Author: markt
Date: Sat May 19 06:39:27 2007
New Revision: 539752

URL: http://svn.apache.org/viewvc?view=rev&rev=539752
Log:
Add cross-reference to CVE-2007-0450
Minor layout changes for consistency

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-jk.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-jk.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?view=diff&rev=539752&r1=539751&r2=539752
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Sat May 19 06:39:27 2007
@@ -322,6 +322,11 @@
        CVE-2007-0450</a>
 </p>
 
+    <p>The fix for this issue was insufficient. A fix was also required in the
+       JK connector module for httpd. See 
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860";>
+       CVE-2007-1860</a> for further information.</p>
+
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is 
used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
        mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
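Review bot: The added paragraph sits above the "Tomcat permits '\', '%2F' and '%5C' as path delimiters" description, so a reader is told the fix was insufficient before being told what the issue is. Consider moving it below the description of the issue, or naming which fix is meant ("The fix for this issue in Tomcat was insufficient ...").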

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?view=diff&rev=539752&r1=539751&r2=539752
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Sat May 19 06:39:27 2007
@@ -269,6 +269,11 @@
        CVE-2007-0450</a>
 </p>
 
+    <p>The fix for this issue was insufficient. A fix was also required in the
+       JK connector module for httpd. See 
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860";>
+       CVE-2007-1860</a> for further information.</p>
+
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is 
used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
        mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
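Review bot: The cross-reference in the added paragraph links only to cve.mitre.org, while this commit also touches security-jk.html, which carries the project's own entry for CVE-2007-1860 and its "Affects" range. Linking to that page, in addition to or instead of the external CVE entry, would point readers at the affected JK versions directly.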

Modified: tomcat/site/trunk/docs/security-jk.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?view=diff&rev=539752&r1=539751&r2=539752
==============================================================================
--- tomcat/site/trunk/docs/security-jk.html (original)
+++ tomcat/site/trunk/docs/security-jk.html Sat May 19 06:39:27 2007
@@ -224,9 +224,13 @@
     <p>
 <strong>important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860";>
-       CVE-2007-1860 (patch for CVE-2007-0450 was insufficient)</a>
+       CVE-2007-1860</a>
 </p>
 
+    <p>The issue is related to
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450";>
+       CVE-2007-0450</a>, the patch for which was insufficient.</p>
+
     <p>When multiple components (firewalls, caches, proxies and Tomcat)
        process a request, the request URL should not get decoded multiple times
        in an iterative way by these components. Otherwise it might be possible
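Review bot: "The issue is related to CVE-2007-0450" in the new paragraph is weaker than the link text it replaces, which said outright that the patch for CVE-2007-0450 was insufficient. The Tomcat pages in this commit say "A fix was also required in the JK connector module for httpd"; wording this side to match would make the relationship explicit in both directions.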
@@ -251,7 +255,9 @@
        interoperability with mod_rewrite.
        </p>
 
-    <p>Affects: All versions of JK, but only the Apache httpd mod_jk module</p>
+    <p>Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only)<br/>
+       Source shipped with Tomcat 4.0.1-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
+       5.5.0-5.5.23</p>
 
   </blockquote>
 </p>
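Review bot: The new second line of the "Affects" paragraph, "Source shipped with Tomcat 4.0.1-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30, 5.5.0-5.5.23", does not say what a user of those Tomcat releases should conclude. Since the first line restricts the issue to the httpd mod_jk module, state whether the shipped source matters only to people who built mod_jk from those source distributions.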

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?view=diff&rev=539752&r1=539751&r2=539752
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Sat May 19 06:39:27 2007
@@ -76,6 +76,11 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450";>
        CVE-2007-0450</a></p>
 
+    <p>The fix for this issue was insufficient. A fix was also required in the
+       JK connector module for httpd. See 
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860";>
+       CVE-2007-1860</a> for further information.</p>
+
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is 
used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
        mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 
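Review bot: Every href in this hunk, the new <a> line and the context line above it alike, appears here as href="...";> with a ';' between the closing quote and '>'. That is probably introduced by the mail rendering, but it is worth confirming against the repository, because a ';' at that position would make the xdocs source not well-formed XML.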

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?view=diff&rev=539752&r1=539751&r2=539752
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Sat May 19 06:39:27 2007
@@ -48,6 +48,11 @@
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450";>
        CVE-2007-0450</a></p>
 
+    <p>The fix for this issue was insufficient. A fix was also required in the
+       JK connector module for httpd. See 
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860";>
+       CVE-2007-1860</a> for further information.</p>
+
     <p>Tomcat permits '\', '%2F' and '%5C' as path delimiters. When Tomcat is 
used 
        behind a proxy (including, but not limited to, Apache HTTP server with 
        mod_proxy and mod_jk) configured to only proxy some contexts, a HTTP 
request 

Modified: tomcat/site/trunk/xdocs/security-jk.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-jk.xml?view=diff&rev=539752&r1=539751&r2=539752
==============================================================================
--- tomcat/site/trunk/xdocs/security-jk.xml (original)
+++ tomcat/site/trunk/xdocs/security-jk.xml Sat May 19 06:39:27 2007
@@ -27,7 +27,11 @@
   <section name="Fixed in Apache Tomcat JK Connector 1.2.23">
     <p><strong>important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860";>
-       CVE-2007-1860 (patch for CVE-2007-0450 was insufficient)</a></p>
+       CVE-2007-1860</a></p>
+
+    <p>The issue is related to
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450";>
+       CVE-2007-0450</a>, the patch for which was insufficient.</p>
 
     <p>When multiple components (firewalls, caches, proxies and Tomcat)
        process a request, the request URL should not get decoded multiple times
@@ -53,7 +57,9 @@
        interoperability with mod_rewrite.
        </p>
 
-    <p>Affects: All versions of JK, but only the Apache httpd mod_jk module</p>
+    <p>Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only)<br/>
+       Source shipped with Tomcat 4.0.1-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30,
+       5.5.0-5.5.23</p>
 
   </section>
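Review bot: The "Affects" line changes from "All versions of JK" to "JK 1.2.0-1.2.22", which is a change to the advisory's content, yet the log message mentions only a cross-reference and "Minor layout changes". Mention the narrowed version range in the log, or commit it separately, so the change to the affected range can be found in the history.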
 


