Author: markt
Date: Wed Jan 31 10:21:58 2018
New Revision: 1822784
URL: http://svn.apache.org/viewvc?rev=1822784&view=rev
Log:
Make CVE-2017-15698 and CVE-2017-15706 public
Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/docs/security-native.html
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml
tomcat/site/trunk/xdocs/security-native.xml
Modified: tomcat/site/trunk/docs/security-7.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1822784&r1=1822783&r2=1822784&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed Jan 31 10:21:58 2018
@@ -208,6 +208,9 @@
<a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.84">Fixed in Apache Tomcat 7.0.84</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_7.0.82">Fixed in Apache Tomcat 7.0.82</a>
</li>
<li>
@@ -373,6 +376,46 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_7.0.84">
+<span class="pull-right">24 January 2018</span> Fixed in Apache Tomcat
7.0.84</h3>
+<div class="text">
+
+
+<p>
+<strong>Low: Incorrectly documented CGI search algorithm</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706"
rel="nofollow">CVE-2017-15706</a>
+</p>
+
+
+<p>
+<i>Note: The issue below was fixed in Apache Tomcat 7.0.83 but the
+ release vote for the 7.0.83 release candidate did not pass. Therefore,
+ although users must download 7.0.84 to obtain a version that includes
+ the fix for this issue, version 7.0.83 is not included in the list of
+ affected versions.</i>
+</p>
+
+
+<p>As part of the fix for bug <a
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=61201">61201</a>, the
description of the
+ search algorithm used by the CGI Servlet to identify which script to
+ execute was updated. The update was not correct. As a result, some
+ scripts may have failed to execute as expected and other scripts may
have
+ been executed unexpectedly. Note that the behaviour of the CGI servlet
+ has remained unchanged in this regard. It is only the documentation of
+ the behaviour that was wrong and has been corrected.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1814828">1814828</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team by Michael
+ Grenier on 17 September 2017 and made public on 31 January 2018.</p>
+
+
+<p>Affects: 7.0.79 to 7.0.82</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_7.0.82">
<span class="pull-right">4 October 2017</span> Fixed in Apache Tomcat
7.0.82</h3>
<div class="text">
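Review bot: the CVE link in the new 7.0.84 section (href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706") and the revision link to svn.apache.org are plain http, while the Bugzilla link in the same block is https. The xdocs source only carries the cve and revlink elements, so the scheme is set wherever those elements are expanded; switching to https there would cover every advisory entry rather than just this one.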
Modified: tomcat/site/trunk/docs/security-8.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1822784&r1=1822783&r2=1822784&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Wed Jan 31 10:21:58 2018
@@ -208,6 +208,12 @@
<a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_8.0.48">Fixed in Apache Tomcat 8.0.48</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_8.5.24">Fixed in Apache Tomcat 8.5.24</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_8.0.47">Fixed in Apache Tomcat 8.0.47</a>
</li>
<li>
@@ -340,6 +346,68 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.0.48">
+<span class="pull-right">12 December 2017</span> Fixed in Apache Tomcat
8.0.48</h3>
+<div class="text">
+
+
+<p>
+<strong>Low: Incorrectly documented CGI search algorithm</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706"
rel="nofollow">CVE-2017-15706</a>
+</p>
+
+
+<p>As part of the fix for bug <a
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=61201">61201</a>, the
description of the
+ search algorithm used by the CGI Servlet to identify which script to
+ execute was updated. The update was not correct. As a result, some
+ scripts may have failed to execute as expected and other scripts may
have
+ been executed unexpectedly. Note that the behaviour of the CGI servlet
+ has remained unchanged in this regard. It is only the documentation of
+ the behaviour that was wrong and has been corrected.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1814827">1814827</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team by Michael
+ Grenier on 17 September 2017 and made public on 31 January 2018.</p>
+
+
+<p>Affects: 8.0.45 to 8.0.47</p>
+
+
+</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.5.24">
+<span class="pull-right">30 November 2017</span> Fixed in Apache Tomcat
8.5.24</h3>
+<div class="text">
+
+
+<p>
+<strong>Low: Incorrectly documented CGI search algorithm</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706"
rel="nofollow">CVE-2017-15706</a>
+</p>
+
+
+<p>As part of the fix for bug <a
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=61201">61201</a>, the
description of the
+ search algorithm used by the CGI Servlet to identify which script to
+ execute was updated. The update was not correct. As a result, some
+ scripts may have failed to execute as expected and other scripts may
have
+ been executed unexpectedly. Note that the behaviour of the CGI servlet
+ has remained unchanged in this regard. It is only the documentation of
+ the behaviour that was wrong and has been corrected.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1814826">1814826</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team by Michael
+ Grenier on 17 September 2017 and made public on 31 January 2018.</p>
+
+
+<p>Affects: 8.5.16 to 8.5.23</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_8.0.47">
<span class="pull-right">4 October 2017</span> Fixed in Apache Tomcat
8.0.47</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-9.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1822784&r1=1822783&r2=1822784&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Wed Jan 31 10:21:58 2018
@@ -208,6 +208,9 @@
<a href="#Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_9.0.2">Fixed in Apache Tomcat 9.0.2</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_9.0.1">Fixed in Apache Tomcat 9.0.1</a>
</li>
<li>
@@ -289,6 +292,37 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_9.0.2">
+<span class="pull-right">30 November 2017</span> Fixed in Apache Tomcat
9.0.2</h3>
+<div class="text">
+
+
+<p>
+<strong>Low: Incorrectly documented CGI search algorithm</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706"
rel="nofollow">CVE-2017-15706</a>
+</p>
+
+
+<p>As part of the fix for bug <a
href="https://bz.apache.org/bugzilla/show_bug.cgi?id=61201">61201</a>, the
description of the
+ search algorithm used by the CGI Servlet to identify which script to
+ execute was updated. The update was not correct. As a result, some
+ scripts may have failed to execute as expected and other scripts may
have
+ been executed unexpectedly. Note that the behaviour of the CGI servlet
+ has remained unchanged in this regard. It is only the documentation of
+ the behaviour that was wrong and has been corrected.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1814825">1814825</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team by Michael
+ Grenier on 17 September 2017 and made public on 31 January 2018.</p>
+
+
+<p>Affects: 9.0.0.M22 to 9.0.1</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_9.0.1">
<span class="pull-right">30 September 2017</span> Fixed in Apache Tomcat
9.0.1</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-native.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-native.html?rev=1822784&r1=1822783&r2=1822784&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-native.html (original)
+++ tomcat/site/trunk/docs/security-native.html Wed Jan 31 10:21:58 2018
@@ -208,6 +208,9 @@
<a href="#Apache_Tomcat_APR/native_Connector_vulnerabilities">Apache Tomcat
APR/native Connector vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_Native_Connector_1.2.16">Fixed in Apache
Tomcat Native Connector 1.2.16</a>
+</li>
+<li>
<a href="#Not_a_vulnerability_in_the_Apache_Tomcat_APR/native_Connector">Not a
vulnerability in the Apache Tomcat APR/native Connector</a>
</li>
</ul>
@@ -238,6 +241,46 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_Native_Connector_1.2.16">Fixed in Apache Tomcat
Native Connector 1.2.16</h3>
+<div class="text">
+
+
+<p>
+<i>Note: The issue below was fixed in Apache Tomcat Native Connector
+ 1.2.15 but the release vote for the 1.2.15 release candidate did not
+ pass. Therefore, although users must download 1.2.16 to obtain a version
+ that includes the fix for this issue, version 1.2.15 is not included in
+ the list of affected versions.</i>
+</p>
+
+
+<p>
+<strong>Moderate: OCSP check omitted</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15698"
rel="nofollow">CVE-2017-15698</a>
+</p>
+
+
+<p>When parsing the AIA-Extension field of a client certificate, the Apache
+ Tomcat Native Connector did not correctly handle fields longer than 127
+ bytes. The result of the parsing error was to skip the OCSP check. It
was
+ therefore possible for client certificates that should have been
rejected
+ (if the OCSP check had been made) to be accepted. Users not using OCSP
+ checks are not affected by this vulnerability.
+ </p>
+
+
+<p>This was fixed in revisions <a
href="http://svn.apache.org/viewvc?view=rev&rev=1815200">1815200</a> and
+ <a
href="http://svn.apache.org/viewvc?view=rev&rev=1815218">1815218</a>.</p>
+
+
+<p>This issue was reported to the Apache Tomcat Security Team by Jonas
+ Klempel on 6 November 2017 and made public on 31 January 2018.</p>
+
+
+<p>Affects: 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34</p>
+
+
+</div>
<h3 id="Not_a_vulnerability_in_the_Apache_Tomcat_APR/native_Connector">Not a
vulnerability in the Apache Tomcat APR/native Connector</h3>
<div class="text">
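Review bot: in the new 1.2.16 section the release-vote note comes before the "Moderate: OCSP check omitted" line, whereas the 7.0.84 section in security-7.html from this same commit puts the severity and CVE line first and the note second. Pick one order for both; leading with the severity and CVE line lets a reader scanning the page see what the entry is about before reaching the caveat on 1.2.15.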
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1822784&r1=1822783&r2=1822784&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed Jan 31 10:21:58 2018
@@ -50,6 +50,35 @@
</section>
+ <section name="Fixed in Apache Tomcat 7.0.84" rtext="24 January 2018">
+
+ <p><strong>Low: Incorrectly documented CGI search algorithm</strong>
+ <cve>CVE-2017-15706</cve></p>
+
+ <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.83 but the
+ release vote for the 7.0.83 release candidate did not pass. Therefore,
+ although users must download 7.0.84 to obtain a version that includes
+ the fix for this issue, version 7.0.83 is not included in the list of
+ affected versions.</i></p>
+
+ <p>As part of the fix for bug <bug>61201</bug>, the description of the
+ search algorithm used by the CGI Servlet to identify which script to
+ execute was updated. The update was not correct. As a result, some
+ scripts may have failed to execute as expected and other scripts may
have
+ been executed unexpectedly. Note that the behaviour of the CGI servlet
+ has remained unchanged in this regard. It is only the documentation of
+ the behaviour that was wrong and has been corrected.</p>
+
+ <p>This was fixed in revision <revlink rev="1814828">1814828</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by Michael
+ Grenier on 17 September 2017 and made public on 31 January 2018.</p>
+
+ <p>Affects: 7.0.79 to 7.0.82</p>
+
+ </section>
+
+
<section name="Fixed in Apache Tomcat 7.0.82" rtext="4 October 2017">
<p><strong>Important: Remote Code Execution</strong>
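Review bot: the description paragraph says other scripts "may have been executed unexpectedly" but gives an administrator nothing to act on, and because it also states that the behaviour of the CGI servlet is unchanged, upgrading alone does not alter which script runs. Suggest adding a sentence after "has been corrected" asking users who configured the CGI servlet from the 7.0.79 to 7.0.82 documentation to re-check their deployed scripts against the corrected description of the search algorithm.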
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1822784&r1=1822783&r2=1822784&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Wed Jan 31 10:21:58 2018
@@ -50,6 +50,50 @@
</section>
+ <section name="Fixed in Apache Tomcat 8.0.48" rtext="12 December 2017">
+
+ <p><strong>Low: Incorrectly documented CGI search algorithm</strong>
+ <cve>CVE-2017-15706</cve></p>
+
+ <p>As part of the fix for bug <bug>61201</bug>, the description of the
+ search algorithm used by the CGI Servlet to identify which script to
+ execute was updated. The update was not correct. As a result, some
+ scripts may have failed to execute as expected and other scripts may
have
+ been executed unexpectedly. Note that the behaviour of the CGI servlet
+ has remained unchanged in this regard. It is only the documentation of
+ the behaviour that was wrong and has been corrected.</p>
+
+ <p>This was fixed in revision <revlink rev="1814827">1814827</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by Michael
+ Grenier on 17 September 2017 and made public on 31 January 2018.</p>
+
+ <p>Affects: 8.0.45 to 8.0.47</p>
+
+ </section>
+
+ <section name="Fixed in Apache Tomcat 8.5.24" rtext="30 November 2017">
+
+ <p><strong>Low: Incorrectly documented CGI search algorithm</strong>
+ <cve>CVE-2017-15706</cve></p>
+
+ <p>As part of the fix for bug <bug>61201</bug>, the description of the
+ search algorithm used by the CGI Servlet to identify which script to
+ execute was updated. The update was not correct. As a result, some
+ scripts may have failed to execute as expected and other scripts may
have
+ been executed unexpectedly. Note that the behaviour of the CGI servlet
+ has remained unchanged in this regard. It is only the documentation of
+ the behaviour that was wrong and has been corrected.</p>
+
+ <p>This was fixed in revision <revlink rev="1814826">1814826</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by Michael
+ Grenier on 17 September 2017 and made public on 31 January 2018.</p>
+
+ <p>Affects: 8.5.16 to 8.5.23</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 8.0.47" rtext="4 October 2017">
<p><strong>Important: Remote Code Execution</strong>
Modified: tomcat/site/trunk/xdocs/security-9.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1822784&r1=1822783&r2=1822784&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Wed Jan 31 10:21:58 2018
@@ -50,6 +50,28 @@
</section>
+ <section name="Fixed in Apache Tomcat 9.0.2" rtext="30 November 2017">
+
+ <p><strong>Low: Incorrectly documented CGI search algorithm</strong>
+ <cve>CVE-2017-15706</cve></p>
+
+ <p>As part of the fix for bug <bug>61201</bug>, the description of the
+ search algorithm used by the CGI Servlet to identify which script to
+ execute was updated. The update was not correct. As a result, some
+ scripts may have failed to execute as expected and other scripts may
have
+ been executed unexpectedly. Note that the behaviour of the CGI servlet
+ has remained unchanged in this regard. It is only the documentation of
+ the behaviour that was wrong and has been corrected.</p>
+
+ <p>This was fixed in revision <revlink rev="1814825">1814825</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by Michael
+ Grenier on 17 September 2017 and made public on 31 January 2018.</p>
+
+ <p>Affects: 9.0.0.M22 to 9.0.1</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 9.0.1" rtext="30 September 2017">
<p><strong>Important: Remote Code Execution</strong>
Modified: tomcat/site/trunk/xdocs/security-native.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-native.xml?rev=1822784&r1=1822783&r2=1822784&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-native.xml (original)
+++ tomcat/site/trunk/xdocs/security-native.xml Wed Jan 31 10:21:58 2018
@@ -32,6 +32,35 @@
</section>
+ <section name="Fixed in Apache Tomcat Native Connector 1.2.16">
+
+ <p><i>Note: The issue below was fixed in Apache Tomcat Native Connector
+ 1.2.15 but the release vote for the 1.2.15 release candidate did not
+ pass. Therefore, although users must download 1.2.16 to obtain a version
+ that includes the fix for this issue, version 1.2.15 is not included in
+ the list of affected versions.</i></p>
+
+ <p><strong>Moderate: OCSP check omitted</strong>
+ <cve>CVE-2017-15698</cve></p>
+
+ <p>When parsing the AIA-Extension field of a client certificate, the Apache
+ Tomcat Native Connector did not correctly handle fields longer than 127
+ bytes. The result of the parsing error was to skip the OCSP check. It
was
+ therefore possible for client certificates that should have been
rejected
+ (if the OCSP check had been made) to be accepted. Users not using OCSP
+ checks are not affected by this vulnerability.
+ </p>
+
+ <p>This was fixed in revisions <revlink rev="1815200">1815200</revlink> and
+ <revlink rev="1815218">1815218</revlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by Jonas
+ Klempel on 6 November 2017 and made public on 31 January 2018.</p>
+
+ <p>Affects: 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34</p>
+
+ </section>
+
<section name="Not a vulnerability in the Apache Tomcat APR/native
Connector">
<p><strong>TLS SSL Man In The Middle</strong>
<cve>CVE-2009-3555</cve></p>
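Review bot: the new section element for "Fixed in Apache Tomcat Native Connector 1.2.16" has no rtext attribute, so the generated heading carries no release date, unlike the 7.0.84, 8.0.48, 8.5.24 and 9.0.2 sections added in this commit. If the native page is meant to stay undated that is fine; otherwise add the 1.2.16 release date so readers can place the fix relative to the 6 November 2017 report and the 31 January 2018 disclosure.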