Return-Path: Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: (qmail 54010 invoked from network); 3 Jun 2009 13:30:47 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 3 Jun 2009 13:30:47 -0000 Received: (qmail 31185 invoked by uid 500); 3 Jun 2009 13:30:58 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 31091 invoked by uid 500); 3 Jun 2009 13:30:58 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 31080 invoked by uid 99); 3 Jun 2009 13:30:58 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jun 2009 13:30:58 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jun 2009 13:30:47 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 4506A2388874; Wed, 3 Jun 2009 13:30:26 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r781365 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml Date: Wed, 03 Jun 2009 13:30:25 -0000 To: dev@tomcat.apache.org From: markt@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20090603133026.4506A2388874@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: markt Date: Wed Jun 3 13:30:25 2009 New Revision: 781365 URL: http://svn.apache.org/viewvc?rev=781365&view=rev Log: Add CVE-2009-0033 Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-4.xml tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-4.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-4.html (original) +++ tomcat/site/trunk/docs/security-4.html Wed Jun 3 13:30:25 2009 @@ -271,6 +271,25 @@

+Important: Denial of Service + + CVE-2009-0033 +

+ +

If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.

+ +

This was fixed in + + revision 781362.

+ +

Affects: 4.1.0-4.1.39

+ +

low: Cross-site scripting CVE-2009-0781 Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Wed Jun 3 13:30:25 2009 @@ -233,6 +233,25 @@

+Important: Denial of Service + + CVE-2009-0033 +

+ +

If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.

+ +

This was fixed in + + revision 781362.

+ +

Affects: 5.5.0-5.5.27

+ +

low: Cross-site scripting CVE-2009-0781 Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Wed Jun 3 13:30:25 2009 @@ -216,8 +216,8 @@ - -Fixed in Apache Tomcat 6.0.SVN + +Fixed in Apache Tomcat 6.0.20 @@ -227,6 +227,32 @@

+Note: These issues were fixed in Apache Tomcat 6.0.19 but the release + vote for that release candidate did not pass. Therefore, although users + must download 6.0.20 to obtain a version that includes fixes for these + issues, 6.0.19 is not included in the list of affected versions. +

+ +

+Important: Denial of Service + + CVE-2009-0033 +

+ +

If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.

+ +

This was fixed in + + revision 742915.

+ +

Affects: 6.0.0-6.0.18

+ +

low: Cross-site scripting CVE-2009-0781 @@ -241,7 +267,7 @@ revision 750924.

Affects: 6.0.0-6.0.18

- +

Modified: tomcat/site/trunk/xdocs/security-4.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-4.xml (original) +++ tomcat/site/trunk/xdocs/security-4.xml Wed Jun 3 13:30:25 2009 @@ -44,6 +44,23 @@
+

Important: Denial of Service + + CVE-2009-0033

+ +

If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.

+ +

This was fixed in + + revision 781362.

+ +

Affects: 4.1.0-4.1.39

+

low: Cross-site scripting CVE-2009-0781

Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Wed Jun 3 13:30:25 2009 @@ -29,6 +29,23 @@
+

Important: Denial of Service + + CVE-2009-0033

+ +

If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.

+ +

This was fixed in + + revision 781362.

+ +

Affects: 5.5.0-5.5.27

+

low: Cross-site scripting CVE-2009-0781

Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Wed Jun 3 13:30:25 2009 @@ -22,7 +22,29 @@
-
+
+

Note: These issues were fixed in Apache Tomcat 6.0.19 but the release + vote for that release candidate did not pass. Therefore, although users + must download 6.0.20 to obtain a version that includes fixes for these + issues, 6.0.19 is not included in the list of affected versions.

+ +

Important: Denial of Service + + CVE-2009-0033

+ +

If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.

+ +

This was fixed in + + revision 742915.

+ +

Affects: 6.0.0-6.0.18

+

low: Cross-site scripting CVE-2009-0781

@@ -36,7 +58,7 @@ revision 750924.

Affects: 6.0.0-6.0.18

- +
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org