tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kkoli...@apache.org
Subject svn commit: r1174435 - in /tomcat/site/trunk: docs/security-5.html xdocs/security-5.xml
Date Thu, 22 Sep 2011 22:38:40 GMT
Author: kkolinko
Date: Thu Sep 22 22:38:40 2011
New Revision: 1174435

URL: http://svn.apache.org/viewvc?rev=1174435&view=rev
Log:
Simplify the markup

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/xdocs/security-5.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1174435&r1=1174434&r2=1174435&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Thu Sep 22 22:38:40 2011
@@ -924,9 +924,7 @@
        XSS attack, unfiltered user supplied data must be included in the message
        argument.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680947&amp;view=rev">
-       revision 680947</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=680947">revision
680947</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 24 Jan 2008 and
        made public on 1 Aug 2008.</p>
@@ -944,9 +942,7 @@
        out (closing the browser) of the application once the management tasks
        have been completed.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=662583&amp;view=rev">
-       revision 662583</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=662583">revision
662583</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 15 May 2008 and
        made public on 28 May 2008.</p>
@@ -964,9 +960,7 @@
        protected by a security constraint or by locating it in under the WEB-INF 
        directory.</p>
 
-       <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680949&amp;view=rev">
-       revision 680949</a>.</p>
+       <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=680949">revision
680949</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 13 Jun 2008 and
        made public on 1 August 2008.</p>
@@ -1010,9 +1004,8 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333" rel="nofollow">CVE-2007-5333</a>
 </p>
 
-    <p>The previous fix for
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385" rel="nofollow">CVE-2007-3385</a>
was incomplete. It did not consider the use of quotes
-       or %5C within a cookie value.</p>
+    <p>The previous fix for <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
rel="nofollow">CVE-2007-3385</a> was incomplete. It did
+       not consider the use of quotes or %5C within a cookie value.</p>
 
     <p>Affects: 5.5.0-5.5.25</p>
 
@@ -1274,8 +1267,8 @@
 </p>
 
     <p>The fix for this issue was insufficient. A fix was also required in the
-       JK connector module for httpd. See 
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860" rel="nofollow">CVE-2007-1860</a>
for further information.</p>
+       JK connector module for httpd. See <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860"
rel="nofollow">CVE-2007-1860</a> for further
+       information.</p>
 
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used

        behind a proxy (including, but not limited to, Apache HTTP server with 
@@ -1582,7 +1575,7 @@
 
     <p>The root cause is the relatively expensive calls required to generate
        the content for the directory listings. If directory listings are
-       enabled, the number of files in each directory should be kepp to a
+       enabled, the number of files in each directory should be kept to a
        minimum. In response to this issue, directory listings were changed to
        be disabled by default. Additionally, a
        <a href="http://marc.info/?l=tomcat-dev&amp;m=113356822719767&amp;w=2">
@@ -1709,8 +1702,7 @@
     </p>
 
     <p>A work-around for this JVM bug was provided in 
-       <a href="http://svn.apache.org/viewvc?rev=1066318&amp;view=rev">
-       revision 1066318</a>.</p>
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1066318">revision
1066318</a>.</p>
 
     <p>This was first reported to the Tomcat security team on 01 Feb 2011 and
        made public on 31 Jan 2011.</p>
@@ -1748,8 +1740,8 @@
        application.</p>
 
     <p>A workaround was implemented in
-       <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=904851">
-       revision 904851</a> that provided the new allowUnsafeLegacyRenegotiation
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=904851">revision
904851</a>
+       that provided the new <code>allowUnsafeLegacyRenegotiation</code>
        attribute. This work around will be included in Tomcat 5.5.29 onwards.</p>
 
     <p>
@@ -1793,8 +1785,8 @@
        status of this issue for your JVM, contact your JVM vendor.</p>
        
     <p>A workaround was implemented in
-       <a href="http://svn.apache.org/viewvc?rev=681029&amp;view=rev">
-       revision 681029</a> that protects against this and any similar character
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=681029">revision
681029</a>
+       that protects against this and any similar character
        encoding issues that may still exist in the JVM. This work around is
        included in Tomcat 5.5.27 onwards.</p>
 

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1174435&r1=1174434&r2=1174435&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Thu Sep 22 22:38:40 2011
@@ -418,8 +418,7 @@
   
   <section name="Fixed in Apache Tomcat 5.5.27" rtext="released 8 Sep 2008">
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232"
-       rel="nofollow">CVE-2008-1232</a></p>
+       <cve>CVE-2008-1232</cve></p>
 
     <p>The message argument of HttpServletResponse.sendError() call is not only
        displayed on the error page, but is also used for the reason-phrase of
@@ -429,9 +428,7 @@
        XSS attack, unfiltered user supplied data must be included in the message
        argument.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680947&amp;view=rev">
-       revision 680947</a>.</p>
+    <p>This was fixed in <revlink rev="680947">revision 680947</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 24 Jan 2008 and
        made public on 1 Aug 2008.</p>
@@ -439,8 +436,7 @@
     <p>Affects: 5.5.0-5.5.26</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947"
-       rel="nofollow">CVE-2008-1947</a></p>
+       <cve>CVE-2008-1947</cve></p>
 
     <p>The Host Manager web application did not escape user provided data before
        including it in the output. This enabled a XSS attack. This application
@@ -448,9 +444,7 @@
        out (closing the browser) of the application once the management tasks
        have been completed.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=662583&amp;view=rev">
-       revision 662583</a>.</p>
+    <p>This was fixed in <revlink rev="662583">revision 662583</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 15 May 2008 and
        made public on 28 May 2008.</p>
@@ -458,8 +452,7 @@
     <p>Affects: 5.5.9-5.5.26</p>
     
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370"
-       rel="nofollow">CVE-2008-2370</a></p>
+       <cve>CVE-2008-2370</cve></p>
 
     <p>When using a RequestDispatcher the target path was normalised before the 
        query string was removed. A request that included a specially crafted 
@@ -467,9 +460,7 @@
        protected by a security constraint or by locating it in under the WEB-INF 
        directory.</p>
 
-       <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680949&amp;view=rev">
-       revision 680949</a>.</p>
+       <p>This was fixed in <revlink rev="680949">revision 680949</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 13 Jun 2008 and
        made public on 1 August 2008.</p>
@@ -480,19 +471,15 @@
 
   <section name="Fixed in Apache Tomcat 5.5.26" rtext="released 5 Feb 2008">
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333"
-       rel="nofollow">CVE-2007-5333</a></p>
+       <cve>CVE-2007-5333</cve></p>
 
-    <p>The previous fix for
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
-       rel="nofollow">CVE-2007-3385</a> was incomplete. It did not consider the
use of quotes
-       or %5C within a cookie value.</p>
+    <p>The previous fix for <cve>CVE-2007-3385</cve> was incomplete. It
did
+       not consider the use of quotes or %5C within a cookie value.</p>
 
     <p>Affects: 5.5.0-5.5.25</p>
 
     <p><strong>low: Elevated privileges</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342"
-       rel="nofollow">CVE-2007-5342</a></p>
+       <cve>CVE-2007-5342</cve></p>
 
     <p>The JULI logging component allows web applications to provide their own
        logging configurations. The default security policy does not restrict
@@ -503,8 +490,7 @@
     <p>Affects: 5.5.9-5.5.25</p>
 
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461"
-       rel="nofollow">CVE-2007-5461</a></p>
+       <cve>CVE-2007-5461</cve></p>
 
     <p>When Tomcat's WebDAV servlet is configured for use with a context and
        has been enabled for write, some WebDAV requests that specify an entity
@@ -514,8 +500,7 @@
     <p>Affects: 5.5.0-5.5.25</p>
 
     <p><strong>important: Data integrity</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286"
-       rel="nofollow">CVE-2007-6286</a></p>
+       <cve>CVE-2007-6286</cve></p>
 
     <p>When using the native (APR based) connector, connecting to the SSL port
        using netcat and then disconnecting without sending any data will cause
@@ -527,8 +512,7 @@
   <section name="Fixed in Apache Tomcat 5.5.25, 5.0.SVN"
           rtext="released 8 Sep 2007">
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449"
-       rel="nofollow">CVE-2007-2449</a></p>
+       <cve>CVE-2007-2449</cve></p>
 
     <p>JSPs within the examples web application did not escape user provided
        data before including it in the output. This enabled a XSS attack. These
@@ -541,8 +525,7 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.24</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450"
-       rel="nofollow">CVE-2007-2450</a></p>
+       <cve>CVE-2007-2450</cve></p>
 
     <p>The Manager and Host Manager web applications did not escape user
        provided data before including it in the output. This enabled a XSS
@@ -553,8 +536,7 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.24</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382"
-       rel="nofollow">CVE-2007-3382</a></p>
+       <cve>CVE-2007-3382</cve></p>
 
     <p>Tomcat incorrectly treated a single quote character (') in a cookie
        value as a delimiter. In some circumstances this lead to the leaking of
@@ -563,8 +545,7 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.24</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
-       rel="nofollow">CVE-2007-3385</a></p>
+       <cve>CVE-2007-3385</cve></p>
 
     <p>Tomcat incorrectly handled the character sequence \" in a cookie value.
        In some circumstances this lead to the leaking of information such as
@@ -573,8 +554,7 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.24</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386"
-       rel="nofollow">CVE-2007-3386</a></p>
+       <cve>CVE-2007-3386</cve></p>
 
     <p>The Host Manager Servlet did not filter user supplied data before
        display. This enabled an XSS attack.</p>
@@ -585,8 +565,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.24, 5.0.SVN" rtext="Not released">
     <p><strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355"
-       rel="nofollow">CVE-2007-1355</a></p>
+       <cve>CVE-2007-1355</cve></p>
 
     <p>The JSP and Servlet included in the sample application within the Tomcat
        documentation webapp did not escape user provided data before including
@@ -600,8 +579,7 @@
   <section name="Fixed in Apache Tomcat 5.5.23, 5.0.SVN"
           rtext="released 9 Mar 2007">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090"
-       rel="nofollow">CVE-2005-2090</a></p>
+       <cve>CVE-2005-2090</cve></p>
 
     <p>Requests with multiple content-length headers should be rejected as
        invalid. When multiple components (firewalls, caches, proxies and Tomcat)
@@ -619,13 +597,11 @@
 
   <section name="Fixed in Apache Tomcat 5.5.22, 5.0.SVN" rtext="not released">
     <p><strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450"
-       rel="nofollow">CVE-2007-0450</a></p>
+       <cve>CVE-2007-0450</cve></p>
 
     <p>The fix for this issue was insufficient. A fix was also required in the
-       JK connector module for httpd. See 
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860"
-       rel="nofollow">CVE-2007-1860</a> for further information.</p>
+       JK connector module for httpd. See <cve>CVE-2007-1860</cve> for further
+       information.</p>
 
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is used

        behind a proxy (including, but not limited to, Apache HTTP server with 
@@ -657,8 +633,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.21, 5.0.SVN" rtext="not released">
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358"
-       rel="nofollow">CVE-2007-1358</a></p>
+       <cve>CVE-2007-1358</cve></p>
 
     <p>Web pages that display the Accept-Language header value sent by the
        client are susceptible to a cross-site scripting attack if they assume
@@ -674,8 +649,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.21" rtext="not released">
     <p><strong>moderate: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"
-       rel="nofollow">CVE-2008-0128</a></p>
+       <cve>CVE-2008-0128</cve></p>
 
     <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is
        transmitted without the "secure" attribute, resulting in it being
@@ -685,8 +659,7 @@
     <p>Affects: 5.0.0-5.0.SVN, 5.5.0-5.5.20</p>
 
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4308"
-       rel="nofollow">CVE-2008-4308</a></p>
+       <cve>CVE-2008-4308</cve></p>
 
     <p><a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=40771">Bug
     40771</a> may result in the disclosure of POSTed content from a previous
@@ -700,8 +673,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.18, 5.0.SVN" rtext="not released">
     <p><strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195"
-       rel="nofollow">CVE-2006-7195</a></p>
+       <cve>CVE-2006-7195</cve></p>
 
     <p>The implicit-objects.jsp in the examples webapp displayed a number of
        unfiltered header values. This enabled a XSS attack. These values are now
@@ -713,8 +685,7 @@
   <section name="Fixed in Apache Tomcat 5.5.17, 5.0.SVN"
           rtext="released 27 Apr 2006">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858"
-       rel="nofollow">CVE-2007-1858</a></p>
+       <cve>CVE-2007-1858</cve></p>
 
     <p>The default SSL configuration permitted the use of insecure cipher suites
        including the anonymous cipher suite. The default configuration no
@@ -726,8 +697,7 @@
   <section name="Fixed in Apache Tomcat 5.5.16, 5.0.SVN"
           rtext="released 15 Mar 2006">
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196"
-       rel="nofollow">CVE-2006-7196</a></p>
+       <cve>CVE-2006-7196</cve></p>
 
     <p>The calendar application included as part of the JSP examples is
        susceptible to a cross-site scripting attack as it does not escape
@@ -739,8 +709,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.13, 5.0.SVN">
     <p><strong>low: Directory listing</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835"
-       rel="nofollow">CVE-2006-3835</a></p>
+       <cve>CVE-2006-3835</cve></p>
 
     <p>This is expected behaviour when directory listings are enabled. The
        semicolon (;) is the separator for path parameters so inserting one
@@ -752,12 +721,11 @@
     <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.12</p>
 
     <p><strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510"
-       rel="nofollow">CVE-2005-3510</a></p>
+       <cve>CVE-2005-3510</cve></p>
 
     <p>The root cause is the relatively expensive calls required to generate
        the content for the directory listings. If directory listings are
-       enabled, the number of files in each directory should be kepp to a
+       enabled, the number of files in each directory should be kept to a
        minimum. In response to this issue, directory listings were changed to
        be disabled by default. Additionally, a
        <a href="http://marc.info/?l=tomcat-dev&amp;m=113356822719767&amp;w=2">
@@ -769,8 +737,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.7, 5.0.SVN">
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4838"
-       rel="nofollow">CVE-2005-4838</a></p>
+       <cve>CVE-2005-4838</cve></p>
 
     <p>Various JSPs included as part of the JSP examples and the Tomcat Manager
        are susceptible to a cross-site scripting attack as they do not escape
@@ -781,8 +748,7 @@
 
   <section name="Fixed in Apache Tomcat 5.5.1">
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271"
-       rel="nofollow">CVE-2008-3271</a></p>
+       <cve>CVE-2008-3271</cve></p>
 
     <p><a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=25835">
     Bug 25835</a> can, in rare circumstances - this has only been reproduced
@@ -797,8 +763,7 @@
   <section name="Not a vulnerability in Tomcat">
 
     <p><strong>Important: Remote Denial Of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476"
-       rel="nofollow">CVE-2010-4476</a></p>
+       <cve>CVE-2010-4476</cve></p>
 
     <p>A JVM bug could cause Double conversion to hang JVM when accessing to a
        form based security constrained page or any page that calls
@@ -808,8 +773,7 @@
     </p>
 
     <p>A work-around for this JVM bug was provided in 
-       <a href="http://svn.apache.org/viewvc?rev=1066318&amp;view=rev">
-       revision 1066318</a>.</p>
+       <revlink rev="1066318">revision 1066318</revlink>.</p>
 
     <p>This was first reported to the Tomcat security team on 01 Feb 2011 and
        made public on 31 Jan 2011.</p>
@@ -817,8 +781,7 @@
     <p>Affects: 5.5.0-5.5.32</p>
 
     <p><strong>moderate: TLS SSL Man In The Middle</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555"
-       rel="nofollow">CVE-2009-3555</a></p>
+       <cve>CVE-2009-3555</cve></p>
 
     <p>A vulnerability exists in the TLS protocol that allows an attacker to
        inject arbitrary requests into an TLS stream during renegotiation.</p>
@@ -846,25 +809,22 @@
        application.</p>
 
     <p>A workaround was implemented in
-       <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=904851">
-       revision 904851</a> that provided the new allowUnsafeLegacyRenegotiation
+       <revlink rev="904851">revision 904851</revlink>
+       that provided the new <code>allowUnsafeLegacyRenegotiation</code>
        attribute. This work around will be included in Tomcat 5.5.29 onwards.</p>
 
     <p><strong>JavaMail information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754"
-       rel="nofollow">CVE-2005-1754</a></p>
+       <cve>CVE-2005-1754</cve></p>
     <p>The vulnerability described is in the web application deployed on Tomcat
        rather than in Tomcat.</p>
 
     <p><strong>JavaMail information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1753"
-       rel="nofollow">CVE-2005-1753</a></p>
+       <cve>CVE-2005-1753</cve></p>
     <p>The vulnerability described is in the web application deployed on Tomcat
        rather than in Tomcat.</p>
 
     <p><strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938"
-       rel="nofollow">CVE-2008-2938</a></p>
+       <cve>CVE-2008-2938</cve></p>
 
     <p>Originally reported as a Tomcat vulnerability the root cause of this
        issue is that the JVM does not correctly decode UTF-8 encoded URLs to
@@ -888,8 +848,8 @@
        status of this issue for your JVM, contact your JVM vendor.</p>
        
     <p>A workaround was implemented in
-       <a href="http://svn.apache.org/viewvc?rev=681029&amp;view=rev">
-       revision 681029</a> that protects against this and any similar character
+       <revlink rev="681029">revision 681029</revlink>
+       that protects against this and any similar character
        encoding issues that may still exist in the JVM. This work around is
        included in Tomcat 5.5.27 onwards.</p>
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message