Author: markt
Date: Thu Feb 11 10:37:24 2010
New Revision: 908917

URL: http://svn.apache.org/viewvc?rev=908917&view=rev
Log:
Add a note on where to find the "not a vulnerability section"
Add the missing severity and svn reference for CVE-2009-3555
Remove the reference to CVE-2009-3555 from the fixed in 6.0.24 section to keep 
it consistent with the other non-Tomcat vulnerabilities

Modified:
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=908917&r1=908916&r2=908917&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Thu Feb 11 10:37:24 2010
@@ -3,18 +3,18 @@
 <html>
 <head>
 <title>Apache Tomcat - Apache Tomcat 6.x vulnerabilities</title>
-<meta content="Apache Tomcat Project" name="author" />
-<link rel="stylesheet" href="stylesheets/tomcat.css" type="text/css" />
-<link media="print" rel="stylesheet" href="stylesheets/tomcat-printer.css" 
type="text/css" />
+<meta name="author" content="Apache Tomcat Project"/>
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet" 
media="print"/>
 </head>
-<body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" 
bgcolor="#ffffff">
-<table cellspacing="0" width="100%" border="0">
+<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" 
vlink="#525D76">
+<table border="0" width="100%" cellspacing="0">
 <!--PAGE HEADER-->
 <tr>
 <td>
 <!--PROJECT LOGO-->
 <a href="http://tomcat.apache.org/";>
-<img border="0" alt="Tomcat Logo" align="left" src="./images/tomcat10.jpg" />
+<img src="./images/tomcat10.jpg" align="left" alt="Tomcat Logo" border="0"/>
 </a>
 </td>
 <td>
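Review bot: Nearly every changed line in this hunk only reorders attributes or changes the spacing of self-closing tags (for example `<meta content="Apache Tomcat Project" name="author" />` becoming `<meta name="author" content="Apache Tomcat Project"/>`), and the same churn repeats in the `<br />` and `<table ...>` hunks further down. It buries the content changes the log describes. This looks like output from a different serializer than the one used for r908916; regenerate docs/security-6.html with the same toolchain, or commit the serialization changes separately so the security-relevant edits can be reviewed on their own.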
@@ -25,28 +25,28 @@
 <td>
 <!--APACHE LOGO-->
 <a href="http://www.apache.org/";>
-<img border="0" alt="Apache Logo" align="right" 
src="http://www.apache.org/images/asf-logo.gif"; />
+<img src="http://www.apache.org/images/asf-logo.gif"; align="right" alt="Apache 
Logo" border="0"/>
 </a>
 </td>
 </tr>
 </table>
 <div class="searchbox noPrint">
-<form method="get" action="http://www.google.com/search";>
-<input type="hidden" name="sitesearch" value="tomcat.apache.org" />
-<input type="text" id="query" name="q" size="25" value="Search the Site" />
-<input type="submit" value="Search Site" name="Search" />
+<form action="http://www.google.com/search"; method="get">
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
+<input value="Search the Site" size="25" name="q" id="query" type="text"/>
+<input name="Search" value="Search Site" type="submit"/>
 </form>
 </div>
-<table cellspacing="4" width="100%" border="0">
+<table border="0" width="100%" cellspacing="4">
 <!--HEADER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr size="1" noshade="" />
+<hr noshade="" size="1"/>
 </td>
 </tr>
 <tr>
 <!--LEFT SIDE NAVIGATION-->
-<td class="noPrint" nowrap="true" valign="top" width="20%">
+<td width="20%" valign="top" nowrap="true" class="noPrint">
 <p>
 <strong>Apache Tomcat</strong>
 </p>
@@ -172,11 +172,11 @@
 </ul>
 </td>
 <!--RIGHT SIDE MAIN BODY-->
-<td id="mainBody" align="left" valign="top" width="80%">
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<td width="80%" valign="top" align="left" id="mainBody">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Apache Tomcat 6.x vulnerabilities">
 <strong>Apache Tomcat 6.x vulnerabilities</strong>
 </a>
@@ -195,6 +195,10 @@
        is known to affect, and where a flaw has not been verified list the
        version with a question mark.</p>
 
+    <p>Note: Vulnerabilities that are not Tomcat vulnerabilities but have 
either
+       been incorrectly reported against Tomcat or where Tomcat provides a
+       workaround are listed at the end of this page.</p>
+
     <p>Please send comments or corrections for these vulnerabilities to the
        <a href="mailto:secur...@tomcat.apache.org";>Tomcat Security 
Team</a>.</p>
 
@@ -204,14 +208,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.24">
 <strong>Fixed in Apache Tomcat 6.0.24</strong>
 </a>
@@ -303,37 +307,20 @@
 
     <p>Affects: 6.0.0-6.0.20</p>
 
-   <p>
-<strong>Medium: SSL MITN</strong>
-      <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555";>
-       CVE-2009-3555</a>
-</p>
-
-    <p>See Not a vulnerability in Tomcat below</p>
-
-    <p>This was worked-around in
-       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev";>
-       revision 891292</a> and
-       <a href="http://svn.apache.org/viewvc?rev=881774&amp;view=rev";>
-       revision 881774</a>.</p>
-
-    <p>Affects: 6.0.0-6.0.20</p>
-
-
   </blockquote>
 </p>
 </td>
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.20">
 <strong>Fixed in Apache Tomcat 6.0.20</strong>
 </a>
@@ -450,14 +437,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.18">
 <strong>Fixed in Apache Tomcat 6.0.18</strong>
 </a>
@@ -537,14 +524,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.16">
 <strong>Fixed in Apache Tomcat 6.0.16</strong>
 </a>
@@ -626,14 +613,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.14">
 <strong>Fixed in Apache Tomcat 6.0.14</strong>
 </a>
@@ -715,14 +702,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.11">
 <strong>Fixed in Apache Tomcat 6.0.11</strong>
 </a>
@@ -770,14 +757,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.10">
 <strong>Fixed in Apache Tomcat 6.0.10</strong>
 </a>
@@ -826,14 +813,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.9">
 <strong>Fixed in Apache Tomcat 6.0.9</strong>
 </a>
@@ -862,14 +849,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.6">
 <strong>Fixed in Apache Tomcat 6.0.6</strong>
 </a>
@@ -902,14 +889,14 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
 <tr>
 <td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Not a vulnerability in Tomcat">
 <strong>Not a vulnerability in Tomcat</strong>
 </a>
@@ -922,7 +909,7 @@
 <blockquote>
   
     <p>
-<strong>TLS SSL Man In The Middle</strong>
+<strong>moderate: TLS SSL Man In The Middle</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555";>
        CVE-2009-3555</a>
 </p>
@@ -953,6 +940,10 @@
        renegotiation may result in some clients being unable to access the
        application.</p>
 
+    <p>This was worked-around in
+       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev";>
+       revision 881774</a>.</p>
+       
     <p>
 <strong>important: Directory traversal</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938";>
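Review bot: In the added paragraph the link target and the link text disagree: the href is `viewvc?rev=891292` but the text reads `revision 881774`. The entry removed from the 6.0.24 section cited both revisions, each with its own link, so one reference was lost in the move. Restore both links with matching href and text; as written, anyone auditing the CVE-2009-3555 workaround lands on a different commit than the one named.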
@@ -992,7 +983,7 @@
 </tr>
 <tr>
 <td>
-<br />
+<br/>
 </td>
 </tr>
 </table>
@@ -1001,17 +992,17 @@
 <!--FOOTER SEPARATOR-->
 <tr>
 <td colspan="2">
-<hr size="1" noshade="" />
+<hr noshade="" size="1"/>
 </td>
 </tr>
 <!--PAGE FOOTER-->
 <tr>
 <td colspan="2">
 <div align="center">
-<font size="-1" color="#525D76">
+<font color="#525D76" size="-1">
 <em>
         Copyright © 1999-2010, The Apache Software Foundation
-        <br />
+        <br/>
         "Apache", the Apache feather, and the Apache Tomcat logo are
         trademarks of the Apache Software Foundation for our open source
         software.

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=908917&r1=908916&r2=908917&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Thu Feb 11 10:37:24 2010
@@ -17,6 +17,10 @@
        is known to affect, and where a flaw has not been verified list the
        version with a question mark.</p>
 
+    <p>Note: Vulnerabilities that are not Tomcat vulnerabilities but have 
either
+       been incorrectly reported against Tomcat or where Tomcat provides a
+       workaround are listed at the end of this page.</p>
+
     <p>Please send comments or corrections for these vulnerabilities to the
        <a href="mailto:secur...@tomcat.apache.org";>Tomcat Security 
Team</a>.</p>
 
@@ -94,21 +98,6 @@
 
     <p>Affects: 6.0.0-6.0.20</p>
 
-   <p><strong>Medium: SSL MITN</strong>
-      <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555";>
-       CVE-2009-3555</a></p>
-
-    <p>See Not a vulnerability in Tomcat below</p>
-
-    <p>This was worked-around in
-       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev";>
-       revision 891292</a> and
-       <a href="http://svn.apache.org/viewvc?rev=881774&amp;view=rev";>
-       revision 881774</a>.</p>
-
-    <p>Affects: 6.0.0-6.0.20</p>
-
-
   </section>
 
   <section name="Fixed in Apache Tomcat 6.0.20">
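Review bot: The removed block carried `Affects: 6.0.0-6.0.20` for CVE-2009-3555, while the paragraph this commit adds to the "Not a vulnerability in Tomcat" section only adds the workaround revision. Please confirm that dropping the affected range is intended, or carry it over to the relocated entry, since without it the page no longer states which releases lack the workaround.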
@@ -472,7 +461,7 @@
 
   <section name="Not a vulnerability in Tomcat">
   
-    <p><strong>TLS SSL Man In The Middle</strong>
+    <p><strong>moderate: TLS SSL Man In The Middle</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555";>
        CVE-2009-3555</a></p>
 
@@ -502,6 +491,10 @@
        renegotiation may result in some clients being unable to access the
        application.</p>
 
+    <p>This was worked-around in
+       <a href="http://svn.apache.org/viewvc?rev=891292&amp;view=rev";>
+       revision 881774</a>.</p>
+       
     <p><strong>important: Directory traversal</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938";>
        CVE-2008-2938</a></p>
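Review bot: The last added line of this hunk, after the closing `</p>`, contains only trailing whitespace (`+       `); drop it or make it an empty line. The paragraph above it also labels `rev=891292` as `revision 881774`, and since this xdocs file appears to be the source the HTML is generated from, the correction needs to be made here and the HTML regenerated.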


