Author: markt
Date: Tue Nov 22 09:42:06 2016
New Revision: 1770815
URL: http://svn.apache.org/viewvc?rev=1770815&view=rev
Log:
Publish:
CVE-2016-6816
CVE-2016-6817
CVE-2016-8735
Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml
Modified: tomcat/site/trunk/docs/security-6.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1770815&r1=1770814&r2=1770815&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Tue Nov 22 09:42:06 2016
@@ -219,6 +219,9 @@
<a href="#Apache_Tomcat_6.x_vulnerabilities">Apache Tomcat 6.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_6.0.48">Fixed in Apache Tomcat 6.0.48</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_6.0.47">Fixed in Apache Tomcat 6.0.47</a>
</li>
<li>
@@ -334,6 +337,61 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_6.0.48">
+<span style="float: right;">15 November 2016</span> Fixed in Apache Tomcat
6.0.48</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Remote Code Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735";
rel="nofollow">CVE-2016-8735</a>
+</p>
+
+
+<p>The <code>JmxRemoteLifecycleListener</code> was not updated to take
+ account of Oracle's fix for <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427";
rel="nofollow">CVE-2016-3427</a>. Therefore, Tomcat
+ installations using this listener remained vulnerable to a similar
remote
+ code execution vulnerability. This issue has been rated as important
+ rather than critical due to the small number of installations using this
+ listener and that it would be highly unusual for the JMX ports to be
+ accessible to an attacker even when the listener is used.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1767684";>1767684</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team on 19 October
+ 2016 and made public on 22 November 2016.</p>
+
+
+<p>Affects: 6.0.0 to 6.0.47</p>
+
+
+<p>
+<strong>Important: Information Disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816";
rel="nofollow">CVE-2016-6816</a>
+</p>
+
+
+<p>The code that parsed the HTTP request line permitted invalid characters.
+ This could be exploited, in conjunction with a proxy that also permitted
+ the invalid characters but with a different interpretation, to inject
+ data into the HTTP response. By manipulating the HTTP response the
+ attacker could poison a web-cache, perform an XSS attack and/or obtain
+ sensitive information from requests other then their own.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1767683";>1767683</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team on 11
+ October 2016 and made public on 22 November 2016.</p>
+
+
+<p>Affects: 6.0.0 to 6.0.47</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_6.0.47">
<span style="float: right;">16 October 2016</span> Fixed in Apache Tomcat
6.0.47</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-7.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1770815&r1=1770814&r2=1770815&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Tue Nov 22 09:42:06 2016
@@ -219,6 +219,9 @@
<a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.73">Fixed in Apache Tomcat 7.0.73</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_7.0.72">Fixed in Apache Tomcat 7.0.72</a>
</li>
<li>
@@ -360,6 +363,61 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_7.0.73">
+<span style="float: right;">14 November 2016</span> Fixed in Apache Tomcat
7.0.73</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Remote Code Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735";
rel="nofollow">CVE-2016-8735</a>
+</p>
+
+
+<p>The <code>JmxRemoteLifecycleListener</code> was not updated to take
+ account of Oracle's fix for <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427";
rel="nofollow">CVE-2016-3427</a>. Therefore, Tomcat
+ installations using this listener remained vulnerable to a similar
remote
+ code execution vulnerability. This issue has been rated as important
+ rather than critical due to the small number of installations using this
+ listener and that it would be highly unusual for the JMX ports to be
+ accessible to an attacker even when the listener is used.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1767676";>1767676</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team on 19 October
+ 2016 and made public on 22 November 2016.</p>
+
+
+<p>Affects: 7.0.0 to 7.0.72</p>
+
+
+<p>
+<strong>Important: Information Disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816";
rel="nofollow">CVE-2016-6816</a>
+</p>
+
+
+<p>The code that parsed the HTTP request line permitted invalid characters.
+ This could be exploited, in conjunction with a proxy that also permitted
+ the invalid characters but with a different interpretation, to inject
+ data into the HTTP response. By manipulating the HTTP response the
+ attacker could poison a web-cache, perform an XSS attack and/or obtain
+ sensitive information from requests other then their own.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1767675";>1767675</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team on 11
+ October 2016 and made public on 22 November 2016.</p>
+
+
+<p>Affects: 7.0.0 to 7.0.72</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_7.0.72">
<span style="float: right;">19 September 2016</span> Fixed in Apache Tomcat
7.0.72</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-8.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1770815&r1=1770814&r2=1770815&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Tue Nov 22 09:42:06 2016
@@ -219,6 +219,12 @@
<a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_8.0.39">Fixed in Apache Tomcat 8.0.39</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_8.5.8">Fixed in Apache Tomcat 8.5.8</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37">Fixed in Apache Tomcat
8.5.5 and 8.0.37</a>
</li>
<li>
@@ -306,6 +312,147 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.0.39">
+<span style="float: right;">14 November 2016</span> Fixed in Apache Tomcat
8.0.39</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Remote Code Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735";
rel="nofollow">CVE-2016-8735</a>
+</p>
+
+
+<p>The <code>JmxRemoteLifecycleListener</code> was not updated to take
+ account of Oracle's fix for <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427";
rel="nofollow">CVE-2016-3427</a>. Therefore, Tomcat
+ installations using this listener remained vulnerable to a similar
remote
+ code execution vulnerability. This issue has been rated as important
+ rather than critical due to the small number of installations using this
+ listener and that it would be highly unusual for the JMX ports to be
+ accessible to an attacker even when the listener is used.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1767656";>1767656</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team on 19 October
+ 2016 and made public on 22 November 2016.</p>
+
+
+<p>Affects: 8.0.0.RC1 to 8.0.38</p>
+
+
+<p>
+<strong>Important: Information Disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816";
rel="nofollow">CVE-2016-6816</a>
+</p>
+
+
+<p>The code that parsed the HTTP request line permitted invalid characters.
+ This could be exploited, in conjunction with a proxy that also permitted
+ the invalid characters but with a different interpretation, to inject
+ data into the HTTP response. By manipulating the HTTP response the
+ attacker could poison a web-cache, perform an XSS attack and/or obtain
+ sensitive information from requests other then their own.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1767653";>1767653</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team on 11
+ October 2016 and made public on 22 November 2016.</p>
+
+
+<p>Affects: 8.0.0.RC1 to 8.0.38</p>
+
+
+</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.5.8">
+<span style="float: right;">8 November 2016</span> Fixed in Apache Tomcat
8.5.8</h3>
+<div class="text">
+
+
+<p>
+<i>Note: The issues below were fixed in Apache Tomcat 8.5.7 but the
+ release vote for the 8.5.7 release candidate did not pass. Therefore,
+ although users must download 8.5.8 to obtain a version that includes
+ fixes for these issues, version 8.5.7 is not included in the list of
+ affected versions.</i>
+</p>
+
+
+<p>
+<strong>Important: Remote Code Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735";
rel="nofollow">CVE-2016-8735</a>
+</p>
+
+
+<p>The <code>JmxRemoteLifecycleListener</code> was not updated to take
+ account of Oracle's fix for <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427";
rel="nofollow">CVE-2016-3427</a>. Therefore, Tomcat
+ installations using this listener remained vulnerable to a similar
remote
+ code execution vulnerability. This issue has been rated as important
+ rather than critical due to the small number of installations using this
+ listener and that it would be highly unusual for the JMX ports to be
+ accessible to an attacker even when the listener is used.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1767646";>1767646</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team on 19 October
+ 2016 and made public on 22 November 2016.</p>
+
+
+<p>Affects: 8.5.0 to 8.5.6</p>
+
+
+<p>
+<strong>Important: Denial of Service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6817";
rel="nofollow">CVE-2016-6817</a>
+</p>
+
+
+<p>The HTTP/2 header parser entered an infinite loop if a header was
+ received that was larger than the available buffer. This made a denial
of
+ service attack possible.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1765798";>1765798</a>.</p>
+
+
+<p>This issue was reported as <a
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=60232";>60232</a> on 10
October 2016 and the
+ security implications identified by the Apache Tomcat Security Team on
+ the same day. It was made public on 22 November 2016.</p>
+
+
+<p>Affects: 8.5.0 to 8.5.6</p>
+
+
+<p>
+<strong>Important: Information Disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816";
rel="nofollow">CVE-2016-6816</a>
+</p>
+
+
+<p>The code that parsed the HTTP request line permitted invalid characters.
+ This could be exploited, in conjunction with a proxy that also permitted
+ the invalid characters but with a different interpretation, to inject
+ data into the HTTP response. By manipulating the HTTP response the
+ attacker could poison a web-cache, perform an XSS attack and/or obtain
+ sensitive information from requests other then their own.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1767645";>1767645</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team on 11
+ October 2016 and made public on 22 November 2016.</p>
+
+
+<p>Affects: 8.5.0 to 8.5.6</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37">
<span style="float: right;">5 September 2016</span> Fixed in Apache Tomcat
8.5.5 and 8.0.37</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-9.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1770815&r1=1770814&r2=1770815&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Tue Nov 22 09:42:06 2016
@@ -219,6 +219,9 @@
<a href="#Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_9.0.0.M13">Fixed in Apache Tomcat
9.0.0.M13</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_9.0.0.M10">Fixed in Apache Tomcat
9.0.0.M10</a>
</li>
<li>
@@ -276,6 +279,92 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_9.0.0.M13">
+<span style="float: right;">8 November 2016</span> Fixed in Apache Tomcat
9.0.0.M13</h3>
+<div class="text">
+
+
+<p>
+<i>Note: The issues below were fixed in Apache Tomcat 9.0.0.M12 but the
+ release vote for the 9.0.0.M12 release candidate did not pass.
Therefore,
+ although users must download 9.0.0.M13 to obtain a version that includes
+ fixes for these issues, version 9.0.0.M12 is not included in the list of
+ affected versions.</i>
+</p>
+
+
+<p>
+<strong>Important: Remote Code Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735";
rel="nofollow">CVE-2016-8735</a>
+</p>
+
+
+<p>The <code>JmxRemoteLifecycleListener</code> was not updated to take
+ account of Oracle's fix for <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427";
rel="nofollow">CVE-2016-3427</a>. Therefore, Tomcat
+ installations using this listener remained vulnerable to a similar
remote
+ code execution vulnerability. This issue has been rated as important
+ rather than critical due to the small number of installations using this
+ listener and that it would be highly unusual for the JMX ports to be
+ accessible to an attacker even when the listener is used.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1767644";>1767644</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team on 19 October
+ 2016 and made public on 22 November 2016.</p>
+
+
+<p>Affects: 9.0.0.M1 to 9.0.0.M11</p>
+
+
+<p>
+<strong>Important: Denial of Service</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6817";
rel="nofollow">CVE-2016-6817</a>
+</p>
+
+
+<p>The HTTP/2 header parser entered an infinite loop if a header was
+ received that was larger than the available buffer. This made a denial
of
+ service attack possible.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1765794";>1765794</a>.</p>
+
+
+<p>This issue was reported as <a
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=60232";>60232</a> on 10
October 2016 and the
+ security implications identified by the Apache Tomcat Security Team on
+ the same day. It was made public on 22 November 2016.</p>
+
+
+<p>Affects: 9.0.0.M1 to 9.0.0.M11</p>
+
+
+<p>
+<strong>Important: Information Disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816";
rel="nofollow">CVE-2016-6816</a>
+</p>
+
+
+<p>The code that parsed the HTTP request line permitted invalid characters.
+ This could be exploited, in conjunction with a proxy that also permitted
+ the invalid characters but with a different interpretation, to inject
+ data into the HTTP response. By manipulating the HTTP response the
+ attacker could poison a web-cache, perform an XSS attack and/or obtain
+ sensitive information from requests other then their own.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1767641";>1767641</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team on 11 October
+ 2016 and made public on 22 November 2016.</p>
+
+
+<p>Affects: 9.0.0.M1 to 9.0.0.M11</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_9.0.0.M10">
<span style="float: right;">5 September 2016</span> Fixed in Apache Tomcat
9.0.0.M10</h3>
<div class="text">
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1770815&r1=1770814&r2=1770815&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Tue Nov 22 09:42:06 2016
@@ -48,6 +48,45 @@
</section>
+ <section name="Fixed in Apache Tomcat 6.0.48" rtext="15 November 2016">
+
+ <p><strong>Important: Remote Code Execution</strong>
+ <cve>CVE-2016-8735</cve></p>
+
+ <p>The <code>JmxRemoteLifecycleListener</code> was not updated to take
+ account of Oracle's fix for <cve>CVE-2016-3427</cve>. Therefore, Tomcat
+ installations using this listener remained vulnerable to a similar
remote
+ code execution vulnerability. This issue has been rated as important
+ rather than critical due to the small number of installations using this
+ listener and that it would be highly unusual for the JMX ports to be
+ accessible to an attacker even when the listener is used.</p>
+
+ <p>This was fixed in revision <revlink rev="1767684">1767684</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 19 October
+ 2016 and made public on 22 November 2016.</p>
+
+ <p>Affects: 6.0.0 to 6.0.47</p>
+
+ <p><strong>Important: Information Disclosure</strong>
+ <cve>CVE-2016-6816</cve></p>
+
+ <p>The code that parsed the HTTP request line permitted invalid characters.
+ This could be exploited, in conjunction with a proxy that also permitted
+ the invalid characters but with a different interpretation, to inject
+ data into the HTTP response. By manipulating the HTTP response the
+ attacker could poison a web-cache, perform an XSS attack and/or obtain
+ sensitive information from requests other then their own.</p>
+
+ <p>This was fixed in revision <revlink rev="1767683">1767683</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 11
+ October 2016 and made public on 22 November 2016.</p>
+
+ <p>Affects: 6.0.0 to 6.0.47</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 6.0.47" rtext="16 October 2016">
<p><i>Note: The issues below were fixed in Apache Tomcat 6.0.46 but the
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1770815&r1=1770814&r2=1770815&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Tue Nov 22 09:42:06 2016
@@ -50,6 +50,45 @@
</section>
+ <section name="Fixed in Apache Tomcat 7.0.73" rtext="14 November 2016">
+
+ <p><strong>Important: Remote Code Execution</strong>
+ <cve>CVE-2016-8735</cve></p>
+
+ <p>The <code>JmxRemoteLifecycleListener</code> was not updated to take
+ account of Oracle's fix for <cve>CVE-2016-3427</cve>. Therefore, Tomcat
+ installations using this listener remained vulnerable to a similar
remote
+ code execution vulnerability. This issue has been rated as important
+ rather than critical due to the small number of installations using this
+ listener and that it would be highly unusual for the JMX ports to be
+ accessible to an attacker even when the listener is used.</p>
+
+ <p>This was fixed in revision <revlink rev="1767676">1767676</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 19 October
+ 2016 and made public on 22 November 2016.</p>
+
+ <p>Affects: 7.0.0 to 7.0.72</p>
+
+ <p><strong>Important: Information Disclosure</strong>
+ <cve>CVE-2016-6816</cve></p>
+
+ <p>The code that parsed the HTTP request line permitted invalid characters.
+ This could be exploited, in conjunction with a proxy that also permitted
+ the invalid characters but with a different interpretation, to inject
+ data into the HTTP response. By manipulating the HTTP response the
+ attacker could poison a web-cache, perform an XSS attack and/or obtain
+ sensitive information from requests other then their own.</p>
+
+ <p>This was fixed in revision <revlink rev="1767675">1767675</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 11
+ October 2016 and made public on 22 November 2016.</p>
+
+ <p>Affects: 7.0.0 to 7.0.72</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.72" rtext="19 September 2016">
<p><i>Note: The issues below were fixed in Apache Tomcat 7.0.71 but the
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1770815&r1=1770814&r2=1770815&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Tue Nov 22 09:42:06 2016
@@ -50,6 +50,105 @@
</section>
+ <section name="Fixed in Apache Tomcat 8.0.39" rtext="14 November 2016">
+
+ <p><strong>Important: Remote Code Execution</strong>
+ <cve>CVE-2016-8735</cve></p>
+
+ <p>The <code>JmxRemoteLifecycleListener</code> was not updated to take
+ account of Oracle's fix for <cve>CVE-2016-3427</cve>. Therefore, Tomcat
+ installations using this listener remained vulnerable to a similar
remote
+ code execution vulnerability. This issue has been rated as important
+ rather than critical due to the small number of installations using this
+ listener and that it would be highly unusual for the JMX ports to be
+ accessible to an attacker even when the listener is used.</p>
+
+ <p>This was fixed in revision <revlink rev="1767656">1767656</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 19 October
+ 2016 and made public on 22 November 2016.</p>
+
+ <p>Affects: 8.0.0.RC1 to 8.0.38</p>
+
+ <p><strong>Important: Information Disclosure</strong>
+ <cve>CVE-2016-6816</cve></p>
+
+ <p>The code that parsed the HTTP request line permitted invalid characters.
+ This could be exploited, in conjunction with a proxy that also permitted
+ the invalid characters but with a different interpretation, to inject
+ data into the HTTP response. By manipulating the HTTP response the
+ attacker could poison a web-cache, perform an XSS attack and/or obtain
+ sensitive information from requests other then their own.</p>
+
+ <p>This was fixed in revision <revlink rev="1767653">1767653</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 11
+ October 2016 and made public on 22 November 2016.</p>
+
+ <p>Affects: 8.0.0.RC1 to 8.0.38</p>
+
+ </section>
+
+ <section name="Fixed in Apache Tomcat 8.5.8" rtext="8 November 2016">
+
+ <p><i>Note: The issues below were fixed in Apache Tomcat 8.5.7 but the
+ release vote for the 8.5.7 release candidate did not pass. Therefore,
+ although users must download 8.5.8 to obtain a version that includes
+ fixes for these issues, version 8.5.7 is not included in the list of
+ affected versions.</i></p>
+
+ <p><strong>Important: Remote Code Execution</strong>
+ <cve>CVE-2016-8735</cve></p>
+
+ <p>The <code>JmxRemoteLifecycleListener</code> was not updated to take
+ account of Oracle's fix for <cve>CVE-2016-3427</cve>. Therefore, Tomcat
+ installations using this listener remained vulnerable to a similar
remote
+ code execution vulnerability. This issue has been rated as important
+ rather than critical due to the small number of installations using this
+ listener and that it would be highly unusual for the JMX ports to be
+ accessible to an attacker even when the listener is used.</p>
+
+ <p>This was fixed in revision <revlink rev="1767646">1767646</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 19 October
+ 2016 and made public on 22 November 2016.</p>
+
+ <p>Affects: 8.5.0 to 8.5.6</p>
+
+ <p><strong>Important: Denial of Service</strong>
+ <cve>CVE-2016-6817</cve></p>
+
+ <p>The HTTP/2 header parser entered an infinite loop if a header was
+ received that was larger than the available buffer. This made a denial
of
+ service attack possible.</p>
+
+ <p>This was fixed in revision <revlink rev="1765798">1765798</revlink>.</p>
+
+ <p>This issue was reported as <bug>60232</bug> on 10 October 2016 and the
+ security implications identified by the Apache Tomcat Security Team on
+ the same day. It was made public on 22 November 2016.</p>
+
+ <p>Affects: 8.5.0 to 8.5.6</p>
+
+ <p><strong>Important: Information Disclosure</strong>
+ <cve>CVE-2016-6816</cve></p>
+
+ <p>The code that parsed the HTTP request line permitted invalid characters.
+ This could be exploited, in conjunction with a proxy that also permitted
+ the invalid characters but with a different interpretation, to inject
+ data into the HTTP response. By manipulating the HTTP response the
+ attacker could poison a web-cache, perform an XSS attack and/or obtain
+ sensitive information from requests other then their own.</p>
+
+ <p>This was fixed in revision <revlink rev="1767645">1767645</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 11
+ October 2016 and made public on 22 November 2016.</p>
+
+ <p>Affects: 8.5.0 to 8.5.6</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 8.5.5 and 8.0.37" rtext="5 September
2016">
<p><strong>Low: Unrestricted Access to Global Resources</strong>
Modified: tomcat/site/trunk/xdocs/security-9.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1770815&r1=1770814&r2=1770815&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Tue Nov 22 09:42:06 2016
@@ -50,6 +50,66 @@
</section>
+ <section name="Fixed in Apache Tomcat 9.0.0.M13" rtext="8 November 2016">
+
+ <p><i>Note: The issues below were fixed in Apache Tomcat 9.0.0.M12 but the
+ release vote for the 9.0.0.M12 release candidate did not pass.
Therefore,
+ although users must download 9.0.0.M13 to obtain a version that includes
+ fixes for these issues, version 9.0.0.M12 is not included in the list of
+ affected versions.</i></p>
+
+ <p><strong>Important: Remote Code Execution</strong>
+ <cve>CVE-2016-8735</cve></p>
+
+ <p>The <code>JmxRemoteLifecycleListener</code> was not updated to take
+ account of Oracle's fix for <cve>CVE-2016-3427</cve>. Therefore, Tomcat
+ installations using this listener remained vulnerable to a similar
remote
+ code execution vulnerability. This issue has been rated as important
+ rather than critical due to the small number of installations using this
+ listener and that it would be highly unusual for the JMX ports to be
+ accessible to an attacker even when the listener is used.</p>
+
+ <p>This was fixed in revision <revlink rev="1767644">1767644</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 19 October
+ 2016 and made public on 22 November 2016.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.0.M11</p>
+
+ <p><strong>Important: Denial of Service</strong>
+ <cve>CVE-2016-6817</cve></p>
+
+ <p>The HTTP/2 header parser entered an infinite loop if a header was
+ received that was larger than the available buffer. This made a denial
of
+ service attack possible.</p>
+
+ <p>This was fixed in revision <revlink rev="1765794">1765794</revlink>.</p>
+
+ <p>This issue was reported as <bug>60232</bug> on 10 October 2016 and the
+ security implications identified by the Apache Tomcat Security Team on
+ the same day. It was made public on 22 November 2016.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.0.M11</p>
+
+ <p><strong>Important: Information Disclosure</strong>
+ <cve>CVE-2016-6816</cve></p>
+
+ <p>The code that parsed the HTTP request line permitted invalid characters.
+ This could be exploited, in conjunction with a proxy that also permitted
+ the invalid characters but with a different interpretation, to inject
+ data into the HTTP response. By manipulating the HTTP response the
+ attacker could poison a web-cache, perform an XSS attack and/or obtain
+ sensitive information from requests other then their own.</p>
+
+ <p>This was fixed in revision <revlink rev="1767641">1767641</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 11 October
+ 2016 and made public on 22 November 2016.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.0.M11</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 9.0.0.M10" rtext="5 September 2016">
<p><strong>Low: Unrestricted Access to Global Resources</strong>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
