Return-Path:
X-Original-To: apmail-tomcat-dev-archive@www.apache.org
Delivered-To: apmail-tomcat-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0A09092F6 for ; Sun, 25 Sep 2011 16:11:23 +0000 (UTC)
Received: (qmail 82919 invoked by uid 500); 25 Sep 2011 16:11:22 -0000
Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org
Received: (qmail 82839 invoked by uid 500); 25 Sep 2011 16:11:22 -0000
Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: "Tomcat Developers List"
Delivered-To: mailing list dev@tomcat.apache.org
Received: (qmail 82829 invoked by uid 99); 25 Sep 2011 16:11:22 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 25 Sep 2011 16:11:22 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 25 Sep 2011 16:11:20 +0000
Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 80F812388847 for ; Sun, 25 Sep 2011 16:11:00 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1175421 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html docs/security-7.html xdocs/security-5.xml xdocs/security-6.xml xdocs/security-7.xml
Date: Sun, 25 Sep 2011 16:11:00 -0000
To: dev@tomcat.apache.org
From: kkolinko@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20110925161100.80F812388847@eris.apache.org>

Author: kkolinko
Date: Sun Sep 25 16:10:59 2011
New Revision: 1175421

URL: http://svn.apache.org/viewvc?rev=1175421&view=rev
Log:
Mention when support for RFC 5746 was added.
As far as I am reading Tomcat-Native changelog, it does not have implementation for this new renegotiation protocol.

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Sun Sep 25 16:10:59 2011
@@ -1745,6 +1745,22 @@ that provided the new allowUnsafeLegacyRenegotiation attribute. This work around is included in Tomcat 5.5.29 onwards.

+

Support for the new TLS renegotiation protocol (RFC 5746) that does not + have this security issue:

+ +
    +
  • For connectors using JSSE implementation provided by JVM: + Added in Tomcat 5.5.33.
    + Requires JRE that supports RFC 5746. For Oracle JRE that is + known + to be 6u22 or later. +
  • +
  • For connectors using APR and OpenSSL:
    + Not implemented. See + APR/native connector security page. +
  • +
+

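Review bot: the JRE requirement bullet is missing its articles and hedges where it should state a fact: "Requires JRE that supports RFC 5746. For Oracle JRE that is known to be 6u22 or later." Suggest "Requires a JRE that supports RFC 5746; for the Oracle JRE this is 6u22 or later." Likewise "For connectors using JSSE implementation provided by JVM" wants "the JSSE implementation provided by the JVM". The same wording is repeated in all six files in this commit, so make the fix in the xdocs and regenerate the HTML rather than editing the copies by hand, so they do not drift.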
important: Directory traversal CVE-2008-2938

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Sun Sep 25 16:10:59 2011
@@ -1547,7 +1547,23 @@ revision 891292 that provided the new allowUnsafeLegacyRenegotiation attribute. This work around is included in Tomcat 6.0.21 onwards.

- + +

Support for the new TLS renegotiation protocol (RFC 5746) that does not + have this security issue:

+ +
    +
  • For connectors using JSSE implementation provided by JVM: + Added in Tomcat 6.0.32.
    + Requires JRE that supports RFC 5746. For Oracle JRE that is + known + to be 6u22 or later. +
  • +
  • For connectors using APR and OpenSSL:
    + Not implemented. See + APR/native connector security page. +
  • +
+

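Review bot: this is the only one of the three HTML hunks that removes an existing line (header -1547,7 +1547,23, with a "-" line at the top of the hunk), whereas the security-5 and security-7 hunks are pure insertions. The content of the removed line is not legible in this mail; please confirm it was only a blank or markup line and that nothing from the entry directly above ("This work around is included in Tomcat 6.0.21 onwards.") was dropped in the replacement.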
important: Directory traversal CVE-2008-2938

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Sun Sep 25 16:10:59 2011
@@ -1091,6 +1091,22 @@

This was worked-around in revision 891292.

+

Support for the new TLS renegotiation protocol (RFC 5746) that does not + have this security issue:

+ +
    +
  • For connectors using JSSE implementation provided by JVM: + Added in Tomcat 7.0.8.
    + Requires JRE that supports RFC 5746. For Oracle JRE that is + known + to be 6u22 or later. +
  • +
  • For connectors using APR and OpenSSL:
    + Not implemented. See + APR/native connector security page. +
  • +
+

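Review bot: the context line "This was worked-around in revision 891292." on the 7.x page names no release, while the 5.5 and 6.0 pages state "This work around is included in Tomcat 5.5.29 onwards." and "... 6.0.21 onwards." respectively. Now that the new bullet gives a release for RFC 5746 support ("Added in Tomcat 7.0.8"), a reader of the 7.x page still cannot tell which 7.0.x release first shipped the allowUnsafeLegacyRenegotiation attribute; add that release number here for consistency with the other two pages.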
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Sun Sep 25 16:10:59 2011
@@ -814,6 +814,23 @@ that provided the new allowUnsafeLegacyRenegotiation attribute. This work around is included in Tomcat 5.5.29 onwards.

+

Support for the new TLS renegotiation protocol (RFC 5746) that does not + have this security issue:

+ +
    +
  • For connectors using JSSE implementation provided by JVM: + Added in Tomcat 5.5.33.
    + Requires JRE that supports RFC 5746. For Oracle JRE that is + known + to be 6u22 or later. +
  • +
  • For connectors using APR and OpenSSL:
    + Not implemented. See + APR/native connector security page. +
  • +
+

important: Directory traversal CVE-2008-2938

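Review bot: "Not implemented." for the APR/OpenSSL connector is, per the log message, based on a reading of the Tomcat Native changelog, but the page records neither the date nor the Tomcat Native version that reading covered, so the statement cannot be re-verified and will silently go stale once the native library gains RFC 5746 support. Phrase it as "Not implemented as of Tomcat Native <version checked>." (filling in the version that was actually checked) and keep the pointer to the APR/native connector security page, which is where the status should be maintained.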
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Sun Sep 25 16:10:59 2011
@@ -760,7 +760,24 @@ revision 891292 that provided the new allowUnsafeLegacyRenegotiation attribute. This work around is included in Tomcat 6.0.21 onwards.

- + +

Support for the new TLS renegotiation protocol (RFC 5746) that does not + have this security issue:

+ +
    +
  • For connectors using JSSE implementation provided by JVM: + Added in Tomcat 6.0.32.
    + Requires JRE that supports RFC 5746. For Oracle JRE that is + known + to be 6u22 or later. +
  • +
  • For connectors using APR and OpenSSL:
    + Not implemented. See + APR/native connector security page. +
  • +
+

important: Directory traversal CVE-2008-2938

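Review bot: the JRE requirement is stated only for one vendor ("For Oracle JRE that is known to be 6u22 or later"), so a user of any other JVM gets no guidance, and "Added in Tomcat 6.0.32" on its own can be read as sufficient. Either say explicitly that on other JREs the vendor's release notes must be consulted for RFC 5746 support, or state what a 6.0.32 connector does on a JRE without it (whether it is then back to the allowUnsafeLegacyRenegotiation behaviour described in the context above), so the reader knows that upgrading Tomcat alone does not deliver the fix.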
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Sun Sep 25 16:10:59 2011
@@ -437,6 +437,23 @@

This was worked-around in revision 891292.

+

Support for the new TLS renegotiation protocol (RFC 5746) that does not + have this security issue:

+ +
    +
  • For connectors using JSSE implementation provided by JVM: + Added in Tomcat 7.0.8.
    + Requires JRE that supports RFC 5746. For Oracle JRE that is + known + to be 6u22 or later. +
  • +
  • For connectors using APR and OpenSSL:
    + Not implemented. See + APR/native connector security page. +
  • +
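Review bot: the APR/OpenSSL bullet says only "Not implemented." and defers to another page, which a 7.x APR user is likely to read as "no protection at all". The context line "This was worked-around in revision 891292." describes a work-around for the whole entry, so the bullet should say whether that work-around also covers the APR connector (e.g. "Not implemented; see the work-around above and the APR/native connector security page."), so the two bullets read unambiguously as JSSE: fixed from 7.0.8 with a suitable JRE, APR: mitigated only.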
+ --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org