tomcat-dev mailing list archives

From ma...@apache.org
Subject svn commit: r1406003 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html docs/security-7.html xdocs/security-5.xml xdocs/security-6.xml xdocs/security-7.xml
Date Mon, 05 Nov 2012 22:57:59 GMT
Author: markt
Date: Mon Nov  5 22:57:58 2012
New Revision: 1406003

URL: http://svn.apache.org/viewvc?rev=1406003&view=rev
Log:
Publish details of two security vulnerabilities:
CVE-2012-2733 Apache Tomcat Denial of Service
CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1406003&r1=1406002&r2=1406003&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Nov  5 22:57:58 2012
@@ -198,6 +198,9 @@
 <a href="#Apache_Tomcat_5.x_vulnerabilities">Apache Tomcat 5.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_5.5.36">Fixed in Apache Tomcat 5.5.36</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_5.5.35">Fixed in Apache Tomcat 5.5.35</a>
 </li>
 <li>
@@ -341,6 +344,66 @@
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a
name="Fixed in Apache Tomcat 5.5.36">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_5.5.36"><strong>Fixed
in Apache Tomcat 5.5.36</strong></a></font></td><td align="right"
bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released
10 Oct 2012</strong></font></td>
+</tr>
+<tr>
+<td colspan="2">
+<p>
+<blockquote>
+  
+    
+<p>
+<strong>Moderate: DIGEST authentication weakness</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439" rel="nofollow">CVE-2012-3439</a>
+</p>
+
+    
+<p>Three weaknesses in Tomcat's implementation of DIGEST authentication
+       were identified and resolved:
+    </p>
+    
+<ol>
+      
+<li>Tomcat tracked client rather than server nonces and nonce count.</li>
+      
+<li>When a session ID was present, authentication was bypassed.</li>
+      
+<li>The user name and password were not checked before when indicating
+          that a nonce was stale.</li>
+    
+</ol>
+    
+<p>
+      These issues reduced the security of DIGEST authentication making
+      replay attacks possible in some circumstances.
+    </p>
+
+    
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1392248">1392248</a>.</p>
+
+    
+<p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
+       on 19 July 2012. The second and third issues were discovered by the
+       Tomcat security team during the resulting code review. All three issues
+       were made public on 5 November 2012.</p>
+
+    
+<p>Affects: 5.5.0-5.5.35</p>
+  
+  
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
 <td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a
name="Fixed in Apache Tomcat 5.5.35">
 <!--()--></a><a name="Fixed_in_Apache_Tomcat_5.5.35"><strong>Fixed
in Apache Tomcat 5.5.35</strong></a></font></td><td align="right"
bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released
16 Jan 2012</strong></font></td>
 </tr>
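
Review bot: The added 5.5.36 header row and body wrapper carry two markup defects: the right-hand cell uses face="arial,helvetica.sanserif" (a dot where the left-hand cell has a comma), and the <blockquote> is opened inside a <p>, which is not valid nesting for a block element. The unchanged 5.5.35 row below shows the same font value, so this page appears to be generated from xdocs/security-5.xml; fix both in the generating stylesheet and regenerate, not by hand here.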

Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1406003&r1=1406002&r2=1406003&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Nov  5 22:57:58 2012
@@ -198,6 +198,9 @@
 <a href="#Apache_Tomcat_6.x_vulnerabilities">Apache Tomcat 6.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_6.0.36">Fixed in Apache Tomcat 6.0.36</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_6.0.35">Fixed in Apache Tomcat 6.0.35</a>
 </li>
 <li>
@@ -316,6 +319,89 @@
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a
name="Fixed in Apache Tomcat 6.0.36">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_6.0.36"><strong>Fixed
in Apache Tomcat 6.0.36</strong></a></font></td><td align="right"
bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released
19 Oct 2012</strong></font></td>
+</tr>
+<tr>
+<td colspan="2">
+<p>
+<blockquote>
+  
+    
+<p>
+<strong>Important: Denial of service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733" rel="nofollow">CVE-2012-2733</a>
+</p>
+
+    
+<p>The checks that limited the permitted size of request headers were
+       implemented too late in the request parsing process for the HTTP NIO
+       connector. This enabled a malicious user to trigger an
+       OutOfMemoryError by sending a single request with very large headers.
+    </p>
+
+    
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1356208">1356208</a>.</p>
+
+    
+<p>This was reported by Josh Spiewak to the Tomcat security team on 4 June
+       2012 and made public on 5 November 2012.</p>
+
+    
+<p>Affects: 6.0.0-6.0.35</p>
+    
+    
+<p>
+<strong>Moderate: DIGEST authentication weakness</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439" rel="nofollow">CVE-2012-3439</a>
+</p>
+
+    
+<p>Three weaknesses in Tomcat's implementation of DIGEST authentication
+       were identified and resolved:
+    </p>
+    
+<ol>
+      
+<li>Tomcat tracked client rather than server nonces and nonce count.</li>
+      
+<li>When a session ID was present, authentication was bypassed.</li>
+      
+<li>The user name and password were not checked before when indicating
+          that a nonce was stale.</li>
+    
+</ol>
+    
+<p>
+      These issues reduced the security of DIGEST authentication making
+      replay attacks possible in some circumstances.
+    </p>
+
+    
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1380829">1380829</a>.</p>
+
+    
+<p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
+       on 19 July 2012. The second and third issues were discovered by the
+       Tomcat security team during the resulting code review. All three issues
+       were made public on 5 November 2012.</p>
+
+    
+<p>Affects: 6.0.0-6.0.35</p>
+        
+  
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
 <td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a
name="Fixed in Apache Tomcat 6.0.35">
 <!--()--></a><a name="Fixed_in_Apache_Tomcat_6.0.35"><strong>Fixed
in Apache Tomcat 6.0.35</strong></a></font></td><td align="right"
bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released
5 Dec 2011</strong></font></td>
 </tr>
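
Review bot: Item 2 of the DIGEST list, "When a session ID was present, authentication was bypassed", reads as a full authentication bypass, yet the entry is rated Moderate and its summary speaks only of replay attacks "in some circumstances". Say which check was skipped and what kind of session ID triggered it, so a reader can judge exposure from the advisory text alone; make the change in xdocs/security-6.xml and regenerate this page.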

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1406003&r1=1406002&r2=1406003&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Nov  5 22:57:58 2012
@@ -198,6 +198,12 @@
 <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.30">Fixed in Apache Tomcat 7.0.30</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.28">Fixed in Apache Tomcat 7.0.28</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_7.0.23">Fixed in Apache Tomcat 7.0.23</a>
 </li>
 <li>
@@ -315,6 +321,110 @@
 </table>
 <table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a
name="Fixed in Apache Tomcat 7.0.30">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.30"><strong>Fixed
in Apache Tomcat 7.0.30</strong></a></font></td><td align="right"
bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released
6 Sep 2012</strong></font></td>
+</tr>
+<tr>
+<td colspan="2">
+<p>
+<blockquote>
+
+    
+<p>
+<strong>Moderate: DIGEST authentication weakness</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439" rel="nofollow">CVE-2012-3439</a>
+</p>
+
+    
+<p>Three weaknesses in Tomcat's implementation of DIGEST authentication
+       were identified and resolved:
+    </p>
+    
+<ol>
+      
+<li>Tomcat tracked client rather than server nonces and nonce count.</li>
+      
+<li>When a session ID was present, authentication was bypassed.</li>
+      
+<li>The user name and password were not checked before when indicating
+          that a nonce was stale.</li>
+    
+</ol>
+    
+<p>
+      These issues reduced the security of DIGEST authentication making
+      replay attacks possible in some circumstances.
+    </p>
+
+    
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1377807">1377807</a>.</p>
+
+    
+<p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
+       on 19 July 2012. The second and third issues were discovered by the
+       Tomcat security team during the resulting code review. All three issues
+       were made public on 5 November 2012.</p>
+
+    
+<p>Affects: 7.0.0-7.0.29</p>
+
+  
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a
name="Fixed in Apache Tomcat 7.0.28">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.28"><strong>Fixed
in Apache Tomcat 7.0.28</strong></a></font></td><td align="right"
bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released
19 Jun 2012</strong></font></td>
+</tr>
+<tr>
+<td colspan="2">
+<p>
+<blockquote>
+
+    
+<p>
+<strong>Important: Denial of service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733" rel="nofollow">CVE-2012-2733</a>
+</p>
+
+    
+<p>The checks that limited the permitted size of request headers were
+       implemented too late in the request parsing process for the HTTP NIO
+       connector. This enabled a malicious user to trigger an
+       OutOfMemoryError by sending a single request with very large headers.
+    </p>
+
+    
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1350301">1350301</a>.</p>
+
+    
+<p>This was reported by Josh Spiewak to the Tomcat security team on 4 June
+       2012 and made public on 5 November 2012.</p>
+
+    
+<p>Affects: 7.0.0-7.0.27</p>
+
+  
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
 <td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a
name="Fixed in Apache Tomcat 7.0.23">
 <!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.23"><strong>Fixed
in Apache Tomcat 7.0.23</strong></a></font></td><td align="right"
bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released
25 Nov 2011</strong></font></td>
 </tr>
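
Review bot: The 7.0.30 entry is titled "DIGEST authentication weakness" (singular), while its first paragraph says "Three weaknesses" and the commit log calls it "DIGEST authentication weaknesses". Use the plural in the <strong> title so heading, body and log agree; the same title is added for this CVE in the 5.x and 6.x files of this commit, so change it in all three xdocs sources.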

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1406003&r1=1406002&r2=1406003&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Nov  5 22:57:58 2012
@@ -64,6 +64,36 @@
   </section>
  -->
 
+  <section name="Fixed in Apache Tomcat 5.5.36" rtext="released 10 Oct 2012">
+  
+    <p><strong>Moderate: DIGEST authentication weakness</strong>
+       <cve>CVE-2012-3439</cve></p>
+
+    <p>Three weaknesses in Tomcat's implementation of DIGEST authentication
+       were identified and resolved:
+    </p>
+    <ol>
+      <li>Tomcat tracked client rather than server nonces and nonce count.</li>
+      <li>When a session ID was present, authentication was bypassed.</li>
+      <li>The user name and password were not checked before when indicating
+          that a nonce was stale.</li>
+    </ol>
+    <p>
+      These issues reduced the security of DIGEST authentication making
+      replay attacks possible in some circumstances.
+    </p>
+
+    <p>This was fixed in revision <revlink rev="1392248">1392248</revlink>.</p>
+
+    <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
+       on 19 July 2012. The second and third issues were discovered by the
+       Tomcat security team during the resulting code review. All three issues
+       were made public on 5 November 2012.</p>
+
+    <p>Affects: 5.5.0-5.5.35</p>
+  
+  </section>
+
   <section name="Fixed in Apache Tomcat 5.5.35" rtext="released 16 Jan 2012">
 
     <p><strong>Important: Denial of service</strong>
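
Review bot: Item 3 of the added list has a stray word: "were not checked before when indicating that a nonce was stale". Drop "when" so it reads "were not checked before indicating that a nonce was stale"; the same sentence is added to security-6.xml and security-7.xml in this commit, so fix it there as well.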

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1406003&r1=1406002&r2=1406003&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Nov  5 22:57:58 2012
@@ -48,6 +48,52 @@
 
   </section>
 
+
+  <section name="Fixed in Apache Tomcat 6.0.36" rtext="released 19 Oct 2012">
+  
+    <p><strong>Important: Denial of service</strong>
+       <cve>CVE-2012-2733</cve></p>
+
+    <p>The checks that limited the permitted size of request headers were
+       implemented too late in the request parsing process for the HTTP NIO
+       connector. This enabled a malicious user to trigger an
+       OutOfMemoryError by sending a single request with very large headers.
+    </p>
+
+    <p>This was fixed in revision <revlink rev="1356208">1356208</revlink>.</p>
+
+    <p>This was reported by Josh Spiewak to the Tomcat security team on 4 June
+       2012 and made public on 5 November 2012.</p>
+
+    <p>Affects: 6.0.0-6.0.35</p>
+    
+    <p><strong>Moderate: DIGEST authentication weakness</strong>
+       <cve>CVE-2012-3439</cve></p>
+
+    <p>Three weaknesses in Tomcat's implementation of DIGEST authentication
+       were identified and resolved:
+    </p>
+    <ol>
+      <li>Tomcat tracked client rather than server nonces and nonce count.</li>
+      <li>When a session ID was present, authentication was bypassed.</li>
+      <li>The user name and password were not checked before when indicating
+          that a nonce was stale.</li>
+    </ol>
+    <p>
+      These issues reduced the security of DIGEST authentication making
+      replay attacks possible in some circumstances.
+    </p>
+
+    <p>This was fixed in revision <revlink rev="1380829">1380829</revlink>.</p>
+
+    <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
+       on 19 July 2012. The second and third issues were discovered by the
+       Tomcat security team during the resulting code review. All three issues
+       were made public on 5 November 2012.</p>
+
+    <p>Affects: 6.0.0-6.0.35</p>
+        
+  </section>
   
   <section name="Fixed in Apache Tomcat 6.0.35" rtext="released 5 Dec 2011">
 
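
Review bot: The hunk starts by adding an empty line directly after an existing blank context line, leaving two blank lines before the 6.0.36 section, and three added lines contain only spaces (after the opening <section> tag, between the two advisories, and before </section>). Drop the extra blank line and strip the whitespace-only content so the file matches the single-blank-line spacing used around the neighbouring sections.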

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1406003&r1=1406002&r2=1406003&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Nov  5 22:57:58 2012
@@ -50,6 +50,56 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 7.0.30" rtext="released 6 Sep 2012">
+
+    <p><strong>Moderate: DIGEST authentication weakness</strong>
+       <cve>CVE-2012-3439</cve></p>
+
+    <p>Three weaknesses in Tomcat's implementation of DIGEST authentication
+       were identified and resolved:
+    </p>
+    <ol>
+      <li>Tomcat tracked client rather than server nonces and nonce count.</li>
+      <li>When a session ID was present, authentication was bypassed.</li>
+      <li>The user name and password were not checked before when indicating
+          that a nonce was stale.</li>
+    </ol>
+    <p>
+      These issues reduced the security of DIGEST authentication making
+      replay attacks possible in some circumstances.
+    </p>
+
+    <p>This was fixed in revision <revlink rev="1377807">1377807</revlink>.</p>
+
+    <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
+       on 19 July 2012. The second and third issues were discovered by the
+       Tomcat security team during the resulting code review. All three issues
+       were made public on 5 November 2012.</p>
+
+    <p>Affects: 7.0.0-7.0.29</p>
+
+  </section>
+
+  <section name="Fixed in Apache Tomcat 7.0.28" rtext="released 19 Jun 2012">
+
+    <p><strong>Important: Denial of service</strong>
+       <cve>CVE-2012-2733</cve></p>
+
+    <p>The checks that limited the permitted size of request headers were
+       implemented too late in the request parsing process for the HTTP NIO
+       connector. This enabled a malicious user to trigger an
+       OutOfMemoryError by sending a single request with very large headers.
+    </p>
+
+    <p>This was fixed in revision <revlink rev="1350301">1350301</revlink>.</p>
+
+    <p>This was reported by Josh Spiewak to the Tomcat security team on 4 June
+       2012 and made public on 5 November 2012.</p>
+
+    <p>Affects: 7.0.0-7.0.27</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat 7.0.23" rtext="released 25 Nov 2011">
 
     <p><strong>Important: Denial of service</strong>
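
Review bot: In the 7.0.28 entry the description ties CVE-2012-2733 to the HTTP NIO connector, but the "Affects: 7.0.0-7.0.27" line gives only a version range, so a reader scanning the Affects lines cannot tell that exposure depends on the connector in use. State the connector scope next to the version range, or add a sentence saying whether the other connectors are unaffected.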


