Message-ID: <50BE536F.6000705@apache.org>
Date: Tue, 04 Dec 2012 19:47:59 +0000
From: Mark Thomas
To: Tomcat Users List
CC: Tomcat Announce List, announce@apache.org, Tomcat Developers List, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter

CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.31
- Tomcat 6.0.0 to 6.0.35

Description:
The CSRF prevention filter could be bypassed if a request was made to a
protected resource without a session identifier present in the request.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.32 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by the Tomcat security team

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
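The advisory says only that the filter could be bypassed when the request carried no session identifier. The following is an added illustration, not Tomcat's code, of the class of defect that produces that symptom: a session-bound nonce cache that is consulted only when a session exists, so "no session" is silently treated as "nothing to verify". The parameter name, the request model and the cache size are assumptions for the example; the hardened variant shows the check a filter should make instead (a missing session, cache or nonce is a rejection, not a pass).

```python
# Added example (not Tomcat's code) modelling the bug class behind CVE-2012-4431.
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional
import secrets

NONCE_PARAM = "CSRF_NONCE"   # hypothetical request parameter name


@dataclass
class Request:
    params: dict
    session: Optional[dict] = None   # None models a request with no session id


def issue_nonce(session: dict, cache_size: int = 5) -> str:
    """Mint a nonce and remember it in a small LRU cache bound to the session."""
    cache = session.setdefault("csrf_nonces", OrderedDict())
    nonce = secrets.token_hex(16)
    cache[nonce] = True
    while len(cache) > cache_size:
        cache.popitem(last=False)      # evict the oldest nonce
    return nonce


def vulnerable_allows(req: Request) -> bool:
    """Flawed check: a request with no session has no cache, and a missing cache
    skips the comparison entirely, so the request is let through."""
    cache = None if req.session is None else req.session.get("csrf_nonces")
    nonce = req.params.get(NONCE_PARAM)
    if cache is not None and nonce not in cache:
        return False   # would be a 403
    return True        # reached with cache is None, even when no nonce was sent


def fixed_allows(req: Request) -> bool:
    """Hardened check: absence of session, cache or nonce fails closed."""
    cache = None if req.session is None else req.session.get("csrf_nonces")
    nonce = req.params.get(NONCE_PARAM)
    return cache is not None and nonce is not None and nonce in cache


def demo() -> dict:
    """Constructed requests: a legitimate one, one with no session, one with a bad nonce."""
    session = {}
    good = issue_nonce(session)
    cases = {
        "legit": Request({NONCE_PARAM: good}, session),
        "no_session": Request({}, None),
        "wrong_nonce": Request({NONCE_PARAM: "bogus"}, session),
    }
    return {name: (vulnerable_allows(r), fixed_allows(r)) for name, r in cases.items()}
```

Each entry in the result is (vulnerable, fixed); only the session-less request separates the two, which is exactly the condition the advisory describes.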