2010/2/11 <ma...@apache.org>:
> Author: markt
> Date: Thu Feb 11 10:37:24 2010
> New Revision: 908917
>
> URL: http://svn.apache.org/viewvc?rev=908917&view=rev
> Log:
> Add a note on where to find the "not a vulnerability section"
> Add the missing severity and svn reference for CVE-2009-3555
> Remove the reference to CVE-2009-3555 from the fixed in 6.0.24 section to
> keep it consistent with the other non-Tomcat vulnerabilities
>
> Modified:
> tomcat/site/trunk/docs/security-6.html
> tomcat/site/trunk/xdocs/security-6.xml
>
> - <p><strong>Medium: SSL MITN</strong>
> - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">
> - CVE-2009-3555</a></p>
> -
> - <p>See Not a vulnerability in Tomcat below</p>
> -
> - <p>This was worked-around in
> - <a href="http://svn.apache.org/viewvc?rev=891292&view=rev">
> - revision 891292</a> and
> - <a href="http://svn.apache.org/viewvc?rev=881774&view=rev">
> - revision 881774</a>.</p>
> -
> - <p>Affects: 6.0.0-6.0.20</p>
> -
> -
> </section>
>
> + <p>This was worked-around in
> + <a href="http://svn.apache.org/viewvc?rev=891292&view=rev">
> + revision 881774</a>.</p>
> +

1. rev. 881774 is mentioned in the text, but the link points to rev. 891292.
Actually the fix is a combination of both those revisions (e.g. the
allowUnsafeLegacyRenegotiation field introduced in the first one is still
used in the second).

2. With this change there is now no information about which TC release
includes the workaround. It requires some experience to derive that from
revision numbers, though everyone can look in the changelog.

Best regards,
Konstantin Kolinko
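Review bot: In the added paragraph the anchor and its text disagree: the href points to rev=891292 while the visible link text reads "revision 881774". The removed block carried two separate anchors, one for revision 891292 and one for revision 881774, joined by "and"; restoring both anchors, or at least making the href and the link text name the same revision, would keep the reference correct. The removed block also stated "Affects: 6.0.0-6.0.20" and the "Medium" severity, neither of which the added paragraph restates, so a reader of this section can no longer see which releases the work-around applies to.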