Author: markt
Date: Mon Mar 10 15:05:18 2008
New Revision: 635720

URL: http://svn.apache.org/viewvc?rev=635720&view=rev
Log:
Add CVE-2008-0128 which was missing.
Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-4.xml tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-4.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=635720&r1=635719&r2=635720&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-4.html (original) +++ tomcat/site/trunk/docs/security-4.html Mon Mar 10 15:05:18 2008 @@ -3,19 +3,19 @@ <html> <head> <title>Apache Tomcat - Apache Tomcat 4.x vulnerabilities</title> -<meta value="Apache Tomcat Project" name="author" /> -<meta value="" name="email" /> -<link rel="stylesheet" href="stylesheets/tomcat.css" type="text/css" /> -<link media="print" rel="stylesheet" href="stylesheets/tomcat-printer.css" type="text/css" /> +<meta name="author" value="Apache Tomcat Project"/> +<meta name="email" value=""/> +<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/> +<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/> </head> -<body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff"> -<table cellspacing="0" width="100%" border="0"> +<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"> +<table border="0" width="100%" cellspacing="0"> <!--PAGE HEADER--> <tr> <td> <!--PROJECT LOGO--> <a href="http://tomcat.apache.org/"> -<img border="0" alt="Tomcat Logo" align="left" src="./images/tomcat.gif" /> +<img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"/> </a> </td> <td> 
@@ -26,28 +26,28 @@ <td> <!--APACHE LOGO--> <a href="http://www.apache.org/"> -<img border="0" alt="Apache Logo" align="right" src="http://www.apache.org/images/asf-logo.gif" /> +<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/> </a> </td> </tr> </table> <div class="searchbox noPrint"> -<form method="get" action="http://www.google.com/search"> -<input type="hidden" name="sitesearch" value="tomcat.apache.org" /> -<input type="text" id="query" name="q" size="25" value="Search the Site" /> -<input type="submit" value="Search Site" name="Search" /> +<form action="http://www.google.com/search" method="get"> +<input value="tomcat.apache.org" name="sitesearch" type="hidden"/> +<input value="Search the Site" size="25" name="q" id="query" type="text"/> +<input name="Search" value="Search Site" type="submit"/> </form> </div> -<table cellspacing="4" width="100%" border="0"> +<table border="0" width="100%" cellspacing="4"> <!--HEADER SEPARATOR--> <tr> <td colspan="2"> -<hr size="1" noshade="" /> +<hr noshade="" size="1"/> </td> </tr> <tr> <!--LEFT SIDE NAVIGATION--> -<td class="noPrint" nowrap="true" valign="top" width="20%"> +<td width="20%" valign="top" nowrap="true" class="noPrint"> <p> <strong>Apache Tomcat</strong> </p> @@ -182,11 +182,11 @@ </ul> </td> <!--RIGHT SIDE MAIN BODY--> -<td id="mainBody" align="left" valign="top" width="80%"> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<td width="80%" valign="top" align="left" id="mainBody"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Apache Tomcat 4.x vulnerabilities"> <strong>Apache Tomcat 4.x vulnerabilities</strong> </a> 
@@ -219,14 +219,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Will not be fixed in Apache Tomcat 4.1.x"> <strong>Will not be fixed in Apache Tomcat 4.1.x</strong> </a> @@ -259,14 +259,51 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> +<a name="Not fixed in Apache Tomcat 4.1.x"> +<strong>Not fixed in Apache Tomcat 4.1.x</strong> +</a> +</font> +</td> +</tr> +<tr> +<td> +<p> +<blockquote> + <p> +<strong>moderate: Session hi-jacking</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"> + CVE-2008-0128</a> +</p> + + <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is + transmitted without the "secure" attribute, resulting in it being + transmitted to any content that is - by purpose or error - requested via + http from the same server. </p> + + <p>Affects: 4.1.0-4.1.37</p> + + </blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br/> +</td> +</tr> +</table> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> +<td bgcolor="#525D76"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 4.1.37"> <strong>Fixed in Apache Tomcat 4.1.37</strong> </a> 
@@ -406,14 +443,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 4.1.36"> <strong>Fixed in Apache Tomcat 4.1.36</strong> </a> @@ -503,14 +540,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 4.1.32"> <strong>Fixed in Apache Tomcat 4.1.32</strong> </a> @@ -595,14 +632,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 4.1.29"> <strong>Fixed in Apache Tomcat 4.1.29</strong> </a> @@ -633,14 +670,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 4.1.13, 4.0.6"> <strong>Fixed in Apache Tomcat 4.1.13, 4.0.6</strong> </a> 
@@ -685,14 +722,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 4.1.12, 4.0.5"> <strong>Fixed in Apache Tomcat 4.1.12, 4.0.5</strong> </a> @@ -719,14 +756,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 4.1.3"> <strong>Fixed in Apache Tomcat 4.1.3</strong> </a> @@ -755,14 +792,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 4.1.0"> <strong>Fixed in Apache Tomcat 4.1.0</strong> </a> @@ -802,14 +839,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 4.0.2"> <strong>Fixed in Apache Tomcat 4.0.2</strong> </a> 
@@ -840,14 +877,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 4.0.0"> <strong>Fixed in Apache Tomcat 4.0.0</strong> </a> @@ -875,14 +912,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Unverified"> <strong>Unverified</strong> </a> @@ -899,7 +936,7 @@ CVE-2005-4703</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2008"> CVE-2002-2008</a> -<br /> +<br/> </p> <p>This issue only affects Windows operating systems. It can not be @@ -915,7 +952,7 @@ <strong>important: Denial of service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1895"> CVE-2002-1895</a> -<br /> +<br/> </p> <p>This issue only affects configurations that use IIS in conjunction with @@ -931,14 +968,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Not a vulnerability in Tomcat"> <strong>Not a vulnerability in Tomcat</strong> </a> @@ -967,7 +1004,7 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> 
@@ -976,14 +1013,14 @@ <!--FOOTER SEPARATOR--> <tr> <td colspan="2"> -<hr size="1" noshade="" /> +<hr noshade="" size="1"/> </td> </tr> <!--PAGE FOOTER--> <tr> <td colspan="2"> <div align="center"> -<font size="-1" color="#525D76"> +<font color="#525D76" size="-1"> <em> Copyright © 1999-2007, The Apache Software Foundation </em> Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=635720&r1=635719&r2=635720&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Mon Mar 10 15:05:18 2008 @@ -3,19 +3,19 @@ <html> <head> <title>Apache Tomcat - Apache Tomcat 5.x vulnerabilities</title> -<meta value="Apache Tomcat Project" name="author" /> -<meta value="" name="email" /> -<link rel="stylesheet" href="stylesheets/tomcat.css" type="text/css" /> -<link media="print" rel="stylesheet" href="stylesheets/tomcat-printer.css" type="text/css" /> +<meta name="author" value="Apache Tomcat Project"/> +<meta name="email" value=""/> +<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/> +<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/> </head> -<body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff"> -<table cellspacing="0" width="100%" border="0"> +<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"> +<table border="0" width="100%" cellspacing="0"> <!--PAGE HEADER--> <tr> <td> <!--PROJECT LOGO--> <a href="http://tomcat.apache.org/"> -<img border="0" alt="Tomcat Logo" align="left" src="./images/tomcat.gif" /> +<img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"/> </a> </td> <td> 
@@ -26,28 +26,28 @@ <td> <!--APACHE LOGO--> <a href="http://www.apache.org/"> -<img border="0" alt="Apache Logo" align="right" src="http://www.apache.org/images/asf-logo.gif" /> +<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/> </a> </td> </tr> </table> <div class="searchbox noPrint"> -<form method="get" action="http://www.google.com/search"> -<input type="hidden" name="sitesearch" value="tomcat.apache.org" /> -<input type="text" id="query" name="q" size="25" value="Search the Site" /> -<input type="submit" value="Search Site" name="Search" /> +<form action="http://www.google.com/search" method="get"> +<input value="tomcat.apache.org" name="sitesearch" type="hidden"/> +<input value="Search the Site" size="25" name="q" id="query" type="text"/> +<input name="Search" value="Search Site" type="submit"/> </form> </div> -<table cellspacing="4" width="100%" border="0"> +<table border="0" width="100%" cellspacing="4"> <!--HEADER SEPARATOR--> <tr> <td colspan="2"> -<hr size="1" noshade="" /> +<hr noshade="" size="1"/> </td> </tr> <tr> <!--LEFT SIDE NAVIGATION--> -<td class="noPrint" nowrap="true" valign="top" width="20%"> +<td width="20%" valign="top" nowrap="true" class="noPrint"> <p> <strong>Apache Tomcat</strong> </p> @@ -182,11 +182,11 @@ </ul> </td> <!--RIGHT SIDE MAIN BODY--> -<td id="mainBody" align="left" valign="top" width="80%"> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<td width="80%" valign="top" align="left" id="mainBody"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Apache Tomcat 5.x vulnerabilities"> <strong>Apache Tomcat 5.x vulnerabilities</strong> </a> 
@@ -220,14 +220,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.26"> <strong>Fixed in Apache Tomcat 5.5.26</strong> </a> @@ -295,14 +295,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.25, 5.0.SVN"> <strong>Fixed in Apache Tomcat 5.5.25, 5.0.SVN</strong> </a> @@ -384,14 +384,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.24, 5.0.SVN"> <strong>Fixed in Apache Tomcat 5.5.24, 5.0.SVN</strong> </a> @@ -421,14 +421,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.23, 5.0.SVN"> <strong>Fixed in Apache Tomcat 5.5.23, 5.0.SVN</strong> </a> 
@@ -463,14 +463,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.22, 5.0.SVN"> <strong>Fixed in Apache Tomcat 5.5.22, 5.0.SVN</strong> </a> @@ -524,14 +524,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.21, 5.0.SVN"> <strong>Fixed in Apache Tomcat 5.5.21, 5.0.SVN</strong> </a> 
@@ -564,14 +564,50 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> +<a name="Fixed in Apache Tomcat 5.5.21"> +<strong>Fixed in Apache Tomcat 5.5.21</strong> +</a> +</font> +</td> +</tr> +<tr> +<td> +<p> +<blockquote> + <p> +<strong>moderate: Session hi-jacking</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"> + CVE-2008-0128</a> +</p> + + <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is + transmitted without the "secure" attribute, resulting in it being + transmitted to any content that is - by purpose or error - requested via + http from the same server. </p> + + <p>Affects: 5.0.0-5.0.SVN, 5.5.0-5.5.20</p> + </blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br/> +</td> +</tr> +</table> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> +<td bgcolor="#525D76"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.18, 5.0.SVN"> <strong>Fixed in Apache Tomcat 5.5.18, 5.0.SVN</strong> </a> @@ -599,14 +635,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.17, 5.0.SVN"> <strong>Fixed in Apache Tomcat 5.5.17, 5.0.SVN</strong> </a> 
@@ -634,14 +670,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.16, 5.0.SVN"> <strong>Fixed in Apache Tomcat 5.5.16, 5.0.SVN</strong> </a> @@ -669,14 +705,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.13, 5.0.SVN"> <strong>Fixed in Apache Tomcat 5.5.13, 5.0.SVN</strong> </a> @@ -724,14 +760,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 5.5.7, 5.0.SVN"> <strong>Fixed in Apache Tomcat 5.5.7, 5.0.SVN</strong> </a> @@ -759,14 +795,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Not a vulnerability in Tomcat"> <strong>Not a vulnerability in Tomcat</strong> </a> @@ -799,7 +835,7 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> 
@@ -808,14 +844,14 @@ <!--FOOTER SEPARATOR--> <tr> <td colspan="2"> -<hr size="1" noshade="" /> +<hr noshade="" size="1"/> </td> </tr> <!--PAGE FOOTER--> <tr> <td colspan="2"> <div align="center"> -<font size="-1" color="#525D76"> +<font color="#525D76" size="-1"> <em> Copyright © 1999-2007, The Apache Software Foundation </em> Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=635720&r1=635719&r2=635720&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Mon Mar 10 15:05:18 2008 @@ -3,19 +3,19 @@ <html> <head> <title>Apache Tomcat - Apache Tomcat 6.x vulnerabilities</title> -<meta value="Apache Tomcat Project" name="author" /> -<meta value="" name="email" /> -<link rel="stylesheet" href="stylesheets/tomcat.css" type="text/css" /> -<link media="print" rel="stylesheet" href="stylesheets/tomcat-printer.css" type="text/css" /> +<meta name="author" value="Apache Tomcat Project"/> +<meta name="email" value=""/> +<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/> +<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" media="print"/> </head> -<body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff"> -<table cellspacing="0" width="100%" border="0"> +<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"> +<table border="0" width="100%" cellspacing="0"> <!--PAGE HEADER--> <tr> <td> <!--PROJECT LOGO--> <a href="http://tomcat.apache.org/"> -<img border="0" alt="Tomcat Logo" align="left" src="./images/tomcat.gif" /> +<img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"/> </a> </td> <td> 
@@ -26,28 +26,28 @@ <td> <!--APACHE LOGO--> <a href="http://www.apache.org/"> -<img border="0" alt="Apache Logo" align="right" src="http://www.apache.org/images/asf-logo.gif" /> +<img src="http://www.apache.org/images/asf-logo.gif" align="right" alt="Apache Logo" border="0"/> </a> </td> </tr> </table> <div class="searchbox noPrint"> -<form method="get" action="http://www.google.com/search"> -<input type="hidden" name="sitesearch" value="tomcat.apache.org" /> -<input type="text" id="query" name="q" size="25" value="Search the Site" /> -<input type="submit" value="Search Site" name="Search" /> +<form action="http://www.google.com/search" method="get"> +<input value="tomcat.apache.org" name="sitesearch" type="hidden"/> +<input value="Search the Site" size="25" name="q" id="query" type="text"/> +<input name="Search" value="Search Site" type="submit"/> </form> </div> -<table cellspacing="4" width="100%" border="0"> +<table border="0" width="100%" cellspacing="4"> <!--HEADER SEPARATOR--> <tr> <td colspan="2"> -<hr size="1" noshade="" /> +<hr noshade="" size="1"/> </td> </tr> <tr> <!--LEFT SIDE NAVIGATION--> -<td class="noPrint" nowrap="true" valign="top" width="20%"> +<td width="20%" valign="top" nowrap="true" class="noPrint"> <p> <strong>Apache Tomcat</strong> </p> @@ -182,11 +182,11 @@ </ul> </td> <!--RIGHT SIDE MAIN BODY--> -<td id="mainBody" align="left" valign="top" width="80%"> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<td width="80%" valign="top" align="left" id="mainBody"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Apache Tomcat 6.x vulnerabilities"> <strong>Apache Tomcat 6.x vulnerabilities</strong> </a> 
@@ -214,14 +214,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 6.0.16"> <strong>Fixed in Apache Tomcat 6.0.16</strong> </a> @@ -303,14 +303,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 6.0.14"> <strong>Fixed in Apache Tomcat 6.0.14</strong> </a> @@ -392,14 +392,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 6.0.11"> <strong>Fixed in Apache Tomcat 6.0.11</strong> </a> @@ -447,14 +447,14 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 6.0.10"> <strong>Fixed in Apache Tomcat 6.0.10</strong> </a> 
@@ -503,14 +503,50 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> -<table width="100%" cellpadding="2" cellspacing="0" border="0"> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> <td bgcolor="#525D76"> -<font face="arial,helvetica,sanserif" color="#ffffff"> +<font color="#ffffff" face="arial,helvetica,sanserif"> +<a name="Fixed in Apache Tomcat 6.0.9"> +<strong>Fixed in Apache Tomcat 6.0.9</strong> +</a> +</font> +</td> +</tr> +<tr> +<td> +<p> +<blockquote> + <p> +<strong>moderate: Session hi-jacking</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"> + CVE-2008-0128</a> +</p> + + <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is + transmitted without the "secure" attribute, resulting in it being + transmitted to any content that is - by purpose or error - requested via + http from the same server. </p> + + <p>Affects: 6.0.0-6.0.8</p> + </blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br/> +</td> +</tr> +</table> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> +<td bgcolor="#525D76"> +<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 6.0.6"> <strong>Fixed in Apache Tomcat 6.0.6</strong> </a> @@ -543,7 +579,7 @@ </tr> <tr> <td> -<br /> +<br/> </td> </tr> </table> 
@@ -552,14 +588,14 @@ <!--FOOTER SEPARATOR--> <tr> <td colspan="2"> -<hr size="1" noshade="" /> +<hr noshade="" size="1"/> </td> </tr> <!--PAGE FOOTER--> <tr> <td colspan="2"> <div align="center"> -<font size="-1" color="#525D76"> +<font color="#525D76" size="-1"> <em> Copyright © 1999-2007, The Apache Software Foundation </em> Modified: tomcat/site/trunk/xdocs/security-4.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=635720&r1=635719&r2=635720&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-4.xml (original) +++ tomcat/site/trunk/xdocs/security-4.xml Mon Mar 10 15:05:18 2008 @@ -44,6 +44,20 @@ </section> + <section name="Not fixed in Apache Tomcat 4.1.x"> + <p><strong>moderate: Session hi-jacking</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"> + CVE-2008-0128</a></p> + + <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is + transmitted without the "secure" attribute, resulting in it being + transmitted to any content that is - by purpose or error - requested via + http from the same server. </p> + + <p>Affects: 4.1.0-4.1.37</p> + + </section> + <section name="Fixed in Apache Tomcat 4.1.37"> <p><strong>important: Information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3164"> Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=635720&r1=635719&r2=635720&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Mon Mar 10 15:05:18 2008 
@@ -220,6 +220,19 @@ <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.20</p> </section> + <section name="Fixed in Apache Tomcat 5.5.21"> + <p><strong>moderate: Session hi-jacking</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"> + CVE-2008-0128</a></p> + + <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is + transmitted without the "secure" attribute, resulting in it being + transmitted to any content that is - by purpose or error - requested via + http from the same server. </p> + + <p>Affects: 5.0.0-5.0.SVN, 5.5.0-5.5.20</p> + </section> + <section name="Fixed in Apache Tomcat 5.5.18, 5.0.SVN"> <p><strong>moderate: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7195"> Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=635720&r1=635719&r2=635720&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Mon Mar 10 15:05:18 2008 
@@ -201,6 +201,19 @@ <p>Affects: 6.0.0-6.0.9</p> </section> + <section name="Fixed in Apache Tomcat 6.0.9"> + <p><strong>moderate: Session hi-jacking</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0128"> + CVE-2008-0128</a></p> + + <p>When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is + transmitted without the "secure" attribute, resulting in it being + transmitted to any content that is - by purpose or error - requested via + http from the same server. </p> + + <p>Affects: 6.0.0-6.0.8</p> + </section> + <section name="Fixed in Apache Tomcat 6.0.6"> <p><strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358">
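Review bot: Most changed lines in docs/security-4.html, docs/security-5.html and docs/security-6.html only reorder attributes or rewrite `<br />` as `<br/>` (the `<meta>`, `<table>` and `<font>` lines in nearly every hunk), which buries the three added CVE-2008-0128 blocks. The pattern looks like the pages were regenerated with a different toolchain from the previous revision; regenerate with the same one, or commit the formatting churn separately, so the diff of a security page shows only the advisory text that changed.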
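Review bot: The new heading "Not fixed in Apache Tomcat 4.1.x" in xdocs/security-4.xml lands on a page that already has a "Will not be fixed in Apache Tomcat 4.1.x" section (visible in the docs/security-4.html hunks), and the entry does not say which of the two states applies to CVE-2008-0128. Move the entry under the existing heading or state whether a fix is planned. Since "Affects: 4.1.0-4.1.37" gives users no fixed release to move to, the entry should also say what to do in the meantime, for example not serving content over http from the host that runs the SingleSignOn Valve over https.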
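Review bot: In xdocs/security-5.xml the heading "Fixed in Apache Tomcat 5.5.21" is paired with "Affects: 5.0.0-5.0.SVN, 5.5.0-5.5.20", so 5.0.x is listed as affected up to current SVN but the entry never says it is still unfixed there. The neighbouring headings use the form "Fixed in Apache Tomcat 5.5.21, 5.0.SVN", and a reader skimming headings can easily take the shorter one to mean the same thing. Add a sentence stating that 5.0.x is not fixed, and consider placing the entry directly under the existing 5.5.21 section with that caveat rather than opening a second section for the same release.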
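Review bot: The advisory paragraph added to xdocs/security-6.xml, and repeated verbatim in the 4.x and 5.x files, describes the flaw but not the fix: it does not say what changed in 6.0.9 or how an operator can confirm that JSESSIONIDSSO now carries the "secure" attribute on https responses. Add one sentence on the fixed behaviour. Wording nits in the same paragraph: "by purpose or error" reads better as "on purpose or by mistake", and "hi-jacking" is normally spelled "hijacking".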