Return-Path: 
 <dev-return-115595-apmail-tomcat-dev-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-dev-archive@www.apache.org
Received: (qmail 41896 invoked from network); 6 Apr 2011 17:13:07 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 6 Apr 2011 17:13:07 -0000
Received: (qmail 56412 invoked by uid 500); 6 Apr 2011 17:13:06 -0000
Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org
Received: (qmail 56345 invoked by uid 500); 6 Apr 2011 17:13:06 -0000
Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@tomcat.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@tomcat.apache.org>
List-Post: <mailto:dev@tomcat.apache.org>
List-Id: <dev.tomcat.apache.org>
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
Delivered-To: mailing list dev@tomcat.apache.org
Received: (qmail 56336 invoked by uid 99); 6 Apr 2011 17:13:06 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 06 Apr 2011 17:13:06 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 06 Apr 2011 17:13:03 +0000
Received: by eris.apache.org (Postfix, from userid 65534)
	id D113B2388897; Wed,  6 Apr 2011 17:12:41 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1089538 - in /tomcat/site/trunk: docs/index.html
 docs/security-7.html xdocs/index.xml xdocs/security-7.xml
Date: Wed, 06 Apr 2011 17:12:41 -0000
To: dev@tomcat.apache.org
From: markt@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20110406171241.D113B2388897@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org

Author: markt
Date: Wed Apr  6 17:12:41 2011
New Revision: 1089538

URL: http://svn.apache.org/viewvc?rev=1089538&view=rev
Log:
Prep website ready for announcements

Modified:
    tomcat/site/trunk/docs/index.html
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/index.xml
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/index.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1089538&r1=1089537&r2=1089538&view=diff
==============================================================================
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Wed Apr  6 17:12:41 2011
@@ -266,8 +266,8 @@ project logo are trademarks of the Apach
 <blockquote>
 <p>
 The Apache Tomcat Project is proud to announce the release of version 7.0.12 of
-Apache Tomcat. This release includes bug fixes and the following new features
-compared to version 7.0.11:
+Apache Tomcat. This release includes bug fixes, security fixes and the following
+new features compared to version 7.0.11:
 <ul>
 <li>initial support for SPNEGO/Kerberos authentication (also referred to as
     Windows authentication);</li>

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1089538&r1=1089537&r2=1089538&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed Apr  6 17:12:41 2011
@@ -215,6 +215,9 @@
 <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.12_(released_6_Apr_2011)">Fixed in Apache Tomcat 7.0.12 (released 6 Apr 2011)</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_7.0.11_(released_11_Mar_2011)">Fixed in Apache Tomcat 7.0.11 (released 11 Mar 2011)</a>
 </li>
 <li>
@@ -287,6 +290,79 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 7.0.12 (released 6 Apr 2011)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_7.0.12_(released_6_Apr_2011)">
+<strong>Fixed in Apache Tomcat 7.0.12 (released 6 Apr 2011)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+    <p>
+<strong>Important: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475">
+       CVE-2011-1475</a>
+</p>
+
+    <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
+       asynchronous requests did not fully account for HTTP pipelining. As a
+       result, when using HTTP pipelining a range of unexpected behaviours
+       occurred including the mixing up of responses between requests. While
+       the mix-up in responses was only observed between requests from the same
+       user, a mix-up of responses for requests from different users may also be
+       possible.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1086349&amp;view=rev">
+       revision 1086349</a> and
+       <a href="http://svn.apache.org/viewvc?rev=1086352&amp;view=rev">
+       revision 1086352</a>. (Note: HTTP pipelined requests are still likely to
+       fail with the HTTP BIO connector but will do so in a secure manner.)</p>
+
+    <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
+       2011.</p>
+
+    <p>Affects: 7.0.10</p>
+
+    <p>
+<strong>Important: Security constraint bypass</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183">
+       CVE-2011-1183</a>
+</p>
+
+    <p>A regression in the fix for CVE-2011-1088 meant that security constraints
+       were ignored when no login configuration was present in the web.xml and
+       the web application was marked as meta-data complete.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1087643&amp;view=rev">
+       revision 1087643</a>.</p>
+
+    <p>This was identified by the Tomcat security team on 17 March 2011 and
+       made public on 6 April 2011.</p>
+
+    <p>Affects: 7.0.10</p>
+
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 7.0.11 (released 11 Mar 2011)">
 <!--()-->
 </a>

Modified: tomcat/site/trunk/xdocs/index.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/index.xml?rev=1089538&r1=1089537&r2=1089538&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/index.xml (original)
+++ tomcat/site/trunk/xdocs/index.xml Wed Apr  6 17:12:41 2011
@@ -36,8 +36,8 @@ project logo are trademarks of the Apach
 <section name="Tomcat 7.0.12 Released" rtext="2011-04-06">
 <p>
 The Apache Tomcat Project is proud to announce the release of version 7.0.12 of
-Apache Tomcat. This release includes bug fixes and the following new features
-compared to version 7.0.11:
+Apache Tomcat. This release includes bug fixes, security fixes and the following
+new features compared to version 7.0.11:
 <ul>
 <li>initial support for SPNEGO/Kerberos authentication (also referred to as
     Windows authentication);</li>

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1089538&r1=1089537&r2=1089538&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed Apr  6 17:12:41 2011
@@ -25,6 +25,51 @@
        <a href="mailto:security@tomcat.apache.org">Tomcat Security Team</a>.</p>
   </section>
 
+  <section name="Fixed in Apache Tomcat 7.0.12 (released 6 Apr 2011)">
+
+    <p><strong>Important: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475">
+       CVE-2011-1475</a></p>
+
+    <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
+       asynchronous requests did not fully account for HTTP pipelining. As a
+       result, when using HTTP pipelining a range of unexpected behaviours
+       occurred including the mixing up of responses between requests. While
+       the mix-up in responses was only observed between requests from the same
+       user, a mix-up of responses for requests from different users may also be
+       possible.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1086349&amp;view=rev">
+       revision 1086349</a> and
+       <a href="http://svn.apache.org/viewvc?rev=1086352&amp;view=rev">
+       revision 1086352</a>. (Note: HTTP pipelined requests are still likely to
+       fail with the HTTP BIO connector but will do so in a secure manner.)</p>
+
+    <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
+       2011.</p>
+
+    <p>Affects: 7.0.10</p>
+
+    <p><strong>Important: Security constraint bypass</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183">
+       CVE-2011-1183</a></p>
+
+    <p>A regression in the fix for CVE-2011-1088 meant that security constraints
+       were ignored when no login configuration was present in the web.xml and
+       the web application was marked as meta-data complete.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1087643&amp;view=rev">
+       revision 1087643</a>.</p>
+
+    <p>This was identified by the Tomcat security team on 17 March 2011 and
+       made public on 6 April 2011.</p>
+
+    <p>Affects: 7.0.10</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat 7.0.11 (released 11 Mar 2011)">
 
     <p><strong>Important: Security constraint bypass</strong>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org