Author: markt Date: Mon Jun 8 20:18:40 2009 New Revision: 782764 URL: http://svn.apache.org/viewvc?rev=782764&view=rev Log: Add CVE-2008-5515.
Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-4.xml tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-4.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=782764&r1=782763&r2=782764&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-4.html (original) +++ tomcat/site/trunk/docs/security-4.html Mon Jun 8 20:18:40 2009 @@ -271,6 +271,24 @@ <p> <blockquote> <p> +<strong>Important: Information Disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515"> + CVE-2009-5515</a> +</p> + + <p>When using a RequestDispatcher obtained from the Request, the target path + was normalised before the query string was removed. A request that + included a specially crafted request parameter could be used to access + content that would otherwise be protected by a security constraint or by + locating it in under the WEB-INF directory.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=782763&view=rev"> + revision 782763</a>.</p> + + <p>Affects: 4.1.0-4.1.39</p> + + <p> <strong>Important: Denial of Service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> CVE-2009-0033</a> Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=782764&r1=782763&r2=782764&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Mon Jun 8 20:18:40 2009 
@@ -233,6 +233,24 @@ <p> <blockquote> <p> +<strong>Important: Information Disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515"> + CVE-2009-5515</a> +</p> + + <p>When using a RequestDispatcher obtained from the Request, the target path + was normalised before the query string was removed. A request that + included a specially crafted request parameter could be used to access + content that would otherwise be protected by a security constraint or by + locating it in under the WEB-INF directory.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=782757&view=rev"> + revision 782757</a>.</p> + + <p>Affects: 5.5.0-5.5.27</p> + + <p> <strong>Important: Denial of Service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> CVE-2009-0033</a> Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=782764&r1=782763&r2=782764&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Mon Jun 8 20:18:40 2009 
@@ -234,6 +234,24 @@ </p> <p> +<strong>Important: Information Disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515"> + CVE-2009-5515</a> +</p> + + <p>When using a RequestDispatcher obtained from the Request, the target path + was normalised before the query string was removed. A request that + included a specially crafted request parameter could be used to access + content that would otherwise be protected by a security constraint or by + locating it in under the WEB-INF directory.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=734734&view=rev"> + revision 734734</a>.</p> + + <p>Affects: 6.0.0-6.0.18</p> + + <p> <strong>Important: Denial of Service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> CVE-2009-0033</a> @@ -267,7 +285,7 @@ <a href="http://svn.apache.org/viewvc?rev=747840&view=rev"> revision 747840</a>.</p> - <p>Affects: 6.0.0-6.0.18 (MemoryRealm)</p> + <p>Affects: 6.0.0-6.0.18</p> <p> <strong>low: Cross-site scripting</strong> Modified: tomcat/site/trunk/xdocs/security-4.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=782764&r1=782763&r2=782764&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-4.xml (original) +++ tomcat/site/trunk/xdocs/security-4.xml Mon Jun 8 20:18:40 2009 
@@ -44,6 +44,22 @@ </section> <section name="Fixed in Apache Tomcat 4.1.SVN"> + <p><strong>Important: Information Disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515"> + CVE-2009-5515</a></p> + + <p>When using a RequestDispatcher obtained from the Request, the target path + was normalised before the query string was removed. A request that + included a specially crafted request parameter could be used to access + content that would otherwise be protected by a security constraint or by + locating it in under the WEB-INF directory.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=782763&view=rev"> + revision 782763</a>.</p> + + <p>Affects: 4.1.0-4.1.39</p> + <p><strong>Important: Denial of Service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> CVE-2009-0033</a></p> Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=782764&r1=782763&r2=782764&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Mon Jun 8 20:18:40 2009 
@@ -29,6 +29,22 @@ </section> <section name="Fixed in Apache Tomcat 5.5.SVN"> + <p><strong>Important: Information Disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515"> + CVE-2009-5515</a></p> + + <p>When using a RequestDispatcher obtained from the Request, the target path + was normalised before the query string was removed. A request that + included a specially crafted request parameter could be used to access + content that would otherwise be protected by a security constraint or by + locating it in under the WEB-INF directory.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=782757&view=rev"> + revision 782757</a>.</p> + + <p>Affects: 5.5.0-5.5.27</p> + <p><strong>Important: Denial of Service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> CVE-2009-0033</a></p> Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=782764&r1=782763&r2=782764&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Mon Jun 8 20:18:40 2009 
@@ -28,6 +28,22 @@ must download 6.0.20 to obtain a version that includes fixes for these issues, 6.0.19 is not included in the list of affected versions.</i></p> + <p><strong>Important: Information Disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5515"> + CVE-2009-5515</a></p> + + <p>When using a RequestDispatcher obtained from the Request, the target path + was normalised before the query string was removed. A request that + included a specially crafted request parameter could be used to access + content that would otherwise be protected by a security constraint or by + locating it in under the WEB-INF directory.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=734734&view=rev"> + revision 734734</a>.</p> + + <p>Affects: 6.0.0-6.0.18</p> + <p><strong>Important: Denial of Service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> CVE-2009-0033</a></p> @@ -58,7 +74,7 @@ <a href="http://svn.apache.org/viewvc?rev=747840&view=rev"> revision 747840</a>.</p> - <p>Affects: 6.0.0-6.0.18 (MemoryRealm)</p> + <p>Affects: 6.0.0-6.0.18</p> <p><strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
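Review bot: the identifier in the docs/security-4.html hunk (and in the identical block added to the other five files) is CVE-2009-5515 in both the href and the link text, while the log message says "Add CVE-2008-5515"; one of the two is wrong, and since readers and vulnerability scanners key on this id it should be checked against the MITRE entry before the page is published. The same paragraph also carries a typo, "locating it in under the WEB-INF directory", which should read "locating it under the WEB-INF directory".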
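Review bot: the @@ -267,7 +285,7 @@ hunk in docs/security-6.html (mirrored by @@ -58,7 +74,7 @@ in xdocs/security-6.xml) drops "(MemoryRealm)" from the Affects line of the revision 747840 entry, which widens the stated scope of that earlier issue from one realm to all of 6.0.0-6.0.18; that is unrelated to the CVE named in the log message and should be either mentioned in the log or committed separately so the change of scope stays traceable.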