tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1140074 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html docs/security-7.html xdocs/security-5.xml xdocs/security-6.xml xdocs/security-7.xml
Date Mon, 27 Jun 2011 09:31:00 GMT
Author: markt
Date: Mon Jun 27 09:30:59 2011
New Revision: 1140074

URL: http://svn.apache.org/viewvc?rev=1140074&view=rev
Log:
Updates for CVE-2011-2204

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Jun 27 09:30:59 2011
@@ -215,6 +215,9 @@
 <a href="#Apache_Tomcat_5.x_vulnerabilities">Apache Tomcat 5.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_5.5.34_(not_yet_released)">Fixed in Apache Tomcat
5.5.34 (not yet released)</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_5.5.32">Fixed in Apache Tomcat 5.5.32</a>
 </li>
 <li>
@@ -334,6 +337,58 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 5.5.34 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_5.5.34_(not_yet_released)">
+<strong>Fixed in Apache Tomcat 5.5.34 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+    <p>
+<strong>Low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204">
+       CVE-2011-2204</a>
+</p>
+
+    <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+       creating users via JMX, an exception during the user creation process may
+       trigger an error message in the JMX client that includes the user's
+       password. This error message is also written to the Tomcat logs. User
+       passwords are visible to administrators with JMX access and/or
+       administrators with read access to the tomcat-users.xml file. Users that
+       do not have these permissions but are able to read log files may be able
+       to discover a user's password.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1140072&amp;view=rev">
+       revision 1140072</a>.</p>
+
+    <p>This was identified by Polina Genova on 14 June 2011 and
+       made public on 27 June 2011.</p>
+
+    <p>Affects: 5.5.0-5.5.33</p>
+  
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 5.5.32">
 <!--()-->
 </a>

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Jun 27 09:30:59 2011
@@ -215,6 +215,9 @@
 <a href="#Apache_Tomcat_6.x_vulnerabilities">Apache Tomcat 6.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)">Fixed in Apache Tomcat
6.0.33 (not yet released)</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_6.0.32">Fixed in Apache Tomcat 6.0.32</a>
 </li>
 <li>
@@ -310,6 +313,58 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 6.0.33 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)">
+<strong>Fixed in Apache Tomcat 6.0.33 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+    <p>
+<strong>Low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204">
+       CVE-2011-2204</a>
+</p>
+
+    <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+       creating users via JMX, an exception during the user creation process may
+       trigger an error message in the JMX client that includes the user's
+       password. This error message is also written to the Tomcat logs. User
+       passwords are visible to administrators with JMX access and/or
+       administrators with read access to the tomcat-users.xml file. Users that
+       do not have these permissions but are able to read log files may be able
+       to discover a user's password.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1140071&amp;view=rev">
+       revision 1140071</a>.</p>
+
+    <p>This was identified by Polina Genova on 14 June 2011 and
+       made public on 27 June 2011.</p>
+
+    <p>Affects: 6.0.0-6.0.32</p>
+  
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.32">
 <!--()-->
 </a>

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Jun 27 09:30:59 2011
@@ -215,6 +215,9 @@
 <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.17_(not_yet_released)">Fixed in Apache Tomcat
7.0.17 (not yet released)</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_7.0.14_(released_12_May_2011)">Fixed in Apache Tomcat
7.0.14 (released 12 May 2011)</a>
 </li>
 <li>
@@ -293,6 +296,58 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 7.0.17 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_7.0.17_(not_yet_released)">
+<strong>Fixed in Apache Tomcat 7.0.17 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+    <p>
+<strong>Low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204">
+       CVE-2011-2204</a>
+</p>
+
+    <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+       creating users via JMX, an exception during the user creation process may
+       trigger an error message in the JMX client that includes the user's
+       password. This error message is also written to the Tomcat logs. User
+       passwords are visible to administrators with JMX access and/or
+       administrators with read access to the tomcat-users.xml file. Users that
+       do not have these permissions but are able to read log files may be able
+       to discover a user's password.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1140070&amp;view=rev">
+       revision 1140070</a>.</p>
+
+    <p>This was identified by Polina Genova on 14 June 2011 and
+       made public on 27 June 2011.</p>
+
+    <p>Affects: 7.0.0-7.0.16</p>
+  
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 7.0.14 (released 12 May 2011)">
 <!--()-->
 </a>

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Jun 27 09:30:59 2011
@@ -46,6 +46,32 @@
   </section>
  -->
 
+  <section name="Fixed in Apache Tomcat 5.5.34 (not yet released)">
+
+    <p><strong>Low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204">
+       CVE-2011-2204</a></p>
+
+    <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+       creating users via JMX, an exception during the user creation process may
+       trigger an error message in the JMX client that includes the user&apos;s
+       password. This error message is also written to the Tomcat logs. User
+       passwords are visible to administrators with JMX access and/or
+       administrators with read access to the tomcat-users.xml file. Users that
+       do not have these permissions but are able to read log files may be able
+       to discover a user&apos;s password.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1140072&amp;view=rev">
+       revision 1140072</a>.</p>
+
+    <p>This was identified by Polina Genova on 14 June 2011 and
+       made public on 27 June 2011.</p>
+
+    <p>Affects: 5.5.0-5.5.33</p>
+  
+  </section>
+
   <section name="Fixed in Apache Tomcat 5.5.32" rtext="released 1 Feb 2011">
   
     <p><strong>low: Cross-site scripting</strong>

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Jun 27 09:30:59 2011
@@ -30,6 +30,32 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 6.0.33 (not yet released)">
+
+    <p><strong>Low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204">
+       CVE-2011-2204</a></p>
+
+    <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+       creating users via JMX, an exception during the user creation process may
+       trigger an error message in the JMX client that includes the user&apos;s
+       password. This error message is also written to the Tomcat logs. User
+       passwords are visible to administrators with JMX access and/or
+       administrators with read access to the tomcat-users.xml file. Users that
+       do not have these permissions but are able to read log files may be able
+       to discover a user&apos;s password.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1140071&amp;view=rev">
+       revision 1140071</a>.</p>
+
+    <p>This was identified by Polina Genova on 14 June 2011 and
+       made public on 27 June 2011.</p>
+
+    <p>Affects: 6.0.0-6.0.32</p>
+  
+  </section>
+
   <section name="Fixed in Apache Tomcat 6.0.32" rtext="released 03 Feb 2011">
 
     <p><i>Note: The issue below was fixed in Apache Tomcat 6.0.31 but the

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Jun 27 09:30:59 2011
@@ -25,6 +25,32 @@
        <a href="mailto:security@tomcat.apache.org">Tomcat Security Team</a>.</p>
   </section>
 
+  <section name="Fixed in Apache Tomcat 7.0.17 (not yet released)">
+
+    <p><strong>Low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204">
+       CVE-2011-2204</a></p>
+
+    <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+       creating users via JMX, an exception during the user creation process may
+       trigger an error message in the JMX client that includes the user&apos;s
+       password. This error message is also written to the Tomcat logs. User
+       passwords are visible to administrators with JMX access and/or
+       administrators with read access to the tomcat-users.xml file. Users that
+       do not have these permissions but are able to read log files may be able
+       to discover a user&apos;s password.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1140070&amp;view=rev">
+       revision 1140070</a>.</p>
+
+    <p>This was identified by Polina Genova on 14 June 2011 and
+       made public on 27 June 2011.</p>
+
+    <p>Affects: 7.0.0-7.0.16</p>
+  
+  </section>
+
   <section name="Fixed in Apache Tomcat 7.0.14 (released 12 May 2011)">
 
     <p><strong>Important: Security constraint bypass</strong>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message