Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1842754&r1=1842753&r2=1842754&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Wed Oct 3 19:49:05 2018 @@ -50,6 +50,25 @@ </section> + <section name="Fixed in Apache Tomcat 7.0.91" rtext="19 September 2018"> + + <p><strong>Moderate: Open Redirect</strong> + <cve>CVE-2018-11784</cve></p> + + <p>When the default servlet returned a redirect to a directory (e.g. + redirecting to <code>/foo/</code> when the user requested + <code>/foo</code>) a specially crafted URL could be used to cause the + redirect to be generated to any URI of the attackers choice.</p> + + <p>This was fixed in revision <revlink rev="1840057">1840057</revlink>.</p> + + <p>This issue was reported to the Apache Tomcat Security Team by Sergey + Bobrov on 28 August 2018 and made public on 3 October 2018.</p> + + <p>Affects: 7.0.23 to 7.0.90</p> + + </section> + <section name="Fixed in Apache Tomcat 7.0.90" rtext="7 July 2018"> <p><strong>Low: host name verification missing in WebSocket client</strong>
Modified: tomcat/site/trunk/xdocs/security-8.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1842754&r1=1842753&r2=1842754&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-8.xml (original) +++ tomcat/site/trunk/xdocs/security-8.xml Wed Oct 3 19:49:05 2018 @@ -50,6 +50,25 @@ </section> + <section name="Fixed in Apache Tomcat 8.5.34" rtext="10 September 2018"> + + <p><strong>Moderate: Open Redirect</strong> + <cve>CVE-2018-11784</cve></p> + + <p>When the default servlet returned a redirect to a directory (e.g. + redirecting to <code>/foo/</code> when the user requested + <code>/foo</code>) a specially crafted URL could be used to cause the + redirect to be generated to any URI of the attackers choice.</p> + + <p>This was fixed in revision <revlink rev="1840056">1840056</revlink>.</p> + + <p>This issue was reported to the Apache Tomcat Security Team by Sergey + Bobrov on 28 August 2018 and made public on 3 October 2018.</p> + + <p>Affects: 8.5.0 to 8.5.33</p> + + </section> + <section name="Fixed in Apache Tomcat 8.0.53" rtext="6 July 2018"> <p><strong>Low: host name verification missing in WebSocket client</strong> Modified: tomcat/site/trunk/xdocs/security-9.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1842754&r1=1842753&r2=1842754&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-9.xml (original) +++ tomcat/site/trunk/xdocs/security-9.xml Wed Oct 3 19:49:05 2018 
@@ -50,6 +50,25 @@ </section> + <section name="Fixed in Apache Tomcat 9.0.12" rtext="10 September 2018"> + + <p><strong>Moderate: Open Redirect</strong> + <cve>CVE-2018-11784</cve></p> + + <p>When the default servlet returned a redirect to a directory (e.g. + redirecting to <code>/foo/</code> when the user requested + <code>/foo</code>) a specially crafted URL could be used to cause the + redirect to be generated to any URI of the attackers choice.</p> + + <p>This was fixed in revision <revlink rev="1840055">1840055</revlink>.</p> + + <p>This issue was reported to the Apache Tomcat Security Team by Sergey + Bobrov on 28 August 2018 and made public on 3 October 2018.</p> + + <p>Affects: 9.0.0.M1 to 9.0.11</p> + + </section> + <section name="Fixed in Apache Tomcat 9.0.10" rtext="25 June 2018"> <p><strong>Low: host name verification missing in WebSocket client</strong> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
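Review bot: the description paragraph in the new 7.0.91 section has a typo, "any URI of the attackers choice" should read "any URI of the attacker's choice"; the same sentence is duplicated verbatim in the security-8.xml and security-9.xml hunks, so please fix it in all three files in this commit rather than leaving the advisory text inconsistent across the pages.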
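Review bot: the security-8.xml hunk adds only a "Fixed in Apache Tomcat 8.5.34" section, while the surrounding file also tracks the 8.0.x line (the adjacent "Fixed in Apache Tomcat 8.0.53" section); the hunk gives no indication whether 8.0.x is affected by CVE-2018-11784 or not. Either add the corresponding 8.0.x entry with its own Affects and revision lines, or state explicitly in the 8.5.34 section that 8.0.x is not affected, so readers of the 8.x page are not left to guess.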