tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1145952 [1/2] - in /tomcat/site/trunk: docs/ xdocs/
Date Wed, 13 Jul 2011 10:58:00 GMT
Author: markt
Date: Wed Jul 13 10:57:59 2011
New Revision: 1145952

URL: http://svn.apache.org/viewvc?rev=1145952&view=rev
Log:
More nofollow and a few line lengths

Modified:
    tomcat/site/trunk/docs/security-3.html
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/docs/security-jk.html
    tomcat/site/trunk/docs/security-native.html
    tomcat/site/trunk/docs/security.html
    tomcat/site/trunk/docs/whoweare.html
    tomcat/site/trunk/xdocs/security-3.xml
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml
    tomcat/site/trunk/xdocs/security-7.xml
    tomcat/site/trunk/xdocs/security-jk.xml
    tomcat/site/trunk/xdocs/security-native.xml
    tomcat/site/trunk/xdocs/security.xml
    tomcat/site/trunk/xdocs/whoweare.xml

Modified: tomcat/site/trunk/docs/security-3.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-3.html?rev=1145952&r1=1145951&r2=1145952&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-3.html (original)
+++ tomcat/site/trunk/docs/security-3.html Wed Jul 13 10:57:59 2011
@@ -313,8 +313,7 @@
 <blockquote>
     <p>
 <strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0808">
-       CVE-2005-0808</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0808" rel="nofollow">CVE-2005-0808</a>
 </p>
 
     <p>Tomcat 3.x can be remotely caused to crash or shutdown by a connection
@@ -327,8 +326,7 @@
 
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382">
-       CVE-2007-3382</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382" rel="nofollow">CVE-2007-3382</a>
 </p>
 
     <p>Tomcat incorrectly treated a single quote character (') in a cookie
@@ -339,8 +337,7 @@
 
     <p>
 <strong>low: Cross site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3384">
-       CVE-2007-3384</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3384" rel="nofollow">CVE-2007-3384</a>
 </p>
 
     <p>When reporting error messages, Tomcat does not filter user supplied data
@@ -352,8 +349,7 @@
 
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385">
-       CVE-2007-3385</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a>
 </p>
 
     <p>Tomcat incorrectly handled the character sequence \" in a cookie value.
@@ -391,8 +387,7 @@
 <blockquote>
     <p>
 <strong>moderate: Cross site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0044">
-       CVE-2003-0044</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0044" rel="nofollow">CVE-2003-0044</a>
 </p>
 
     <p>The root web application and the examples web application contained a
@@ -430,8 +425,7 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0043">
-       CVE-2003-0043</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0043" rel="nofollow">CVE-2003-0043</a>
 </p>
 
     <p>When used with JDK 1.3.1 or earlier, web.xml files were read with
@@ -442,8 +436,7 @@
 
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0042">
-       CVE-2003-0042</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0042" rel="nofollow">CVE-2003-0042</a>
 </p>
 
     <p>URLs containing null characters could result in file contents being
@@ -480,8 +473,7 @@
 <blockquote>
     <p>
 <strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0045">
-       CVE-2003-0045</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0045" rel="nofollow">CVE-2003-0045</a>
 </p>
 
     <p>JSP page names that match a Windows DOS device name, such as aux.jsp, may
@@ -519,8 +511,7 @@
 <blockquote>
     <p>
 <strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2007">
-       CVE-2002-2007</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2007" rel="nofollow">CVE-2002-2007</a>
 </p>
 
     <p>Non-standard requests to the sample applications installed by default
@@ -531,10 +522,8 @@
 
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006">
-       CVE-2002-2006</a>,
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0760">
-       CVE-2000-0760</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006" rel="nofollow">CVE-2002-2006</a>,
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0760" rel="nofollow">CVE-2000-0760</a>
 </p>
 
     <p>The snoop servlet installed as part of the examples includes output that
@@ -571,8 +560,7 @@
 <blockquote>
     <p>
 <strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1563">
-       CVE-2001-1563</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1563" rel="nofollow">CVE-2001-1563</a>
 <br/>
 </p>
 
@@ -609,8 +597,7 @@
 <blockquote>
     <p>
 <strong>moderate: Cross site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0829">
-       CVE-2001-0829</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0829" rel="nofollow">CVE-2001-0829</a>
 </p>
 
     <p>The default 404 error page does not escape URLs. This allows XSS
@@ -620,8 +607,7 @@
 
     <p>
 <strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590">
-       CVE-2001-0590</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590" rel="nofollow">CVE-2001-0590</a>
 <br/>
 </p>
 
@@ -657,8 +643,7 @@
 <blockquote>
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0759">
-       CVE-2000-0759</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0759" rel="nofollow">CVE-2000-0759</a>
 <br/>
 </p>
 
@@ -669,8 +654,7 @@
 
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0672">
-       CVE-2000-0672</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0672" rel="nofollow">CVE-2000-0672</a>
 <br/>
 </p>
 
@@ -709,8 +693,7 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1210">
-       CVE-2000-1210</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1210" rel="nofollow">CVE-2000-1210</a>
 <br/>
 </p>
 

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=1145952&r1=1145951&r2=1145952&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Wed Jul 13 10:57:59 2011
@@ -334,8 +334,7 @@
 <blockquote>
     <p>
 <strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4836">
-       CVE-2005-4836</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4836" rel="nofollow">CVE-2005-4836</a>
 </p>
 
     <p>The deprecated HTTP/1.1 connector does not reject request URIs containing
@@ -377,8 +376,7 @@
 <blockquote>
     <p>
 <strong>Important: Information Disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515">
-       CVE-2008-5515</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515" rel="nofollow">CVE-2008-5515</a>
 </p>
 
     <p>When using a RequestDispatcher obtained from the Request, the target path
@@ -397,8 +395,7 @@
 
     <p>
 <strong>Important: Denial of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
-       CVE-2009-0033</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033" rel="nofollow">CVE-2009-0033</a>
 </p>
 
     <p>If Tomcat receives a request with invalid headers via the Java AJP
@@ -416,8 +413,7 @@
  
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">
-       CVE-2009-0580</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580" rel="nofollow">CVE-2009-0580</a>
 </p>
 
     <p>Due to insufficient error checking in some authentication classes, Tomcat
@@ -436,8 +432,7 @@
        
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
-       CVE-2009-0781</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781" rel="nofollow">CVE-2009-0781</a>
 </p>
 
     <p>The calendar application in the examples web application contains an
@@ -452,8 +447,7 @@
 
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783">
-       CVE-2009-0783</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>
 </p>
 
     <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
@@ -501,8 +495,7 @@
 
     <p>
 <strong>moderate: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128">
-       CVE-2008-0128</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128" rel="nofollow">CVE-2008-0128</a>
 </p>
 
     <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is
@@ -518,8 +511,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232">
-       CVE-2008-1232</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232" rel="nofollow">CVE-2008-1232</a>
 </p>
 
     <p>The message argument of HttpServletResponse.sendError() call is not only
@@ -538,8 +530,7 @@
 
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370">
-       CVE-2008-2370</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370" rel="nofollow">CVE-2008-2370</a>
 </p>
 
     <p>When using a RequestDispatcher the target path was normalised before the 
@@ -583,8 +574,7 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3164">
-       CVE-2005-3164</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3164" rel="nofollow">CVE-2005-3164</a>
 </p>
 
     <p>If a client specifies a Content-Length but disconnects before sending
@@ -597,8 +587,7 @@
 
     <p>
 <strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355">
-       CVE-2007-1355</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355" rel="nofollow">CVE-2007-1355</a>
 </p>
 
     <p>The JSP and Servlet included in the sample application within the Tomcat
@@ -610,8 +599,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449">
-       CVE-2007-2449</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449" rel="nofollow">CVE-2007-2449</a>
 </p>
 
     <p>JSPs within the examples web application did not escape user provided
@@ -626,8 +614,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450">
-       CVE-2007-2450</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450" rel="nofollow">CVE-2007-2450</a>
 </p>
 
     <p>The Manager web application did not escape user provided data before
@@ -640,8 +627,7 @@
 
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382">
-       CVE-2007-3382</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382" rel="nofollow">CVE-2007-3382</a>
 </p>
 
     <p>Tomcat incorrectly treated a single quote character (') in a cookie
@@ -652,8 +638,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3383">
-       CVE-2007-3383</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3383" rel="nofollow">CVE-2007-3383</a>
 </p>
 
     <p>When reporting error messages, the SendMailServlet (part of the examples
@@ -668,8 +653,7 @@
 
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385">
-       CVE-2007-3385</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a>
 </p>
 
     <p>Tomcat incorrectly handled the character sequence \" in a cookie value.
@@ -680,21 +664,18 @@
 
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333">
-       CVE-2007-5333</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333" rel="nofollow">CVE-2007-5333</a>
 </p>
 
     <p>The previous fix for
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385">
-       CVE-2007-3385</a> was incomplete. It did not consider the use of quotes
-       or %5C within a cookie value.</p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a> was incomplete. It did not consider the
+       use of quotes or %5C within a cookie value.</p>
 
     <p>Affects: 4.1.0-4.1.36</p>
 
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461">
-       CVE-2007-5461</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461" rel="nofollow">CVE-2007-5461</a>
 </p>
 
     <p>When Tomcat's WebDAV servlet is configured for use with a context and
@@ -733,8 +714,7 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090">
-       CVE-2005-2090</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090" rel="nofollow">CVE-2005-2090</a>
 </p>
 
     <p>Requests with multiple content-length headers should be rejected as
@@ -752,46 +732,46 @@
 
     <p>
 <strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450">
-       CVE-2007-0450</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450" rel="nofollow">CVE-2007-0450</a>
 </p>
 
     <p>The fix for this issue was insufficient. A fix was also required in the
        JK connector module for httpd. See 
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860">
-       CVE-2007-1860</a> for further information.</p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860" rel="nofollow">CVE-2007-1860</a> for further information.</p>
 
-    <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used 
-       behind a proxy (including, but not limited to, Apache HTTP server with 
-       mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP request 
-       containing strings like "/\../" may allow attackers to work around the context 
-       restriction of the proxy, and access the non-proxied contexts.
+    <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is
+       used behind a proxy (including, but not limited to, Apache HTTP server
+       with mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP
+       request containing strings like "/\../" may allow attackers to work
+       around the context restriction of the proxy, and access the non-proxied
+       contexts.
     </p>
 
     <p>The following Java system properties have been added to Tomcat to provide 
-       additional control of the handling of path delimiters in URLs (both options 
-       default to false):
+       additional control of the handling of path delimiters in URLs (both
+       options default to false):
        <ul>
          <li>
-           <code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code>: <code>true|false</code>
+           <code>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH</code>:
+           <code>true|false</code>
          </li>
          <li>
-           <code>org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</code>: <code>true|false</code>
+           <code>org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH</code>:
+           <code>true|false</code>
          </li>
        </ul>
     </p>
 
-    <p>Due to the impossibility to guarantee that all URLs are handled by Tomcat as 
-       they are in proxy servers, Tomcat should always be secured as if no proxy 
-       restricting context access was used.
+    <p>Due to the impossibility to guarantee that all URLs are handled by Tomcat
+       as they are in proxy servers, Tomcat should always be secured as if no
+       proxy restricting context access was used.
     </p>
 
     <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358">
-       CVE-2007-1358</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358" rel="nofollow">CVE-2007-1358</a>
 </p>
 
     <p>Web pages that display the Accept-Language header value sent by the
@@ -834,8 +814,7 @@
 
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4308">
-       CVE-2008-4308</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4308" rel="nofollow">CVE-2008-4308</a>
 </p>
 
     <p>
@@ -877,8 +856,7 @@
 
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271">
-       CVE-2008-3271</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271" rel="nofollow">CVE-2008-3271</a>
 </p>
 
     <p>
@@ -893,8 +871,7 @@
 
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858">
-       CVE-2007-1858</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858" rel="nofollow">CVE-2007-1858</a>
 </p>
 
     <p>The default SSL configuration permitted the use of insecure cipher suites
@@ -905,8 +882,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196">
-       CVE-2006-7196</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196" rel="nofollow">CVE-2006-7196</a>
 </p>
 
     <p>The calendar application included as part of the JSP examples is
@@ -917,8 +893,7 @@
 
     <p>
 <strong>low: Directory listing</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835">
-       CVE-2006-3835</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835" rel="nofollow">CVE-2006-3835</a>
 </p>
 
     <p>This is expected behaviour when directory listings are enabled. The
@@ -932,8 +907,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4838">
-       CVE-2005-4838</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4838" rel="nofollow">CVE-2005-4838</a>
 </p>
 
     <p>Various JSPs included as part of the JSP examples and the Tomcat Manager
@@ -944,8 +918,7 @@
 
     <p>
 <strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510">
-       CVE-2005-3510</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510" rel="nofollow">CVE-2005-3510</a>
 </p>
 
     <p>The root cause is the relatively expensive calls required to generate
@@ -987,8 +960,7 @@
 <blockquote>
     <p>
 <strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1567">
-       CVE-2002-1567</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1567" rel="nofollow">CVE-2002-1567</a>
 </p>
 
     <p>The unmodified requested URL is included in the 404 response header. The
@@ -1028,8 +1000,7 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1394">
-       CVE-2002-1394</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1394" rel="nofollow">CVE-2002-1394</a>
 </p>
 
     <p>A specially crafted URL using the invoker servlet in conjunction with the
@@ -1037,16 +1008,14 @@
        or, under special circumstances, a static resource that would otherwise
        have been protected by a security constraint without the need to be
        properly authenticated. This is a variation of
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148">
-       CVE-2002-1148</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148" rel="nofollow">CVE-2002-1148</a>
 </p>
 
     <p>Affects: 4.0.0-4.0.5, 4.1.0-4.1.12</p>
 
     <p>
 <strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0682">
-       CVE-2002-0682</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0682" rel="nofollow">CVE-2002-0682</a>
 </p>
 
     <p>A specially crafted URL using the invoker servlet and various internal
@@ -1083,8 +1052,7 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148">
-       CVE-2002-1148</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148" rel="nofollow">CVE-2002-1148</a>
 </p>
 
     <p>A specially crafted URL using the default servlet can enable an attacker
@@ -1120,8 +1088,7 @@
 <blockquote>
     <p>
 <strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0935">
-       CVE-2002-0935</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0935" rel="nofollow">CVE-2002-0935</a>
 </p>
 
     <p>A malformed HTTP request can cause the request processing thread to
@@ -1159,8 +1126,7 @@
 <blockquote>
     <p>
 <strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0866">
-       CVE-2003-0866</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0866" rel="nofollow">CVE-2003-0866</a>
 </p>
 
     <p>A malformed HTTP request can cause the request processing thread to
@@ -1171,8 +1137,7 @@
 
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006">
-       CVE-2002-2006</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006" rel="nofollow">CVE-2002-2006</a>
 </p>
 
     <p>The snoop and trouble shooting servlets installed as part of the examples
@@ -1209,10 +1174,8 @@
 <blockquote>
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2009">
-       CVE-2002-2009</a>,
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0917">
-       CVE-2001-0917</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2009" rel="nofollow">CVE-2002-2009</a>,
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0917" rel="nofollow">CVE-2001-0917</a>
 </p>
 
     <p>Requests for JSP files where the file name is preceded by '+/', '&gt;/',
@@ -1250,8 +1213,7 @@
 <blockquote>
     <p>
 <strong>moderate: Security manager bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0493">
-       CVE-2002-0493</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0493" rel="nofollow">CVE-2002-0493</a>
 </p>
 
     <p>If errors are encountered during the parsing of web.xml and Tomcat is
@@ -1285,10 +1247,8 @@
 <blockquote>
     <p>
 <strong>low: Installation path disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4703">
-       CVE-2005-4703</a>, 
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2008">
-       CVE-2002-2008</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4703" rel="nofollow">CVE-2005-4703</a>, 
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2008" rel="nofollow">CVE-2002-2008</a>
 <br/>
 </p>
 
@@ -1303,8 +1263,7 @@
 
     <p>
 <strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1895">
-       CVE-2002-1895</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1895" rel="nofollow">CVE-2002-1895</a>
 <br/>
 </p>
 
@@ -1344,8 +1303,7 @@
 <blockquote>
     <p>
 <strong>Denial of service vulnerability</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0936">
-       CVE-2002-0936</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0936" rel="nofollow">CVE-2002-0936</a>
 </p>
 
     <p>The issue described requires an attacker to be able to plant a JSP page
@@ -1356,8 +1314,7 @@
 
     <p>
 <strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
-       CVE-2008-2938</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938" rel="nofollow">CVE-2008-2938</a>
 </p>
 
     <p>Originally reported as a Tomcat vulnerability the root cause of this

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1145952&r1=1145951&r2=1145952&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Wed Jul 13 10:57:59 2011
@@ -353,8 +353,7 @@
 
     <p>
 <strong>Low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204">
-       CVE-2011-2204</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a>
 </p>
 
     <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
@@ -410,8 +409,7 @@
   
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013">
-       CVE-2011-0013</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013" rel="nofollow">CVE-2011-0013</a>
 </p>
 
     <p>The HTML Manager interface displayed web application provided data, such
@@ -463,8 +461,7 @@
   
     <p>
 <strong>low: SecurityManager file permission bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718">
-       CVE-2010-3718</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718" rel="nofollow">CVE-2010-3718</a>
 </p>
 
     <p>When running under a SecurityManager, access to the file system is
@@ -493,8 +490,7 @@
     <p>
 <strong>Important: Remote Denial Of Service and Information Disclosure
        Vulnerability</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227">
-       CVE-2010-2227</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227" rel="nofollow">CVE-2010-2227</a>
 </p>
 
     <p>Several flaws in the handling of the 'Transfer-Encoding' header were
@@ -515,8 +511,7 @@
 
     <p>
 <strong>Low: Information disclosure in authentication headers</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157">
-       CVE-2010-1157</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157" rel="nofollow">CVE-2010-1157</a>
 </p>
 
     <p>The <code>WWW-Authenticate</code> HTTP header for BASIC and DIGEST
@@ -573,8 +568,7 @@
   
     <p>
 <strong>Low: Arbitrary file deletion and/or alteration on deploy</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693">
-       CVE-2009-2693</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693" rel="nofollow">CVE-2009-2693</a>
 </p>
 
     <p>When deploying WAR files, the WAR files were not checked for directory
@@ -593,8 +587,7 @@
 
     <p>
 <strong>Low: Insecure partial deploy after failed undeploy</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901">
-       CVE-2009-2901</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901" rel="nofollow">CVE-2009-2901</a>
 </p>
 
     <p>By default, Tomcat automatically deploys any directories placed in a
@@ -617,8 +610,7 @@
     
     <p>
 <strong>Low: Unexpected file deletion in work directory</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902">
-       CVE-2009-2902</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902" rel="nofollow">CVE-2009-2902</a>
 </p>
 
     <p>When deploying WAR files, the WAR file names were not checked for
@@ -638,8 +630,7 @@
 
     <p>
 <strong>Low: Insecure default password</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548">
-       CVE-2009-3548</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548" rel="nofollow">CVE-2009-3548</a>
 </p>
 
     <p>The Windows installer defaults to a blank password for the administrative
@@ -689,8 +680,7 @@
 <blockquote>
     <p>
 <strong>Important: Information Disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515">
-       CVE-2008-5515</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515" rel="nofollow">CVE-2008-5515</a>
 </p>
 
     <p>When using a RequestDispatcher obtained from the Request, the target path
@@ -712,8 +702,7 @@
 
     <p>
 <strong>Important: Denial of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
-       CVE-2009-0033</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033" rel="nofollow">CVE-2009-0033</a>
 </p>
 
     <p>If Tomcat receives a request with invalid headers via the Java AJP
@@ -734,8 +723,7 @@
  
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">
-       CVE-2009-0580</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580" rel="nofollow">CVE-2009-0580</a>
 </p>
 
     <p>Due to insufficient error checking in some authentication classes, Tomcat
@@ -757,8 +745,7 @@
        
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
-       CVE-2009-0781</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781" rel="nofollow">CVE-2009-0781</a>
 </p>
 
     <p>The calendar application in the examples web application contains an
@@ -776,8 +763,7 @@
 
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783">
-       CVE-2009-0783</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>
 </p>
 
     <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
@@ -834,8 +820,7 @@
 <blockquote>
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232">
-       CVE-2008-1232</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232" rel="nofollow">CVE-2008-1232</a>
 </p>
 
     <p>The message argument of HttpServletResponse.sendError() call is not only
@@ -857,8 +842,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947">
-       CVE-2008-1947</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947" rel="nofollow">CVE-2008-1947</a>
 </p>
 
     <p>The Host Manager web application did not escape user provided data before
@@ -878,8 +862,7 @@
     
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370">
-       CVE-2008-2370</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370" rel="nofollow">CVE-2008-2370</a>
 </p>
 
     <p>When using a RequestDispatcher the target path was normalised before the 
@@ -931,21 +914,18 @@
 <blockquote>
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333">
-       CVE-2007-5333</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333" rel="nofollow">CVE-2007-5333</a>
 </p>
 
     <p>The previous fix for
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385">
-       CVE-2007-3385</a> was incomplete. It did not consider the use of quotes
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a> was incomplete. It did not consider the use of quotes
        or %5C within a cookie value.</p>
 
     <p>Affects: 5.5.0-5.5.25</p>
 
     <p>
 <strong>low: Elevated privileges</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342">
-       CVE-2007-5342</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342" rel="nofollow">CVE-2007-5342</a>
 </p>
 
     <p>The JULI logging component allows web applications to provide their own
@@ -958,8 +938,7 @@
 
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461">
-       CVE-2007-5461</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461" rel="nofollow">CVE-2007-5461</a>
 </p>
 
     <p>When Tomcat's WebDAV servlet is configured for use with a context and
@@ -971,8 +950,7 @@
 
     <p>
 <strong>important: Data integrity</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286">
-       CVE-2007-6286</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286" rel="nofollow">CVE-2007-6286</a>
 </p>
 
     <p>When using the native (APR based) connector, connecting to the SSL port
@@ -1014,8 +992,7 @@
 <blockquote>
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449">
-       CVE-2007-2449</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449" rel="nofollow">CVE-2007-2449</a>
 </p>
 
     <p>JSPs within the examples web application did not escape user provided
@@ -1030,8 +1007,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450">
-       CVE-2007-2450</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450" rel="nofollow">CVE-2007-2450</a>
 </p>
 
     <p>The Manager and Host Manager web applications did not escape user
@@ -1044,8 +1020,7 @@
 
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382">
-       CVE-2007-3382</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382" rel="nofollow">CVE-2007-3382</a>
 </p>
 
     <p>Tomcat incorrectly treated a single quote character (') in a cookie
@@ -1056,8 +1031,7 @@
 
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385">
-       CVE-2007-3385</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a>
 </p>
 
     <p>Tomcat incorrectly handled the character sequence \" in a cookie value.
@@ -1068,8 +1042,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386">
-       CVE-2007-3386</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386" rel="nofollow">CVE-2007-3386</a>
 </p>
 
     <p>The Host Manager Servlet did not filter user supplied data before
@@ -1111,8 +1084,7 @@
 <blockquote>
     <p>
 <strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355">
-       CVE-2007-1355</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355" rel="nofollow">CVE-2007-1355</a>
 </p>
 
     <p>The JSP and Servlet included in the sample application within the Tomcat
@@ -1156,8 +1128,7 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090">
-       CVE-2005-2090</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090" rel="nofollow">CVE-2005-2090</a>
 </p>
 
     <p>Requests with multiple content-length headers should be rejected as
@@ -1206,14 +1177,12 @@
 <blockquote>
     <p>
 <strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450">
-       CVE-2007-0450</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450" rel="nofollow">CVE-2007-0450</a>
 </p>
 
     <p>The fix for this issue was insufficient. A fix was also required in the
        JK connector module for httpd. See 
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860">
-       CVE-2007-1860</a> for further information.</p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860" rel="nofollow">CVE-2007-1860</a> for further information.</p>
 
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
@@ -1275,8 +1244,7 @@
 <blockquote>
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358">
-       CVE-2007-1358</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358" rel="nofollow">CVE-2007-1358</a>
 </p>
 
     <p>Web pages that display the Accept-Language header value sent by the
@@ -1323,8 +1291,7 @@
 <blockquote>
     <p>
 <strong>moderate: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128">
-       CVE-2008-0128</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128" rel="nofollow">CVE-2008-0128</a>
 </p>
 
     <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is
@@ -1336,8 +1303,7 @@
 
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4308">
-       CVE-2008-4308</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4308" rel="nofollow">CVE-2008-4308</a>
 </p>
 
     <p>
@@ -1383,8 +1349,7 @@
 <blockquote>
     <p>
 <strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195">
-       CVE-2006-7195</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195" rel="nofollow">CVE-2006-7195</a>
 </p>
 
     <p>The implicit-objects.jsp in the examples webapp displayed a number of
@@ -1426,8 +1391,7 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858">
-       CVE-2007-1858</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858" rel="nofollow">CVE-2007-1858</a>
 </p>
 
     <p>The default SSL configuration permitted the use of insecure cipher suites
@@ -1469,8 +1433,7 @@
 <blockquote>
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196">
-       CVE-2006-7196</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196" rel="nofollow">CVE-2006-7196</a>
 </p>
 
     <p>The calendar application included as part of the JSP examples is
@@ -1507,8 +1470,7 @@
 <blockquote>
     <p>
 <strong>low: Directory listing</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835">
-       CVE-2006-3835</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835" rel="nofollow">CVE-2006-3835</a>
 </p>
 
     <p>This is expected behaviour when directory listings are enabled. The
@@ -1522,8 +1484,7 @@
 
     <p>
 <strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510">
-       CVE-2005-3510</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510" rel="nofollow">CVE-2005-3510</a>
 </p>
 
     <p>The root cause is the relatively expensive calls required to generate
@@ -1565,8 +1526,7 @@
 <blockquote>
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4838">
-       CVE-2005-4838</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4838" rel="nofollow">CVE-2005-4838</a>
 </p>
 
     <p>Various JSPs included as part of the JSP examples and the Tomcat Manager
@@ -1603,8 +1563,7 @@
 <blockquote>
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271">
-       CVE-2008-3271</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271" rel="nofollow">CVE-2008-3271</a>
 </p>
 
     <p>
@@ -1646,8 +1605,7 @@
 
     <p>
 <strong>Important: Remote Denial Of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476">
-       CVE-2010-4476</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a>
 </p>
 
     <p>A JVM bug could cause Double conversion to hang JVM when accessing to a
@@ -1668,8 +1626,7 @@
 
     <p>
 <strong>moderate: TLS SSL Man In The Middle</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
-       CVE-2009-3555</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" rel="nofollow">CVE-2009-3555</a>
 </p>
 
     <p>A vulnerability exists in the TLS protocol that allows an attacker to
@@ -1704,24 +1661,21 @@
 
     <p>
 <strong>JavaMail information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754">
-       CVE-2005-1754</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754" rel="nofollow">CVE-2005-1754</a>
 </p>
     <p>The vulnerability described is in the web application deployed on Tomcat
        rather than in Tomcat.</p>
 
     <p>
 <strong>JavaMail information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1753">
-       CVE-2005-1753</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1753" rel="nofollow">CVE-2005-1753</a>
 </p>
     <p>The vulnerability described is in the web application deployed on Tomcat
        rather than in Tomcat.</p>
 
     <p>
 <strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
-       CVE-2008-2938</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938" rel="nofollow">CVE-2008-2938</a>
 </p>
 
     <p>Originally reported as a Tomcat vulnerability the root cause of this

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1145952&r1=1145951&r2=1145952&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Jul 13 10:57:59 2011
@@ -329,8 +329,7 @@
 
     <p>
 <strong>Low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204">
-       CVE-2011-2204</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a>
 </p>
 
     <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
@@ -394,8 +393,7 @@
 
     <p>
 <strong>Important: Remote Denial Of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0534">
-       CVE-2011-0534</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0534" rel="nofollow">CVE-2011-0534</a>
 </p>
 
     <p>The NIO connector expands its buffer endlessly during request line
@@ -446,8 +444,7 @@
   
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013">
-       CVE-2011-0013</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013" rel="nofollow">CVE-2011-0013</a>
 </p>
 
     <p>The HTML Manager interface displayed web application provided data, such
@@ -466,8 +463,7 @@
 
     <p>
 <strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172">
-       CVE-2010-4172</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172" rel="nofollow">CVE-2010-4172</a>
 </p>
 
     <p>The Manager application used the user provided parameters sort and
@@ -485,8 +481,7 @@
 
     <p>
 <strong>low: SecurityManager file permission bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718">
-       CVE-2010-3718</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718" rel="nofollow">CVE-2010-3718</a>
 </p>
 
     <p>When running under a SecurityManager, access to the file system is
@@ -548,8 +543,7 @@
     <p>
 <strong>Important: Remote Denial Of Service and Information Disclosure
        Vulnerability</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227">
-       CVE-2010-2227</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227" rel="nofollow">CVE-2010-2227</a>
 </p>
 
     <p>Several flaws in the handling of the 'Transfer-Encoding' header were
@@ -578,8 +572,7 @@
          
     <p>
 <strong>Low: Information disclosure in authentication headers</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157">
-       CVE-2010-1157</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157" rel="nofollow">CVE-2010-1157</a>
 </p>
 
     <p>The <code>WWW-Authenticate</code> HTTP header for BASIC and DIGEST
@@ -643,8 +636,7 @@
        
     <p>
 <strong>Low: Arbitrary file deletion and/or alteration on deploy</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693">
-       CVE-2009-2693</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693" rel="nofollow">CVE-2009-2693</a>
 </p>
 
     <p>When deploying WAR files, the WAR files were not checked for directory
@@ -663,8 +655,7 @@
 
     <p>
 <strong>Low: Insecure partial deploy after failed undeploy</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901">
-       CVE-2009-2901</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901" rel="nofollow">CVE-2009-2901</a>
 </p>
 
     <p>By default, Tomcat automatically deploys any directories placed in a
@@ -687,8 +678,7 @@
     
     <p>
 <strong>Low: Unexpected file deletion in work directory</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902">
-       CVE-2009-2902</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902" rel="nofollow">CVE-2009-2902</a>
 </p>
 
     <p>When deploying WAR files, the WAR file names were not checked for
@@ -708,8 +698,7 @@
     
     <p>
 <strong>Low: Insecure default password</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548">
-       CVE-2009-3548</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548" rel="nofollow">CVE-2009-3548</a>
 </p>
 
     <p>The Windows installer defaults to a blank password for the administrative
@@ -767,8 +756,7 @@
 
     <p>
 <strong>Important: Information Disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515">
-       CVE-2008-5515</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515" rel="nofollow">CVE-2008-5515</a>
 </p>
 
     <p>When using a RequestDispatcher obtained from the Request, the target path
@@ -788,8 +776,7 @@
 
     <p>
 <strong>Important: Denial of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">
-       CVE-2009-0033</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033" rel="nofollow">CVE-2009-0033</a>
 </p>
 
     <p>If Tomcat receives a request with invalid headers via the Java AJP
@@ -810,8 +797,7 @@
 
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">
-       CVE-2009-0580</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580" rel="nofollow">CVE-2009-0580</a>
 </p>
 
     <p>Due to insufficient error checking in some authentication classes, Tomcat
@@ -830,8 +816,7 @@
        
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">
-       CVE-2009-0781</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781" rel="nofollow">CVE-2009-0781</a>
 </p>
 
     <p>The calendar application in the examples web application contains an
@@ -849,8 +834,7 @@
 
     <p>
 <strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783">
-       CVE-2009-0783</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>
 </p>
 
     <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
@@ -914,8 +898,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232">
-       CVE-2008-1232</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232" rel="nofollow">CVE-2008-1232</a>
 </p>
 
     <p>The message argument of HttpServletResponse.sendError() call is not only
@@ -936,8 +919,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947">
-       CVE-2008-1947</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947" rel="nofollow">CVE-2008-1947</a>
 </p>
 
     <p>The Host Manager web application did not escape user provided data before
@@ -957,8 +939,7 @@
 
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370">
-       CVE-2008-2370</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370" rel="nofollow">CVE-2008-2370</a>
 </p>
 
     <p>When using a RequestDispatcher the target path was normalised before the 
@@ -1010,21 +991,18 @@
 <blockquote>
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333">
-       CVE-2007-5333</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333" rel="nofollow">CVE-2007-5333</a>
 </p>
 
     <p>The previous fix for
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385">
-       CVE-2007-3385</a> was incomplete. It did not consider the use of quotes
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a> was incomplete. It did not consider the use of quotes
        or %5C within a cookie value.</p>
 
     <p>Affects: 6.0.0-6.0.14</p>
 
     <p>
 <strong>low: Elevated privileges</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342">
-       CVE-2007-5342</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342" rel="nofollow">CVE-2007-5342</a>
 </p>
 
     <p>The JULI logging component allows web applications to provide their own
@@ -1037,8 +1015,7 @@
 
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461">
-       CVE-2007-5461</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461" rel="nofollow">CVE-2007-5461</a>
 </p>
 
     <p>When Tomcat's WebDAV servlet is configured for use with a context and
@@ -1050,8 +1027,7 @@
 
     <p>
 <strong>important: Data integrity</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286">
-       CVE-2007-6286</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286" rel="nofollow">CVE-2007-6286</a>
 </p>
 
     <p>When using the native (APR based) connector, connecting to the SSL port
@@ -1062,8 +1038,7 @@
 
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002">
-       CVE-2008-0002</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002" rel="nofollow">CVE-2008-0002</a>
 </p>
 
     <p>If an exception occurs during the processing of parameters (eg if the
@@ -1107,8 +1082,7 @@
 <blockquote>
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449">
-       CVE-2007-2449</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449" rel="nofollow">CVE-2007-2449</a>
 </p>
 
     <p>JSPs within the examples web application did not escape user provided
@@ -1123,8 +1097,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450">
-       CVE-2007-2450</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450" rel="nofollow">CVE-2007-2450</a>
 </p>
 
     <p>The Manager and Host Manager web applications did not escape user
@@ -1137,8 +1110,7 @@
 
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382">
-       CVE-2007-3382</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382" rel="nofollow">CVE-2007-3382</a>
 </p>
 
     <p>Tomcat incorrectly treated a single quote character (') in a cookie
@@ -1149,8 +1121,7 @@
 
     <p>
 <strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385">
-       CVE-2007-3385</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a>
 </p>
 
     <p>Tomcat incorrectly handled the character sequence \" in a cookie value.
@@ -1161,8 +1132,7 @@
 
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386">
-       CVE-2007-3386</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386" rel="nofollow">CVE-2007-3386</a>
 </p>
 
     <p>The Host Manager Servlet did not filter user supplied data before
@@ -1204,8 +1174,7 @@
 <blockquote>
     <p>
 <strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355">
-       CVE-2007-1355</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355" rel="nofollow">CVE-2007-1355</a>
 </p>
 
     <p>The JSP and Servlet included in the sample application within the Tomcat
@@ -1217,8 +1186,7 @@
 
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090">
-       CVE-2005-2090</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090" rel="nofollow">CVE-2005-2090</a>
 </p>
 
     <p>Requests with multiple content-length headers should be rejected as
@@ -1267,8 +1235,7 @@
 <blockquote>
     <p>
 <strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450">
-       CVE-2007-0450</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450" rel="nofollow">CVE-2007-0450</a>
 </p>
 
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used 
@@ -1331,8 +1298,7 @@
 <blockquote>
     <p>
 <strong>moderate: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128">
-       CVE-2008-0128</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128" rel="nofollow">CVE-2008-0128</a>
 </p>
 
     <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is
@@ -1375,8 +1341,7 @@
 <blockquote>
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358">
-       CVE-2007-1358</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358" rel="nofollow">CVE-2007-1358</a>
 </p>
 
     <p>Web pages that display the Accept-Language header value sent by the
@@ -1419,8 +1384,7 @@
 
     <p>
 <strong>Important: Remote Denial Of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476">
-       CVE-2010-4476</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a>
 </p>
 
     <p>A JVM bug could cause Double conversion to hang JVM when accessing to a
@@ -1441,8 +1405,7 @@
 
     <p>
 <strong>moderate: TLS SSL Man In The Middle</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
-       CVE-2009-3555</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" rel="nofollow">CVE-2009-3555</a>
 </p>
 
     <p>A vulnerability exists in the TLS protocol that allows an attacker to
@@ -1479,8 +1442,7 @@
        
     <p>
 <strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938">
-       CVE-2008-2938</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938" rel="nofollow">CVE-2008-2938</a>
 </p>
 
     <p>Originally reported as a Tomcat vulnerability the root cause of this

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1145952&r1=1145951&r2=1145952&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed Jul 13 10:57:59 2011
@@ -312,8 +312,7 @@
 
     <p>
 <strong>Low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204">
-       CVE-2011-2204</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a>
 </p>
 
     <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
@@ -364,8 +363,7 @@
 
     <p>
 <strong>Important: Security constraint bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1582">
-       CVE-2011-1582</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1582" rel="nofollow">CVE-2011-1582</a>
 </p>
 
     <p>An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security
@@ -411,8 +409,7 @@
 
     <p>
 <strong>Important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475">
-       CVE-2011-1475</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475" rel="nofollow">CVE-2011-1475</a>
 </p>
 
     <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
@@ -437,8 +434,7 @@
 
     <p>
 <strong>Important: Security constraint bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183">
-       CVE-2011-1183</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183" rel="nofollow">CVE-2011-1183</a>
 </p>
 
     <p>A regression in the fix for CVE-2011-1088 meant that security constraints
@@ -484,8 +480,7 @@
 
     <p>
 <strong>Important: Security constraint bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1088">
-       CVE-2011-1088</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1088" rel="nofollow">CVE-2011-1088</a>
 </p>
 
     <p>When a web application was started, <code>ServletSecurity</code>
@@ -546,8 +541,7 @@
 
     <p>
 <strong>Important: Remote Denial Of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0534">
-       CVE-2011-0534</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0534" rel="nofollow">CVE-2011-0534</a>
 </p>
 
     <p>The NIO connector expands its buffer endlessly during request line
@@ -593,8 +587,7 @@
   
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013">
-       CVE-2011-0013</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013" rel="nofollow">CVE-2011-0013</a>
 </p>
 
     <p>The HTML Manager interface displayed web application provided data, such
@@ -641,8 +634,7 @@
   
     <p>
 <strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172">
-       CVE-2010-4172</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172" rel="nofollow">CVE-2010-4172</a>
 </p>
 
     <p>The Manager application used the user provided parameters sort and
@@ -689,8 +681,7 @@
 
     <p>
 <strong>low: SecurityManager file permission bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718">
-       CVE-2010-3718</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718" rel="nofollow">CVE-2010-3718</a>
 </p>
 
     <p>When running under a SecurityManager, access to the file system is
@@ -755,8 +746,7 @@
     <p>
 <strong>Important: Remote Denial Of Service and Information Disclosure
        Vulnerability</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227">
-       CVE-2010-2227</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227" rel="nofollow">CVE-2010-2227</a>
 </p>
 
     <p>Several flaws in the handling of the 'Transfer-Encoding' header were
@@ -805,8 +795,7 @@
   
     <p>
 <strong>Important: Remote Denial Of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476">
-       CVE-2010-4476</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476" rel="nofollow">CVE-2010-4476</a>
 </p>
 
     <p>A JVM bug could cause Double conversion to hang JVM when accessing to a
@@ -827,8 +816,7 @@
 
     <p>
 <strong>moderate: TLS SSL Man In The Middle</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
-       CVE-2009-3555</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" rel="nofollow">CVE-2009-3555</a>
 </p>
 
     <p>A vulnerability exists in the TLS protocol that allows an attacker to

Modified: tomcat/site/trunk/docs/security-jk.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1145952&r1=1145951&r2=1145952&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-jk.html (original)
+++ tomcat/site/trunk/docs/security-jk.html Wed Jul 13 10:57:59 2011
@@ -296,8 +296,7 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519">
-       CVE-2008-5519</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519" rel="nofollow">CVE-2008-5519</a>
 </p>
 
     <p>Situations where faulty clients set Content-Length without providing
@@ -342,13 +341,11 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860">
-       CVE-2007-1860</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860" rel="nofollow">CVE-2007-1860</a>
 </p>
 
     <p>The issue is related to
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450">
-       CVE-2007-0450</a>, the patch for which was insufficient.</p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450" rel="nofollow">CVE-2007-0450</a>, the patch for which was insufficient.</p>
 
     <p>When multiple components (firewalls, caches, proxies and Tomcat)
        process a request, the request URL should not get decoded multiple times
@@ -407,8 +404,7 @@
 <blockquote>
     <p>
 <strong>critical: Arbitrary code execution and denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774">
-       CVE-2007-0774</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774" rel="nofollow">CVE-2007-0774</a>
 </p>
 
     <p>An unsafe memory copy in the URI handler for the native JK connector
@@ -447,8 +443,7 @@
 <blockquote>
     <p>
 <strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7197">
-       CVE-2006-7197</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7197" rel="nofollow">CVE-2006-7197</a>
 </p>
 
     <p>The Tomcat AJP connector contained a bug that sometimes set a too long

Modified: tomcat/site/trunk/docs/security-native.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-native.html?rev=1145952&r1=1145951&r2=1145952&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-native.html (original)
+++ tomcat/site/trunk/docs/security-native.html Wed Jul 13 10:57:59 2011
@@ -287,8 +287,7 @@
 <blockquote>
     <p>
 <strong>TLS SSL Man In The Middle</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
-       CVE-2009-3555</a>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" rel="nofollow">CVE-2009-3555</a>
 </p>
 
     <p>A vulnerability exists in the TLS protocol that allows an attacker to

Modified: tomcat/site/trunk/docs/security.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=1145952&r1=1145951&r2=1145952&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Wed Jul 13 10:57:59 2011
@@ -244,8 +244,8 @@
           Vulnerabilities</a>
 </li>
       <li>
-<a href="security-native.html">Apache Tomcat APR/native Connector Security
-          Vulnerabilities</a>
+<a href="security-native.html">Apache Tomcat APR/native Connector
+          Security Vulnerabilities</a>
 </li>
     </ul>
 
@@ -294,7 +294,8 @@
        </p>
 
     <p>We strongly encourage folks to report such problems to our private
-       security mailing list first, before disclosing them in a public forum.</p>
+       security mailing list first, before disclosing them in a public forum.
+       </p>
 
     <p>
 <strong>Please note that the security mailing list should only be used

Modified: tomcat/site/trunk/docs/whoweare.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/whoweare.html?rev=1145952&r1=1145951&r2=1145952&view=diff
==============================================================================
--- tomcat/site/trunk/docs/whoweare.html (original)
+++ tomcat/site/trunk/docs/whoweare.html Wed Jul 13 10:57:59 2011
@@ -234,7 +234,8 @@ The following is a list of the Apache To
 short bios for some of them.</p>
 
 <p>
-A complete list of all the Apache Committers is <a href="http://www.apache.org/~jim/committers.html">also available</a>.
+A complete list of all the Apache Committers is
+<a href="http://www.apache.org/~jim/committers.html">also available</a>.
 (It's a long list, so please be patient.)
 </p>
 

Modified: tomcat/site/trunk/xdocs/security-3.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-3.xml?rev=1145952&r1=1145951&r2=1145952&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-3.xml (original)
+++ tomcat/site/trunk/xdocs/security-3.xml Wed Jul 13 10:57:59 2011
@@ -32,8 +32,8 @@
 
   <section name="Not fixed in Apache Tomcat 3.x">
     <p><strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0808">
-       CVE-2005-0808</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0808"
+       rel="nofollow">CVE-2005-0808</a></p>
 
     <p>Tomcat 3.x can be remotely caused to crash or shutdown by a connection
        sending the right sequence of bytes to the AJP12 protocol port (TCP 8007
@@ -44,8 +44,8 @@
     <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.2</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382">
-       CVE-2007-3382</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382"
+       rel="nofollow">CVE-2007-3382</a></p>
 
     <p>Tomcat incorrectly treated a single quote character (') in a cookie
        value as a delimiter. In some circumstances this lead to the leaking of
@@ -54,8 +54,8 @@
     <p>Affects: 3.3-3.3.2</p>
 
     <p><strong>low: Cross site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3384">
-       CVE-2007-3384</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3384"
+       rel="nofollow">CVE-2007-3384</a></p>
 
     <p>When reporting error messages, Tomcat does not filter user supplied data
        before display. This enables an XSS attack. A source patch is available
@@ -66,8 +66,8 @@
     <p>Affects: 3.3-3.3.2</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385">
-       CVE-2007-3385</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
+       rel="nofollow">CVE-2007-3385</a></p>
 
     <p>Tomcat incorrectly handled the character sequence \" in a cookie value.
        In some circumstances this lead to the leaking of information such as
@@ -79,8 +79,8 @@
 
   <section name="Fixed in Apache Tomcat 3.3.2">
     <p><strong>moderate: Cross site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0044">
-       CVE-2003-0044</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0044"
+       rel="nofollow">CVE-2003-0044</a></p>
 
     <p>The root web application and the examples web application contained a
        number a cross-site scripting vulnerabilities. Note that is it
@@ -92,8 +92,8 @@
 
   <section name="Fixed in Apache Tomcat 3.3.1a">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0043">
-       CVE-2003-0043</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0043"
+       rel="nofollow">CVE-2003-0043</a></p>
 
     <p>When used with JDK 1.3.1 or earlier, web.xml files were read with
        trusted privileges enabling files outside of the web application to be
@@ -102,8 +102,8 @@
     <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1</p>
 
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0042">
-       CVE-2003-0042</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0042"
+       rel="nofollow">CVE-2003-0042</a></p>
 
     <p>URLs containing null characters could result in file contents being
        returned or a directory listing being returned even when a welcome file
@@ -114,8 +114,8 @@
 
   <section name="Fixed in Apache Tomcat 3.3.1">
     <p><strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0045">
-       CVE-2003-0045</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0045"
+       rel="nofollow">CVE-2003-0045</a></p>
 
     <p>JSP page names that match a Windows DOS device name, such as aux.jsp, may
        cause the thread processing the request to become unresponsive. A
@@ -127,8 +127,8 @@
 
   <section name="Fixed in Apache Tomcat 3.3a">
     <p><strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2007">
-       CVE-2002-2007</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2007"
+       rel="nofollow">CVE-2002-2007</a></p>
 
     <p>Non-standard requests to the sample applications installed by default
        could result in unexpected directory listings or disclosure of the full
@@ -137,10 +137,10 @@
     <p>Affects: 3.2.3-3.2.4</p>
 
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006">
-       CVE-2002-2006</a>,
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0760">
-       CVE-2000-0760</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006"
+       rel="nofollow">CVE-2002-2006</a>,
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0760"
+       rel="nofollow">CVE-2000-0760</a></p>
 
     <p>The snoop servlet installed as part of the examples includes output that
        identifies the Tomcat installation path. There are no plans to issue a an
@@ -151,8 +151,8 @@
 
   <section name="Fixed in Apache Tomcat 3.2.4">
     <p><strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1563">
-       CVE-2001-1563</a><br/></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1563"
+       rel="nofollow">CVE-2001-1563</a><br/></p>
 
     <p>No specifics are provided in the vulnerability report. This may be a
        summary of other issues reported against 3.2.x</p>
@@ -162,8 +162,8 @@
 
   <section name="Fixed in Apache Tomcat 3.2.2">
     <p><strong>moderate: Cross site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0829">
-       CVE-2001-0829</a></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0829"
+       rel="nofollow">CVE-2001-0829</a></p>
 
     <p>The default 404 error page does not escape URLs. This allows XSS
        attacks using specially crafted URLs.</p>
@@ -171,8 +171,8 @@
     <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.1</p>
 
     <p><strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590">
-       CVE-2001-0590</a><br/></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590"
+       rel="nofollow">CVE-2001-0590</a><br/></p>
 
     <p>A specially crafted URL can be used to obtain the source for JSPs.</p>
 
@@ -181,8 +181,8 @@
 
   <section name="Fixed in Apache Tomcat 3.2">
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0759">
-       CVE-2000-0759</a><br/></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0759"
+       rel="nofollow">CVE-2000-0759</a><br/></p>
 
     <p>Requesting a JSP that does not exist results in an error page that
        includes the full file system page of the current context.</p>
@@ -190,8 +190,8 @@
     <p>Affects: 3.1</p>
 
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0672">
-       CVE-2000-0672</a><br/></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0672"
+       rel="nofollow">CVE-2000-0672</a><br/></p>
 
     <p>Access to the admin context is not protected. This context allows an
        attacker to mount an arbitary file system path as a context. Any files
@@ -203,8 +203,8 @@
 
   <section name="Fixed in Apache Tomcat 3.1">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1210">
-       CVE-2000-1210</a><br/></p>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1210"
+       rel="nofollow">CVE-2000-1210</a><br/></p>
 
     <p>source.jsp, provided as part of the examples, allows an attacker to read
        arbitrary files via a .. (dot dot) in the argument to source.jsp.</p>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message