tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1089538 - in /tomcat/site/trunk: docs/index.html docs/security-7.html xdocs/index.xml xdocs/security-7.xml
Date Wed, 06 Apr 2011 17:12:41 GMT
Author: markt
Date: Wed Apr  6 17:12:41 2011
New Revision: 1089538

URL: http://svn.apache.org/viewvc?rev=1089538&view=rev
Log:
Prep website ready for announcements

Modified:
    tomcat/site/trunk/docs/index.html
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/index.xml
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/index.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1089538&r1=1089537&r2=1089538&view=diff
==============================================================================
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Wed Apr  6 17:12:41 2011
@@ -266,8 +266,8 @@ project logo are trademarks of the Apach
 <blockquote>
 <p>
 The Apache Tomcat Project is proud to announce the release of version 7.0.12 of
-Apache Tomcat. This release includes bug fixes and the following new features
-compared to version 7.0.11:
+Apache Tomcat. This release includes bug fixes, security fixes and the following
+new features compared to version 7.0.11:
 <ul>
 <li>initial support for SPNEGO/Kerberos authentication (also referred to as
     Windows authentication);</li>

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1089538&r1=1089537&r2=1089538&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed Apr  6 17:12:41 2011
@@ -215,6 +215,9 @@
 <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.12_(released_6_Apr_2011)">Fixed in Apache Tomcat
7.0.12 (released 6 Apr 2011)</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_7.0.11_(released_11_Mar_2011)">Fixed in Apache Tomcat
7.0.11 (released 11 Mar 2011)</a>
 </li>
 <li>
@@ -287,6 +290,79 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 7.0.12 (released 6 Apr 2011)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_7.0.12_(released_6_Apr_2011)">
+<strong>Fixed in Apache Tomcat 7.0.12 (released 6 Apr 2011)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+    <p>
+<strong>Important: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475">
+       CVE-2011-1475</a>
+</p>
+
+    <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
+       asynchronous requests did not fully account for HTTP pipelining. As a
+       result, when using HTTP pipelining a range of unexpected behaviours
+       occurred including the mixing up of responses between requests. While
+       the mix-up in responses was only observed between requests from the same
+       user, a mix-up of responses for requests from different users may also be
+       possible.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1086349&amp;view=rev">
+       revision 1086349</a> and
+       <a href="http://svn.apache.org/viewvc?rev=1086352&amp;view=rev">
+       revision 1086352</a>. (Note: HTTP pipelined requests are still likely to
+       fail with the HTTP BIO connector but will do so in a secure manner.)</p>
+
+    <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
+       2011.</p>
+
+    <p>Affects: 7.0.10</p>
+
+    <p>
+<strong>Important: Security constraint bypass</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183">
+       CVE-2011-1183</a>
+</p>
+
+    <p>A regression in the fix for CVE-2011-1088 meant that security constraints
+       were ignored when no login configuration was present in the web.xml and
+       the web application was marked as meta-data complete.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1087643&amp;view=rev">
+       revision 1087643</a>.</p>
+
+    <p>This was identified by the Tomcat security team on 17 March 2011 and
+       made public on 6 April 2011.</p>
+
+    <p>Affects: 7.0.10</p>
+
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 7.0.11 (released 11 Mar 2011)">
 <!--()-->
 </a>

Modified: tomcat/site/trunk/xdocs/index.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/index.xml?rev=1089538&r1=1089537&r2=1089538&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/index.xml (original)
+++ tomcat/site/trunk/xdocs/index.xml Wed Apr  6 17:12:41 2011
@@ -36,8 +36,8 @@ project logo are trademarks of the Apach
 <section name="Tomcat 7.0.12 Released" rtext="2011-04-06">
 <p>
 The Apache Tomcat Project is proud to announce the release of version 7.0.12 of
-Apache Tomcat. This release includes bug fixes and the following new features
-compared to version 7.0.11:
+Apache Tomcat. This release includes bug fixes, security fixes and the following
+new features compared to version 7.0.11:
 <ul>
 <li>initial support for SPNEGO/Kerberos authentication (also referred to as
     Windows authentication);</li>

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1089538&r1=1089537&r2=1089538&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed Apr  6 17:12:41 2011
@@ -25,6 +25,51 @@
        <a href="mailto:security@tomcat.apache.org">Tomcat Security Team</a>.</p>
   </section>
 
+  <section name="Fixed in Apache Tomcat 7.0.12 (released 6 Apr 2011)">
+
+    <p><strong>Important: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475">
+       CVE-2011-1475</a></p>
+
+    <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
+       asynchronous requests did not fully account for HTTP pipelining. As a
+       result, when using HTTP pipelining a range of unexpected behaviours
+       occurred including the mixing up of responses between requests. While
+       the mix-up in responses was only observed between requests from the same
+       user, a mix-up of responses for requests from different users may also be
+       possible.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1086349&amp;view=rev">
+       revision 1086349</a> and
+       <a href="http://svn.apache.org/viewvc?rev=1086352&amp;view=rev">
+       revision 1086352</a>. (Note: HTTP pipelined requests are still likely to
+       fail with the HTTP BIO connector but will do so in a secure manner.)</p>
+
+    <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
+       2011.</p>
+
+    <p>Affects: 7.0.10</p>
+
+    <p><strong>Important: Security constraint bypass</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183">
+       CVE-2011-1183</a></p>
+
+    <p>A regression in the fix for CVE-2011-1088 meant that security constraints
+       were ignored when no login configuration was present in the web.xml and
+       the web application was marked as meta-data complete.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1087643&amp;view=rev">
+       revision 1087643</a>.</p>
+
+    <p>This was identified by the Tomcat security team on 17 March 2011 and
+       made public on 6 April 2011.</p>
+
+    <p>Affects: 7.0.10</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat 7.0.11 (released 11 Mar 2011)">
 
     <p><strong>Important: Security constraint bypass</strong>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message