tomcat-dev mailing list archives

From kkoli...@apache.org
Subject svn commit: r1174453 - in /tomcat/site/trunk: docs/security-3.html docs/security-4.html xdocs/security-3.xml xdocs/security-4.xml
Date Thu, 22 Sep 2011 23:51:23 GMT
Author: kkolinko
Date: Thu Sep 22 23:51:23 2011
New Revision: 1174453

URL: http://svn.apache.org/viewvc?rev=1174453&view=rev
Log:
Simplify the markup
Rearranged entries in "not in Tomcat" section in security-4.xml: newer ones are at the top.

Modified:
    tomcat/site/trunk/docs/security-3.html
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/xdocs/security-3.xml
    tomcat/site/trunk/xdocs/security-4.xml

Modified: tomcat/site/trunk/docs/security-3.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-3.html?rev=1174453&r1=1174452&r2=1174453&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-3.html (original)
+++ tomcat/site/trunk/docs/security-3.html Thu Sep 22 23:51:23 2011
@@ -284,8 +284,8 @@
        <a href="mailto:security@tomcat.apache.org">Tomcat Security Team</a>.</p>
 
     <p>Please note that Tomcat 3 is no longer supported. Further vulnerabilities
-       in the 3.x branches will not be fixed. Users should upgrade to 5.5.x or
-       6.x to obtain security fixes.</p>
+       in the 3.x branches will not be fixed. Users should upgrade to 5.5.x,
+       6.x or 7.x to obtain security fixes.</p>
 
   </blockquote>
 </p>
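Review bot: the log message only mentions markup simplification and the reordering in security-4.xml, but the "+" lines in this hunk change the advice itself by adding 7.x to the upgrade targets ("Users should upgrade to 5.5.x, 6.x or 7.x"), and the same wording change repeats in security-4.html and both xdocs files. Please mention it in the log so the content change can be found from history, or commit it separately from the markup cleanup.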
@@ -611,7 +611,6 @@
     <p>
 <strong>moderate: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590" rel="nofollow">CVE-2001-0590</a>
-<br/>
 </p>
 
     <p>A specially crafted URL can be used to obtain the source for JSPs.</p>
@@ -647,7 +646,6 @@
     <p>
 <strong>low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0759" rel="nofollow">CVE-2000-0759</a>
-<br/>
 </p>
 
     <p>Requesting a JSP that does not exist results in an error page that
@@ -658,7 +656,6 @@
     <p>
 <strong>important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0672" rel="nofollow">CVE-2000-0672</a>
-<br/>
 </p>
 
     <p>Access to the admin context is not protected. This context allows an
@@ -697,7 +694,6 @@
     <p>
 <strong>important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1210" rel="nofollow">CVE-2000-1210</a>
-<br/>
 </p>
 
     <p>source.jsp, provided as part of the examples, allows an attacker to read

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=1174453&r1=1174452&r2=1174453&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Thu Sep 22 23:51:23 2011
@@ -306,7 +306,7 @@
 
     <p>Please note that Tomcat 4.0.x and 4.1.x are no longer supported. Further
        vulnerabilities in the 4.0.x and 4.1.x branches will not be fixed. Users
-       should upgrade to 5.5.x or 6.x to obtain security fixes.</p>
+       should upgrade to 5.5.x, 6.x or 7.x to obtain security fixes.</p>
 
   </blockquote>
 </p>
@@ -388,11 +388,8 @@
        content that would otherwise be protected by a security constraint or by
        locating it in under the WEB-INF directory.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=782763&amp;view=rev">
-       revision 782763</a> and
-       <a href="http://svn.apache.org/viewvc?rev=783292&amp;view=rev">
-       revision 783292</a>.</p>
+    <p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=782763">782763</a>
and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=783292">783292</a>.</p>
 
     <p>Affects: 4.1.0-4.1.39</p>
 
@@ -408,9 +405,7 @@
        from use for approximately one minute. Thus the behaviour can be used for
        a denial of service attack using a carefully crafted request.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev">
-       revision 781362</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781362">revision
781362</a>.</p>
 
     <p>Affects: 4.1.0-4.1.39</p>
  
@@ -426,9 +421,7 @@
        Note that in early versions, the DataSourceRealm and JDBCRealm were also
        affected.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=781382&amp;view=rev">
-       revision 781382</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781382">revision
781382</a>.</p>
 
     <p>Affects: 4.1.0-4.1.39 (Memory Realm), 4.1.0-4.1.31 (JDBC Realm),
                 4.1.17-4.1.31 (DataSource Realm)</p>
@@ -442,9 +435,7 @@
        XSS flaw due to invalid HTML which renders the XSS filtering protection
        ineffective.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=750927&amp;view=rev">
-       revision 750927</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=750927">revision
750927</a>.</p>
 
     <p>Affects: 4.1.0-4.1.39</p>
 
@@ -453,18 +444,14 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>
 </p>
 
-    <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
-       29936</a> and
-       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">
-       45933</a> allowed a web application to replace the XML parser used by
+    <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">29936</a>
and <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">45933</a>
+       allowed a web application to replace the XML parser used by
        Tomcat to process web.xml and tld files. In limited circumstances these
        bugs may allow a rogue web application to view and/or alter the web.xml
        and tld files of other web applications deployed on the Tomcat instance.
        </p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=781708&amp;view=rev">
-       revision 781708</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=781708">revision
781708</a>.</p>
 
     <p>Affects: 4.1.0-4.1.39</p>
        
@@ -506,9 +493,7 @@
        transmitted to any content that is - by purpose or error - requested via
        http from the same server. </p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=684900&amp;view=rev">
-       revision 684900</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=684900">revision
684900</a>.</p>
 
     <p>Affects: 4.1.0-4.1.37</p>
 
@@ -525,9 +510,7 @@
        XSS attack, unfiltered user supplied data must be included in the message
        argument.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680947&amp;view=rev">
-       revision 680947</a>.</p>
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=680947">revision
680947</a>.</p>
 
     <p>Affects: 4.1.0-4.1.37</p>
 
@@ -542,9 +525,7 @@
        protected by a security constraint or by locating it in under the WEB-INF 
        directory.</p>
 
-       <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680950&amp;view=rev">
-       revision 680950</a>.</p>
+       <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=680950">revision
680950</a>.</p>
 
     <p>Affects: 4.1.0-4.1.37</p>
     
@@ -1252,7 +1233,6 @@
 <strong>low: Installation path disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4703" rel="nofollow">CVE-2005-4703</a>,

        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2008" rel="nofollow">CVE-2002-2008</a>
-<br/>
 </p>
 
     <p>This issue only affects Windows operating systems. It can not be
@@ -1267,7 +1247,6 @@
     <p>
 <strong>important: Denial of service</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1895" rel="nofollow">CVE-2002-1895</a>
-<br/>
 </p>
 
     <p>This issue only affects configurations that use IIS in conjunction with
@@ -1305,17 +1284,6 @@
 <p>
 <blockquote>
     <p>
-<strong>Denial of service vulnerability</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0936" rel="nofollow">CVE-2002-0936</a>
-</p>
-
-    <p>The issue described requires an attacker to be able to plant a JSP page
-       on the Tomcat server. If an attacker can do this then the server is
-       already compromised. In this case an attacker could just as easily add a
-       page that called System.exit(1) rather than relying on a bug in an
-       internal Sun class.</p>
-
-    <p>
 <strong>important: Directory traversal</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938" rel="nofollow">CVE-2008-2938</a>
 </p>
@@ -1342,11 +1310,22 @@
        status of this issue for your JVM, contact your JVM vendor.</p>
        
     <p>A workaround was implemented in
-       <a href="http://svn.apache.org/viewvc?rev=681065&amp;view=rev">
-       revision 681065</a> that protects against this and any similar character
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=681065">revision
681065</a>
+       that protects against this and any similar character
        encoding issues that may still exist in the JVM. This work around is
        included in Tomcat 4.1.39 onwards.</p>
 
+    <p>
+<strong>Denial of service vulnerability</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0936" rel="nofollow">CVE-2002-0936</a>
+</p>
+
+    <p>The issue described requires an attacker to be able to plant a JSP page
+       on the Tomcat server. If an attacker can do this then the server is
+       already compromised. In this case an attacker could just as easily add a
+       page that called System.exit(1) rather than relying on a bug in an
+       internal Sun class.</p>
+
   </blockquote>
 </p>
 </td>
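Review bot: the relocated CVE-2002-0936 entry keeps the heading "Denial of service vulnerability" with no severity prefix, while the CVE-2008-2938 entry that now precedes it in the same blockquote reads "important: Directory traversal". If the missing rating is deliberate because the report is not considered a Tomcat issue, a short remark to that effect in the entry would help; otherwise add the rating while the entry is being moved. Since the workaround paragraph is rewrapped here anyway, "This work around is" on the following context line could also become "workaround" to match "A workaround was implemented" above it.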

Modified: tomcat/site/trunk/xdocs/security-3.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-3.xml?rev=1174453&r1=1174452&r2=1174453&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-3.xml (original)
+++ tomcat/site/trunk/xdocs/security-3.xml Thu Sep 22 23:51:23 2011
@@ -25,15 +25,14 @@
        <a href="mailto:security@tomcat.apache.org">Tomcat Security Team</a>.</p>
 
     <p>Please note that Tomcat 3 is no longer supported. Further vulnerabilities
-       in the 3.x branches will not be fixed. Users should upgrade to 5.5.x or
-       6.x to obtain security fixes.</p>
+       in the 3.x branches will not be fixed. Users should upgrade to 5.5.x,
+       6.x or 7.x to obtain security fixes.</p>
 
   </section>
 
   <section name="Not fixed in Apache Tomcat 3.x">
     <p><strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0808"
-       rel="nofollow">CVE-2005-0808</a></p>
+       <cve>CVE-2005-0808</cve></p>
 
     <p>Tomcat 3.x can be remotely caused to crash or shutdown by a connection
        sending the right sequence of bytes to the AJP12 protocol port (TCP 8007
@@ -44,8 +43,7 @@
     <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.2</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382"
-       rel="nofollow">CVE-2007-3382</a></p>
+       <cve>CVE-2007-3382</cve></p>
 
     <p>Tomcat incorrectly treated a single quote character (') in a cookie
        value as a delimiter. In some circumstances this lead to the leaking of
@@ -54,8 +52,7 @@
     <p>Affects: 3.3-3.3.2</p>
 
     <p><strong>low: Cross site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3384"
-       rel="nofollow">CVE-2007-3384</a></p>
+       <cve>CVE-2007-3384</cve></p>
 
     <p>When reporting error messages, Tomcat does not filter user supplied data
        before display. This enables an XSS attack. A source patch is available
@@ -66,8 +63,7 @@
     <p>Affects: 3.3-3.3.2</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
-       rel="nofollow">CVE-2007-3385</a></p>
+       <cve>CVE-2007-3385</cve></p>
 
     <p>Tomcat incorrectly handled the character sequence \" in a cookie value.
        In some circumstances this lead to the leaking of information such as
@@ -79,8 +75,7 @@
 
   <section name="Fixed in Apache Tomcat 3.3.2">
     <p><strong>moderate: Cross site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0044"
-       rel="nofollow">CVE-2003-0044</a></p>
+       <cve>CVE-2003-0044</cve></p>
 
     <p>The root web application and the examples web application contained a
        number a cross-site scripting vulnerabilities. Note that is it
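Review bot: the context lines under the converted CVE-2003-0044 heading still read "number a cross-site scripting vulnerabilities. Note that is it"; while this entry is being touched, correct it to "a number of" and "it is" so the published advisory text is clean.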
@@ -92,8 +87,7 @@
 
   <section name="Fixed in Apache Tomcat 3.3.1a">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0043"
-       rel="nofollow">CVE-2003-0043</a></p>
+       <cve>CVE-2003-0043</cve></p>
 
     <p>When used with JDK 1.3.1 or earlier, web.xml files were read with
        trusted privileges enabling files outside of the web application to be
@@ -102,8 +96,7 @@
     <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.4, 3.3a-3.3.1</p>
 
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0042"
-       rel="nofollow">CVE-2003-0042</a></p>
+       <cve>CVE-2003-0042</cve></p>
 
     <p>URLs containing null characters could result in file contents being
        returned or a directory listing being returned even when a welcome file
@@ -114,8 +107,7 @@
 
   <section name="Fixed in Apache Tomcat 3.3.1">
     <p><strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0045"
-       rel="nofollow">CVE-2003-0045</a></p>
+       <cve>CVE-2003-0045</cve></p>
 
     <p>JSP page names that match a Windows DOS device name, such as aux.jsp, may
        cause the thread processing the request to become unresponsive. A
@@ -127,8 +119,7 @@
 
   <section name="Fixed in Apache Tomcat 3.3a">
     <p><strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2007"
-       rel="nofollow">CVE-2002-2007</a></p>
+       <cve>CVE-2002-2007</cve></p>
 
     <p>Non-standard requests to the sample applications installed by default
        could result in unexpected directory listings or disclosure of the full
@@ -137,10 +128,8 @@
     <p>Affects: 3.2.3-3.2.4</p>
 
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006"
-       rel="nofollow">CVE-2002-2006</a>,
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0760"
-       rel="nofollow">CVE-2000-0760</a></p>
+       <cve>CVE-2002-2006</cve>,
+       <cve>CVE-2000-0760</cve></p>
 
     <p>The snoop servlet installed as part of the examples includes output that
        identifies the Tomcat installation path. There are no plans to issue a an
@@ -151,8 +140,7 @@
 
   <section name="Fixed in Apache Tomcat 3.2.4">
     <p><strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1563"
-       rel="nofollow">CVE-2001-1563</a><br/></p>
+       <cve>CVE-2001-1563</cve><br/></p>
 
     <p>No specifics are provided in the vulnerability report. This may be a
        summary of other issues reported against 3.2.x</p>
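Review bot: the new line "<cve>CVE-2001-1563</cve><br/></p>" keeps the trailing "<br/>" that this commit drops from the other 3.2.x entries (CVE-2001-0590, CVE-2000-0759, CVE-2000-0672, CVE-2000-1210), and docs/security-3.html has no matching hunk removing it for this entry. Remove the "<br/>" here as well so the entries render consistently.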
@@ -162,8 +150,7 @@
 
   <section name="Fixed in Apache Tomcat 3.2.2">
     <p><strong>moderate: Cross site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0829"
-       rel="nofollow">CVE-2001-0829</a></p>
+       <cve>CVE-2001-0829</cve></p>
 
     <p>The default 404 error page does not escape URLs. This allows XSS
        attacks using specially crafted URLs.</p>
@@ -171,8 +158,7 @@
     <p>Affects: 3.0, 3.1-3.1.1, 3.2-3.2.1</p>
 
     <p><strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0590"
-       rel="nofollow">CVE-2001-0590</a><br/></p>
+       <cve>CVE-2001-0590</cve></p>
 
     <p>A specially crafted URL can be used to obtain the source for JSPs.</p>
 
@@ -181,8 +167,7 @@
 
   <section name="Fixed in Apache Tomcat 3.2">
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0759"
-       rel="nofollow">CVE-2000-0759</a><br/></p>
+       <cve>CVE-2000-0759</cve></p>
 
     <p>Requesting a JSP that does not exist results in an error page that
        includes the full file system page of the current context.</p>
@@ -190,8 +175,7 @@
     <p>Affects: 3.1</p>
 
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0672"
-       rel="nofollow">CVE-2000-0672</a><br/></p>
+       <cve>CVE-2000-0672</cve></p>
 
     <p>Access to the admin context is not protected. This context allows an
        attacker to mount an arbitary file system path as a context. Any files
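Review bot: "arbitary" on the last context line of the CVE-2000-0672 entry should be "arbitrary"; worth fixing in the same pass as the heading markup for this entry.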
@@ -203,8 +187,7 @@
 
   <section name="Fixed in Apache Tomcat 3.1">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1210"
-       rel="nofollow">CVE-2000-1210</a><br/></p>
+       <cve>CVE-2000-1210</cve></p>
 
     <p>source.jsp, provided as part of the examples, allows an attacker to read
        arbitrary files via a .. (dot dot) in the argument to source.jsp.</p>

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=1174453&r1=1174452&r2=1174453&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Thu Sep 22 23:51:23 2011
@@ -26,14 +26,13 @@
 
     <p>Please note that Tomcat 4.0.x and 4.1.x are no longer supported. Further
        vulnerabilities in the 4.0.x and 4.1.x branches will not be fixed. Users
-       should upgrade to 5.5.x or 6.x to obtain security fixes.</p>
+       should upgrade to 5.5.x, 6.x or 7.x to obtain security fixes.</p>
 
   </section>
 
   <section name="Will not be fixed in Apache Tomcat 4.1.x">
     <p><strong>moderate: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4836"
-       rel="nofollow">CVE-2005-4836</a></p>
+       <cve>CVE-2005-4836</cve></p>
 
     <p>The deprecated HTTP/1.1 connector does not reject request URIs containing
        null bytes when used with contexts that are configured with
@@ -49,8 +48,7 @@
 
   <section name="Fixed in Apache Tomcat 4.1.40">
     <p><strong>Important: Information Disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515"
-       rel="nofollow">CVE-2008-5515</a></p>
+       <cve>CVE-2008-5515</cve></p>
 
     <p>When using a RequestDispatcher obtained from the Request, the target path
        was normalised before the query string was removed. A request that
@@ -58,17 +56,13 @@
        content that would otherwise be protected by a security constraint or by
        locating it in under the WEB-INF directory.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=782763&amp;view=rev">
-       revision 782763</a> and
-       <a href="http://svn.apache.org/viewvc?rev=783292&amp;view=rev">
-       revision 783292</a>.</p>
+    <p>This was fixed in revisions <revlink rev="782763">782763</revlink>
and
+       <revlink rev="783292">783292</revlink>.</p>
 
     <p>Affects: 4.1.0-4.1.39</p>
 
     <p><strong>Important: Denial of Service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"
-       rel="nofollow">CVE-2009-0033</a></p>
+       <cve>CVE-2009-0033</cve></p>
 
     <p>If Tomcat receives a request with invalid headers via the Java AJP
        connector, it does not return an error and instead closes the AJP
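Review bot: in the CVE-2008-5515 entry the revision number is written twice per link, "<revlink rev="782763">782763</revlink>", so the attribute and the visible text can drift apart and leave a link labelled with one revision that points at another. Consider letting the stylesheet render the rev attribute as the link text when the element body is empty. The link text is also inconsistent between the two forms: here the word "revisions" sits outside the links, while the single-revision entries use "<revlink rev="781362">revision 781362</revlink>" with the word inside the link.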
@@ -77,15 +71,12 @@
        from use for approximately one minute. Thus the behaviour can be used for
        a denial of service attack using a carefully crafted request.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev">
-       revision 781362</a>.</p>
+    <p>This was fixed in <revlink rev="781362">revision 781362</revlink>.</p>
 
     <p>Affects: 4.1.0-4.1.39</p>
  
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580"
-       rel="nofollow">CVE-2009-0580</a></p>
+       <cve>CVE-2009-0580</cve></p>
 
     <p>Due to insufficient error checking in some authentication classes, Tomcat
        allows for the enumeration (brute force testing) of user names by
@@ -94,43 +85,33 @@
        Note that in early versions, the DataSourceRealm and JDBCRealm were also
        affected.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=781382&amp;view=rev">
-       revision 781382</a>.</p>
+    <p>This was fixed in <revlink rev="781382">revision 781382</revlink>.</p>
 
     <p>Affects: 4.1.0-4.1.39 (Memory Realm), 4.1.0-4.1.31 (JDBC Realm),
                 4.1.17-4.1.31 (DataSource Realm)</p>
        
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"
-       rel="nofollow">CVE-2009-0781</a></p>
+       <cve>CVE-2009-0781</cve></p>
 
     <p>The calendar application in the examples web application contains an
        XSS flaw due to invalid HTML which renders the XSS filtering protection
        ineffective.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=750927&amp;view=rev">
-       revision 750927</a>.</p>
+    <p>This was fixed in <revlink rev="750927">revision 750927</revlink>.</p>
 
     <p>Affects: 4.1.0-4.1.39</p>
 
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783"
-       rel="nofollow">CVE-2009-0783</a></p>
+       <cve>CVE-2009-0783</cve></p>
 
-    <p>Bugs <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=29936">
-       29936</a> and
-       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45933">
-       45933</a> allowed a web application to replace the XML parser used by
+    <p>Bugs <bug>29936</bug> and <bug>45933</bug>
+       allowed a web application to replace the XML parser used by
        Tomcat to process web.xml and tld files. In limited circumstances these
        bugs may allow a rogue web application to view and/or alter the web.xml
        and tld files of other web applications deployed on the Tomcat instance.
        </p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=781708&amp;view=rev">
-       revision 781708</a>.</p>
+    <p>This was fixed in <revlink rev="781708">revision 781708</revlink>.</p>
 
     <p>Affects: 4.1.0-4.1.39</p>
        
@@ -139,23 +120,19 @@
   <section name="Fixed in Apache Tomcat 4.1.39">
 
     <p><strong>moderate: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"
-       rel="nofollow">CVE-2008-0128</a></p>
+       <cve>CVE-2008-0128</cve></p>
 
     <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is
        transmitted without the "secure" attribute, resulting in it being
        transmitted to any content that is - by purpose or error - requested via
        http from the same server. </p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=684900&amp;view=rev">
-       revision 684900</a>.</p>
+    <p>This was fixed in <revlink rev="684900">revision 684900</revlink>.</p>
 
     <p>Affects: 4.1.0-4.1.37</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232"
-       rel="nofollow">CVE-2008-1232</a></p>
+       <cve>CVE-2008-1232</cve></p>
 
     <p>The message argument of HttpServletResponse.sendError() call is not only
        displayed on the error page, but is also used for the reason-phrase of
@@ -165,15 +142,12 @@
        XSS attack, unfiltered user supplied data must be included in the message
        argument.</p>
 
-    <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680947&amp;view=rev">
-       revision 680947</a>.</p>
+    <p>This was fixed in <revlink rev="680947">revision 680947</revlink>.</p>
 
     <p>Affects: 4.1.0-4.1.37</p>
 
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370"
-       rel="nofollow">CVE-2008-2370</a></p>
+       <cve>CVE-2008-2370</cve></p>
 
     <p>When using a RequestDispatcher the target path was normalised before the 
        query string was removed. A request that included a specially crafted 
@@ -181,9 +155,7 @@
        protected by a security constraint or by locating it in under the WEB-INF 
        directory.</p>
 
-       <p>This was fixed in
-       <a href="http://svn.apache.org/viewvc?rev=680950&amp;view=rev">
-       revision 680950</a>.</p>
+       <p>This was fixed in <revlink rev="680950">revision 680950</revlink>.</p>
 
     <p>Affects: 4.1.0-4.1.37</p>
     
@@ -191,8 +163,7 @@
 
   <section name="Fixed in Apache Tomcat 4.1.37">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3164"
-       rel="nofollow">CVE-2005-3164</a></p>
+       <cve>CVE-2005-3164</cve></p>
 
     <p>If a client specifies a Content-Length but disconnects before sending
        any of the request body, the deprecated AJP connector processes the
@@ -203,8 +174,7 @@
     <p>Affects: 4.0.1-4.0.6, 4.1.0-4.1.36</p>
 
     <p><strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355"
-       rel="nofollow">CVE-2007-1355</a></p>
+       <cve>CVE-2007-1355</cve></p>
 
     <p>The JSP and Servlet included in the sample application within the Tomcat
        documentation webapp did not escape user provided data before including
@@ -214,8 +184,7 @@
     <p>Affects: 4.0.1-4.0.6, 4.1.0-4.1.36</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449"
-       rel="nofollow">CVE-2007-2449</a></p>
+       <cve>CVE-2007-2449</cve></p>
 
     <p>JSPs within the examples web application did not escape user provided
        data before including it in the output. This enabled a XSS attack. These
@@ -228,8 +197,7 @@
     <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.36</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450"
-       rel="nofollow">CVE-2007-2450</a></p>
+       <cve>CVE-2007-2450</cve></p>
 
     <p>The Manager web application did not escape user provided data before
        including it in the output. This enabled a XSS attack. This application
@@ -240,8 +208,7 @@
     <p>Affects: 4.0.1-4.0.6, 4.1.0-4.1.36</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382"
-       rel="nofollow">CVE-2007-3382</a></p>
+       <cve>CVE-2007-3382</cve></p>
 
     <p>Tomcat incorrectly treated a single quote character (') in a cookie
        value as a delimiter. In some circumstances this lead to the leaking of
@@ -250,8 +217,7 @@
     <p>Affects: 4.1.0-4.1.36</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3383"
-       rel="nofollow">CVE-2007-3383</a></p>
+       <cve>CVE-2007-3383</cve></p>
 
     <p>When reporting error messages, the SendMailServlet (part of the examples
        web application) did not escape user provided data before including it in
@@ -264,8 +230,7 @@
     <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.36</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
-       rel="nofollow">CVE-2007-3385</a></p>
+       <cve>CVE-2007-3385</cve></p>
 
     <p>Tomcat incorrectly handled the character sequence \" in a cookie value.
        In some circumstances this lead to the leaking of information such as
@@ -274,19 +239,16 @@
     <p>Affects: 4.1.0-4.1.36</p>
 
     <p><strong>low: Session hi-jacking</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333"
-       rel="nofollow">CVE-2007-5333</a></p>
+       <cve>CVE-2007-5333</cve></p>
 
     <p>The previous fix for
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385"
-       rel="nofollow">CVE-2007-3385</a> was incomplete. It did not consider the
+       <cve>CVE-2007-3385</cve> was incomplete. It did not consider the
        use of quotes or %5C within a cookie value.</p>
 
     <p>Affects: 4.1.0-4.1.36</p>
 
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461"
-       rel="nofollow">CVE-2007-5461</a></p>
+       <cve>CVE-2007-5461</cve></p>
 
     <p>When Tomcat's WebDAV servlet is configured for use with a context and
        has been enabled for write, some WebDAV requests that specify an entity
@@ -299,8 +261,7 @@
 
   <section name="Fixed in Apache Tomcat 4.1.36">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090"
-       rel="nofollow">CVE-2005-2090</a></p>
+       <cve>CVE-2005-2090</cve></p>
 
     <p>Requests with multiple content-length headers should be rejected as
        invalid. When multiple components (firewalls, caches, proxies and Tomcat)
@@ -316,13 +277,11 @@
     <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
 
     <p><strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450"
-       rel="nofollow">CVE-2007-0450</a></p>
+       <cve>CVE-2007-0450</cve></p>
 
     <p>The fix for this issue was insufficient. A fix was also required in the
        JK connector module for httpd. See 
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860"
-       rel="nofollow">CVE-2007-1860</a> for further information.</p>
+       <cve>CVE-2007-1860</cve> for further information.</p>
 
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is
        used behind a proxy (including, but not limited to, Apache HTTP server
@@ -355,8 +314,7 @@
     <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358"
-       rel="nofollow">CVE-2007-1358</a></p>
+       <cve>CVE-2007-1358</cve></p>
 
     <p>Web pages that display the Accept-Language header value sent by the
        client are susceptible to a cross-site scripting attack if they assume
@@ -373,8 +331,7 @@
   <section name="Fixed in Apache Tomcat 4.1.35">
 
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4308"
-       rel="nofollow">CVE-2008-4308</a></p>
+       <cve>CVE-2008-4308</cve></p>
 
     <p><a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=40771">Bug
     40771</a> may result in the disclosure of POSTed content from a previous
@@ -389,8 +346,7 @@
   <section name="Fixed in Apache Tomcat 4.1.32">
 
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271"
-       rel="nofollow">CVE-2008-3271</a></p>
+       <cve>CVE-2008-3271</cve></p>
 
     <p><a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=25835">
     Bug 25835</a> can, in rare circumstances - this has only been reproduced
@@ -402,8 +358,7 @@
     <p>Affects: 4.1.0-4.1.31</p>
 
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858"
-       rel="nofollow">CVE-2007-1858</a></p>
+       <cve>CVE-2007-1858</cve></p>
 
     <p>The default SSL configuration permitted the use of insecure cipher suites
        including the anonymous cipher suite. The default configuration no
@@ -412,8 +367,7 @@
     <p>Affects: 4.1.28-4.1.31</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7196"
-       rel="nofollow">CVE-2006-7196</a></p>
+       <cve>CVE-2006-7196</cve></p>
 
     <p>The calendar application included as part of the JSP examples is
        susceptible to a cross-site scripting attack as it does not escape
@@ -422,8 +376,7 @@
     <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.31</p>
 
     <p><strong>low: Directory listing</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3835"
-       rel="nofollow">CVE-2006-3835</a></p>
+       <cve>CVE-2006-3835</cve></p>
 
     <p>This is expected behaviour when directory listings are enabled. The
        semicolon (;) is the separator for path parameters so inserting one
@@ -435,8 +388,7 @@
     <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.31</p>
 
     <p><strong>low: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4838"
-       rel="nofollow">CVE-2005-4838</a></p>
+       <cve>CVE-2005-4838</cve></p>
 
     <p>Various JSPs included as part of the JSP examples and the Tomcat Manager
        are susceptible to a cross-site scripting attack as they do not escape
@@ -445,8 +397,7 @@
     <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.31</p>
 
     <p><strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3510"
-       rel="nofollow">CVE-2005-3510</a></p>
+       <cve>CVE-2005-3510</cve></p>
 
     <p>The root cause is the relatively expensive calls required to generate
        the content for the directory listings. If directory listings are
@@ -462,8 +413,7 @@
 
   <section name="Fixed in Apache Tomcat 4.1.29">
     <p><strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1567"
-       rel="nofollow">CVE-2002-1567</a></p>
+       <cve>CVE-2002-1567</cve></p>
 
     <p>The unmodified requested URL is included in the 404 response header. The
        new lines in this URL appear to the client to be the end of the header
@@ -477,22 +427,19 @@
 
   <section name="Fixed in Apache Tomcat 4.1.13, 4.0.6">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1394"
-       rel="nofollow">CVE-2002-1394</a></p>
+       <cve>CVE-2002-1394</cve></p>
 
     <p>A specially crafted URL using the invoker servlet in conjunction with the
        default servlet can enable an attacker to obtain the source of JSP pages
        or, under special circumstances, a static resource that would otherwise
        have been protected by a security constraint without the need to be
        properly authenticated. This is a variation of
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148"
-       rel="nofollow">CVE-2002-1148</a></p>
+       <cve>CVE-2002-1148</cve></p>
 
     <p>Affects: 4.0.0-4.0.5, 4.1.0-4.1.12</p>
 
     <p><strong>moderate: Cross-site scripting</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0682"
-       rel="nofollow">CVE-2002-0682</a></p>
+       <cve>CVE-2002-0682</cve></p>
 
     <p>A specially crafted URL using the invoker servlet and various internal
        classess causes Tomcat to throw an exception that includes unescaped
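Review bot: The context line after the CVE-2002-0682 change still reads "classess". Since this entry is being edited anyway, correct it to "classes" in the source XML so the regenerated HTML picks it up.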
@@ -503,8 +450,7 @@
 
   <section name="Fixed in Apache Tomcat 4.1.12, 4.0.5">
     <p><strong>important: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1148"
-       rel="nofollow">CVE-2002-1148</a></p>
+       <cve>CVE-2002-1148</cve></p>
 
     <p>A specially crafted URL using the default servlet can enable an attacker
        to obtain the source of JSP pages.</p>
@@ -514,8 +460,7 @@
 
   <section name="Fixed in Apache Tomcat 4.1.3">
     <p><strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0935"
-       rel="nofollow">CVE-2002-0935</a></p>
+       <cve>CVE-2002-0935</cve></p>
 
     <p>A malformed HTTP request can cause the request processing thread to
        become unresponsive. A sequence of such requests will cause all request
@@ -527,8 +472,7 @@
 
   <section name="Fixed in Apache Tomcat 4.1.0">
     <p><strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0866"
-       rel="nofollow">CVE-2003-0866</a></p>
+       <cve>CVE-2003-0866</cve></p>
 
     <p>A malformed HTTP request can cause the request processing thread to
        become unresponsive. A sequence of such requests will cause all request
@@ -537,8 +481,7 @@
     <p>Affects: 4.0.0-4.0.6</p>
 
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2006"
-       rel="nofollow">CVE-2002-2006</a></p>
+       <cve>CVE-2002-2006</cve></p>
 
     <p>The snoop and trouble shooting servlets installed as part of the examples
        include output that identifies the Tomcat installation path.</p>
@@ -549,10 +492,8 @@
 
   <section name="Fixed in Apache Tomcat 4.0.2">
     <p><strong>low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2009"
-       rel="nofollow">CVE-2002-2009</a>,
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0917"
-       rel="nofollow">CVE-2001-0917</a></p>
+       <cve>CVE-2002-2009</cve>,
+       <cve>CVE-2001-0917</cve></p>
 
     <p>Requests for JSP files where the file name is preceded by '+/', '&gt;/',
        '&lt;/' or '%20/' or a request for a JSP with a long file name would
@@ -564,8 +505,7 @@
 
   <section name="Fixed in Apache Tomcat 4.0.0">
     <p><strong>moderate: Security manager bypass</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0493"
-       rel="nofollow">CVE-2002-0493</a></p>
+       <cve>CVE-2002-0493</cve></p>
 
     <p>If errors are encountered during the parsing of web.xml and Tomcat is
        configured to use a security manager it is possible for Tomcat to start
@@ -576,10 +516,8 @@
 
   <section name="Unverified">
     <p><strong>low: Installation path disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4703"
-       rel="nofollow">CVE-2005-4703</a>, 
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2008"
-       rel="nofollow">CVE-2002-2008</a><br/></p>
+       <cve>CVE-2005-4703</cve>, 
+       <cve>CVE-2002-2008</cve></p>
 
     <p>This issue only affects Windows operating systems. It can not be
        reproduced on Windows XP Home with JDKs 1.3.1, 1.4.2, 1.5.0 or 1.6.0.
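Review bot: The added line `<cve>CVE-2005-4703</cve>, ` keeps the trailing space after the comma that the removed anchor line had, while the equivalent pair in the 4.0.2 section (`<cve>CVE-2002-2009</cve>,`) has none; trim it here. The `<br/>` before `</p>` on the CVE-2002-2008 line is also dropped, which goes beyond the link substitution, so the rendered spacing under this heading is worth a look.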
@@ -591,8 +529,7 @@
     <p>Affects: 4.0.3?</p>
 
     <p><strong>important: Denial of service</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1895"
-       rel="nofollow">CVE-2002-1895</a><br/></p>
+       <cve>CVE-2002-1895</cve></p>
 
     <p>This issue only affects configurations that use IIS in conjunction with
        Tomcat and the AJP1.3 connector. It can not be reproduced using Windows
@@ -604,19 +541,8 @@
   </section>
 
   <section name="Not a vulnerability in Tomcat">
-    <p><strong>Denial of service vulnerability</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0936"
-       rel="nofollow">CVE-2002-0936</a></p>
-
-    <p>The issue described requires an attacker to be able to plant a JSP page
-       on the Tomcat server. If an attacker can do this then the server is
-       already compromised. In this case an attacker could just as easily add a
-       page that called System.exit(1) rather than relying on a bug in an
-       internal Sun class.</p>
-
     <p><strong>important: Directory traversal</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938"
-       rel="nofollow">CVE-2008-2938</a></p>
+       <cve>CVE-2008-2938</cve></p>
 
     <p>Originally reported as a Tomcat vulnerability the root cause of this
        issue is that the JVM does not correctly decode UTF-8 encoded URLs to
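Review bot: The CVE-2002-0936 entry is removed from the top of the "Not a vulnerability in Tomcat" section in the same hunk that rewrites the CVE-2008-2938 link, so the reorder and the markup substitution have to be reviewed together. Committing the reorder separately from the `<cve>` conversion would let the diff show the entry as a pure move.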
@@ -640,11 +566,20 @@
        status of this issue for your JVM, contact your JVM vendor.</p>
        
     <p>A workaround was implemented in
-       <a href="http://svn.apache.org/viewvc?rev=681065&amp;view=rev">
-       revision 681065</a> that protects against this and any similar character
+       <revlink rev="681065">revision 681065</revlink>
+       that protects against this and any similar character
        encoding issues that may still exist in the JVM. This work around is
        included in Tomcat 4.1.39 onwards.</p>
 
+    <p><strong>Denial of service vulnerability</strong>
+       <cve>CVE-2002-0936</cve></p>
+
+    <p>The issue described requires an attacker to be able to plant a JSP page
+       on the Tomcat server. If an attacker can do this then the server is
+       already compromised. In this case an attacker could just as easily add a
+       page that called System.exit(1) rather than relying on a bug in an
+       internal Sun class.</p>
+
   </section>
 
 </body>
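Review bot: The re-added CVE-2002-0936 heading reads "Denial of service vulnerability" with no severity prefix, while the CVE-2008-2938 entry above it in the same section carries "important:". Either both entries in a "Not a vulnerability" section should have a rating or neither should. Separately, the paragraph reflowed around `<revlink rev="681065">` uses "A workaround" in one sentence and "This work around" in the next, and the reflow is a good moment to make the spelling consistent.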



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

