tomcat-dev mailing list archives

From ma...@apache.org
Subject svn commit: r782559 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml
Date Mon, 08 Jun 2009 08:39:27 GMT
Author: markt
Date: Mon Jun  8 08:39:25 2009
New Revision: 782559

URL: http://svn.apache.org/viewvc?rev=782559&view=rev
Log:
Update CVE-2009-0580

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Mon Jun  8 08:39:25 2009
@@ -298,14 +298,16 @@
     <p>Due to insufficient error checking in some authentication classes, Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the MemoryRealm.
+       Note that in early versions, the DataSourceRealm and JDBCRealm were also
+       affected.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=781382&amp;view=rev">
        revision 781382</a>.</p>
 
-    <p>Affects: 4.1.0-4.1.39</p>
+    <p>Affects: 4.1.0-4.1.39 (Memory Realm), 4.1.0-4.1.31 (JDBC Realm),
+                4.1.17-4.1.31 (DataSource Realm)</p>
        
     <p>
 <strong>low: Cross-site scripting</strong>
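
Review bot: The unchanged "This was fixed in revision 781382" paragraph no longer matches the new Affects line. The Memory Realm range runs to 4.1.39 while the JDBC Realm and DataSource Realm ranges stop at 4.1.31, so one fix revision cannot describe all three. Suggest qualifying the sentence to say which realm revision 781382 covers, and stating separately where the JDBC and DataSource realms were fixed.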

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Jun  8 08:39:25 2009
@@ -260,14 +260,16 @@
     <p>Due to insufficient error checking in some authentication classes, Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the MemoryRealm.
+       Note that in early versions, the DataSourceRealm and JDBCRealm were also
+       affected.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=781379&amp;view=rev">
        revision 781379</a>.</p>
 
-    <p>Affects: 5.5.0-5.5.27</p>
+    <p>Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC
+       Realms)</p>
        
     <p>
 <strong>low: Cross-site scripting</strong>
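
Review bot: "Note that in early versions" in the added description is vague where the new Affects line is exact (5.5.0-5.5.5 for the DataSource and JDBC Realms). Suggest putting the range in the sentence or pointing to the Affects line, so a reader who only skims the description does not have to guess what "early" means.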

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Jun  8 08:39:25 2009
@@ -261,14 +261,13 @@
     <p>Due to insufficient error checking in some authentication classes, Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the MemoryRealm.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=747840&amp;view=rev">
        revision 747840</a>.</p>
 
-    <p>Affects: 6.0.0-6.0.18</p>
+    <p>Affects: 6.0.0-6.0.18 (MemoryRealm), 6.0.0-</p>
        
     <p>
 <strong>low: Cross-site scripting</strong>
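
Review bot: The new Affects line ends with an open range that has no upper bound and no realm: "Affects: 6.0.0-6.0.18 (MemoryRealm), 6.0.0-". Either complete the second range and name the realm it applies to, or drop the trailing ", 6.0.0-" before this is published, since a reader checking whether a 6.0.x install is affected cannot interpret it as written.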

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Mon Jun  8 08:39:25 2009
@@ -68,14 +68,16 @@
     <p>Due to insufficient error checking in some authentication classes, Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the MemoryRealm.
+       Note that in early versions, the DataSourceRealm and JDBCRealm were also
+       affected.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=781382&amp;view=rev">
        revision 781382</a>.</p>
 
-    <p>Affects: 4.1.0-4.1.39</p>
+    <p>Affects: 4.1.0-4.1.39 (Memory Realm), 4.1.0-4.1.31 (JDBC Realm),
+                4.1.17-4.1.31 (DataSource Realm)</p>
        
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
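
Review bot: The added text names the same classes two ways. The description uses MemoryRealm, DataSourceRealm and JDBCRealm, while the Affects line uses "Memory Realm", "JDBC Realm" and "DataSource Realm". Suggest using the class names in both places so the entry can be found by searching for the realm name. The continuation line of the Affects paragraph is also indented much deeper than the surrounding paragraphs.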

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Jun  8 08:39:25 2009
@@ -53,14 +53,16 @@
     <p>Due to insufficient error checking in some authentication classes, Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the MemoryRealm.
+       Note that in early versions, the DataSourceRealm and JDBCRealm were also
+       affected.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=781379&amp;view=rev">
        revision 781379</a>.</p>
 
-    <p>Affects: 5.5.0-5.5.27</p>
+    <p>Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC
+       Realms)</p>
        
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
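
Review bot: The context line "This was fixed in revision 781379" now follows an Affects line with two different end points (5.5.27 for the Memory Realm, 5.5.5 for the DataSource and JDBC Realms), so it is unclear which realm that revision fixed. Suggest stating which realm 781379 covers.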

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Jun  8 08:39:25 2009
@@ -52,14 +52,13 @@
     <p>Due to insufficient error checking in some authentication classes, Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the MemoryRealm.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=747840&amp;view=rev">
        revision 747840</a>.</p>
 
-    <p>Affects: 6.0.0-6.0.18</p>
+    <p>Affects: 6.0.0-6.0.18 (MemoryRealm), 6.0.0-</p>
        
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
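
Review bot: The Affects line here carries the same unfinished ", 6.0.0-" as docs/security-6.html, and the description in this hunk names only the MemoryRealm, with no counterpart to the "in early versions" sentence added for 4.x and 5.x. If 6.0.x releases were affected through another realm, add that realm and the upper bound to both the description and the Affects line; otherwise remove the trailing range.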



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

