From: Mark Thomas
Date: Wed, 06 Apr 2011 18:28:28 +0100
Message-ID: <4D9CA2BC.3070608@apache.org>
To: Tomcat Users List
CC: Tomcat Developers List, Tomcat Announce List, announce@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass

CVE-2011-1183 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.11
- Earlier versions are not affected

Description:
A regression in the fix for CVE-2011-1088 meant that security constraints
were ignored when no login configuration was present in the web.xml and the
web application was marked as metadata-complete.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Tomcat 7.0.12 or later
- Ensure a login configuration is defined in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html