Delivered-To: mailing list announce@apache.org
Mailing-List: contact announce-help@apache.org; run by ezmlm
Message-ID: <4D7F2726.20706@apache.org>
Date: Tue, 15 Mar 2011 08:45:26 +0000
From: Mark Thomas
To: Tomcat Users List
CC: announce@tomcat.apache.org, announce@apache.org, Tomcat Developers List, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2011-1088 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.10
- Earlier versions are not affected

Description:
When a web application was started, @ServletSecurity annotations were
ignored. This meant that some areas of the application may not have been
protected as expected.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat version where this issue is fixed
- Define security constraints via an alternative mechanism such as web.xml

Credit:
This issue was reported publicly on the Tomcat users mailing list. The
Apache Tomcat security team requests that security vulnerability reports
are made privately to security@tomcat.apache.org in the first instance.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNfycmAAoJEBDAHFovYFnn3jgP/0aecIt4uUYHWbmzUPA0FNan
tzjVfPskwPYrSuNbHjHuxPknmxUPSFiCdO3V1LLtnCX2y5+cNancWRjLX7lDbt8H
sL+9AaoI8HDShG1wgYsnh/3fIKczhE28pTtyo0GtG4HpQVLcT/OH2Qhb6+mG3jwo
SCia1eSTJuhj5HM3n2fb5X33n/UEkX/cCALDrt1DRfKV69MaZbMiZh7XfpyVDpdN
LePYIeuOoxg9CVjkDYCVIaK5Bi0uzPD8yCc73dOU3YobgbDDaLSN7Awd1/RhO5TR
fpWVbl0gbmMlPnMy52B9qZL+H9HwcNnYPqbtpquE2a6ik29QT4LMTNo0mr25XxmP
K3Jb7VTcVb/P1pxFOsTyMWy25IFubMEBW4c3kafBZGUI3Q25QmNizBXZ5wvn1vex
kBzDZrnKmkzvhnCy6RnTKk9BYGRWEw9ImTqLOaLxmtXJw9bnWgoeusnje1k/24QI
3+pw/g5OjwG7hqtStrscFeo8tc/snXBojn1d21txsnLggQ0E6+9+vUVym5tBD16I
MfzN7FSd620AFSmVUo5mEfEpDe+RTkA8y/7BnYHoguBQ7WLlxejCgRpaf91vBns6
ZEQGntzx7EW7M+P2GNHy1mrVGTQ7Glk/5tnAFyqgMOHzYyN11Y3OWO1XBv+1um8q
kadENSXz4mY0vKtvaeuT
=i/HJ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@apache.org
For additional commands, e-mail: announce-help@apache.org
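The advisory's second mitigation is to declare security constraints in web.xml rather than relying on @ServletSecurity. The following audit helper is an added example, not part of the advisory or of Tomcat: it parses a web.xml, lists the servlet URL patterns that have no <security-constraint>, and flags those whose compiled class carries the @ServletSecurity annotation, since on Tomcat 7.0.0 to 7.0.10 those URLs would have been served without the intended protection. The web.xml text, the application name "example" and the stand-in class bytes are all constructed for the example; the class check is a heuristic that looks for the annotation's descriptor string in the class file's constant pool.

```python
"""Added audit helper (not part of the Tomcat advisory): find servlet URL
patterns whose only declared protection would be a @ServletSecurity
annotation, which Tomcat 7.0.0 to 7.0.10 ignored at application start
(CVE-2011-1088). Declaring the same constraint in web.xml is the
advisory's recommended alternative."""
import os
import xml.etree.ElementTree as ET

# Constructed sample web.xml for a hypothetical application "example":
# /admin/* is protected by a web.xml <security-constraint>, as the advisory
# recommends; /reports/* has a servlet-mapping but no constraint at all.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>example.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/reports/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed stand-ins for compiled classes. A real .class file carries the
# annotation descriptor "Ljavax/servlet/annotation/ServletSecurity;" as a
# CONSTANT_Utf8 entry in its constant pool, so the raw bytes contain it.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ANNOTATION_REF = b"Ljavax/servlet/annotation/ServletSecurity;"
SAMPLE_CLASSES = {
    "example.AdminServlet": CLASS_MAGIC + b"\x00\x00\x00\x32" + b"Lexample/AdminServlet;",
    "example.ReportServlet": CLASS_MAGIC + b"\x00\x00\x00\x32" + ANNOTATION_REF,
}


def _local(tag):
    """Strip the XML namespace so web.xml files with or without the Java EE
    default namespace are handled the same way."""
    return tag.rsplit("}", 1)[-1]


def parse_web_xml(text):
    """Return (url_pattern -> servlet class, set of constrained url patterns)."""
    root = ET.fromstring(text)
    servlet_class, mappings, constrained = {}, [], set()
    for el in root:
        kind = _local(el.tag)
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if kind == "servlet":
            servlet_class[fields.get("servlet-name")] = fields.get("servlet-class")
        elif kind == "servlet-mapping":
            # A mapping may list several url-patterns, so walk the children.
            for c in el:
                if _local(c.tag) == "url-pattern":
                    mappings.append((fields.get("servlet-name"), (c.text or "").strip()))
        elif kind == "security-constraint":
            for p in el.iter():
                if _local(p.tag) == "url-pattern":
                    constrained.add((p.text or "").strip())
    # Resolve names after the loop: a mapping may precede its <servlet> element.
    pattern_to_class = {p: servlet_class.get(n) for n, p in mappings}
    return pattern_to_class, constrained


def uses_servlet_security(class_bytes):
    """Heuristic: the class is a JVM class file and references the annotation."""
    return class_bytes[:4] == CLASS_MAGIC and ANNOTATION_REF in class_bytes


def audit(web_xml_text, classes):
    """Return [(url_pattern, class_name)] for mappings with no web.xml
    constraint whose class relies on @ServletSecurity."""
    pattern_to_class, constrained = parse_web_xml(web_xml_text)
    findings = []
    for pattern, cls in sorted(pattern_to_class.items()):
        if pattern in constrained:
            continue
        if cls in classes and uses_servlet_security(classes[cls]):
            findings.append((pattern, cls))
    return findings


def load_classes(classes_dir):
    """Read every .class file under a WEB-INF/classes directory into
    {dotted.class.name: bytes} for use with audit()."""
    out = {}
    for dirpath, _, files in os.walk(classes_dir):
        for f in files:
            if f.endswith(".class"):
                path = os.path.join(dirpath, f)
                rel = os.path.relpath(path, classes_dir)[: -len(".class")]
                with open(path, "rb") as fh:
                    out[rel.replace(os.sep, ".")] = fh.read()
    return out


if __name__ == "__main__":
    for pattern, cls in audit(SAMPLE_WEB_XML, SAMPLE_CLASSES):
        print(f"{pattern}: protected only by @ServletSecurity on {cls}; "
              f"declare a <security-constraint> for it in web.xml")
```

Two limits worth knowing before running this against a real deployment: servlets mapped only through @WebServlet (with no web.xml servlet-mapping) are not seen at all, and constraint coverage is compared by exact pattern string rather than by the container's prefix and extension matching, so a constraint on /* that covers /reports/* will still be reported as a gap. Both err on the side of reporting, which is the right direction for this check.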