Author: markt
Date: Thu Oct 18 04:44:53 2007
New Revision: 585934

URL: http://svn.apache.org/viewvc?rev=585934&view=rev
Log:
Fix CVE-2007-5461.

Modified:
    tomcat/tc6.0.x/trunk/STATUS
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/STATUS
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=585934&r1=585933&r2=585934&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS (original)
+++ tomcat/tc6.0.x/trunk/STATUS Thu Oct 18 04:44:53 2007
@@ -42,11 +42,6 @@
   +1: fhanik,funkman
   -1: 
   
-* Fix important vulnerability when webdav is enabled for write
-  Patch: http://marc.info/?l=tomcat-dev&m=119245116910632&w=2
-  +1: markt, funkman, remm, fhanik
-  -1: 
-
 * Fix for JDT update: update jdt.jar in build.properties.default to:
   jdt.jar=${jdt.lib}/org.eclipse.jdt.core_3.3.1.v_780_R33x.jar
   +1: remm, fhanik,funkman, pero
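Review bot: The removed STATUS entry describes the issue as a vulnerability "when webdav is enabled for write", while the changelog entry in this same commit calls it an "information disclosure vulnerability"; with the vote block gone, the marc.info patch link is the only record of the original wording, so it would help future readers to reconcile the two descriptions (for example by stating in the changelog under which WebDAV configuration the issue is reachable).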

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java?rev=585934&r1=585933&r2=585934&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java Thu Oct 18 04:44:53 2007
@@ -243,6 +243,7 @@
         try {
             documentBuilderFactory = DocumentBuilderFactory.newInstance();
             documentBuilderFactory.setNamespaceAware(true);
+            documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder = documentBuilderFactory.newDocumentBuilder();
         } catch(ParserConfigurationException e) {
             throw new ServletException
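Review bot: `setExpandEntityReferences(false)` on its own is a weak mitigation for external entity resolution: it controls whether entity references are expanded inline in the resulting DOM (on Xerces it maps to creating EntityReference nodes instead), but the parser can still resolve the DOCTYPE and fetch external entities while building the tree, so the file or URL content may still be read even if it is not flattened into the document. For the WebDAV request bodies parsed here a stronger setting is to reject DTDs entirely, e.g. `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` (and, where a DOCTYPE must be tolerated, `setFeature("http://xml.org/sax/features/external-general-entities", false)` plus an `EntityResolver` on the `DocumentBuilder` that returns an empty `InputSource`). `setFeature` throws `ParserConfigurationException`, which the existing `catch` already handles, so the change fits the surrounding block without further restructuring.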

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=585934&r1=585933&r2=585934&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Oct 18 04:44:53 2007
@@ -159,6 +159,10 @@
         Fix WebDAV Servlet so it works correctly with MS clients. (markt)
       </fix>
       <fix>
+        Fix CVE-2007-5461, an important information disclosure vulnerability in
+        the WebDAV Servlet. (markt)
+      </fix>
+      <fix>
         <bug>42979</bug>: Update sample.war to include recent security fixes
         in the source code. (markt)
       </fix>
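Review bot: The changelog entry names the CVE and severity but not what was changed, so an administrator reading it cannot tell whether a deployment is affected; adding a clause such as "the WebDAV Servlet no longer expands XML entity references in request bodies" would let readers judge their exposure. Unlike the neighbouring entry, there is also no `<bug>` reference; if a Bugzilla id exists for this issue it should be added for consistency.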
