Author: markt
Date: Thu Oct 9 15:39:48 2008
New Revision: 703284
URL: http://svn.apache.org/viewvc?rev=703284&view=rev
Log:
Update with details of CVE-2008-3271
Modified:
tomcat/site/trunk/docs/security-4.html
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/xdocs/security-4.xml
tomcat/site/trunk/xdocs/security-5.xml
Modified: tomcat/site/trunk/docs/security-4.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=703284&r1=703283&r2=703284&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Thu Oct 9 15:39:48 2008
@@ -618,6 +618,22 @@
<blockquote>
<p>
+<strong>low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271";>
+ CVE-2008-3271</a>
+</p>
+
+ <p>
+<a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=25835";>
+ Bug 25835</a> can, in rare circumstances - this has only been reproduced
+ using a debugger to force a particular processing sequence for two threads
-
+ allow a user from a non-premitted IP address to gain access to a context
+ that is protected with a valve that extends RemoteFilterValve. This
includes
+ the standard RemoteAddrValve and RemoteHostValve implementations.</p>
+
+ <p>Affects: 4.1.0-4.1.31</p>
+
+ <p>
<strong>important: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858";>
CVE-2007-1858</a>
Modified: tomcat/site/trunk/docs/security-5.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=703284&r1=703283&r2=703284&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Thu Oct 9 15:39:48 2008
@@ -899,6 +899,45 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 5.5.1">
+<strong>Fixed in Apache Tomcat 5.5.1</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>
+<strong>low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271";>
+ CVE-2008-3271</a>
+</p>
+
+ <p>
+<a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=25835";>
+ Bug 25835</a> can, in rare circumstances - this has only been reproduced
+ using a debugger to force a particular processing sequence for two threads
-
+ allow a user from a non-premitted IP address to gain access to a context
+ that is protected with a valve that extends RemoteFilterValve. This
includes
+ the standard RemoteAddrValve and RemoteHostValve implementations.</p>
+
+ <p>Affects: 5.5.0 (5.0.x unknown)</p>
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Not a vulnerability in Tomcat">
<strong>Not a vulnerability in Tomcat</strong>
</a>
Modified: tomcat/site/trunk/xdocs/security-4.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=703284&r1=703283&r2=703284&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Thu Oct 9 15:39:48 2008
@@ -296,6 +296,19 @@
<section name="Fixed in Apache Tomcat 4.1.32">
+ <p><strong>low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271";>
+ CVE-2008-3271</a></p>
+
+ <p><a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=25835";>
+ Bug 25835</a> can, in rare circumstances - this has only been reproduced
+ using a debugger to force a particular processing sequence for two threads
-
+ allow a user from a non-premitted IP address to gain access to a context
+ that is protected with a valve that extends RemoteFilterValve. This
includes
+ the standard RemoteAddrValve and RemoteHostValve implementations.</p>
+
+ <p>Affects: 4.1.0-4.1.31</p>
+
<p><strong>important: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858";>
CVE-2007-1858</a></p>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=703284&r1=703283&r2=703284&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Thu Oct 9 15:39:48 2008
@@ -385,6 +385,21 @@
<p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.6</p>
</section>
+ <section name="Fixed in Apache Tomcat 5.5.1">
+ <p><strong>low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271";>
+ CVE-2008-3271</a></p>
+
+ <p><a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=25835";>
+ Bug 25835</a> can, in rare circumstances - this has only been reproduced
+ using a debugger to force a particular processing sequence for two threads
-
+ allow a user from a non-premitted IP address to gain access to a context
+ that is protected with a valve that extends RemoteFilterValve. This
includes
+ the standard RemoteAddrValve and RemoteHostValve implementations.</p>
+
+ <p>Affects: 5.5.0 (5.0.x unknown)</p>
+ </section>
+
<section name="Not a vulnerability in Tomcat">
<p><strong>JavaMail information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1754";>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
