tomcat-dev mailing list archives

From ma...@apache.org
Subject svn commit: r1810270 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml
Date Sun, 01 Oct 2017 18:10:45 GMT
Author: markt
Date: Sun Oct  1 18:10:45 2017
New Revision: 1810270

URL: http://svn.apache.org/viewvc?rev=1810270&view=rev
Log:
Add CVE-2017-12617

Modified:
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/docs/security-8.html
    tomcat/site/trunk/docs/security-9.html
    tomcat/site/trunk/xdocs/security-7.xml
    tomcat/site/trunk/xdocs/security-8.xml
    tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Sun Oct  1 18:10:45 2017
@@ -218,6 +218,9 @@
 <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.82">Fixed in Apache Tomcat 7.0.82</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_7.0.81">Fixed in Apache Tomcat 7.0.81</a>
 </li>
 <li>
@@ -380,6 +383,38 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_7.0.82">
+<span style="float: right;">TBD October 2017</span> Fixed in Apache Tomcat 7.0.82</h3>
+<div class="text">
+
+    
+<p>
+<strong>Important: Remote Code Execution</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617" rel="nofollow">CVE-2017-12617</a>
+</p>
+
+    
+<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+       <code>readonly</code> initialisation parameter of the Default to false)
+       it was possible to upload a JSP file to the server via a specially
+       crafted request. This JSP could then be requested and any code it
+       contained would be executed by the server.</p>
+
+    
+<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1809978">1809978</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1809992">1809992</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1810014">1810014</a>
and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1810026">1810026</a>.</p>
+
+    
+<p>This issue was first reported publicly followed by multiple reports to
+       the Apache Tomcat Security Team on 20 September 2017.</p>
+
+    
+<p>Affects: 8.0.0.RC1 to 8.0.46</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_7.0.81">
 <span style="float: right;">16 August 2017</span> Fixed in Apache Tomcat 7.0.81</h3>
 <div class="text">
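Review bot: the `Affects:` line of the new 7.0.82 section reads `<p>Affects: 8.0.0.RC1 to 8.0.46</p>`, which is the 8.0.x range and does not belong on the 7.x page; it looks carried over from security-8.html and should give the affected 7.0.x versions instead. In the same section, `the Default to false` drops a word: `readonly` is an initialisation parameter of the Default Servlet, so `initialisation parameter of the Default Servlet to false` is the intended phrasing. Both corrections should also go into xdocs/security-7.xml in this commit, since the HTML mirrors that source.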

Modified: tomcat/site/trunk/docs/security-8.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Sun Oct  1 18:10:45 2017
@@ -218,6 +218,12 @@
 <a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_8.0.47">Fixed in Apache Tomcat 8.0.47</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_8.5.23">Fixed in Apache Tomcat 8.5.23</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_8.0.45">Fixed in Apache Tomcat 8.0.45</a>
 </li>
 <li>
@@ -344,6 +350,66 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_8.0.47">
+<span style="float: right;">TBD October 2017</span> Fixed in Apache Tomcat 8.0.47</h3>
+<div class="text">
+
+    
+<p>
+<strong>Important: Remote Code Execution</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617" rel="nofollow">CVE-2017-12617</a>
+</p>
+
+    
+<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+       <code>readonly</code> initialisation parameter of the Default to false)
+       it was possible to upload a JSP file to the server via a specially
+       crafted request. This JSP could then be requested and any code it
+       contained would be executed by the server.</p>
+
+    
+<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1809921">1809921</a>.</p>
+
+    
+<p>This issue was first reported publicly followed by multiple reports to
+       the Apache Tomcat Security Team on 20 September 2017.</p>
+
+    
+<p>Affects: 8.0.0.RC1 to 8.0.46</p>
+
+  
+</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.5.23">
+<span style="float: right;">1 October 2017</span> Fixed in Apache Tomcat 8.5.23</h3>
+<div class="text">
+
+    
+<p>
+<strong>Important: Remote Code Execution</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617" rel="nofollow">CVE-2017-12617</a>
+</p>
+
+    
+<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+       <code>readonly</code> initialisation parameter of the Default to false)
+       it was possible to upload a JSP file to the server via a specially
+       crafted request. This JSP could then be requested and any code it
+       contained would be executed by the server.</p>
+
+    
+<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1809673">1809673</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1809675">1809675</a>
and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1809896">1809896</a>.</p>
+
+    
+<p>This issue was first reported publicly followed by multiple reports to
+       the Apache Tomcat Security Team on 20 September 2017.</p>
+
+    
+<p>Affects: 8.5.0 to 8.5.22</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_8.0.45">
 <span style="float: right;">1 July 2017</span> Fixed in Apache Tomcat 8.0.45</h3>
 <div class="text">
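Review bot: both new sections (8.0.47 and 8.5.23) say `the Default to false`, which drops the word Servlet; `readonly` is an initialisation parameter of the Default Servlet, so `initialisation parameter of the Default Servlet to false` is the intended phrasing. The 8.0.47 heading still carries the `TBD October 2017` placeholder, so that date needs filling in before the page is published alongside the 8.5.23 entry, which already shows `1 October 2017`. The same wording change belongs in xdocs/security-8.xml in this commit, since the HTML mirrors that source.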

Modified: tomcat/site/trunk/docs/security-9.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Sun Oct  1 18:10:45 2017
@@ -218,6 +218,9 @@
 <a href="#Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_9.0.1">Fixed in Apache Tomcat 9.0.1</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_9.0.0.M22">Fixed in Apache Tomcat 9.0.0.M22</a>
 </li>
 <li>
@@ -296,6 +299,38 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_9.0.1">
+<span style="float: right;">30 September 2017</span> Fixed in Apache Tomcat 9.0.1</h3>
+<div class="text">
+
+    
+<p>
+<strong>Important: Remote Code Execution</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617" rel="nofollow">CVE-2017-12617</a>
+</p>
+
+    
+<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+       <code>readonly</code> initialisation parameter of the Default to false)
+       it was possible to upload a JSP file to the server via a specially
+       crafted request. This JSP could then be requested and any code it
+       contained would be executed by the server.</p>
+
+    
+<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1809669">1809669</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1809674">1809674</a>,
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1809684">1809684</a>
and
+       <a href="http://svn.apache.org/viewvc?view=rev&amp;rev=1809711">1809711</a>.</p>
+
+    
+<p>This issue was first reported publicly followed by multiple reports to
+       the Apache Tomcat Security Team on 20 September 2017.</p>
+
+    
+<p>Affects: 9.0.0.M1 to 9.0.0</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_9.0.0.M22">
 <span style="float: right;">26 June 2017</span> Fixed in Apache Tomcat 9.0.0.M22</h3>
 <div class="text">
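Review bot: the new 9.0.1 section repeats the `the Default to false` wording from the 7.x and 8.x pages; `readonly` is an initialisation parameter of the Default Servlet, so `initialisation parameter of the Default Servlet to false` is the intended phrasing. Apply the same change in xdocs/security-9.xml in this commit, since the HTML mirrors that source.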

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Sun Oct  1 18:10:45 2017
@@ -50,6 +50,29 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 7.0.82" rtext="TBD October 2017">
+
+    <p><strong>Important: Remote Code Execution</strong>
+       <cve>CVE-2017-12617</cve></p>
+
+    <p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+       <code>readonly</code> initialisation parameter of the Default to false)
+       it was possible to upload a JSP file to the server via a specially
+       crafted request. This JSP could then be requested and any code it
+       contained would be executed by the server.</p>
+
+    <p>This was fixed in revisions <revlink rev="1809978">1809978</revlink>,
+       <revlink rev="1809992">1809992</revlink>,
+       <revlink rev="1810014">1810014</revlink> and
+       <revlink rev="1810026">1810026</revlink>.</p>
+
+    <p>This issue was first reported publicly followed by multiple reports to
+       the Apache Tomcat Security Team on 20 September 2017.</p>
+
+    <p>Affects: 8.0.0.RC1 to 8.0.46</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat 7.0.81" rtext="16 August 2017">
 
     <p><strong>Important: Information Disclosure</strong>
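Review bot: `<p>Affects: 8.0.0.RC1 to 8.0.46</p>` in the new 7.0.82 section is the 8.0.x range and is wrong for security-7.xml; it should list the affected 7.0.x versions. While here, `the Default to false` should read `the Default Servlet to false`, since `readonly` is an initialisation parameter of the Default Servlet. This is the source the docs/security-7.html change in this commit is generated from, so the fix should be made here and the HTML regenerated.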

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Sun Oct  1 18:10:45 2017
@@ -50,6 +50,48 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 8.0.47" rtext="TBD October 2017">
+
+    <p><strong>Important: Remote Code Execution</strong>
+       <cve>CVE-2017-12617</cve></p>
+
+    <p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+       <code>readonly</code> initialisation parameter of the Default to false)
+       it was possible to upload a JSP file to the server via a specially
+       crafted request. This JSP could then be requested and any code it
+       contained would be executed by the server.</p>
+
+    <p>This was fixed in revision <revlink rev="1809921">1809921</revlink>.</p>
+
+    <p>This issue was first reported publicly followed by multiple reports to
+       the Apache Tomcat Security Team on 20 September 2017.</p>
+
+    <p>Affects: 8.0.0.RC1 to 8.0.46</p>
+
+  </section>
+
+  <section name="Fixed in Apache Tomcat 8.5.23" rtext="1 October 2017">
+
+    <p><strong>Important: Remote Code Execution</strong>
+       <cve>CVE-2017-12617</cve></p>
+
+    <p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+       <code>readonly</code> initialisation parameter of the Default to false)
+       it was possible to upload a JSP file to the server via a specially
+       crafted request. This JSP could then be requested and any code it
+       contained would be executed by the server.</p>
+
+    <p>This was fixed in revisions <revlink rev="1809673">1809673</revlink>,
+       <revlink rev="1809675">1809675</revlink> and
+       <revlink rev="1809896">1809896</revlink>.</p>
+
+    <p>This issue was first reported publicly followed by multiple reports to
+       the Apache Tomcat Security Team on 20 September 2017.</p>
+
+    <p>Affects: 8.5.0 to 8.5.22</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat 8.0.45" rtext="1 July 2017">
 
     <p><strong>Moderate: Cache Poisoning</strong>
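Review bot: in both new sections, `the Default to false` drops the word Servlet; suggest `initialisation parameter of the Default Servlet to false`, since `readonly` is an initialisation parameter of the Default Servlet. The `rtext="TBD October 2017"` placeholder on the 8.0.47 section also needs a real date before publication. This is the source the docs/security-8.html change in this commit is generated from, so fix it here and regenerate.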

Modified: tomcat/site/trunk/xdocs/security-9.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Sun Oct  1 18:10:45 2017
@@ -50,6 +50,29 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 9.0.1" rtext="30 September 2017">
+
+    <p><strong>Important: Remote Code Execution</strong>
+       <cve>CVE-2017-12617</cve></p>
+
+    <p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+       <code>readonly</code> initialisation parameter of the Default to false)
+       it was possible to upload a JSP file to the server via a specially
+       crafted request. This JSP could then be requested and any code it
+       contained would be executed by the server.</p>
+
+    <p>This was fixed in revisions <revlink rev="1809669">1809669</revlink>,
+       <revlink rev="1809674">1809674</revlink>,
+       <revlink rev="1809684">1809684</revlink> and
+       <revlink rev="1809711">1809711</revlink>.</p>
+
+    <p>This issue was first reported publicly followed by multiple reports to
+       the Apache Tomcat Security Team on 20 September 2017.</p>
+
+    <p>Affects: 9.0.0.M1 to 9.0.0</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat 9.0.0.M22" rtext="26 June 2017">
 
     <p><strong>Important: Security Constraint Bypass</strong>
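Review bot: `the Default to false` in the new 9.0.1 section drops the word Servlet; suggest `initialisation parameter of the Default Servlet to false`, since `readonly` is an initialisation parameter of the Default Servlet. This is the source the docs/security-9.html change in this commit is generated from, so fix it here and regenerate.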



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

