Author: jfclere
Date: Sun Jul 22 07:26:01 2018
New Revision: 1836421

URL: http://svn.apache.org/viewvc?rev=1836421&view=rev
Log:
add the missing CVE to Tomcat 8.0.x release.

Modified: tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/xdocs/security-8.xml Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1836421&r1=1836420&r2=1836421&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Sun Jul 22 07:26:01 2018 @@ -228,6 +228,9 @@ <a href="#Fixed_in_Apache_Tomcat_8.5.32">Fixed in Apache Tomcat 8.5.32</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_8.0.52">Fixed in Apache Tomcat 8.0.52</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_8.0.50">Fixed in Apache Tomcat 8.0.50</a> </li> <li> @@ -373,8 +376,28 @@ </div> <h3 id="Fixed_in_Apache_Tomcat_8.0.53"> -<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 8.0.53</h3> +<span class="pull-right">6 July 2018</span> Fixed in Apache Tomcat 8.0.53</h3> <div class="text"> + + +<p> +<strong>Low: host name verification missing in WebSocket client</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034" rel="nofollow">CVE-2018-8034</a> +</p> + + +<p>The host name verification when using TLS with the WebSocket client was + missing. It is now enabled by default.</p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1833759">1833759</a>.</p> + + +<p>This issue was reported publicly on 11 June 2018 and formally announced as + a vulnerability on 22 July 2018.</p> + + +<p>Affects: 8.0.0.RC1 to 8.0.52</p> <p> @@ -399,7 +422,7 @@ </div> <h3 id="Fixed_in_Apache_Tomcat_8.5.32"> -<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 8.5.32</h3> +<span class="pull-right">26 June 2018</span> Fixed in Apache Tomcat 8.5.32</h3> <div class="text"> 
@@ -424,6 +447,33 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_8.0.52"> +<span class="pull-right">08 May 2018</span> Fixed in Apache Tomcat 8.0.52</h3> +<div class="text"> + + +<p> +<strong>Important: A bug in the UTF-8 decoder can lead to DoS</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336" rel="nofollow">CVE-2018-1336</a> +</p> + + +<p>An improper handing of overflow in the UTF-8 decoder with + supplementary characters can lead to an infinite loop in the + decoder causing a Denial of Service.</p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1830375">1830375</a>.</p> + + +<p>This issue was reported publicly on 6 April 2018 and formally announced as + a vulnerability on 22 July 2018.</p> + + +<p>Affects: 8.0.0.RC1 to 8.0.51</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_8.0.50"> <span class="pull-right">13 February 2018</span> Fixed in Apache Tomcat 8.0.50</h3> <div class="text"> Modified: tomcat/site/trunk/xdocs/security-8.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1836421&r1=1836420&r2=1836421&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-8.xml (original) +++ tomcat/site/trunk/xdocs/security-8.xml Sun Jul 22 07:26:01 2018 
@@ -50,7 +50,20 @@ </section> - <section name="Fixed in Apache Tomcat 8.0.53" rtext="not yet released"> + <section name="Fixed in Apache Tomcat 8.0.53" rtext="6 July 2018"> + + <p><strong>Low: host name verification missing in WebSocket client</strong> + <cve>CVE-2018-8034</cve></p> + + <p>The host name verification when using TLS with the WebSocket client was + missing. It is now enabled by default.</p> + + <p>This was fixed in revision <revlink rev="1833759">1833759</revlink>.</p> + + <p>This issue was reported publicly on 11 June 2018 and formally announced as + a vulnerability on 22 July 2018.</p> + + <p>Affects: 8.0.0.RC1 to 8.0.52</p> <p><strong>Low: CORS filter has insecure defaults</strong> <cve>CVE-2018-8014</cve></p> @@ -68,7 +81,7 @@ </section> - <section name="Fixed in Apache Tomcat 8.5.32" rtext="not yet released"> + <section name="Fixed in Apache Tomcat 8.5.32" rtext="26 June 2018"> <p><strong>Low: CORS filter has insecure defaults</strong> <cve>CVE-2018-8014</cve></p> @@ -86,6 +99,24 @@ </section> + <section name="Fixed in Apache Tomcat 8.0.52" rtext="08 May 2018"> + + <p><strong>Important: A bug in the UTF-8 decoder can lead to DoS</strong> + <cve>CVE-2018-1336</cve></p> + + <p>An improper handing of overflow in the UTF-8 decoder with + supplementary characters can lead to an infinite loop in the + decoder causing a Denial of Service.</p> + + <p>This was fixed in revision <revlink rev="1830375">1830375</revlink>.</p> + + <p>This issue was reported publicly on 6 April 2018 and formally announced as + a vulnerability on 22 July 2018.</p> + + <p>Affects: 8.0.0.RC1 to 8.0.51</p> + + </section> + <section name="Fixed in Apache Tomcat 8.0.50" rtext="13 February 2018"> <p><strong>Important: Security constraint annotations applied too --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
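Review bot: the CVE-2018-8034 entry added under "Fixed in Apache Tomcat 8.0.53" (security-8.xml @@ -50,7 +50,20 @@, repeated in security-8.html @@ -373,8 +376,28 @@) says host name verification "is now enabled by default" but does not name the setting that controls it. Since "by default" implies the check can be switched off, consider adding a sentence that points to where that option is documented, so that readers can confirm their TLS WebSocket client connections really do verify the server's host name after moving to 8.0.53.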
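Review bot: the rtext change on "Fixed in Apache Tomcat 8.5.32" from "not yet released" to "26 June 2018" (security-8.xml @@ -68,7 +81,7 @@, security-8.html @@ -399,7 +422,7 @@) is not covered by the log message, which only mentions adding the missing CVE to the 8.0.x release. Either mention the release date updates for 8.5.32 and 8.0.53 in the log or commit them separately, so the point at which each section was marked as released is easy to find in the history.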
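Review bot: "An improper handing of overflow" in the new CVE-2018-1336 paragraph should read "handling" (security-8.xml @@ -86,6 +99,24 @@, repeated in security-8.html @@ -424,6 +447,33 @@); correct it in both files. The same new section gives its release date as "08 May 2018" with a leading zero, while the other dates added in this patch are written "6 July 2018" and "6 April 2018"; pick one form and use it throughout.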