tomcat-dev mailing list archives

From kkoli...@apache.org
Subject svn commit: r1174399 - in /tomcat/site/trunk: docs/security-5.html xdocs/security-5.xml
Date Thu, 22 Sep 2011 21:27:56 GMT
Author: kkolinko
Date: Thu Sep 22 21:27:56 2011
New Revision: 1174399

URL: http://svn.apache.org/viewvc?rev=1174399&view=rev
Log:
Simplify the markup

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/xdocs/security-5.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1174399&r1=1174398&r2=1174399&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Thu Sep 22 21:27:56 2011
@@ -373,9 +373,7 @@
        do not have these permissions but are able to read log files may be able
        to discover a user's password.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1140072&amp;view=rev">
-       revision 1140072</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1140072">revision
1140072</a>.</p>
 
     <p>This was identified by Polina Genova on 14 June 2011 and
        made public on 27 June 2011.</p>
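Review bot: docs/security-5.html is the rendered output of xdocs/security-5.xml, so this hunk should be checked as generator output rather than edited by hand; the new anchor text breaks between `revision` and `1140072` inside the `<a>`, which is harmless once rendered (HTML collapses whitespace) but shows the template wrapping the link label at a fixed width. The rewritten URL only reorders the query to `view=rev&amp;rev=1140072`; parameter order is not significant, so there is no functional change.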
@@ -410,9 +408,7 @@
        </ul>
     </p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1158244&amp;view=rev">
-       revision 1158244</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1158244">revision
1158244</a>.</p>
 
     <p>This was identified by the Tomcat security team on 7 July 2011 and
        made public on 13 July 2011.</p>
@@ -438,9 +434,7 @@
        this vulnerability.
     </p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1159346&amp;view=rev">
-       revision 1159346</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1159346">revision
1159346</a>.</p>
 
     <p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
        on 12 August 2011.</p>
@@ -471,9 +465,7 @@
        </ul>
     </p>
 
-    <p>This was fixed in revision
-       <a href="http://svn.apache.org/viewvc?rev=1162960&amp;view=rev">
-       1162960</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1162960">revision
1162960</a>.</p>
 
     <p>This was reported publicly on 20th August 2011.</p>
 
@@ -548,9 +540,7 @@
        trigger script execution by an administrative user when viewing the
        manager pages.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1057518&amp;view=rev">
-       revision 1057518</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1057518">revision
1057518</a>.</p>
 
     <p>This was identified by the Tomcat security team on 12 Nov 2010 and
        made public on 5 Feb 2011.</p>
@@ -609,9 +599,7 @@
        applicable when hosting web applications from untrusted sources such as
        shared hosting environments.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1027610&amp;view=rev">
-       revision 1027610</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1027610">revision
1027610</a>.</p>
 
     <p>This was discovered by the Tomcat security team on 12 Oct 2010 and
        made public on 5 Feb 2011.</p>
@@ -630,11 +618,9 @@
        information to leak between requests. This flaw is mitigated if Tomcat is
        behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
        reject the invalid transfer encoding header.</p>
-       
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=959428&amp;view=rev">
-       revision 959428</a>.</p>
-       
+
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=959428">revision
959428</a>.</p>
+
     <p>This was first reported to the Tomcat security team on 14 Jun 2010 and
        made public on 9 Jul 2010.</p>
 
@@ -654,11 +640,9 @@
        request.getServerPort()</code>. In some circumstances this can expose
        the local host name or IP address of the machine running Tomcat.
     </p>
-       
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=936541&amp;view=rev">
-       revision 936541</a>.</p>
-       
+
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=936541">revision
936541</a>.</p>
+
     <p>This was first reported to the Tomcat security team on 31 Dec 2009 and
        made public on 21 Apr 2010.</p>
 
@@ -706,11 +690,9 @@
        traversal attempts. This allows an attacker to create arbitrary content
        outside of the web root by including entries such as
        <code>../../bin/catalina.sh</code> in the WAR.</p>
-       
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=902650&amp;view=rev">
-       revision 902650</a>.</p>
-       
+
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=902650">revision
902650</a>.</p>
+
     <p>This was first reported to the Tomcat security team on 30 Jul 2009 and
        made public on 1 Mar 2010.</p>
 
@@ -729,11 +711,9 @@
        security constraints may be deployed without those security constraints,
        making them accessible without authentication. This issue only affects
        Windows platforms</p>
-       
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=902650&amp;view=rev">
-       revision 902650</a>.</p>
-       
+
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=902650">revision
902650</a>.</p>
+
     <p>This was first reported to the Tomcat security team on 30 Jul 2009 and
        made public on 1 Mar 2010.</p>
 
@@ -749,11 +729,9 @@
        <code>...war</code> allows an attacker to cause the deletion of the
        current contents of the host's work directory which may cause problems
        for currently running applications.</p>
-       
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=902650&amp;view=rev">
-       revision 902650</a>.</p>
-       
+
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=902650">revision
902650</a>.</p>
+
     <p>This was first reported to the Tomcat security team on 30 Jul 2009 and
        made public on 1 Mar 2010.</p>
 
@@ -774,9 +752,7 @@
     <p>This was first reported to the Tomcat security team on 26 Oct 2009 and
        made public on 9 Nov 2009.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=919006&amp;view=rev">
-       revision 919006</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=919006">revision
919006</a>.</p>
   </blockquote>
 </p>
 </td>
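Review bot: the trailing context `</blockquote>` followed directly by `</p>` is a blockquote nested inside a paragraph, which is not valid HTML since `<p>` cannot contain block-level elements; it is inherited rather than introduced here, but the generator's wrapping of section bodies deserves a look. In this entry the "This was fixed in" paragraph also follows the "first reported" paragraph, whereas every other entry in the diff puts the revision link before the dates; reordering it in the xdocs source keeps the entries uniform.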
@@ -820,11 +796,8 @@
        content that would otherwise be protected by a security constraint or by
        locating it in under the WEB-INF directory.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=782757&amp;view=rev">
-       revision 782757</a> and
-       <a href="http://svn.apache.org/viewvc?rev=783291&amp;view=rev">
-       revision 783291</a>.</p>
+    <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=782757">782757</a>
and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=783291">783291</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 11 Dec 2008 and
        made public on 8 Jun 2009.</p>
@@ -843,9 +816,7 @@
        from use for approximately one minute. Thus the behaviour can be used for
        a denial of service attack using a carefully crafted request.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev">
-       revision 781362</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781362">revision
781362</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 26 Jan 2009 and
        made public on 3 Jun 2009.</p>
@@ -864,9 +835,7 @@
        Note that in early versions, the DataSourceRealm and JDBCRealm were also
        affected.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=781379&amp;view=rev">
-       revision 781379</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781379">revision
781379</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 25 Feb 2009 and
        made public on 3 Jun 2009.</p>
@@ -883,9 +852,7 @@
        XSS flaw due to invalid HTML which renders the XSS filtering protection
        ineffective.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=750928&amp;view=rev">
-       revision 750928</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=750928">revision
750928</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 5 Mar 2009 and
        made public on 3 Jun 2009.</p>
@@ -897,20 +864,15 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>
 </p>
 
-    <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
-       29936</a> and
-       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">
-       45933</a> allowed a web application to replace the XML parser used by
+    <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">29936</a>
and <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">45933</a>
allowed a web application
+       to replace the XML parser used by
        Tomcat to process web.xml, context.xml and tld files. In limited
        circumstances these bugs may allow a rogue web application to view and/or
        alter the web.xml, context.xml and tld files of other web applications
        deployed on the Tomcat instance.</p>
 
-    <p>This was fixed in revisions 
-       <a href="http://svn.apache.org/viewvc?rev=681156&amp;view=rev">
-       681156</a> and
-       <a href="http://svn.apache.org/viewvc?rev=781542&amp;view=rev">
-       781542</a>.</p>
+    <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=681156">681156</a>
and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781542">781542</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 2 Mar 2009 and
        made public on 4 Jun 2009.</p>
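Review bot: the rewrapped prose here (`allowed a web application` / `to replace the XML parser used by`) changes only line breaks, which inflates the diff without altering the rendered page; leaving untouched sentences alone would let the revision-link change stand out. The CVE anchor in the context (`...CVE-2009-0783" rel="nofollow"`) is unchanged, which confirms that the new `<cve>` element in the xdocs renders to the same markup as the removed hand-written anchors.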

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1174399&r1=1174398&r2=1174399&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Thu Sep 22 21:27:56 2011
@@ -49,8 +49,7 @@
   <section name="Fixed in Apache Tomcat 5.5.34" rtext="released 22 Sep 2011">
 
     <p><strong>Low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204"
-       rel="nofollow">CVE-2011-2204</a></p>
+       <cve>CVE-2011-2204</cve></p>
 
     <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
        creating users via JMX, an exception during the user creation process may
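Review bot: the new `<cve>` element replaces an explicit anchor that carried both the mitre.org URL and `rel="nofollow"`, but the Modified list for this commit contains only security-5.html and security-5.xml; the stylesheet that expands `<cve>` (and must emit `rel="nofollow"` so the output matches the removed anchor) is not part of this change, so confirm it already exists in the site build. The unchanged CVE anchors in the html diff suggest the transform does already produce identical markup.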
@@ -61,9 +60,7 @@
        do not have these permissions but are able to read log files may be able
        to discover a user&apos;s password.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1140072&amp;view=rev">
-       revision 1140072</a>.</p>
+    <p>This was fixed in <revlink rev="1140072">revision 1140072</revlink>.</p>
 
     <p>This was identified by Polina Genova on 14 June 2011 and
        made public on 27 June 2011.</p>
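Review bot: `<revlink rev="1140072">revision 1140072</revlink>` repeats the revision number in both the attribute and the label; if the template can derive the label from `rev`, the duplication and the chance of the two drifting apart go away. The html hunk shows the template emitting `viewvc?view=rev&amp;rev=...`, which is the same ViewVC revision view as before with the query reordered, so the rendered links are equivalent.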
@@ -71,8 +68,7 @@
     <p>Affects: 5.5.0-5.5.33</p>
   
     <p><strong>Low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526"
-       rel="nofollow">CVE-2011-2526</a></p>
+       <cve>CVE-2011-2526</cve></p>
 
     <p>Tomcat provides support for sendfile with the HTTP APR
        connector. sendfile is used automatically for content served via the
@@ -97,9 +93,7 @@
        </ul>
     </p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1158244&amp;view=rev">
-       revision 1158244</a>.</p>
+    <p>This was fixed in <revlink rev="1158244">revision 1158244</revlink>.</p>
 
     <p>This was identified by the Tomcat security team on 7 July 2011 and
        made public on 13 July 2011.</p>
@@ -107,8 +101,7 @@
     <p>Affects: 5.5.0-5.5.33</p>
 
     <p><strong>Important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729"
-       rel="nofollow">CVE-2011-2729</a></p>
+       <cve>CVE-2011-2729</cve></p>
 
     <p>Due to a bug in the capabilities code, jsvc (the service wrapper for
        Linux that is part of the Commons Daemon project) does not drop
@@ -124,9 +117,7 @@
        this vulnerability.
     </p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1159346&amp;view=rev">
-       revision 1159346</a>.</p>
+    <p>This was fixed in <revlink rev="1159346">revision 1159346</revlink>.</p>
 
     <p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
        on 12 August 2011.</p>
@@ -135,8 +126,7 @@
     
     <p><strong>Important: Authentication bypass and information disclosure
        </strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190"
-       rel="nofollow">CVE-2011-3190</a></p>
+       <cve>CVE-2011-3190</cve></p>
 
     <p>Apache Tomcat supports the AJP protocol which is used with reverse
        proxies to pass requests and associated data about the request from the
@@ -156,9 +146,7 @@
        </ul>
     </p>
 
-    <p>This was fixed in revision
-       <a href="http://svn.apache.org/viewvc?rev=1162960&amp;view=rev">
-       1162960</a>.</p>
+    <p>This was fixed in <revlink rev="1162960">revision 1162960</revlink>.</p>
 
     <p>This was reported publicly on 20th August 2011.</p>
 
@@ -191,17 +179,14 @@
   <section name="Fixed in Apache Tomcat 5.5.32" rtext="released 1 Feb 2011">
   
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013"
-       rel="nofollow">CVE-2011-0013</a></p>
+       <cve>CVE-2011-0013</cve></p>
 
     <p>The HTML Manager interface displayed web application provided data, such
        as display names, without filtering. A malicious web application could
        trigger script execution by an administrative user when viewing the
        manager pages.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1057518&amp;view=rev">
-       revision 1057518</a>.</p>
+    <p>This was fixed in <revlink rev="1057518">revision 1057518</revlink>.</p>
 
     <p>This was identified by the Tomcat security team on 12 Nov 2010 and
        made public on 5 Feb 2011.</p>
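Review bot: the severity label in the context line `<strong>low: Cross-site scripting</strong>` is lower-case while the entries above use `Low:` and `Important:`; since this pass is about simplifying the markup, normalising the capitalisation here and in the other `low:` entries further down would be a cheap addition.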
@@ -213,8 +198,7 @@
   <section name="Fixed in Apache Tomcat 5.5.30" rtext="released 9 Jul 2010">
   
     <p><strong>low: SecurityManager file permission bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3718"
-       rel="nofollow">CVE-2010-3718</a></p>
+       <cve>CVE-2010-3718</cve></p>
 
     <p>When running under a SecurityManager, access to the file system is
        limited but web applications are granted read/write permissions to the
@@ -230,9 +214,7 @@
        applicable when hosting web applications from untrusted sources such as
        shared hosting environments.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=1027610&amp;view=rev">
-       revision 1027610</a>.</p>
+    <p>This was fixed in <revlink rev="1027610">revision 1027610</revlink>.</p>
 
     <p>This was discovered by the Tomcat security team on 12 Oct 2010 and
        made public on 5 Feb 2011.</p>
@@ -241,8 +223,7 @@
     
     <p><strong>Important: Remote Denial Of Service and Information Disclosure
        Vulnerability</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227"
-       rel="nofollow">CVE-2010-2227</a></p>
+       <cve>CVE-2010-2227</cve></p>
 
     <p>Several flaws in the handling of the 'Transfer-Encoding' header were
        found that prevented the recycling of a buffer. A remote attacker could
@@ -250,19 +231,16 @@
        information to leak between requests. This flaw is mitigated if Tomcat is
        behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
        reject the invalid transfer encoding header.</p>
-       
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=959428&amp;view=rev">
-       revision 959428</a>.</p>
-       
+
+    <p>This was fixed in <revlink rev="959428">revision 959428</revlink>.</p>
+
     <p>This was first reported to the Tomcat security team on 14 Jun 2010 and
        made public on 9 Jul 2010.</p>
 
     <p>Affects: 5.5.0-5.5.29</p>
 
     <p><strong>Low: Information disclosure in authentication headers</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157"
-       rel="nofollow">CVE-2010-1157</a></p>
+       <cve>CVE-2010-1157</cve></p>
 
     <p>The <code>WWW-Authenticate</code> HTTP header for BASIC and DIGEST
        authentication includes a realm name. If a
@@ -273,11 +251,9 @@
        request.getServerPort()</code>. In some circumstances this can expose
        the local host name or IP address of the machine running Tomcat.
     </p>
-       
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=936541&amp;view=rev">
-       revision 936541</a>.</p>
-       
+
+    <p>This was fixed in <revlink rev="936541">revision 936541</revlink>.</p>
+
     <p>This was first reported to the Tomcat security team on 31 Dec 2009 and
        made public on 21 Apr 2010.</p>
 
@@ -288,26 +264,22 @@
   <section name="Fixed in Apache Tomcat 5.5.29" rtext="released 20 Apr 2010">
   
     <p><strong>Low: Arbitrary file deletion and/or alteration on deploy</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693"
-       rel="nofollow">CVE-2009-2693</a></p>
+       <cve>CVE-2009-2693</cve></p>
 
     <p>When deploying WAR files, the WAR files were not checked for directory
        traversal attempts. This allows an attacker to create arbitrary content
        outside of the web root by including entries such as
        <code>../../bin/catalina.sh</code> in the WAR.</p>
-       
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=902650&amp;view=rev">
-       revision 902650</a>.</p>
-       
+
+    <p>This was fixed in <revlink rev="902650">revision 902650</revlink>.</p>
+
     <p>This was first reported to the Tomcat security team on 30 Jul 2009 and
        made public on 1 Mar 2010.</p>
 
     <p>Affects: 5.5.0-5.5.28</p>
 
     <p><strong>Low: Insecure partial deploy after failed undeploy</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901"
-       rel="nofollow">CVE-2009-2901</a></p>
+       <cve>CVE-2009-2901</cve></p>
 
     <p>By default, Tomcat automatically deploys any directories placed in a
        host's appBase. This behaviour is controlled by the autoDeploy attribute
@@ -317,38 +289,32 @@
        security constraints may be deployed without those security constraints,
        making them accessible without authentication. This issue only affects
        Windows platforms</p>
-       
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=902650&amp;view=rev">
-       revision 902650</a>.</p>
-       
+
+    <p>This was fixed in <revlink rev="902650">revision 902650</revlink>.</p>
+
     <p>This was first reported to the Tomcat security team on 30 Jul 2009 and
        made public on 1 Mar 2010.</p>
 
     <p>Affects: 5.5.0-5.5.28 (Windows only)</p>
     
     <p><strong>Low: Unexpected file deletion in work directory</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902"
-       rel="nofollow">CVE-2009-2902</a></p>
+       <cve>CVE-2009-2902</cve></p>
 
     <p>When deploying WAR files, the WAR file names were not checked for
        directory traversal attempts. For example, deploying and undeploying
        <code>...war</code> allows an attacker to cause the deletion of the
        current contents of the host's work directory which may cause problems
        for currently running applications.</p>
-       
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=902650&amp;view=rev">
-       revision 902650</a>.</p>
-       
+
+    <p>This was fixed in <revlink rev="902650">revision 902650</revlink>.</p>
+
     <p>This was first reported to the Tomcat security team on 30 Jul 2009 and
        made public on 1 Mar 2010.</p>
 
     <p>Affects: 5.5.0-5.5.28</p>
 
     <p><strong>Low: Insecure default password</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548"
-       rel="nofollow">CVE-2009-3548</a></p>
+       <cve>CVE-2009-3548</cve></p>
 
     <p>The Windows installer defaults to a blank password for the administrative
        user. If this is not changed during the install process, then by default
@@ -360,15 +326,12 @@
     <p>This was first reported to the Tomcat security team on 26 Oct 2009 and
        made public on 9 Nov 2009.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=919006&amp;view=rev">
-       revision 919006</a>.</p>
+    <p>This was fixed in <revlink rev="919006">revision 919006</revlink>.</p>
   </section>
 
   <section name="Fixed in Apache Tomcat 5.5.28" rtext="released 4 Sep 2009">
     <p><strong>Important: Information Disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515"
-       rel="nofollow">CVE-2008-5515</a></p>
+       <cve>CVE-2008-5515</cve></p>
 
     <p>When using a RequestDispatcher obtained from the Request, the target path
        was normalised before the query string was removed. A request that
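Review bot: in the CVE-2009-3548 entry the `<revlink rev="919006">` paragraph comes after the "first reported" paragraph, unlike every other entry in this file where the revision link precedes the dates; moving it up keeps the structure uniform and makes any later check that every entry carries a revlink straightforward.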
@@ -376,11 +339,8 @@
        content that would otherwise be protected by a security constraint or by
        locating it in under the WEB-INF directory.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=782757&amp;view=rev">
-       revision 782757</a> and
-       <a href="http://svn.apache.org/viewvc?rev=783291&amp;view=rev">
-       revision 783291</a>.</p>
+    <p>This was fixed in revisions <revlink rev="782757">782757</revlink>
and
+       <revlink rev="783291">783291</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 11 Dec 2008 and
        made public on 8 Jun 2009.</p>
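Review bot: for multi-revision fixes the labels are bare numbers (`<revlink rev="782757">782757</revlink>`) while single-revision entries use `revision 782757` as the label; settling on one convention now makes it possible for the template or a later cleanup to generate the label from the attribute.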
@@ -388,8 +348,7 @@
     <p>Affects: 5.5.0-5.5.27</p>
 
     <p><strong>Important: Denial of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"
-       rel="nofollow">CVE-2009-0033</a></p>
+       <cve>CVE-2009-0033</cve></p>
 
     <p>If Tomcat receives a request with invalid headers via the Java AJP
        connector, it does not return an error and instead closes the AJP
@@ -398,9 +357,7 @@
        from use for approximately one minute. Thus the behaviour can be used for
        a denial of service attack using a carefully crafted request.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev">
-       revision 781362</a>.</p>
+    <p>This was fixed in <revlink rev="781362">revision 781362</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 26 Jan 2009 and
        made public on 3 Jun 2009.</p>
@@ -408,8 +365,7 @@
     <p>Affects: 5.5.0-5.5.27</p>
  
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580"
-       rel="nofollow">CVE-2009-0580</a></p>
+       <cve>CVE-2009-0580</cve></p>
 
     <p>Due to insufficient error checking in some authentication classes, Tomcat
        allows for the enumeration (brute force testing) of user names by
@@ -418,9 +374,7 @@
        Note that in early versions, the DataSourceRealm and JDBCRealm were also
        affected.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=781379&amp;view=rev">
-       revision 781379</a>.</p>
+    <p>This was fixed in <revlink rev="781379">revision 781379</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 25 Feb 2009 and
        made public on 3 Jun 2009.</p>
@@ -429,16 +383,13 @@
        Realms)</p>
        
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"
-       rel="nofollow">CVE-2009-0781</a></p>
+       <cve>CVE-2009-0781</cve></p>
 
     <p>The calendar application in the examples web application contains an
        XSS flaw due to invalid HTML which renders the XSS filtering protection
        ineffective.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=750928&amp;view=rev">
-       revision 750928</a>.</p>
+    <p>This was fixed in <revlink rev="750928">revision 750928</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 5 Mar 2009 and
        made public on 3 Jun 2009.</p>
@@ -446,23 +397,17 @@
     <p>Affects: 5.5.0-5.5.27</p>
 
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783"
-       rel="nofollow">CVE-2009-0783</a></p>
+       <cve>CVE-2009-0783</cve></p>
 
-    <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
-       29936</a> and
-       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">
-       45933</a> allowed a web application to replace the XML parser used by
+    <p>Bugs <bug>29936</bug> and <bug>45933</bug> allowed a
web application
+       to replace the XML parser used by
        Tomcat to process web.xml, context.xml and tld files. In limited
        circumstances these bugs may allow a rogue web application to view and/or
        alter the web.xml, context.xml and tld files of other web applications
        deployed on the Tomcat instance.</p>
 
-    <p>This was fixed in revisions 
-       <a href="http://svn.apache.org/viewvc?rev=681156&amp;view=rev">
-       681156</a> and
-       <a href="http://svn.apache.org/viewvc?rev=781542&amp;view=rev">
-       781542</a>.</p>
+    <p>This was fixed in revisions <revlink rev="681156">681156</revlink>
and
+       <revlink rev="781542">781542</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 2 Mar 2009 and
        made public on 4 Jun 2009.</p>
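Review bot: `<bug>29936</bug>` likewise relies on the stylesheet to expand to the Bugzilla URL (`issues.apache.org/bugzilla/show_bug.cgi?id=...`) that the removed anchor spelled out; as with `<cve>`, that transform is not in this commit's Modified list, so double-check it is in place. The paragraph rewrap (`allowed a` / `web application` / `to replace the XML parser used by`) is unrelated noise in an otherwise fine change.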



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

