tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kkoli...@apache.org
Subject svn commit: r1174306 - in /tomcat/site/trunk: docs/security-7.html xdocs/security-7.xml
Date Thu, 22 Sep 2011 18:34:50 GMT
Author: kkolinko
Date: Thu Sep 22 18:34:50 2011
New Revision: 1174306

URL: http://svn.apache.org/viewvc?rev=1174306&view=rev
Log:
Simplify the markup

Modified:
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1174306&r1=1174305&r2=1174306&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Thu Sep 22 18:34:50 2011
@@ -573,9 +573,7 @@
        constraints configured via annotations were ignored on the first request
        to a Servlet. Subsequent requests were secured correctly.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1100832&amp;view=rev">
-       revision 1100832</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1100832">revision
1100832</a>.</p>
 
     <p>This was identified by the Tomcat security team on 13 April 2011 and
        made public on 17 May 2011.</p>
@@ -623,12 +621,10 @@
        user, a mix-up of responses for requests from different users may also be
        possible.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1086349&amp;view=rev">
-       revision 1086349</a> and
-       <a href="http://svn.apache.org/viewvc?rev=1086352&amp;view=rev">
-       revision 1086352</a>. (Note: HTTP pipelined requests are still likely to
-       fail with the HTTP BIO connector but will do so in a secure manner.)</p>
+    <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1086349">1086349</a>
and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1086352">1086352</a>.
+       (Note: HTTP pipelined requests are still likely to fail with the
+       HTTP BIO connector but will do so in a secure manner.)</p>
 
     <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
        2011.</p>
@@ -644,9 +640,7 @@
        were ignored when no login configuration was present in the web.xml and
        the web application was marked as meta-data complete.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1087643&amp;view=rev">
-       revision 1087643</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1087643">revision
1087643</a>.</p>
 
     <p>This was identified by the Tomcat security team on 17 March 2011 and
        made public on 6 April 2011.</p>
@@ -691,15 +685,10 @@
        may not have been protected as expected. This was partially fixed in
        Apache Tomcat 7.0.10 and fully fixed in 7.0.11.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1076586&amp;view=rev">
-       revision 1076586</a>,
-       <a href="http://svn.apache.org/viewvc?rev=1076587&amp;view=rev">
-       revision 1076587</a> and
-       <a href="http://svn.apache.org/viewvc?rev=1077995&amp;view=rev">
-       revision 1077995</a> and
-       <a href="http://svn.apache.org/viewvc?rev=1079752&amp;view=rev">
-       revision 1079752</a>.</p>
+    <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1076586">1076586</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1076587">1076587</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1077995">1077995</a>
and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1079752">1079752</a>.</p>
 
     <p>This was reported publicly on the Tomcat users mailing list on 2 Mar
        2011.</p>
@@ -751,9 +740,7 @@
        processing. That behaviour can be used for a denial of service attack
        using a carefully crafted request.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1065939&amp;view=rev">
-       revision 1065939</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1065939">revision
1065939</a>.</p>
 
     <p>This was identified by the Tomcat security team on 27 Jan 2011 and
        made public on 5 Feb 2011.</p>
@@ -798,9 +785,7 @@
        trigger script execution by an administrative user when viewing the
        manager pages.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1057279&amp;view=rev">
-       revision 1057279</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1057279">revision
1057279</a>.</p>
 
     <p>This was identified by the Tomcat security team on 12 Nov 2010 and
        made public on 5 Feb 2011.</p>
@@ -845,9 +830,7 @@
        scripting. The CSRF protection, which is enabled by default, prevents an
        attacker from exploiting this.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1037778&amp;view=rev">
-       revision 1037778</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1037778">revision
1037778</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 15 Nov 2010 and
        made public on 22 Nov 2010.</p>
@@ -901,9 +884,7 @@
        applicable when hosting web applications from untrusted sources such as
        shared hosting environments.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1022134&amp;view=rev">
-       revision 1022134</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1022134">revision
1022134</a>.</p>
 
     <p>This was discovered by the Tomcat security team on 12 Oct 2010 and
        made public on 5 Feb 2011.</p>
@@ -959,10 +940,8 @@
        behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
        reject the invalid transfer encoding header.</p>
        
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=958911&amp;view=rev">
-       revision 958911</a>.</p>
-       
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=958911">revision
958911</a>.</p>
+
     <p>This was first reported to the Tomcat security team on 14 Jun 2010 and
        made public on 9 Jul 2010.</p>
 
@@ -1009,8 +988,7 @@
     </p>
 
     <p>A work-around for this JVM bug was provided in 
-       <a href="http://svn.apache.org/viewvc?rev=1066244&amp;view=rev">
-       revision 1066244</a>.</p>
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1066244">revision
1066244</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 01 Feb 2011 and
        made public on 31 Jan 2011.</p>
@@ -1048,8 +1026,7 @@
        application.</p>
 
     <p>This was worked-around in
-       <a href="http://svn.apache.org/viewvc?rev=882320&amp;view=rev">
-       revision 891292</a>.</p>
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=882320">revision
891292</a>.</p>
 
   </blockquote>
 </p>

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1174306&r1=1174305&r2=1174306&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Thu Sep 22 18:34:50 2011
@@ -188,16 +188,13 @@
   <section name="Fixed in Apache Tomcat 7.0.14 (released 12 May 2011)">
 
     <p><strong>Important: Security constraint bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1582"
-       rel="nofollow">CVE-2011-1582</a></p>
+       <cve>CVE-2011-1582</cve></p>
 
     <p>An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security
        constraints configured via annotations were ignored on the first request
        to a Servlet. Subsequent requests were secured correctly.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1100832&amp;view=rev">
-       revision 1100832</a>.</p>
+    <p>This was fixed in <revlink rev="1100832">revision 1100832</revlink>.</p>
 
     <p>This was identified by the Tomcat security team on 13 April 2011 and
        made public on 17 May 2011.</p>
@@ -209,8 +206,7 @@
   <section name="Fixed in Apache Tomcat 7.0.12 (released 6 Apr 2011)">
 
     <p><strong>Important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475"
-       rel="nofollow">CVE-2011-1475</a></p>
+       <cve>CVE-2011-1475</cve></p>
 
     <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
        asynchronous requests did not fully account for HTTP pipelining. As a
@@ -220,12 +216,10 @@
        user, a mix-up of responses for requests from different users may also be
        possible.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1086349&amp;view=rev">
-       revision 1086349</a> and
-       <a href="http://svn.apache.org/viewvc?rev=1086352&amp;view=rev">
-       revision 1086352</a>. (Note: HTTP pipelined requests are still likely to
-       fail with the HTTP BIO connector but will do so in a secure manner.)</p>
+    <p>This was fixed in revisions <revlink rev="1086349">1086349</revlink>
and
+       <revlink rev="1086352">1086352</revlink>.
+       (Note: HTTP pipelined requests are still likely to fail with the
+       HTTP BIO connector but will do so in a secure manner.)</p>
 
     <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
        2011.</p>
@@ -233,16 +227,13 @@
     <p>Affects: 7.0.0-7.0.11</p>
 
     <p><strong>Important: Security constraint bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183"
-       rel="nofollow">CVE-2011-1183</a></p>
+       <cve>CVE-2011-1183</cve></p>
 
     <p>A regression in the fix for CVE-2011-1088 meant that security constraints
        were ignored when no login configuration was present in the web.xml and
        the web application was marked as meta-data complete.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1087643&amp;view=rev">
-       revision 1087643</a>.</p>
+    <p>This was fixed in <revlink rev="1087643">revision 1087643</revlink>.</p>
 
     <p>This was identified by the Tomcat security team on 17 March 2011 and
        made public on 6 April 2011.</p>
@@ -254,23 +245,17 @@
   <section name="Fixed in Apache Tomcat 7.0.11 (released 11 Mar 2011)">
 
     <p><strong>Important: Security constraint bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1088"
-       rel="nofollow">CVE-2011-1088</a></p>
+       <cve>CVE-2011-1088</cve></p>
 
     <p>When a web application was started, <code>ServletSecurity</code>
        annotations were ignored. This meant that some areas of the application
        may not have been protected as expected. This was partially fixed in
        Apache Tomcat 7.0.10 and fully fixed in 7.0.11.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1076586&amp;view=rev">
-       revision 1076586</a>,
-       <a href="http://svn.apache.org/viewvc?rev=1076587&amp;view=rev">
-       revision 1076587</a> and
-       <a href="http://svn.apache.org/viewvc?rev=1077995&amp;view=rev">
-       revision 1077995</a> and
-       <a href="http://svn.apache.org/viewvc?rev=1079752&amp;view=rev">
-       revision 1079752</a>.</p>
+    <p>This was fixed in revisions <revlink rev="1076586">1076586</revlink>,
+       <revlink rev="1076587">1076587</revlink>,
+       <revlink rev="1077995">1077995</revlink> and
+       <revlink rev="1079752">1079752</revlink>.</p>
 
     <p>This was reported publicly on the Tomcat users mailing list on 2 Mar
        2011.</p>
@@ -288,16 +273,13 @@
        affected versions.</i></p>
 
     <p><strong>Important: Remote Denial Of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0534"
-       rel="nofollow">CVE-2011-0534</a></p>
+       <cve>CVE-2011-0534</cve></p>
 
     <p>The NIO connector expands its buffer endlessly during request line
        processing. That behaviour can be used for a denial of service attack
        using a carefully crafted request.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1065939&amp;view=rev">
-       revision 1065939</a>.</p>
+    <p>This was fixed in <revlink rev="1065939">revision 1065939</revlink>.</p>
 
     <p>This was identified by the Tomcat security team on 27 Jan 2011 and
        made public on 5 Feb 2011.</p>
@@ -309,17 +291,14 @@
   <section name="Fixed in Apache Tomcat 7.0.6 (released 14 Jan 2011)">
   
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013"
-       rel="nofollow">CVE-2011-0013</a></p>
+       <cve>CVE-2011-0013</cve></p>
 
     <p>The HTML Manager interface displayed web application provided data, such
        as display names, without filtering. A malicious web application could
        trigger script execution by an administrative user when viewing the
        manager pages.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1057279&amp;view=rev">
-       revision 1057279</a>.</p>
+    <p>This was fixed in <revlink rev="1057279">revision 1057279</revlink>.</p>
 
     <p>This was identified by the Tomcat security team on 12 Nov 2010 and
        made public on 5 Feb 2011.</p>
@@ -331,17 +310,14 @@
   <section name="Fixed in Apache Tomcat 7.0.5 (released 1 Dec 2010)">
   
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172"
-       rel="nofollow">CVE-2010-4172</a></p>
+       <cve>CVE-2010-4172</cve></p>
 
     <p>The Manager application used the user provided parameters sort and
        orderBy directly without filtering thereby permitting cross-site
        scripting. The CSRF protection, which is enabled by default, prevents an
        attacker from exploiting this.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1037778&amp;view=rev">
-       revision 1037778</a>.</p>
+    <p>This was fixed in <revlink rev="1037778">revision 1037778</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 15 Nov 2010 and
        made public on 22 Nov 2010.</p>
@@ -353,8 +329,7 @@
   <section name="Fixed in Apache Tomcat 7.0.4 (released 21 Oct 2010)">
 
     <p><strong>low: SecurityManager file permission bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718"
-       rel="nofollow">CVE-2010-3718</a></p>
+       <cve>CVE-2010-3718</cve></p>
 
     <p>When running under a SecurityManager, access to the file system is
        limited but web applications are granted read/write permissions to the
@@ -370,9 +345,7 @@
        applicable when hosting web applications from untrusted sources such as
        shared hosting environments.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1022134&amp;view=rev">
-       revision 1022134</a>.</p>
+    <p>This was fixed in <revlink rev="1022134">revision 1022134</revlink>.</p>
 
     <p>This was discovered by the Tomcat security team on 12 Oct 2010 and
        made public on 5 Feb 2011.</p>
@@ -391,8 +364,7 @@
          
     <p><strong>Important: Remote Denial Of Service and Information Disclosure
        Vulnerability</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227"
-       rel="nofollow">CVE-2010-2227</a></p>
+       <cve>CVE-2010-2227</cve></p>
 
     <p>Several flaws in the handling of the 'Transfer-Encoding' header were
        found that prevented the recycling of a buffer. A remote attacker could
@@ -401,10 +373,8 @@
        behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
        reject the invalid transfer encoding header.</p>
        
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=958911&amp;view=rev">
-       revision 958911</a>.</p>
-       
+    <p>This was fixed in <revlink rev="958911">revision 958911</revlink>.</p>
+
     <p>This was first reported to the Tomcat security team on 14 Jun 2010 and
        made public on 9 Jul 2010.</p>
 
@@ -415,8 +385,7 @@
   <section name="Not a vulnerability in Tomcat">
   
     <p><strong>Important: Remote Denial Of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476"
-       rel="nofollow">CVE-2010-4476</a></p>
+       <cve>CVE-2010-4476</cve></p>
 
     <p>A JVM bug could cause Double conversion to hang JVM when accessing to a
        form based security constrained page or any page that calls
@@ -426,8 +395,7 @@
     </p>
 
     <p>A work-around for this JVM bug was provided in 
-       <a href="http://svn.apache.org/viewvc?rev=1066244&amp;view=rev">
-       revision 1066244</a>.</p>
+       <revlink rev="1066244">revision 1066244</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 01 Feb 2011 and
        made public on 31 Jan 2011.</p>
@@ -435,8 +403,7 @@
     <p>Affects: 7.0.0-7.0.6</p>
 
     <p><strong>moderate: TLS SSL Man In The Middle</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555"
-       rel="nofollow">CVE-2009-3555</a></p>
+       <cve>CVE-2009-3555</cve></p>
 
     <p>A vulnerability exists in the TLS protocol that allows an attacker to
        inject arbitrary requests into an TLS stream during renegotiation.</p>
@@ -464,8 +431,7 @@
        application.</p>
 
     <p>This was worked-around in
-       <a href="http://svn.apache.org/viewvc?rev=882320&amp;view=rev">
-       revision 891292</a>.</p>
+       <revlink rev="882320">revision 891292</revlink>.</p>
 
   </section>
   



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message