tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1175778 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html docs/security-7.html xdocs/security-5.xml xdocs/security-6.xml xdocs/security-7.xml
Date Mon, 26 Sep 2011 10:36:53 GMT
Author: markt
Date: Mon Sep 26 10:36:53 2011
New Revision: 1175778

URL: http://svn.apache.org/viewvc?rev=1175778&view=rev
Log:
Add CVE-2011-1184

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Sep 26 10:36:53 2011
@@ -360,6 +360,32 @@
 <blockquote>
 
     <p>
+<strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>
+</p>
+
+    <p>The implementation of HTTP DIGEST authentication was discovered to have
+       several weaknesses:
+       <ul>
+         <li>replay attacks were permitted</li>
+         <li>server nonces were not checked</li>
+         <li>client nonce counts were not checked</li>
+         <li>qop values were not checked</li>
+         <li>realm values were not checked</li>
+         <li>the server secret was hard-coded to a known string</li>
+       </ul>
+       The result of these weaknesses is that DIGEST authentication was only as
+       secure as BASIC authentication.
+    </p>
+
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1159309">revision
1159309</a>.</p>
+
+    <p>This was identified by the Tomcat security team on 16 March 2011 and
+       made public on 26 September 2011.</p>
+
+    <p>Affects: 5.5.0-5.5.33</p>
+
+    <p>
 <strong>Low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a>
 </p>

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Sep 26 10:36:53 2011
@@ -418,6 +418,32 @@
 <blockquote>
 
     <p>
+<strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>
+</p>
+
+    <p>The implementation of HTTP DIGEST authentication was discovered to have
+       several weaknesses:
+       <ul>
+         <li>replay attacks were permitted</li>
+         <li>server nonces were not checked</li>
+         <li>client nonce counts were not checked</li>
+         <li>qop values were not checked</li>
+         <li>realm values were not checked</li>
+         <li>the server secret was hard-coded to a known string</li>
+       </ul>
+       The result of these weaknesses is that DIGEST authentication was only as
+       secure as BASIC authentication.
+    </p>
+
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1158180">revision
1158180</a>.</p>
+
+    <p>This was identified by the Tomcat security team on 16 March 2011 and
+       made public on 26 September 2011.</p>
+
+    <p>Affects: 6.0.0-6.0.32</p>
+
+    <p>
 <strong>Low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a>
 </p>

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Sep 26 10:36:53 2011
@@ -665,6 +665,32 @@
     <p>Affects: 7.0.0-7.0.11</p>
 
     <p>
+<strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" rel="nofollow">CVE-2011-1184</a>
+</p>
+
+    <p>The implementation of HTTP DIGEST authentication was discovered to have
+       several weaknesses:
+       <ul>
+         <li>replay attacks were permitted</li>
+         <li>server nonces were not checked</li>
+         <li>client nonce counts were not checked</li>
+         <li>qop values were not checked</li>
+         <li>realm values were not checked</li>
+         <li>the server secret was hard-coded to a known string</li>
+       </ul>
+       The result of these weaknesses is that DIGEST authentication was only as
+       secure as BASIC authentication.
+    </p>
+
+    <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1087655">revision
1087655</a>.</p>
+
+    <p>This was identified by the Tomcat security team on 16 March 2011 and
+       made public on 26 September 2011.</p>
+
+    <p>Affects: 7.0.0-7.0.11</p>
+
+    <p>
 <strong>Important: Security constraint bypass</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183" rel="nofollow">CVE-2011-1183</a>
 </p>

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Sep 26 10:36:53 2011
@@ -48,6 +48,31 @@
 
   <section name="Fixed in Apache Tomcat 5.5.34" rtext="released 22 Sep 2011">
 
+    <p><strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184"
+       rel="nofollow">CVE-2011-1184</a></p>
+
+    <p>The implementation of HTTP DIGEST authentication was discovered to have
+       several weaknesses:
+       <ul>
+         <li>replay attacks were permitted</li>
+         <li>server nonces were not checked</li>
+         <li>client nonce counts were not checked</li>
+         <li>qop values were not checked</li>
+         <li>realm values were not checked</li>
+         <li>the server secret was hard-coded to a known string</li>
+       </ul>
+       The result of these weaknesses is that DIGEST authentication was only as
+       secure as BASIC authentication.
+    </p>
+
+    <p>This was fixed in <revlink rev="1159309">revision 1159309</revlink>.</p>
+
+    <p>This was identified by the Tomcat security team on 16 March 2011 and
+       made public on 26 September 2011.</p>
+
+    <p>Affects: 5.5.0-5.5.33</p>
+
     <p><strong>Low: Information disclosure</strong>
        <cve>CVE-2011-2204</cve></p>
 

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Sep 26 10:36:53 2011
@@ -87,6 +87,31 @@
   
   <section name="Fixed in Apache Tomcat 6.0.33">
 
+    <p><strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184"
+       rel="nofollow">CVE-2011-1184</a></p>
+
+    <p>The implementation of HTTP DIGEST authentication was discovered to have
+       several weaknesses:
+       <ul>
+         <li>replay attacks were permitted</li>
+         <li>server nonces were not checked</li>
+         <li>client nonce counts were not checked</li>
+         <li>qop values were not checked</li>
+         <li>realm values were not checked</li>
+         <li>the server secret was hard-coded to a known string</li>
+       </ul>
+       The result of these weaknesses is that DIGEST authentication was only as
+       secure as BASIC authentication.
+    </p>
+
+    <p>This was fixed in <revlink rev="1158180">revision 1158180</revlink>.</p>
+
+    <p>This was identified by the Tomcat security team on 16 March 2011 and
+       made public on 26 September 2011.</p>
+
+    <p>Affects: 6.0.0-6.0.32</p>
+
     <p><strong>Low: Information disclosure</strong>
        <cve>CVE-2011-2204</cve></p>
 

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1175778&r1=1175777&r2=1175778&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Sep 26 10:36:53 2011
@@ -230,6 +230,31 @@
 
     <p>Affects: 7.0.0-7.0.11</p>
 
+    <p><strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184"
+       rel="nofollow">CVE-2011-1184</a></p>
+
+    <p>The implementation of HTTP DIGEST authentication was discovered to have
+       several weaknesses:
+       <ul>
+         <li>replay attacks were permitted</li>
+         <li>server nonces were not checked</li>
+         <li>client nonce counts were not checked</li>
+         <li>qop values were not checked</li>
+         <li>realm values were not checked</li>
+         <li>the server secret was hard-coded to a known string</li>
+       </ul>
+       The result of these weaknesses is that DIGEST authentication was only as
+       secure as BASIC authentication.
+    </p>
+
+    <p>This was fixed in <revlink rev="1087655">revision 1087655</revlink>.</p>
+
+    <p>This was identified by the Tomcat security team on 16 March 2011 and
+       made public on 26 September 2011.</p>
+
+    <p>Affects: 7.0.0-7.0.11</p>
+
     <p><strong>Important: Security constraint bypass</strong>
        <cve>CVE-2011-1183</cve></p>
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message