Return-Path: <dev-return-185993-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id D1882200D20
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Mon,  2 Oct 2017 11:59:53 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id D00EA1609DE; Mon,  2 Oct 2017 09:59:53 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 4DE8A1609EF
	for <archive-asf-public@cust-asf.ponee.io>; Mon,  2 Oct 2017 11:59:53 +0200 (CEST)
Received: (qmail 32049 invoked by uid 500); 2 Oct 2017 09:59:52 -0000
Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@tomcat.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@tomcat.apache.org>
List-Post: <mailto:dev@tomcat.apache.org>
List-Id: <dev.tomcat.apache.org>
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
Delivered-To: mailing list dev@tomcat.apache.org
Received: (qmail 31860 invoked by uid 99); 2 Oct 2017 09:59:52 -0000
Received: from mail-relay.apache.org (HELO mail-relay.apache.org) (140.211.11.15)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 02 Oct 2017 09:59:52 +0000
Received: from [192.168.23.12] (host217-44-155-55.range217-44.btcentralplus.com [217.44.155.55])
	by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) with ESMTPSA id 09E191A0055
	for <dev@tomcat.apache.org>; Mon,  2 Oct 2017 09:59:50 +0000 (UTC)
Subject: Re: svn commit: r1810270 - in /tomcat/site/trunk:
 docs/security-7.html docs/security-8.html docs/security-9.html
 xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml
To: Tomcat Developers List <dev@tomcat.apache.org>
References: <20171001181048.4D4693A026E@svn01-us-west.apache.org>
 <cd6cd708-c102-6a25-3cb3-4cd3487ba9cd@kippdata.de>
From: Mark Thomas <markt@apache.org>
Message-ID: <4a704404-1984-41f6-28a0-44c06f20b043@apache.org>
Date: Mon, 2 Oct 2017 10:59:48 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <cd6cd708-c102-6a25-3cb3-4cd3487ba9cd@kippdata.de>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
archived-at: Mon, 02 Oct 2017 09:59:54 -0000

On 02/10/17 10:13, Rainer Jung wrote:
> Am 01.10.2017 um 20:10 schrieb markt@apache.org:
>> Author: markt
>> Date: Sun Oct  1 18:10:45 2017
>> New Revision: 1810270
>>
>> URL: http://svn.apache.org/viewvc?rev=1810270&view=rev
>> Log:
>> Add CVE-2017-12617
>>
> ...
>> +<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
>> +       <code>readonly</code> initialisation parameter of the Default to false)
>> +       it was possible to upload a JSP file to the server via a specially
>> +       crafted request. This JSP could then be requested and any code it
>> +       contained would be executed by the server.</p>
> ...
> 
> It seems the description (for TC 7, 8 and 9) was copied from
> CVE-2017-12615, thus only refers to Windows and the Default servlet.
> Your original description of the topic was broader.

Indeed. I'll get that fixed. Thanks for catching that.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org