMT
Author: markt
Date: Wed Jun  3 14:10:45 2009
New Revision: 781388

URL: http://svn.apache.org/viewvc?rev=781388&view=rev
Log:
Add CVE-2009-0580

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Wed Jun  3 14:10:45 2009
@@ -290,6 +290,24 @@
     <p>Affects: 4.1.0-4.1.39</p>
  
     <p>
+<strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">
+       CVE-2009-0580</a>
+</p>
+
+    <p>Due to insufficient error checking in some authentication classes, Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781382&amp;view=rev">
+       revision 781382</a>.</p>
+
+    <p>Affects: 4.1.0-4.1.39</p>
+       
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a>

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Wed Jun  3 14:10:45 2009
@@ -252,6 +252,24 @@
     <p>Affects: 5.5.0-5.5.27</p>
  
     <p>
+<strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">
+       CVE-2009-0580</a>
+</p>
+
+    <p>Due to insufficient error checking in some authentication classes, Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781379&amp;view=rev">
+       revision 781379</a>.</p>
+
+    <p>Affects: 5.5.0-5.5.27</p>
+       
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a>

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Jun  3 14:10:45 2009
@@ -253,6 +253,24 @@
     <p>Affects: 6.0.0-6.0.18</p>
 
     <p>
+<strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">
+       CVE-2009-0580</a>
+</p>
+
+    <p>Due to insufficient error checking in some authentication classes, Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=747840&amp;view=rev">
+       revision 747840</a>.</p>
+
+    <p>Affects: 6.0.0-6.0.18</p>
+       
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a>

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Wed Jun  3 14:10:45 2009
@@ -61,6 +61,22 @@
 
     <p>Affects: 4.1.0-4.1.39</p>
  
+    <p><strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">
+       CVE-2009-0580</a></p>
+
+    <p>Due to insufficient error checking in some authentication classes, Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781382&amp;view=rev">
+       revision 781382</a>.</p>
+
+    <p>Affects: 4.1.0-4.1.39</p>
+       
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a></p>

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Wed Jun  3 14:10:45 2009
@@ -46,6 +46,22 @@
 
     <p>Affects: 5.5.0-5.5.27</p>
  
+    <p><strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">
+       CVE-2009-0580</a></p>
+
+    <p>Due to insufficient error checking in some authentication classes, Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781379&amp;view=rev">
+       revision 781379</a>.</p>
+
+    <p>Affects: 5.5.0-5.5.27</p>
+       
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a></p>

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Jun  3 14:10:45 2009
@@ -45,6 +45,22 @@
 
     <p>Affects: 6.0.0-6.0.18</p>
 
+    <p><strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">
+       CVE-2009-0580</a></p>
+
+    <p>Due to insufficient error checking in some authentication classes, Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=747840&amp;view=rev">
+       revision 747840</a>.</p>
+
+    <p>Affects: 6.0.0-6.0.18</p>
+       
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
        CVE-2009-0781</a></p>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message