Author: markt
Date: Thu Feb 11 10:40:47 2010
New Revision: 908918
URL: http://svn.apache.org/viewvc?rev=908918&view=rev
Log:
Add a page for Tomcat 7. Link it from the main pager and fix some typos
Move Tomcat 4 to archived list
Added:
tomcat/site/trunk/docs/security-7.html (with props)
tomcat/site/trunk/xdocs/security-7.xml (with props)
Modified:
tomcat/site/trunk/docs/security.html
tomcat/site/trunk/xdocs/security.xml
Added: tomcat/site/trunk/docs/security-7.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=908918&view=auto
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (added)
+++ tomcat/site/trunk/docs/security-7.html Thu Feb 11 10:40:47 2010
@@ -0,0 +1,300 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+<html>
+<head>
+<title>Apache Tomcat - Apache Tomcat 6.x vulnerabilities</title>
+<meta name="author" content="Apache Tomcat Project"/>
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet"
media="print"/>
+</head>
+<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76"
vlink="#525D76">
+<table border="0" width="100%" cellspacing="0">
+<!--PAGE HEADER-->
+<tr>
+<td>
+<!--PROJECT LOGO-->
+<a href="http://tomcat.apache.org/";>
+<img src="./images/tomcat10.jpg" align="left" alt="Tomcat Logo" border="0"/>
+</a>
+</td>
+<td>
+<font face="arial,helvetica,sanserif">
+<h1>Apache Tomcat</h1>
+</font>
+</td>
+<td>
+<!--APACHE LOGO-->
+<a href="http://www.apache.org/";>
+<img src="http://www.apache.org/images/asf-logo.gif"; align="right" alt="Apache
Logo" border="0"/>
+</a>
+</td>
+</tr>
+</table>
+<div class="searchbox noPrint">
+<form action="http://www.google.com/search"; method="get">
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
+<input value="Search the Site" size="25" name="q" id="query" type="text"/>
+<input name="Search" value="Search Site" type="submit"/>
+</form>
+</div>
+<table border="0" width="100%" cellspacing="4">
+<!--HEADER SEPARATOR-->
+<tr>
+<td colspan="2">
+<hr noshade="" size="1"/>
+</td>
+</tr>
+<tr>
+<!--LEFT SIDE NAVIGATION-->
+<td width="20%" valign="top" nowrap="true" class="noPrint">
+<p>
+<strong>Apache Tomcat</strong>
+</p>
+<ul>
+<li>
+<a href="./index.html">Home</a>
+</li>
+<li>
+<a href="./taglibs/">Taglibs</a>
+</li>
+</ul>
+<p>
+<strong>Download</strong>
+</p>
+<ul>
+<li>
+<a href="./whichversion.html">Which version?</a>
+</li>
+<li>
+<a href="./download-60.cgi">Tomcat 6.x</a>
+</li>
+<li>
+<a href="./download-55.cgi">Tomcat 5.5</a>
+</li>
+<li>
+<a href="./download-connectors.cgi">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./download-native.cgi">Tomcat Native</a>
+</li>
+<li>
+<a href="http://archive.apache.org/dist/tomcat";>Archives</a>
+</li>
+</ul>
+<p>
+<strong>Documentation</strong>
+</p>
+<ul>
+<li>
+<a href="./tomcat-6.0-doc/index.html">Tomcat 6.0</a>
+</li>
+<li>
+<a href="./tomcat-5.5-doc/index.html">Tomcat 5.5</a>
+</li>
+<li>
+<a href="./connectors-doc">Tomcat Connectors</a>
+</li>
+<li>
+<a href="./native-doc">Tomcat Native</a>
+</li>
+<li>
+<a href="./migration.html">Migration Guide</a>
+</li>
+</ul>
+<p>
+<strong>Problems?</strong>
+</p>
+<ul>
+<li>
+<a href="./security.html">Security Reports</a>
+</li>
+<li>
+<a href="./findhelp.html">Find help</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat/FAQ";>FAQ</a>
+</li>
+<li>
+<a href="./lists.html">Mailing Lists</a>
+</li>
+<li>
+<a href="./bugreport.html">Bug Database</a>
+</li>
+<li>
+<a href="./irc.html">IRC</a>
+</li>
+</ul>
+<p>
+<strong>Get Involved</strong>
+</p>
+<ul>
+<li>
+<a href="./getinvolved.html">Overview</a>
+</li>
+<li>
+<a href="./svn.html">SVN Repositories</a>
+</li>
+<li>
+<a href="./lists.html">Mailing Lists</a>
+</li>
+<li>
+<a href="http://wiki.apache.org/tomcat";>Wiki</a>
+</li>
+</ul>
+<p>
+<strong>Misc</strong>
+</p>
+<ul>
+<li>
+<a href="./whoweare.html">Who We Are</a>
+</li>
+<li>
+<a href="./heritage.html">Heritage</a>
+</li>
+<li>
+<a href="http://www.apache.org";>Apache Home</a>
+</li>
+<li>
+<a href="./resources.html">Resources</a>
+</li>
+<li>
+<a href="./contact.html">Contact</a>
+</li>
+<li>
+<a href="./legal.html">Legal</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/sponsorship.html";>Sponsorship</a>
+</li>
+<li>
+<a href="http://www.apache.org/foundation/thanks.html";>Thanks</a>
+</li>
+</ul>
+</td>
+<!--RIGHT SIDE MAIN BODY-->
+<td width="80%" valign="top" align="left" id="mainBody">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Apache Tomcat 7.x vulnerabilities">
+<strong>Apache Tomcat 7.x vulnerabilities</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+ <p>This page lists all security vulnerabilities fixed in released versions
+ of Apache Tomcat 7.x. Each vulnerability is given a
+ <a href="security-impact.html">security impact rating</a> by the Apache
+ Tomcat security team - please note that this rating may vary from
+ platform to platform. We also list the versions of Apache Tomcat the
flaw
+ is known to affect, and where a flaw has not been verified list the
+ version with a question mark.</p>
+
+ <p>Please send comments or corrections for these vulnerabilities to the
+ <a href="mailto:[email protected]";>Tomcat Security
Team</a>.</p>
+
+ <p>
+<i>Note: Apache Tomcat 7.0.0 has yet to be released.</i>
+</p>
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Not a vulnerability in Tomcat">
+<strong>Not a vulnerability in Tomcat</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>moderate: TLS SSL Man In The Middle</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555";>
+ CVE-2009-3555</a>
+</p>
+
+ <p>A vulnerability exists in the TLS protocol that allows an attacker to
+ inject arbitrary requests into an TLS stream during renegotiation.</p>
+
+ <p>The TLS implementation used by Tomcat varies with connector. The
blocking
+ IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
+ provided by the JVM. The APR/native connector uses OpenSSL.</p>
+
+ <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+ To workaround this until a fix is available in JSSE, use the connector
+ attribute <code>allowUnsafeLegacyRenegotiation</code>. It should be set
+ to <code>false</code> (the default) to protect against this
+ vulnerability.</p>
+
+ <p>The NIO connector is not vulnerable as it does not support
+ renegotiation.</p>
+
+ <p>The APR/native workarounds are detailed on the
+ <a href="security-native.html">APR/native connector security page</a>.
+ </p>
+
+ <p>Users should be aware that the impact of disabling renegotiation will
+ vary with both application and client. In some circumstances disabling
+ renegotiation may result in some clients being unable to access the
+ application.</p>
+
+ <p>This was worked-around in
+ <a href="http://svn.apache.org/viewvc?rev=882320&view=rev";>
+ revision 891292</a>.</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+<!--FOOTER SEPARATOR-->
+<tr>
+<td colspan="2">
+<hr noshade="" size="1"/>
+</td>
+</tr>
+<!--PAGE FOOTER-->
+<tr>
+<td colspan="2">
+<div align="center">
+<font color="#525D76" size="-1">
+<em>
+ Copyright © 1999-2010, The Apache Software Foundation
+ <br/>
+ "Apache", the Apache feather, and the Apache Tomcat logo are
+ trademarks of the Apache Software Foundation for our open source
+ software.
+ </em>
+</font>
+</div>
+</td>
+</tr>
+</table>
+</body>
+</html>
Propchange: tomcat/site/trunk/docs/security-7.html
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: tomcat/site/trunk/docs/security-7.html
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision
Modified: tomcat/site/trunk/docs/security.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=908918&r1=908917&r2=908918&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security.html (original)
+++ tomcat/site/trunk/docs/security.html Thu Feb 11 10:40:47 2010
@@ -205,24 +205,24 @@
are available:</p>
<ul>
<li>
-<a href="security-6.html">Apache Tomcat 6.x Security Vulnerabilitites
+<a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities
</a>
</li>
<li>
-<a href="security-5.html">Apache Tomcat 5.x Security Vulnerabilitites
+<a href="security-6.html">Apache Tomcat 6.x Security Vulnerabilities
</a>
</li>
<li>
-<a href="security-4.html">Apache Tomcat 4.x Security Vulnerabilitites
+<a href="security-5.html">Apache Tomcat 5.x Security Vulnerabilities
</a>
</li>
<li>
<a href="security-jk.html">Apache Tomcat JK Connectors Security
- Vulnerabilitites</a>
+ Vulnerabilities</a>
</li>
<li>
<a href="security-native.html">Apache Tomcat APR/native Connector Security
- Vulnerabilitites</a>
+ Vulnerabilities</a>
</li>
</ul>
@@ -230,7 +230,11 @@
be downloaded from the archives are also available:</p>
<ul>
<li>
-<a href="security-3.html">Apache Tomcat 3.x Security Vulnerabilitites
+<a href="security-4.html">Apache Tomcat 4.x Security Vulnerabilities
+ </a>
+</li>
+ <li>
+<a href="security-3.html">Apache Tomcat 3.x Security Vulnerabilities
</a>
</li>
</ul>
Added: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=908918&view=auto
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (added)
+++ tomcat/site/trunk/xdocs/security-7.xml Thu Feb 11 10:40:47 2010
@@ -0,0 +1,65 @@
+<?xml version="1.0"?>
+<document>
+
+ <properties>
+ <author>Apache Tomcat Project</author>
+ <title>Apache Tomcat 6.x vulnerabilities</title>
+ </properties>
+
+<body>
+
+ <section name="Apache Tomcat 7.x vulnerabilities">
+ <p>This page lists all security vulnerabilities fixed in released versions
+ of Apache Tomcat 7.x. Each vulnerability is given a
+ <a href="security-impact.html">security impact rating</a> by the Apache
+ Tomcat security team - please note that this rating may vary from
+ platform to platform. We also list the versions of Apache Tomcat the
flaw
+ is known to affect, and where a flaw has not been verified list the
+ version with a question mark.</p>
+
+ <p>Please send comments or corrections for these vulnerabilities to the
+ <a href="mailto:[email protected]";>Tomcat Security
Team</a>.</p>
+
+ <p><i>Note: Apache Tomcat 7.0.0 has yet to be released.</i></p>
+ </section>
+
+ <section name="Not a vulnerability in Tomcat">
+
+ <p><strong>moderate: TLS SSL Man In The Middle</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555";>
+ CVE-2009-3555</a></p>
+
+ <p>A vulnerability exists in the TLS protocol that allows an attacker to
+ inject arbitrary requests into an TLS stream during renegotiation.</p>
+
+ <p>The TLS implementation used by Tomcat varies with connector. The
blocking
+ IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation
+ provided by the JVM. The APR/native connector uses OpenSSL.</p>
+
+ <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
+ To workaround this until a fix is available in JSSE, use the connector
+ attribute <code>allowUnsafeLegacyRenegotiation</code>. It should be set
+ to <code>false</code> (the default) to protect against this
+ vulnerability.</p>
+
+ <p>The NIO connector is not vulnerable as it does not support
+ renegotiation.</p>
+
+ <p>The APR/native workarounds are detailed on the
+ <a href="security-native.html">APR/native connector security page</a>.
+ </p>
+
+ <p>Users should be aware that the impact of disabling renegotiation will
+ vary with both application and client. In some circumstances disabling
+ renegotiation may result in some clients being unable to access the
+ application.</p>
+
+ <p>This was worked-around in
+ <a href="http://svn.apache.org/viewvc?rev=882320&view=rev";>
+ revision 891292</a>.</p>
+
+ </section>
+
+</body>
+</document>
+
Propchange: tomcat/site/trunk/xdocs/security-7.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: tomcat/site/trunk/xdocs/security-7.xml
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision
Modified: tomcat/site/trunk/xdocs/security.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security.xml?rev=908918&r1=908917&r2=908918&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security.xml (original)
+++ tomcat/site/trunk/xdocs/security.xml Thu Feb 11 10:40:47 2010
@@ -25,22 +25,24 @@
<p>Lists of security problems fixed in released versions of Apache Tomcat
are available:</p>
<ul>
- <li><a href="security-6.html">Apache Tomcat 6.x Security Vulnerabilitites
+ <li><a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities
</a></li>
- <li><a href="security-5.html">Apache Tomcat 5.x Security Vulnerabilitites
+ <li><a href="security-6.html">Apache Tomcat 6.x Security Vulnerabilities
</a></li>
- <li><a href="security-4.html">Apache Tomcat 4.x Security Vulnerabilitites
+ <li><a href="security-5.html">Apache Tomcat 5.x Security Vulnerabilities
</a></li>
<li><a href="security-jk.html">Apache Tomcat JK Connectors Security
- Vulnerabilitites</a></li>
+ Vulnerabilities</a></li>
<li><a href="security-native.html">Apache Tomcat APR/native Connector
Security
- Vulnerabilitites</a></li>
+ Vulnerabilities</a></li>
</ul>
<p>Lists of security problems fixed in versions of Apache Tomcat that may
be downloaded from the archives are also available:</p>
<ul>
- <li><a href="security-3.html">Apache Tomcat 3.x Security Vulnerabilitites
+ <li><a href="security-4.html">Apache Tomcat 4.x Security Vulnerabilities
+ </a></li>
+ <li><a href="security-3.html">Apache Tomcat 3.x Security Vulnerabilities
</a></li>
</ul>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
![http://www.apache.org/images/asf-logo.gif"](http://www.apache.org/images/asf-logo.gif"){kind=link}