tomcat-dev mailing list archives

From kkoli...@apache.org
Subject svn commit: r1175421 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html docs/security-7.html xdocs/security-5.xml xdocs/security-6.xml xdocs/security-7.xml
Date Sun, 25 Sep 2011 16:11:00 GMT
Author: kkolinko
Date: Sun Sep 25 16:10:59 2011
New Revision: 1175421

URL: http://svn.apache.org/viewvc?rev=1175421&view=rev
Log:
Mention when support for RFC 5746 was added.

As far as I am reading the Tomcat-Native changelog,
it does not have an implementation for this new renegotiation protocol.

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Sun Sep 25 16:10:59 2011
@@ -1745,6 +1745,22 @@
        that provided the new <code>allowUnsafeLegacyRenegotiation</code>
        attribute. This work around is included in Tomcat 5.5.29 onwards.</p>
 
+    <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+       have this security issue:</p>
+
+    <ul>
+      <li>For connectors using JSSE implementation provided by JVM:
+        Added in Tomcat 5.5.33.<br/>
+        Requires JRE that supports RFC 5746. For Oracle JRE that is
+        <a rel="nofollow" href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a>
+        to be 6u22 or later.
+      </li>
+      <li>For connectors using APR and OpenSSL:<br/>
+        Not implemented. See
+        <a href="security-native.html">APR/native connector security page</a>.
+      </li>
+    </ul>
+
     <p>
 <strong>important: Directory traversal</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938" rel="nofollow">CVE-2008-2938</a>
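
Review bot: The two new list items break differently after their lead-in colon. The JSSE item runs "Added in Tomcat 5.5.33." on after the colon and only then has a <br/>, while the APR item puts the <br/> directly after "For connectors using APR and OpenSSL:". Use one layout for both, for example a <br/> after each colon, so the status text ("Added in ..." and "Not implemented.") sits in the same place in each item when rendered.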

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Sun Sep 25 16:10:59 2011
@@ -1547,7 +1547,23 @@
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=891292">revision
891292</a>
        that provided the new <code>allowUnsafeLegacyRenegotiation</code>
        attribute. This work around is included in Tomcat 6.0.21 onwards.</p>
-       
+
+    <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+       have this security issue:</p>
+
+    <ul>
+      <li>For connectors using JSSE implementation provided by JVM:
+        Added in Tomcat 6.0.32.<br/>
+        Requires JRE that supports RFC 5746. For Oracle JRE that is
+        <a rel="nofollow" href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a>
+        to be 6u22 or later.
+      </li>
+      <li>For connectors using APR and OpenSSL:<br/>
+        Not implemented. See
+        <a href="security-native.html">APR/native connector security page</a>.
+      </li>
+    </ul>
+
     <p>
 <strong>important: Directory traversal</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938" rel="nofollow">CVE-2008-2938</a>
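
Review bot: The added paragraph does not say how RFC 5746 support relates to the allowUnsafeLegacyRenegotiation attribute described in the context lines directly above it. A reader running 6.0.32 or later on an Oracle JRE older than 6u22 cannot tell from this text whether the earlier work-around is still what protects them. One sentence stating what applies when the JRE lacks RFC 5746 support would close that gap.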

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Sun Sep 25 16:10:59 2011
@@ -1091,6 +1091,22 @@
     <p>This was worked-around in
        <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=882320">revision
891292</a>.</p>
 
+    <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+       have this security issue:</p>
+
+    <ul>
+      <li>For connectors using JSSE implementation provided by JVM:
+        Added in Tomcat 7.0.8.<br/>
+        Requires JRE that supports RFC 5746. For Oracle JRE that is
+        <a rel="nofollow" href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a>
+        to be 6u22 or later.
+      </li>
+      <li>For connectors using APR and OpenSSL:<br/>
+        Not implemented. See
+        <a href="security-native.html">APR/native connector security page</a>.
+      </li>
+    </ul>
+
   </blockquote>
 </p>
 </td>
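
Review bot: The new lead-in paragraph, "Support for the new TLS renegotiation protocol (RFC 5746) that does not have this security issue:", is a sentence fragment, and "this security issue" only resolves if the reader has just read the preceding entry. Consider naming the issue or rewording it as a full sentence, so the paragraph still reads correctly if it is linked to or quoted on its own.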

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Sun Sep 25 16:10:59 2011
@@ -814,6 +814,23 @@
        that provided the new <code>allowUnsafeLegacyRenegotiation</code>
        attribute. This work around is included in Tomcat 5.5.29 onwards.</p>
 
+    <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+       have this security issue:</p>
+
+    <ul>
+      <li>For connectors using JSSE implementation provided by JVM:
+        Added in Tomcat 5.5.33.<br />
+        Requires JRE that supports RFC 5746. For Oracle JRE that is
+        <a rel="nofollow"
+        href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a>
+        to be 6u22 or later.
+      </li>
+      <li>For connectors using APR and OpenSSL:<br />
+        Not implemented. See
+        <a href="security-native.html">APR/native connector security page</a>.
+      </li>
+    </ul>
+
     <p><strong>important: Directory traversal</strong>
        <cve>CVE-2008-2938</cve></p>
 
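
Review bot: The link text in the JSSE item is the single word "known", which says nothing about the target when read out of context or in a list of links. Consider making the document itself the link text, for example by linking a phrase that names Oracle's note on the TLS renegotiation fix, and keeping "6u22 or later" as plain text next to it.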

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Sun Sep 25 16:10:59 2011
@@ -760,7 +760,24 @@
        <revlink rev="891292">revision 891292</revlink>
        that provided the new <code>allowUnsafeLegacyRenegotiation</code>
        attribute. This work around is included in Tomcat 6.0.21 onwards.</p>
-       
+
+    <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+       have this security issue:</p>
+
+    <ul>
+      <li>For connectors using JSSE implementation provided by JVM:
+        Added in Tomcat 6.0.32.<br />
+        Requires JRE that supports RFC 5746. For Oracle JRE that is
+        <a rel="nofollow"
+        href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a>
+        to be 6u22 or later.
+      </li>
+      <li>For connectors using APR and OpenSSL:<br />
+        Not implemented. See
+        <a href="security-native.html">APR/native connector security page</a>.
+      </li>
+    </ul>
+
     <p><strong>important: Directory traversal</strong>
        <cve>CVE-2008-2938</cve></p>
 
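
Review bot: The APR item states "Not implemented." as a flat fact, while the commit log says this is based on reading the Tomcat-Native changelog. Either confirm it against the native connector and say so, or word the item so the reader can see as of which Tomcat-Native release the statement holds. As written it will silently become wrong if support is added later.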

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Sun Sep 25 16:10:59 2011
@@ -437,6 +437,23 @@
     <p>This was worked-around in
        <revlink rev="882320">revision 891292</revlink>.</p>
 
+    <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+       have this security issue:</p>
+
+    <ul>
+      <li>For connectors using JSSE implementation provided by JVM:
+        Added in Tomcat 7.0.8.<br />
+        Requires JRE that supports RFC 5746. For Oracle JRE that is
+        <a rel="nofollow"
+        href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a>
+        to be 6u22 or later.
+      </li>
+      <li>For connectors using APR and OpenSSL:<br />
+        Not implemented. See
+        <a href="security-native.html">APR/native connector security page</a>.
+      </li>
+    </ul>
+
   </section>
   
 </body>
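
Review bot: The context line just above the addition reads <revlink rev="882320">revision 891292</revlink>, so the link target and the link text name different revisions. The same mismatch is visible in the docs/security-7.html hunk, where the href uses rev=882320 and the text says 891292. Since this commit touches the paragraph immediately below, it would be a good place to make the two agree.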


