tomcat-dev mailing list archives

From ma...@apache.org
Subject svn commit: r782764 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml
Date Mon, 08 Jun 2009 20:18:40 GMT
Author: markt
Date: Mon Jun  8 20:18:40 2009
New Revision: 782764

URL: http://svn.apache.org/viewvc?rev=782764&view=rev
Log:
Add CVE-2008-5515.

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=782764&r1=782763&r2=782764&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Mon Jun  8 20:18:40 2009
@@ -271,6 +271,24 @@
 <p>
 <blockquote>
     <p>
+<strong>Important: Information Disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515">
+       CVE-2009-5515</a>
+</p>
+
+    <p>When using a RequestDispatcher obtained from the Request, the target path
+       was normalised before the query string was removed. A request that
+       included a specially crafted request parameter could be used to access
+       content that would otherwise be protected by a security constraint or by
+       locating it in under the WEB-INF directory.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=782763&amp;view=rev">
+       revision 782763</a>.</p>
+
+    <p>Affects: 4.1.0-4.1.39</p>
+
+    <p>
 <strong>Important: Denial of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
        CVE-2009-0033</a>
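Review bot: the CVE identifier in the new entry contradicts the commit log. The log says "Add CVE-2008-5515." but both the link target (`cvename.cgi?name=CVE-2009-5515`) and the link text read `CVE-2009-5515`, so the published advisory would point at a different CVE record than the one the commit claims to add; one of the two needs correcting before this goes live. Also, "by locating it in under the WEB-INF directory" has a stray "in" ("by locating it under the WEB-INF directory"). Since docs/security-4.html is generated from xdocs/security-4.xml, fix the xdocs source and regenerate rather than patching the HTML by hand.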

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=782764&r1=782763&r2=782764&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Jun  8 20:18:40 2009
@@ -233,6 +233,24 @@
 <p>
 <blockquote>
     <p>
+<strong>Important: Information Disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515">
+       CVE-2009-5515</a>
+</p>
+
+    <p>When using a RequestDispatcher obtained from the Request, the target path
+       was normalised before the query string was removed. A request that
+       included a specially crafted request parameter could be used to access
+       content that would otherwise be protected by a security constraint or by
+       locating it in under the WEB-INF directory.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=782757&amp;view=rev">
+       revision 782757</a>.</p>
+
+    <p>Affects: 5.5.0-5.5.27</p>
+
+    <p>
 <strong>Important: Denial of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
        CVE-2009-0033</a>
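Review bot: same identifier mismatch as in security-4.html: the hunk adds `CVE-2009-5515` in both the href and the visible text while the commit log names CVE-2008-5515. The fix revision (782757) and the affected range (5.5.0-5.5.27) are internally consistent with the other files, so the identifier is the only thing that looks wrong here, apart from the "in under the WEB-INF directory" wording. Regenerate this file from xdocs/security-5.xml once the source entry is corrected.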

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=782764&r1=782763&r2=782764&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Jun  8 20:18:40 2009
@@ -234,6 +234,24 @@
 </p>
 
     <p>
+<strong>Important: Information Disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515">
+       CVE-2009-5515</a>
+</p>
+
+    <p>When using a RequestDispatcher obtained from the Request, the target path
+       was normalised before the query string was removed. A request that
+       included a specially crafted request parameter could be used to access
+       content that would otherwise be protected by a security constraint or by
+       locating it in under the WEB-INF directory.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=734734&amp;view=rev">
+       revision 734734</a>.</p>
+
+    <p>Affects: 6.0.0-6.0.18</p>
+
+    <p>
 <strong>Important: Denial of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
        CVE-2009-0033</a>
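Review bot: the identifier `CVE-2009-5515` in this entry (href and text) does not match the commit log's CVE-2008-5515; please reconcile before publishing. Note also that the fix revision cited here, 734734, is far earlier than the 5.5 and 4.1 fix revisions (782757 and 782763) added in the sibling files, which is fine if 6.0 was fixed first, but worth a sanity check that 734734 is the intended revision and not a stale copy from another entry. The "in under the WEB-INF directory" wording should lose the "in".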
@@ -267,7 +285,7 @@
        <a href="http://svn.apache.org/viewvc?rev=747840&amp;view=rev">
        revision 747840</a>.</p>
 
-    <p>Affects: 6.0.0-6.0.18 (MemoryRealm)</p>
+    <p>Affects: 6.0.0-6.0.18</p>
        
     <p>
 <strong>low: Cross-site scripting</strong>
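Review bot: dropping the "(MemoryRealm)" qualifier from the Affects line of the revision 747840 entry widens that advisory's scope from one realm implementation to all 6.0.0-6.0.18 installations, and nothing in the commit log ("Add CVE-2008-5515.") explains or even mentions this. Either state in the log why the qualifier was wrong, or split this into its own commit so the change to an existing advisory is traceable separately from the new entry.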

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=782764&r1=782763&r2=782764&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Mon Jun  8 20:18:40 2009
@@ -44,6 +44,22 @@
   </section>
 
   <section name="Fixed in Apache Tomcat 4.1.SVN">
+    <p><strong>Important: Information Disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515">
+       CVE-2009-5515</a></p>
+
+    <p>When using a RequestDispatcher obtained from the Request, the target path
+       was normalised before the query string was removed. A request that
+       included a specially crafted request parameter could be used to access
+       content that would otherwise be protected by a security constraint or by
+       locating it in under the WEB-INF directory.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=782763&amp;view=rev">
+       revision 782763</a>.</p>
+
+    <p>Affects: 4.1.0-4.1.39</p>
+
     <p><strong>Important: Denial of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
        CVE-2009-0033</a></p>
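Review bot: this is the source file for security-4.html, so the identifier error should be fixed here: both the `cvename.cgi?name=CVE-2009-5515` href and the `CVE-2009-5515` link text disagree with the commit log's CVE-2008-5515. While editing, change "by locating it in under the WEB-INF directory" to "by locating it under the WEB-INF directory", then regenerate the HTML so the two stay in sync.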

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=782764&r1=782763&r2=782764&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Jun  8 20:18:40 2009
@@ -29,6 +29,22 @@
   </section>
 
   <section name="Fixed in Apache Tomcat 5.5.SVN">
+    <p><strong>Important: Information Disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515">
+       CVE-2009-5515</a></p>
+
+    <p>When using a RequestDispatcher obtained from the Request, the target path
+       was normalised before the query string was removed. A request that
+       included a specially crafted request parameter could be used to access
+       content that would otherwise be protected by a security constraint or by
+       locating it in under the WEB-INF directory.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=782757&amp;view=rev">
+       revision 782757</a>.</p>
+
+    <p>Affects: 5.5.0-5.5.27</p>
+
     <p><strong>Important: Denial of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
        CVE-2009-0033</a></p>
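Review bot: the `CVE-2009-5515` identifier (href and text) in this xdocs entry conflicts with the commit log's CVE-2008-5515; fix it here and regenerate security-5.html rather than editing the generated file. The description paragraph is copied verbatim across the 4.1, 5.5 and 6.0 entries, so the "in under the WEB-INF directory" typo should be corrected in all three at once.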

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=782764&r1=782763&r2=782764&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Jun  8 20:18:40 2009
@@ -28,6 +28,22 @@
        must download 6.0.20 to obtain a version that includes fixes for these
        issues, 6.0.19 is not included in the list of affected versions.</i></p>
 
+    <p><strong>Important: Information Disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515">
+       CVE-2009-5515</a></p>
+
+    <p>When using a RequestDispatcher obtained from the Request, the target path
+       was normalised before the query string was removed. A request that
+       included a specially crafted request parameter could be used to access
+       content that would otherwise be protected by a security constraint or by
+       locating it in under the WEB-INF directory.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=734734&amp;view=rev">
+       revision 734734</a>.</p>
+
+    <p>Affects: 6.0.0-6.0.18</p>
+
     <p><strong>Important: Denial of Service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
        CVE-2009-0033</a></p>
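Review bot: as in the other xdocs files, the identifier `CVE-2009-5515` in this entry does not match the commit log's CVE-2008-5515 and needs to be reconciled. The Affects line (6.0.0-6.0.18) is consistent with the italic note just above the entry, which says the fix ships in 6.0.20 and that 6.0.19 is deliberately omitted from affected lists, so no change is needed there. Correct the "in under the WEB-INF directory" wording in the same edit.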
@@ -58,7 +74,7 @@
        <a href="http://svn.apache.org/viewvc?rev=747840&amp;view=rev">
        revision 747840</a>.</p>
 
-    <p>Affects: 6.0.0-6.0.18 (MemoryRealm)</p>
+    <p>Affects: 6.0.0-6.0.18</p>
        
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
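Review bot: removing "(MemoryRealm)" from the Affects line of the revision 747840 entry is an unrelated change to an existing advisory and is not covered by the commit log, which only says "Add CVE-2008-5515." If the qualifier was inaccurate, say so in the log (or in a separate commit) so readers comparing revisions of the page can see why the affected scope changed.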


