Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1825106&r1=1825105&r2=1825106&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Fri Feb 23 00:25:01 2018 
@@ -50,6 +50,46 @@ </section> + <section name="Fixed in Apache Tomcat 7.0.85" rtext="13 February 2018"> + + <p><strong>High: Security constraint annotations applied too late</strong> + <cve>CVE-2018-1305</cve></p> + + <p>Security constraints defined by annotations of Servlets were only applied + once a Servlet had been loaded. Because security constraints defined in + this way apply to the URL pattern and any URLs below that point, it was + possible - depending on the order Servlets were loaded - for some + security constraints not to be applied. This could have exposed resources + to users who were not authorised to access them.</p> + + <p>This was fixed in revisions <revlink rev="1823322">1823322</revlink> and + <revlink rev="1824360">1824360</revlink>.</p> + + <p>This issue was by the Apache Tomcat Security on 1 February 2018 and made + public on 23 February 2018.</p> + + <p>Affects: 8.0.0.RC1 to 8.0.49</p> + + <p><strong>High: Security constraints mapped to context root are + ignored</strong> <cve>CVE-2018-1304</cve></p> + + <p>The URL pattern of "" (the empty string) which exactly maps to the + context root was not correctly handled when used as part of a security + constraint definition. This caused the constraint to be ignored. It was, + therefore, possible for unauthorised users to gain access to web + application resources that should have been protected. Only security + constraints with a URL pattern of the empty string were affected.</p> + + <p>This was fixed in revision <revlink rev="1823309">1823309</revlink>.</p> + + <p>This issue was reported publicly as <bug>62067</bug> on 31 January 2018 + and the security implications identified by the Apache Tomcat Security + Team the same day. It was made public on 23 February 2018.</p> + + <p>Affects: 7.0.0 to 7.0.84</p> + + </section> + <section name="Fixed in Apache Tomcat 7.0.84" rtext="24 January 2018"> <p><strong>Low: Incorrectly documented CGI search algorithm</strong>
Modified: tomcat/site/trunk/xdocs/security-8.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1825106&r1=1825105&r2=1825106&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-8.xml (original) +++ tomcat/site/trunk/xdocs/security-8.xml Fri Feb 23 00:25:01 2018 
@@ -50,6 +50,86 @@ </section> + <section name="Fixed in Apache Tomcat 8.0.50" rtext="13 February 2018"> + + <p><strong>High: Security constraint annotations applied too late</strong> + <cve>CVE-2018-1305</cve></p> + + <p>Security constraints defined by annotations of Servlets were only applied + once a Servlet had been loaded. Because security constraints defined in + this way apply to the URL pattern and any URLs below that point, it was + possible - depending on the order Servlets were loaded - for some + security constraints not to be applied. This could have exposed resources + to users who were not authorised to access them.</p> + + <p>This was fixed in revisions <revlink rev="1823319">1823319</revlink> and + <revlink rev="1824359">1824359</revlink>.</p> + + <p>This issue was by the Apache Tomcat Security on 1 February 2018 and made + public on 23 February 2018.</p> + + <p>Affects: 8.0.0.RC1 to 8.0.49</p> + + <p><strong>High: Security constraints mapped to context root are + ignored</strong> <cve>CVE-2018-1304</cve></p> + + <p>The URL pattern of "" (the empty string) which exactly maps to the + context root was not correctly handled when used as part of a security + constraint definition. This caused the constraint to be ignored. It was, + therefore, possible for unauthorised users to gain access to web + application resources that should have been protected. Only security + constraints with a URL pattern of the empty string were affected.</p> + + <p>This was fixed in revision <revlink rev="1823308">1823308</revlink>.</p> + + <p>This issue was reported publicly as <bug>62067</bug> on 31 January 2018 + and the security implications identified by the Apache Tomcat Security + Team the same day. 
It was made public on 23 February 2018.</p> + + <p>Affects: 8.0.0.RC1 to 8.0.49</p> + + </section> + + <section name="Fixed in Apache Tomcat 8.5.28" rtext="11 February 2018"> + + <p><strong>High: Security constraint annotations applied too late</strong> + <cve>CVE-2018-1305</cve></p> + + <p>Security constraints defined by annotations of Servlets were only applied + once a Servlet had been loaded. Because security constraints defined in + this way apply to the URL pattern and any URLs below that point, it was + possible - depending on the order Servlets were loaded - for some + security constraints not to be applied. This could have exposed resources + to users who were not authorised to access them.</p> + + <p>This was fixed in revisions <revlink rev="1823314">1823314</revlink> and + <revlink rev="1824358">1824358</revlink>.</p> + + <p>This issue was by the Apache Tomcat Security on 1 February 2018 and made + public on 23 February 2018.</p> + + <p>Affects: 8.5.0 to 8.5.27</p> + + <p><strong>High: Security constraints mapped to context root are + ignored</strong> <cve>CVE-2018-1304</cve></p> + + <p>The URL pattern of "" (the empty string) which exactly maps to the + context root was not correctly handled when used as part of a security + constraint definition. This caused the constraint to be ignored. It was, + therefore, possible for unauthorised users to gain access to web + application resources that should have been protected. Only security + constraints with a URL pattern of the empty string were affected.</p> + + <p>This was fixed in revision <revlink rev="1823307">1823307</revlink>.</p> + + <p>This issue was reported publicly as <bug>62067</bug> on 31 January 2018 + and the security implications identified by the Apache Tomcat Security + Team the same day. 
It was made public on 23 February 2018.</p> + + <p>Affects: 8.5.0 to 8.5.27</p> + + </section> + <section name="Fixed in Apache Tomcat 8.0.48" rtext="12 December 2017"> <p><strong>Low: Incorrectly documented CGI search algorithm</strong> Modified: tomcat/site/trunk/xdocs/security-9.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1825106&r1=1825105&r2=1825106&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-9.xml (original) +++ tomcat/site/trunk/xdocs/security-9.xml Fri Feb 23 00:25:01 2018 
@@ -50,6 +50,46 @@ </section> + <section name="Fixed in Apache Tomcat 9.0.5" rtext="11 February 2018"> + + <p><strong>High: Security constraint annotations applied too late</strong> + <cve>CVE-2018-1305</cve></p> + + <p>Security constraints defined by annotations of Servlets were only applied + once a Servlet had been loaded. Because security constraints defined in + this way apply to the URL pattern and any URLs below that point, it was + possible - depending on the order Servlets were loaded - for some + security constraints not to be applied. This could have exposed resources + to users who were not authorised to access them.</p> + + <p>This was fixed in revisions <revlink rev="1823310">1823310</revlink> and + <revlink rev="1824323">1824323</revlink>.</p> + + <p>This issue was by the Apache Tomcat Security on 1 February 2018 and made + public on 23 February 2018.</p> + + <p>Affects: 9.0.0.M1 to 9.0.4</p> + + <p><strong>High: Security constraints mapped to context root are + ignored</strong> <cve>CVE-2018-1304</cve></p> + + <p>The URL pattern of "" (the empty string) which exactly maps to the + context root was not correctly handled when used as part of a security + constraint definition. This caused the constraint to be ignored. It was, + therefore, possible for unauthorised users to gain access to web + application resources that should have been protected. Only security + constraints with a URL pattern of the empty string were affected.</p> + + <p>This was fixed in revision <revlink rev="1823306">1823306</revlink>.</p> + + <p>This issue was reported publicly as <bug>62067</bug> on 31 January 2018 + and the security implications identified by the Apache Tomcat Security + Team the same day. 
It was made public on 23 February 2018.</p> + + <p>Affects: 9.0.0.M1 to 9.0.4</p> + + </section> + <section name="Fixed in Apache Tomcat 9.0.2" rtext="30 November 2017"> <p><strong>Low: Incorrectly documented CGI search algorithm</strong>
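Review bot: In the security-7.xml hunk, the CVE-2018-1305 entry under "Fixed in Apache Tomcat 7.0.85" ends with "Affects: 8.0.0.RC1 to 8.0.49", an 8.0.x range on the 7.0.x page that matches the line in the security-8.xml hunk word for word, so it looks like a copy-paste leftover. The CVE-2018-1304 entry in the same section lists "Affects: 7.0.0 to 7.0.84"; please confirm the affected 7.0.x range for CVE-2018-1305 and correct the line, since readers use it to decide whether they need to upgrade. The sentence "This issue was by the Apache Tomcat Security on 1 February 2018" in the same entry is also missing its verb and the word "Team".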
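Review bot: In the security-8.xml hunk, both CVE-2018-1305 entries (the 8.0.50 and 8.5.28 sections) read "This issue was by the Apache Tomcat Security on 1 February 2018", which drops the verb and "Team" and leaves it unclear whether the issue was reported to the team or identified by it. The CVE-2018-1304 entries in the same hunk use "identified by the Apache Tomcat Security Team"; use matching wording here if that is what happened.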
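Review bot: In the security-9.xml hunk, the CVE-2018-1305 entry in the 9.0.5 section has the incomplete sentence "This issue was by the Apache Tomcat Security on 1 February 2018". Add the missing verb and "Team" so the disclosure timeline reads the same way as the CVE-2018-1304 entry directly below it.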