tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1510686 - in /tomcat/site/trunk: docs/security-8.html docs/security.html xdocs/security-8.xml xdocs/security.xml
Date Mon, 05 Aug 2013 19:45:45 GMT
Author: markt
Date: Mon Aug  5 19:45:45 2013
New Revision: 1510686

URL: http://svn.apache.org/r1510686
Log:
Add Tomcat 8 security page

Added:
    tomcat/site/trunk/docs/security-8.html   (with props)
    tomcat/site/trunk/xdocs/security-8.xml
      - copied, changed from r1510677, tomcat/site/trunk/xdocs/security-7.xml
Modified:
    tomcat/site/trunk/docs/security.html
    tomcat/site/trunk/xdocs/security.xml

Added: tomcat/site/trunk/docs/security-8.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1510686&view=auto
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (added)
+++ tomcat/site/trunk/docs/security-8.html Mon Aug  5 19:45:45 2013
@@ -0,0 +1,345 @@
+<html>
+<head>
+<META http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>Apache Tomcat - Apache Tomcat 8 vulnerabilities</title>
+<meta name="author" content="Apache Tomcat Project">
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet">
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print">
+</head>
+<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76">
+<table border="0" width="100%" cellspacing="0">
+<!--PAGE HEADER-->
+<tr>
+<td>
+<!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"></a></td><td><font face="arial,helvetica,sanserif">
+<h1>Apache Tomcat</h1>
+</font></td><td>
+<!--APACHE LOGO--><a href="http://www.apache.org/"><img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td>
+</tr>
+</table>
+<div class="searchbox noPrint">
+<form action="http://www.google.com/search" method="get">
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input value="Search the Site" size="25" name="q" id="query" type="text"><input name="Search" value="Search Site" type="submit">
+</form>
+</div>
+<table border="0" width="100%" cellspacing="4">
+<!--HEADER SEPARATOR-->
+<tr>
+<td colspan="2">
+<hr noshade size="1">
+</td>
+</tr>
+<tr>
+<!--LEFT SIDE NAVIGATION-->
+<td width="20%" valign="top" nowrap="true" class="noPrint">
+<p>
+<strong>Apache Tomcat</strong>
+</p>
+<ul>
+<li>
+<a href="./index.html">Home</a>
+</li>
+<li>
+<a href="./taglibs/">Taglibs</a>
+</li>
+<li>
+<a href="./maven-plugin.html">Maven Plugin</a>
+</li>
+</ul>
+<p>
+<strong>Download</strong>
+</p>
+<ul>
+<li>
+<a href="./whichversion.html">Which version?</a>
+</li>
+<li>
+<a href="./download-70.cgi">Tomcat 7.0</a>
+</li>
+<li>
+<a href="./download-60.cgi">Tomcat 6.0</a>
+</li>
+<li>
+<a href="./download-connectors.cgi">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./download-native.cgi">Tomcat Native</a>
+</li>
+<li>
+<a href="http://archive.apache.org/dist/tomcat/">Archives</a>
+</li>
+</ul>
+<p>
+<strong>Documentation</strong>
+</p>
+<ul>
+<li>
+<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a>
+</li>
+<li>
+<a href="./tomcat-6.0-doc/index.html">Tomcat 6.0</a>
+</li>
+<li>
+<a href="./connectors-doc/">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./native-doc/">Tomcat Native</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat/FrontPage">Wiki</a>
+</li>
+<li>
+<a href="./migration.html">Migration Guide</a>
+</li>
+</ul>
+<p>
+<strong>Problems?</strong>
+</p>
+<ul>
+<li>
+<a href="./security.html">Security Reports</a>
+</li>
+<li>
+<a href="./findhelp.html">Find help</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a>
+</li>
+<li>
+<a href="./lists.html">Mailing Lists</a>
+</li>
+<li>
+<a href="./bugreport.html">Bug Database</a>
+</li>
+<li>
+<a href="./irc.html">IRC</a>
+</li>
+</ul>
+<p>
+<strong>Get Involved</strong>
+</p>
+<ul>
+<li>
+<a href="./getinvolved.html">Overview</a>
+</li>
+<li>
+<a href="./svn.html">SVN Repositories</a>
+</li>
+<li>
+<a href="./ci.html">Buildbot</a>
+</li>
+<li>
+<a href="https://reviews.apache.org/groups/tomcat/">Reviewboard</a>
+</li>
+<li>
+<a href="./tools.html">Tools</a>
+</li>
+</ul>
+<p>
+<strong>Media</strong>
+</p>
+<ul>
+<li>
+<a href="http://blogs.apache.org/tomcat/">Blog</a>
+</li>
+<li>
+<a href="http://twitter.com/theapachetomcat">Twitter</a>
+</li>
+</ul>
+<p>
+<strong>Misc</strong>
+</p>
+<ul>
+<li>
+<a href="./whoweare.html">Who We Are</a>
+</li>
+<li>
+<a href="./heritage.html">Heritage</a>
+</li>
+<li>
+<a href="http://www.apache.org">Apache Home</a>
+</li>
+<li>
+<a href="./resources.html">Resources</a>
+</li>
+<li>
+<a href="./contact.html">Contact</a>
+</li>
+<li>
+<a href="./legal.html">Legal</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/thanks.html">Thanks</a>
+</li>
+</ul>
+</td>
+<!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Table of Contents">
+<!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+<ul>
+<li>
+<a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x vulnerabilities</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_8.0.0-RC1">Fixed in Apache Tomcat 8.0.0-RC1</a>
+</li>
+<li>
+<a href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in Tomcat</a>
+</li>
+</ul>
+
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Apache Tomcat 8.x vulnerabilities">
+<!--()--></a><a name="Apache_Tomcat_8.x_vulnerabilities"><strong>Apache Tomcat 8.x vulnerabilities</strong></a></font></td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+    
+<p>This page lists all security vulnerabilities fixed in released versions
+       of Apache Tomcat 8.x. Each vulnerability is given a
+       <a href="security-impact.html">security impact rating</a> by the Apache
+       Tomcat security team &mdash; please note that this rating may vary from
+       platform to platform. We also list the versions of Apache Tomcat the flaw
+       is known to affect, and where a flaw has not been verified list the
+       version with a question mark.</p>
+
+    
+<p>
+<strong>Note:</strong> Vulnerabilities that are not Tomcat vulnerabilities
+       but have either been incorrectly reported against Tomcat or where Tomcat
+       provides a workaround are listed at the end of this page.</p>
+
+    
+<p>Please note that binary patches are never provided. If you need to
+       apply a source code patch, use the building instructions for the
+       Apache Tomcat version that you are using. For Tomcat 8.0 those are
+       <a href="/tomcat-8.0-doc/building.html"><code>building.html</code></a> and
+       <a href="/tomcat-8.0-doc/BUILDING.txt"><code>BUILDING.txt</code></a>.
+       Both files can be found in the <code>webapps/docs</code> subdirectory
+       of a binary distributive. You may also want to review the
+       <a href="/tomcat-8.0-doc/security-howto.html">Security Considerations</a>
+       page in the documentation.</p>
+
+    
+<p>If you need help on building or configuring Tomcat or other help on
+       following the instructions to mitigate the known vulnerabilities listed
+       here, please send your questions to the public
+       <a href="lists.html">Tomcat Users mailing list</a>
+    
+</p>
+
+    
+<p>If you have encountered an unlisted security vulnerability or other
+       unexpected behaviour that has <a href="security-impact.html">security
+       impact</a>, or if the descriptions here are incomplete,
+       please report them privately to the
+       <a href="security.html">Tomcat Security Team</a>. Thank you.
+    </p>
+
+  
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 8.0.0-RC1">
+<!--()--></a><a name="Fixed_in_Apache_Tomcat_8.0.0-RC1"><strong>Fixed in Apache Tomcat 8.0.0-RC1</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 1 August 2013</strong></font></td>
+</tr>
+<tr>
+<td colspan="2">
+<p>
+<blockquote>
+
+    
+<p>No reports</p>
+    
+  
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Not a vulnerability in Tomcat">
+<!--()--></a><a name="Not_a_vulnerability_in_Tomcat"><strong>Not a vulnerability in Tomcat</strong></a></font></td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+    
+<p>No reports</p>
+
+  
+</blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+<!--FOOTER SEPARATOR-->
+<tr>
+<td colspan="2">
+<hr noshade size="1">
+</td>
+</tr>
+<!--PAGE FOOTER-->
+<tr>
+<td colspan="2">
+<div align="center">
+<font color="#525D76" size="-1"><em>
+        Copyright &copy; 1999-2013, The Apache Software Foundation
+        <br>
+        Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
+        project logo are trademarks of the Apache Software Foundation.
+        </em></font>
+</div>
+</td>
+</tr>
+</table>
+</body>
+</html>

Propchange: tomcat/site/trunk/docs/security-8.html
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/site/trunk/docs/security.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=1510686&r1=1510685&r2=1510686&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Mon Aug  5 19:45:45 2013
@@ -209,6 +209,11 @@
 <ul>
       
 <li>
+<a href="security-8.html">Apache Tomcat 8.x Security Vulnerabilities
+          </a>
+</li>
+      
+<li>
 <a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities
           </a>
 </li>

Copied: tomcat/site/trunk/xdocs/security-8.xml (from r1510677, tomcat/site/trunk/xdocs/security-7.xml)
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?p2=tomcat/site/trunk/xdocs/security-8.xml&p1=tomcat/site/trunk/xdocs/security-7.xml&r1=1510677&r2=1510686&rev=1510686&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Mon Aug  5 19:45:45 2013
@@ -3,7 +3,7 @@
 
   <properties>
     <author>Apache Tomcat Project</author>
-    <title>Apache Tomcat 7 vulnerabilities</title>
+    <title>Apache Tomcat 8 vulnerabilities</title>
   </properties>
 
 <body>
@@ -12,9 +12,9 @@
 <toc/>
 </section>
 
-  <section name="Apache Tomcat 7.x vulnerabilities">
+  <section name="Apache Tomcat 8.x vulnerabilities">
     <p>This page lists all security vulnerabilities fixed in released versions
-       of Apache Tomcat 7.x. Each vulnerability is given a
+       of Apache Tomcat 8.x. Each vulnerability is given a
        <a href="security-impact.html">security impact rating</a> by the Apache
        Tomcat security team &#x2014; please note that this rating may vary from
        platform to platform. We also list the versions of Apache Tomcat the flaw
@@ -27,12 +27,12 @@
 
     <p>Please note that binary patches are never provided. If you need to
        apply a source code patch, use the building instructions for the
-       Apache Tomcat version that you are using. For Tomcat 7.0 those are
-       <a href="/tomcat-7.0-doc/building.html"><code>building.html</code></a> and
-       <a href="/tomcat-7.0-doc/BUILDING.txt"><code>BUILDING.txt</code></a>.
+       Apache Tomcat version that you are using. For Tomcat 8.0 those are
+       <a href="/tomcat-8.0-doc/building.html"><code>building.html</code></a> and
+       <a href="/tomcat-8.0-doc/BUILDING.txt"><code>BUILDING.txt</code></a>.
        Both files can be found in the <code>webapps/docs</code> subdirectory
        of a binary distributive. You may also want to review the
-       <a href="/tomcat-7.0-doc/security-howto.html">Security Considerations</a>
+       <a href="/tomcat-8.0-doc/security-howto.html">Security Considerations</a>
        page in the documentation.</p>
 
     <p>If you need help on building or configuring Tomcat or other help on
@@ -50,740 +50,15 @@
 
   </section>
 
-  <section name="Fixed in Apache Tomcat 7.0.40" rtext="released 9 May 2013">
-
-    <p><strong>Moderate: Information disclosure</strong>
-       <cve>CVE-2013-2071</cve></p>
-
-    <p>Bug <bug>54178</bug> described a scenario where elements of a previous
-       request may be exposed to a current request. This was very difficult to
-       exploit deliberately but fairly likely to happen unexpectedly if an
-       application used AsyncListeners that threw RuntimeExceptions.</p>
-
-    <p>This was fixed in revision <revlink rev="1471372">1471372</revlink>.</p>
-
-    <p>The root cause of the problem was identified as a Tomcat bug on 2 April
-       2013. The Tomcat security team identified the security implications on
-       24 April 2013 and made those details public on 10 May 2013.</p>
-
-    <p>Affects: 7.0.0-7.0.39</p>
-
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.33" rtext="released 21 Nov 2012">
-
-    <p><strong>Important: Session fixation</strong>
-       <cve>CVE-2013-2067</cve></p>
-
-    <p>FORM authentication associates the most recent request requiring
-       authentication with the current session. By repeatedly sending a request
-       for an authenticated resource while the victim is completing the login
-       form, an attacker could inject a request that would be executed using
-       the victim's credentials.</p>
-
-    <p>This was fixed in revision <revlink rev="1408044">1408044</revlink>.</p>
-
-    <p>This issue was identified by the Tomcat security team on 15 Oct 2012 and
-       made public on 10 May 2013.</p>
-
-    <p>Affects: 7.0.0-7.0.32</p>
-
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.32" rtext="released 9 Oct 2012">
-
-    <p><strong>Important: Bypass of CSRF prevention filter</strong>
-       <cve>CVE-2012-4431</cve></p>
-
-    <p>The CSRF prevention filter could be bypassed if a request was made to a
-       protected resource without a session identifier present in the request.
-    </p>
-
-    <p>This was fixed in revision <revlink rev="1393088">1393088</revlink>.</p>
-
-    <p>This issue was identified by the Tomcat security team on 8 September 2012
-       and made public on 4 December 2012.</p>
-
-    <p>Affects: 7.0.0-7.0.31</p>
-
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.30" rtext="released 6 Sep 2012">
-
-    <p><strong>Important: Denial of service</strong>
-       <cve>CVE-2012-3544</cve></p>
-
-    <p>When processing a request submitted using the chunked transfer encoding,
-       Tomcat ignored but did not limit any extensions that were included. This
-       allows a client to perform a limited DOS by streaming an unlimited
-       amount of data to the server.</p>
-
-    <p>This was fixed in revisions <revlink rev="1378702">1378702</revlink> and
-       <revlink rev="1378921">1378921</revlink>.</p>
-
-    <p>This issue was reported to the Tomcat security team on 10 November 2011
-       and made public on 10 May 2013.</p>
-
-    <p>Affects: 7.0.0-7.0.29</p>
-
-    <p><strong>Moderate: DIGEST authentication weakness</strong>
-       <cve>CVE-2012-3439</cve></p>
-
-    <p>Three weaknesses in Tomcat's implementation of DIGEST authentication
-       were identified and resolved:
-    </p>
-    <ol>
-      <li>Tomcat tracked client rather than server nonces and nonce count.</li>
-      <li>When a session ID was present, authentication was bypassed.</li>
-      <li>The user name and password were not checked before when indicating
-          that a nonce was stale.</li>
-    </ol>
-    <p>
-      These issues reduced the security of DIGEST authentication making
-      replay attacks possible in some circumstances.
-    </p>
-
-    <p>This was fixed in revision <revlink rev="1377807">1377807</revlink>.</p>
-
-    <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team
-       on 19 July 2012. The second and third issues were discovered by the
-       Tomcat security team during the resulting code review. All three issues
-       were made public on 5 November 2012.</p>
-
-    <p>Affects: 7.0.0-7.0.29</p>
-
-    <p><strong>Important: Bypass of security constraints</strong>
-       <cve>CVE-2012-3546</cve></p>
-
-    <p>When using FORM authentication it was possible to bypass the security
-       constraint checks in the FORM authenticator by appending
-       <code>/j_security_check</code> to the end of the URL if some other
-       component (such as the Single-Sign-On valve) had called
-       <code>request.setUserPrincipal()</code> before the call to
-       <code>FormAuthenticator#authenticate()</code>.
-    </p>
-
-    <p>This was fixed in revision <revlink rev="1377892">1377892</revlink>.</p>
-
-    <p>This issue was identified by the Tomcat security team on 13 July 2012 and
-       made public on 4 December 2012.</p>
-
-    <p>Affects: 7.0.0-7.0.29</p>
-
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.28" rtext="released 19 Jun 2012">
-
-    <p><strong>Important: Denial of service</strong>
-       <cve>CVE-2012-2733</cve></p>
-
-    <p>The checks that limited the permitted size of request headers were
-       implemented too late in the request parsing process for the HTTP NIO
-       connector. This enabled a malicious user to trigger an
-       OutOfMemoryError by sending a single request with very large headers.
-    </p>
-
-    <p>This was fixed in revision <revlink rev="1350301">1350301</revlink>.</p>
-
-    <p>This was reported by Josh Spiewak to the Tomcat security team on 4 June
-       2012 and made public on 5 November 2012.</p>
-
-    <p>Affects: 7.0.0-7.0.27</p>
-
-    <p><strong>Important: Denial of service</strong>
-       <cve>CVE-2012-4534</cve></p>
-
-    <p>When using the NIO connector with sendfile and HTTPS enabled, if a client
-       breaks the connection while reading the response an infinite loop is
-       entered leading to a denial of service. This was originally reported as
-       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=52858">bug
-       52858</a>.
-    </p>
-
-    <p>This was fixed in revision <revlink rev="1340218">1340218</revlink>.</p>
-
-    <p>The security implications of this bug were reported to the Tomcat
-       security team by Arun Neelicattu of the Red Hat Security Response Team on
-       3 October 2012 and made public on 4 December 2012.</p>
-
-    <p>Affects: 7.0.0-7.0.27</p>
-
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.23" rtext="released 25 Nov 2011">
-
-    <p><strong>Important: Denial of service</strong>
-       <cve>CVE-2012-0022</cve></p>
-
-    <p>Analysis of the recent hash collision vulnerability identified unrelated
-       inefficiencies with Apache Tomcat's handling of large numbers of
-       parameters and parameter values. These inefficiencies could allow an
-       attacker, via a specially crafted request, to cause large amounts of CPU
-       to be used which in turn could create a denial of service. The issue was
-       addressed by modifying the Tomcat parameter handling code to efficiently
-       process large numbers of parameters and parameter values.</p>
-
-    <p>This was fixed in revisions <revlink rev="1189899">1189899</revlink>,
-       <revlink rev="1190372">1190372</revlink>,
-       <revlink rev="1190482">1190482</revlink>,
-       <revlink rev="1194917">1194917</revlink>,
-       <revlink rev="1195225">1195225</revlink>,
-       <revlink rev="1195226">1195226</revlink>,
-       <revlink rev="1195537">1195537</revlink>,
-       <revlink rev="1195909">1195909</revlink>,
-       <revlink rev="1195944">1195944</revlink>,
-       <revlink rev="1195951">1195951</revlink>,
-       <revlink rev="1195977">1195977</revlink> and
-       <revlink rev="1198641">1198641</revlink>.</p>
-
-    <p>This was identified by the Tomcat security team on 21 October 2011 and
-       made public on 17 January 2012.</p>
-
-    <p>Affects: 7.0.0-7.0.22</p>
-
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.22" rtext="released 1 Oct 2011">
-
-    <p><strong>Important: Information disclosure</strong>
-       <cve>CVE-2011-3375</cve></p>
-
-    <p>For performance reasons, information parsed from a request is often
-       cached in two places: the internal request object and the internal
-       processor object. These objects are not recycled at exactly the same
-       time. When certain errors occur that needed to be added to the access
-       log, the access logging process triggers the re-population of the request
-       object after it has been recycled. However, the request object was not
-       recycled before being used for the next request. That lead to information
-       leakage (e.g. remote IP address, HTTP headers) from the previous request
-       to the next request. The issue was resolved be ensuring that the request
-       and response objects were recycled after being re-populated to generate
-       the necessary access log entries.</p>
-
-    <p>This was fixed in <revlink rev="1176592">revision 1176592</revlink>.</p>
-
-    <p>This was identified by the Tomcat security team on 22 September 2011 and
-       made public on 17 January 2012.</p>
-
-    <p>Affects: 7.0.0-7.0.21</p>
-
-    <p><strong>Low: Privilege Escalation</strong>
-       <cve>CVE-2011-3376</cve></p>
-
-    <p>This issue only affects environments running web applications that are
-       not trusted (e.g. shared hosting environments). The Servlets that
-       implement the functionality of the Manager application that ships with
-       Apache Tomcat should only be available to Contexts (web applications)
-       that are marked as privileged. However, this check was not being made.
-       This allowed an untrusted web application to use the functionality of the
-       Manager application. This could be used to obtain information on running
-       web applications as well as deploying additional web applications.
-    </p>
-
-    <p>This was fixed in <revlink rev="1176588">revision 1176588</revlink>.</p>
-
-    <p>This was identified by Ate Douma on 27 September 2011 and made public
-       on 8 November 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.21</p>
-  
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.21" rtext="released 1 Sep 2011">
-
-    <p><strong>Important: Authentication bypass and information disclosure
-       </strong>
-       <cve>CVE-2011-3190</cve></p>
-
-    <p>Apache Tomcat supports the AJP protocol which is used with reverse
-       proxies to pass requests and associated data about the request from the
-       reverse proxy to Tomcat. The AJP protocol is designed so that when a
-       request includes a request body, an unsolicited AJP message is sent to
-       Tomcat that includes the first part (or possibly all) of the request
-       body. In certain circumstances, Tomcat did not process this message as a
-       request body but as a new request. This permitted an attacker to have
-       full control over the AJP message permitting authentication bypass and
-       information disclosure. This vulnerability only occurs when all of the
-       following are true:
-       <ul>
-         <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
-         </li>
-         <li>POST requests are accepted</li>
-         <li>The request body is not processed</li>
-       </ul>
-    </p>
-
-    <p>This was fixed in <revlink rev="1162958">revision 1162958</revlink>.</p>
-
-    <p>This was reported publicly on 20th August 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.20</p>
-  
-    <p>Mitigation options:</p>  
-    <ul>
-      <li>Upgrade to Tomcat 7.0.21</li>
-      <li>Apply the appropriate <revlink rev="1162958">patch</revlink></li>
-      <li>Configure both Tomcat and the reverse proxy to use a shared secret.<br />
-       (It is "<code>requiredSecret</code>" attribute in AJP &lt;Connector&gt;,
-       "<code>worker.<i>workername</i>.secret</code>" directive for mod_jk.
-       The mod_proxy_ajp module currently does not support shared secrets).</li>
-    </ul>
-
-    <p>References:</p>
-    <ul>
-      <li><a href="/tomcat-7.0-doc/config/ajp.html">AJP Connector documentation (Tomcat 7.0)</a></li>
-      <li><a href="/connectors-doc/reference/workers.html">workers.properties configuration (mod_jk)</a></li>
-    </ul>
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.20" rtext="released 11 Aug 2011">
-
-    <p><strong>Important: Information disclosure</strong>
-       <cve>CVE-2011-2729</cve></p>
-
-    <p>Due to a bug in the capabilities code, jsvc (the service wrapper for
-       Linux that is part of the Commons Daemon project) does not drop
-       capabilities allowing the application to access files and directories
-       owned by superuser. This vulnerability only occurs when all of the
-       following are true:
-       <ul>
-         <li>Tomcat is running on a Linux operating system</li>
-         <li>jsvc was compiled with libcap</li>
-         <li>-user parameter is used</li>
-       </ul>
-       Affected Tomcat versions shipped with source files for jsvc that included
-       this vulnerability.
-    </p>
-
-    <p>This was fixed in <revlink rev="1153379">revision 1153379</revlink>.</p>
-
-    <p>This was identified by Wilfried Weissmann on 20 July 2011 and made public
-       on 12 August 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.19</p>
-  
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.19" rtext="released 19 Jul 2011">
-
-    <p><strong>Low: Information disclosure</strong>
-       <cve>CVE-2011-2526</cve></p>
-
-    <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
-       connectors. sendfile is used automatically for content served via the
-       DefaultServlet and deployed web applications may use it directly via
-       setting request attributes. These request attributes were not validated.
-       When running under a security manager, this lack of validation allowed a
-       malicious web application to do one or more of the following that would
-       normally be prevented by a security manager:
-       <ul>
-         <li>return files to users that the security manager should make
-             inaccessible</li>
-         <li>terminate (via a crash) the JVM</li>
-       </ul>
-       Additionally, these vulnerabilities only occur when all of the following
-       are true:
-       <ul>
-         <li>untrusted web applications are being used</li>
-         <li>the SecurityManager is used to limit the untrusted web applications
-             </li>
-         <li>the HTTP NIO or HTTP APR connector is used</li>
-         <li>sendfile is enabled for the connector (this is the default)</li>
-       </ul>
-    </p>
-
-    <p>This was fixed in revisions
-       <revlink rev="1145383">1145383</revlink>,
-       <revlink rev="1145489">1145489</revlink>,
-       <revlink rev="1145571">1145571</revlink>,
-       <revlink rev="1145694">1145694</revlink> and
-       <revlink rev="1146005">1146005</revlink>.</p>
-
-    <p>This was identified by the Tomcat security team on 7 July 2011 and
-       made public on 13 July 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.18</p>
-  
-    <p><i>Note: The issues below were fixed in Apache Tomcat 7.0.17 but the
-       release votes for the 7.0.17 and 7.0.18 release candidates did not pass.
-       Therefore, although users must download 7.0.19 to obtain a version that
-       includes a fix for these issues, versions 7.0.17 and 7.0.18 are not
-       included in the list of affected versions.</i></p>
-
-    <p><strong>Low: Information disclosure</strong>
-       <cve>CVE-2011-2204</cve></p>
-
-    <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
-       creating users via JMX, an exception during the user creation process may
-       trigger an error message in the JMX client that includes the user&apos;s
-       password. This error message is also written to the Tomcat logs. User
-       passwords are visible to administrators with JMX access and/or
-       administrators with read access to the tomcat-users.xml file. Users that
-       do not have these permissions but are able to read log files may be able
-       to discover a user&apos;s password.</p>
-
-    <p>This was fixed in <revlink rev="1140070">revision 1140070</revlink>.</p>
-
-    <p>This was identified by Polina Genova on 14 June 2011 and
-       made public on 27 June 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.16</p>
-  
-    <p><strong>Low: Information disclosure</strong>
-       <cve>CVE-2011-2481</cve></p>
-
-    <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
-       vulnerability previously reported as <cve>CVE-2009-0783</cve>.
-       This was initially
-       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395">
-       reported</a> as a memory leak. If a web application is the first web
-       application loaded, this bugs allows that web application to potentially
-       view and/or alter the web.xml, context.xml and tld files of other web
-       applications deployed on the Tomcat instance.</p>
-
-    <p>This was first fixed in
-       <revlink rev="1137753">revision 1137753</revlink>, 
-       but reverted in <revlink rev="1138776">revision 1138776</revlink> and
-       finally fixed in <revlink rev="1138788">revision 1138788</revlink>.</p>
-
-    <p>This was identified by the Tomcat security team on 20 June 2011 and
-       made public on 12 August 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.16</p>
-  
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.14" rtext="released 12 May 2011">
-
-    <p><strong>Important: Security constraint bypass</strong>
-       <cve>CVE-2011-1582</cve></p>
-
-    <p>An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security
-       constraints configured via annotations were ignored on the first request
-       to a Servlet. Subsequent requests were secured correctly.</p>
-
-    <p>This was fixed in <revlink rev="1100832">revision 1100832</revlink>.</p>
-
-    <p>This was identified by the Tomcat security team on 13 April 2011 and
-       made public on 17 May 2011.</p>
-
-    <p>Affects: 7.0.12-7.0.13</p>
-  
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.12" rtext="released 6 Apr 2011">
-
-    <p><strong>Important: Information disclosure</strong>
-       <cve>CVE-2011-1475</cve></p>
-
-    <p>Changes introduced to the HTTP BIO connector to support Servlet 3.0
-       asynchronous requests did not fully account for HTTP pipelining. As a
-       result, when using HTTP pipelining a range of unexpected behaviours
-       occurred including the mixing up of responses between requests. While
-       the mix-up in responses was only observed between requests from the same
-       user, a mix-up of responses for requests from different users may also be
-       possible.</p>
-
-    <p>This was fixed in revisions <revlink rev="1086349">1086349</revlink> and
-       <revlink rev="1086352">1086352</revlink>.
-       (Note: HTTP pipelined requests are still likely to fail with the
-       HTTP BIO connector but will do so in a secure manner.)</p>
-
-    <p>This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar
-       2011.</p>
-
-    <p>Affects: 7.0.0-7.0.11</p>
-
-    <p><strong>Moderate: Multiple weaknesses in HTTP DIGEST authentication</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184"
-       rel="nofollow">CVE-2011-1184</a></p>
-
-    <p>Note: Mitre elected to break this issue down into multiple issues and
-       have allocated the following additional references to parts of this
-       issue:
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5062"
-       rel="nofollow">CVE-2011-5062</a>,
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5063"
-       rel="nofollow">CVE-2011-5063</a> and
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5064"
-       rel="nofollow">CVE-2011-5064</a>. The Apache Tomcat security team will
-       continue to treat this as a single issue using the reference
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184"
-       rel="nofollow">CVE-2011-1184</a>.</p>
-
-    <p>The implementation of HTTP DIGEST authentication was discovered to have
-       several weaknesses:
-       <ul>
-         <li>replay attacks were permitted</li>
-         <li>server nonces were not checked</li>
-         <li>client nonce counts were not checked</li>
-         <li>qop values were not checked</li>
-         <li>realm values were not checked</li>
-         <li>the server secret was hard-coded to a known string</li>
-       </ul>
-       The result of these weaknesses is that DIGEST authentication was only as
-       secure as BASIC authentication.
-    </p>
-
-    <p>This was fixed in <revlink rev="1087655">revision 1087655</revlink>.</p>
-
-    <p>This was identified by the Tomcat security team on 16 March 2011 and
-       made public on 26 September 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.11</p>
-
-    <p><strong>Important: Security constraint bypass</strong>
-       <cve>CVE-2011-1183</cve></p>
-
-    <p>A regression in the fix for CVE-2011-1088 meant that security constraints
-       were ignored when no login configuration was present in the web.xml and
-       the web application was marked as meta-data complete.</p>
-
-    <p>This was fixed in <revlink rev="1087643">revision 1087643</revlink>.</p>
-
-    <p>This was identified by the Tomcat security team on 17 March 2011 and
-       made public on 6 April 2011.</p>
-
-    <p>Affects: 7.0.11</p>
-
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.11" rtext="released 11 Mar 2011">
-
-    <p><strong>Important: Security constraint bypass</strong>
-       <cve>CVE-2011-1088</cve></p>
-
-    <p>When a web application was started, <code>ServletSecurity</code>
-       annotations were ignored. This meant that some areas of the application
-       may not have been protected as expected. This was partially fixed in
-       Apache Tomcat 7.0.10 and fully fixed in 7.0.11.</p>
-
-    <p>This was fixed in revisions <revlink rev="1076586">1076586</revlink>,
-       <revlink rev="1076587">1076587</revlink>,
-       <revlink rev="1077995">1077995</revlink> and
-       <revlink rev="1079752">1079752</revlink>.</p>
-
-    <p>This was reported publicly on the Tomcat users mailing list on 2 Mar
-       2011.</p>
-
-    <p>Affects: 7.0.0-7.0.10</p>
-
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.8" rtext="released 5 Feb 2011">
-
-    <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.7 but the
-       release vote for the 7.0.7 release candidate did not pass. Therefore,
-       although users must download 7.0.8 to obtain a version that includes a
-       fix for this issue, version 7.0.7 is not included in the list of
-       affected versions.</i></p>
-
-    <p><strong>Important: Remote Denial Of Service</strong>
-       <cve>CVE-2011-0534</cve></p>
-
-    <p>The NIO connector expands its buffer endlessly during request line
-       processing. That behaviour can be used for a denial of service attack
-       using a carefully crafted request.</p>
-
-    <p>This was fixed in <revlink rev="1065939">revision 1065939</revlink>.</p>
-
-    <p>This was identified by the Tomcat security team on 27 Jan 2011 and
-       made public on 5 Feb 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.6</p>
-
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.6" rtext="released 14 Jan 2011">
-  
-    <p><strong>Low: Cross-site scripting</strong>
-       <cve>CVE-2011-0013</cve></p>
-
-    <p>The HTML Manager interface displayed web application provided data, such
-       as display names, without filtering. A malicious web application could
-       trigger script execution by an administrative user when viewing the
-       manager pages.</p>
-
-    <p>This was fixed in <revlink rev="1057279">revision 1057279</revlink>.</p>
-
-    <p>This was identified by the Tomcat security team on 12 Nov 2010 and
-       made public on 5 Feb 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.5</p>
-  
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.5" rtext="released 1 Dec 2010">
-  
-    <p><strong>Low: Cross-site scripting</strong>
-       <cve>CVE-2010-4172</cve></p>
-
-    <p>The Manager application used the user provided parameters sort and
-       orderBy directly without filtering thereby permitting cross-site
-       scripting. The CSRF protection, which is enabled by default, prevents an
-       attacker from exploiting this.</p>
-
-    <p>This was fixed in <revlink rev="1037778">revision 1037778</revlink>.</p>
-
-    <p>This was first reported to the Tomcat security team on 15 Nov 2010 and
-       made public on 22 Nov 2010.</p>
-
-    <p>Affects: 7.0.0-7.0.4</p>
-  
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.4" rtext="released 21 Oct 2010">
-
-    <p><strong>Low: SecurityManager file permission bypass</strong>
-       <cve>CVE-2010-3718</cve></p>
-
-    <p>When running under a SecurityManager, access to the file system is
-       limited but web applications are granted read/write permissions to the
-       work directory. This directory is used for a variety of temporary files
-       such as the intermediate files generated when compiling JSPs to Servlets.
-       The location of the work directory is specified by a ServletContect
-       attribute that is meant to be read-only to web applications. However,
-       due to a coding error, the read-only setting was not applied. Therefore,
-       a malicious web application may modify the attribute before Tomcat
-       applies the file permissions. This can be used to grant read/write
-       permissions to any area on the file system which a malicious web
-       application may then take advantage of. This vulnerability is only
-       applicable when hosting web applications from untrusted sources such as
-       shared hosting environments.</p>
-
-    <p>This was fixed in <revlink rev="1022134">revision 1022134</revlink>.</p>
-
-    <p>This was discovered by the Tomcat security team on 12 Oct 2010 and
-       made public on 5 Feb 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.3</p>
-  
-  </section>
-
-  <section name="Fixed in Apache Tomcat 7.0.2" rtext="released 11 Aug 2010">
-  
-    <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.1 but the
-       release vote for the 7.0.1 release candidate did not pass. Therefore,
-       although users must download 7.0.2 to obtain a version that includes a
-       fix for this issue, version 7.0.2 is not included in the list of
-       affected versions.</i></p>
-         
-    <p><strong>Important: Remote Denial Of Service and Information Disclosure
-       Vulnerability</strong>
-       <cve>CVE-2010-2227</cve></p>
-
-    <p>Several flaws in the handling of the 'Transfer-Encoding' header were
-       found that prevented the recycling of a buffer. A remote attacker could
-       trigger this flaw which would cause subsequent requests to fail and/or
-       information to leak between requests. This flaw is mitigated if Tomcat is
-       behind a reverse proxy (such as Apache httpd 2.2) as the proxy should
-       reject the invalid transfer encoding header.</p>
-       
-    <p>This was fixed in <revlink rev="958911">revision 958911</revlink>.</p>
-
-    <p>This was first reported to the Tomcat security team on 14 Jun 2010 and
-       made public on 9 Jul 2010.</p>
-
-    <p>Affects: 7.0.0</p>
+  <section name="Fixed in Apache Tomcat 8.0.0-RC1" rtext="released 1 August 2013">
 
+    <p>No reports</p>
+    
   </section>
 
   <section name="Not a vulnerability in Tomcat">
-  
-    <p><strong>Low: Denial Of Service</strong>
-       <cve>CVE-2012-5568</cve></p>
-
-    <p>Sending an HTTP request 1 byte at a time will consume a thread from the
-       connection pool until the request has been fully processed if using the
-       BIO or APR/native HTTP connectors. Multiple requests may be used to
-       consume all threads in the connection pool thereby creating a denial of
-       service.</p>
-
-    <p>Since the relationship between the client side resources and server side
-       resources is a linear one, this issue is not something that the Tomcat
-       Security Team views as a vulnerability. This is a generic DoS problem and
-       there is no magic solution. This issue has been discussed several times
-       on the Tomcat mailing lists. The best place to start to review these
-       discussions is the report for
-       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=54263">bug
-       54236</a>.</p>
-
-    <p>This was first discussed on the public Tomcat users mailing list on 19
-       June 2009.</p>
-
-    <p>Affects: 7.0.0-7.0.x</p>
-
-    <p><strong>Important: Remote Denial Of Service</strong>
-       <cve>CVE-2010-4476</cve></p>
-
-    <p>A JVM bug could cause Double conversion to hang JVM when accessing to a
-       form based security constrained page or any page that calls
-       javax.servlet.ServletRequest.getLocale() or
-       javax.servlet.ServletRequest.getLocales(). A specially crafted request
-       can be used to trigger a denial of service.
-    </p>
 
-    <p>A work-around for this JVM bug was provided in 
-       <revlink rev="1066244">revision 1066244</revlink>.</p>
-
-    <p>This was first reported to the Tomcat security team on 01 Feb 2011 and
-       made public on 31 Jan 2011.</p>
-
-    <p>Affects: 7.0.0-7.0.6</p>
-
-    <p><strong>Moderate: TLS SSL Man In The Middle</strong>
-       <cve>CVE-2009-3555</cve></p>
-
-    <p>A vulnerability exists in the TLS protocol that allows an attacker to
-       inject arbitrary requests into an TLS stream during renegotiation.</p>
-    
-    <p>The TLS implementation used by Tomcat varies with connector. The blocking
-       IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
-       provided by the JVM. The APR/native connector uses OpenSSL.</p>
-       
-    <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
-       To workaround a vulnerable version of JSSE, use the connector attribute
-       <code>allowUnsafeLegacyRenegotiation</code>. It should be set to
-       <code>false</code> (the default) to protect against this vulnerability.
-       </p>
-       
-    <p>The NIO connector prior to 7.0.10 is not vulnerable as it does not
-       support renegotiation.</p>
-       
-    <p>The NIO connector is vulnerable from version 7.0.10 onwards if the JSSE
-       version used is vulnerable. To workaround a vulnerable version of JSSE,
-       use the connector attribute <code>allowUnsafeLegacyRenegotiation</code>.
-       It should be set to <code>false</code> (the default) to protect against
-       this vulnerability.</p>
-       
-    <p>The APR/native workarounds are detailed on the
-       <a href="security-native.html">APR/native connector security page</a>.
-       </p>
-       
-    <p>Users should be aware that the impact of disabling renegotiation will
-       vary with both application and client. In some circumstances disabling
-       renegotiation may result in some clients being unable to access the
-       application.</p>
-
-    <p>This was worked-around in
-       <revlink rev="882320">revision 891292</revlink>.</p>
-
-    <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
-       have this security issue:</p>
-
-    <ul>
-      <li>For connectors using JSSE implementation provided by JVM:
-        Added in Tomcat 7.0.8.<br />
-        Requires JRE that supports RFC 5746. For Oracle JRE that is
-        <a rel="nofollow"
-        href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html">known</a>
-        to be 6u22 or later.
-      </li>
-      <li>For connectors using APR and OpenSSL:<br />
-        TBD. See
-        <a href="security-native.html">APR/native connector security page</a>.
-      </li>
-    </ul>
+    <p>No reports</p>
 
   </section>
   

Modified: tomcat/site/trunk/xdocs/security.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=1510686&r1=1510685&r2=1510686&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security.xml (original)
+++ tomcat/site/trunk/xdocs/security.xml Mon Aug  5 19:45:45 2013
@@ -25,6 +25,8 @@
     <p>Lists of security problems fixed in released versions of Apache Tomcat
        are available:</p>
     <ul>
+      <li><a href="security-8.html">Apache Tomcat 8.x Security Vulnerabilities
+          </a></li>
       <li><a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities
           </a></li>
       <li><a href="security-6.html">Apache Tomcat 6.x Security Vulnerabilities



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message