tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r936542 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html xdocs/security-5.xml xdocs/security-6.xml
Date Wed, 21 Apr 2010 22:15:47 GMT
Author: markt
Date: Wed Apr 21 22:15:46 2010
New Revision: 936542

URL: http://svn.apache.org/viewvc?rev=936542&view=rev
Log:
Add CVE-2010-1157

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=936542&r1=936541&r2=936542&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Wed Apr 21 22:15:46 2010
@@ -192,6 +192,9 @@
 <a href="#Apache Tomcat 5.x vulnerabilities">Apache Tomcat 5.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed in subversion for Apache Tomcat 5.5.x">Fixed in subversion for Apache
Tomcat 5.5.x</a>
+</li>
+<li>
 <a href="#Fixed in Apache Tomcat 5.5.29">Fixed in Apache Tomcat 5.5.29</a>
 </li>
 <li>
@@ -302,6 +305,56 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in subversion for Apache Tomcat 5.5.x">
+<strong>Fixed in subversion for Apache Tomcat 5.5.x</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+  
+    <p>
+<i>Note: These issues will be fixed in 5.5.30 but that version has not
+       yet been released.</i>
+</p>
+
+    <p>
+<strong>Low: Information disclosure in authentication headers</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157">
+       CVE-2010-1157</a>
+</p>
+
+    <p>The <code>WWW-Authenticate</code> HTTP header for BASIC and DIGEST
+       authentication includes a realm name. If a
+       <code>&lt;realm-name&gt;</code> element is specified for the application
+       in web.xml it will be used. However, a <code>&lt;realm-name&gt;</code>
+       is not specified then Tomcat will generate realm name using the code
+       snippet <code>request.getServerName() + ":" +
+       request.getServerPort()</code>. In some circumstances this can expose
+       the local host name or IP address of the machine running Tomcat.
+    </p>
+       
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=936541&amp;view=rev">
+       revision 936541</a>.</p>
+       
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 5.5.29">
 <strong>Fixed in Apache Tomcat 5.5.29</strong>
 </a>

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=936542&r1=936541&r2=936542&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Apr 21 22:15:46 2010
@@ -192,6 +192,9 @@
 <a href="#Apache Tomcat 6.x vulnerabilities">Apache Tomcat 6.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed in subversion for Apache Tomcat 6.0.x">Fixed in subversion for Apache
Tomcat 6.0.x</a>
+</li>
+<li>
 <a href="#Fixed in Apache Tomcat 6.0.24">Fixed in Apache Tomcat 6.0.24</a>
 </li>
 <li>
@@ -275,6 +278,56 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in subversion for Apache Tomcat 6.0.x">
+<strong>Fixed in subversion for Apache Tomcat 6.0.x</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+  
+    <p>
+<i>Note: These issues will be fixed in 6.0.27 but that version has not
+       yet been released.</i>
+</p>
+
+    <p>
+<strong>Low: Information disclosure in authentication headers</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157">
+       CVE-2010-1157</a>
+</p>
+
+    <p>The <code>WWW-Authenticate</code> HTTP header for BASIC and DIGEST
+       authentication includes a realm name. If a
+       <code>&lt;realm-name&gt;</code> element is specified for the application
+       in web.xml it will be used. However, a <code>&lt;realm-name&gt;</code>
+       is not specified then Tomcat will generate realm name using the code
+       snippet <code>request.getServerName() + ":" +
+       request.getServerPort()</code>. In some circumstances this can expose
+       the local host name or IP address of the machine running Tomcat.
+    </p>
+       
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=936540&amp;view=rev">
+       revision 936540</a>.</p>
+       
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.24">
 <strong>Fixed in Apache Tomcat 6.0.24</strong>
 </a>

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=936542&r1=936541&r2=936542&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Wed Apr 21 22:15:46 2010
@@ -46,6 +46,31 @@
   </section>
  -->
 
+  <section name="Fixed in subversion for Apache Tomcat 5.5.x">
+  
+    <p><i>Note: These issues will be fixed in 5.5.30 but that version has not
+       yet been released.</i></p>
+
+    <p><strong>Low: Information disclosure in authentication headers</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157">
+       CVE-2010-1157</a></p>
+
+    <p>The <code>WWW-Authenticate</code> HTTP header for BASIC and DIGEST
+       authentication includes a realm name. If a
+       <code>&lt;realm-name&gt;</code> element is specified for the application
+       in web.xml it will be used. However, a <code>&lt;realm-name&gt;</code>
+       is not specified then Tomcat will generate realm name using the code
+       snippet <code>request.getServerName() + ":" +
+       request.getServerPort()</code>. In some circumstances this can expose
+       the local host name or IP address of the machine running Tomcat.
+    </p>
+       
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=936541&amp;view=rev">
+       revision 936541</a>.</p>
+       
+  </section>
+
   <section name="Fixed in Apache Tomcat 5.5.29">
   
     <p><strong>Low: Arbitrary file deletion and/or alteration on deploy</strong>

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=936542&r1=936541&r2=936542&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Apr 21 22:15:46 2010
@@ -30,6 +30,31 @@
 
   </section>
 
+  <section name="Fixed in subversion for Apache Tomcat 6.0.x">
+  
+    <p><i>Note: These issues will be fixed in 6.0.27 but that version has not
+       yet been released.</i></p>
+
+    <p><strong>Low: Information disclosure in authentication headers</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157">
+       CVE-2010-1157</a></p>
+
+    <p>The <code>WWW-Authenticate</code> HTTP header for BASIC and DIGEST
+       authentication includes a realm name. If a
+       <code>&lt;realm-name&gt;</code> element is specified for the application
+       in web.xml it will be used. However, a <code>&lt;realm-name&gt;</code>
+       is not specified then Tomcat will generate realm name using the code
+       snippet <code>request.getServerName() + ":" +
+       request.getServerPort()</code>. In some circumstances this can expose
+       the local host name or IP address of the machine running Tomcat.
+    </p>
+       
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=936540&amp;view=rev">
+       revision 936540</a>.</p>
+       
+  </section>
+
   <section name="Fixed in Apache Tomcat 6.0.24">
       <p><i>Note: These issues were fixed in Apache Tomcat 6.0.21 but the
          release votes for the 6.0.21, 6.0.22 and 6.0.23 release candidates did



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message