Author: jfclere
Date: Wed Feb 10 08:32:11 2010
New Revision: 908386

URL: http://svn.apache.org/viewvc?rev=908386&view=rev
Log:
Just a ref to Not a vulnerability in Tomcat.

Modified:
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=908386&r1=908385&r2=908386&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Feb 10 08:32:11 2010
@@ -309,15 +309,9 @@
        CVE-2009-3555</a>
 </p>
 
-    <p>The TLS protocol, and the SSL protocol 3.0 and possibly earlier does not
-       properly associate renegotiation handshakes with an existing connection,
-       which allows man-in-the-middle attackers to insert data into HTTPS
-       sessions, and possibly other types of sessions protected by TLS or SSL,
-       by sending an unauthenticated request that is processed retroactively by
-       a server in a post-renegotiation context, related to a "plaintext
-       injection" attack, aka the "Project Mogul" issue.</p>
+    <p>See Not a vulnerability in Tomcat below</p>
 
-    <p>This was fixed in
+    <p>This was worked-around in
        <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev";>
        revision 891292</a> and
        <a href="http://svn.apache.org/viewvc?rev=881774&amp;view=rev";>
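Review bot: The added line "See Not a vulnerability in Tomcat below" names the target section as bare text, so a reader has to search the page for it. Make it an in-page link to that section, or at least quote the section title, and end the sentence with a period. In the next changed line, "worked-around" should read "worked around". The log message mentions only the reference, not the switch from "fixed" to "worked around", which is the more significant wording change for anyone reading the history.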

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=908386&r1=908385&r2=908386&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Feb 10 08:32:11 2010
@@ -98,15 +98,9 @@
       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555";>
        CVE-2009-3555</a></p>
 
-    <p>The TLS protocol, and the SSL protocol 3.0 and possibly earlier does not
-       properly associate renegotiation handshakes with an existing connection,
-       which allows man-in-the-middle attackers to insert data into HTTPS
-       sessions, and possibly other types of sessions protected by TLS or SSL,
-       by sending an unauthenticated request that is processed retroactively by
-       a server in a post-renegotiation context, related to a "plaintext
-       injection" attack, aka the "Project Mogul" issue.</p>
+    <p>See Not a vulnerability in Tomcat below</p>
 
-    <p>This was fixed in
+    <p>This was worked-around in
        <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev";>
        revision 891292</a> and
        <a href="http://svn.apache.org/viewvc?rev=881774&amp;view=rev";>
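Review bot: With the paragraph starting "The TLS protocol, and the SSL protocol 3.0" removed, this entry no longer says what CVE-2009-3555 is or why the revisions are a workaround and not a fix. Keep a one-sentence summary next to the pointer, for example that the flaw is in how TLS/SSL renegotiation handshakes are associated with an existing connection, so that "This was worked-around in" still makes sense to a reader who does not follow the reference.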


