security-7.xml

markt Mon, 22 Nov 2010 09:31:11 -0800

Author: markt
Date: Mon Nov 22 17:29:35 2010
New Revision: 1037784

URL: http://svn.apache.org/viewvc?rev=1037784&view=rev
Log:
Updates for CVE-2010-4172


Modified:
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-6.xml
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1037784&r1=1037783&r2=1037784&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Nov 22 17:29:35 2010
@@ -201,6 +201,9 @@
 <a href="#Apache_Tomcat_6.x_vulnerabilities">Apache Tomcat 6.x 
vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_SVN_for_Apache_Tomcat_6.0.30_(not_yet_released)">Fixed in 
SVN for Apache Tomcat 6.0.30 (not yet released)</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_6.0.28">Fixed in Apache Tomcat 6.0.28</a>
 </li>
 <li>
@@ -290,6 +293,50 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in SVN for Apache Tomcat 6.0.30 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_SVN_for_Apache_Tomcat_6.0.30_(not_yet_released)">
+<strong>Fixed in SVN for Apache Tomcat 6.0.30 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+  
+      <p>
+<strong>moderate: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172";>
+       CVE-2010-4172</a>
+</p>
+
+    <p>The Manager application used the user provided parameters sort and
+       orderBy directly without filtering thereby permitting cross-site
+       scripting.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1037779&amp;view=rev";>
+       revision 1037779</a>.</p>
+
+    <p>Affects: 6.0.12-6.0.29</p>
+  
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 6.0.28">
 <!--()-->
 </a>

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1037784&r1=1037783&r2=1037784&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Nov 22 17:29:35 2010
@@ -201,6 +201,9 @@
 <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x 
vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_SVN_for_Apache_Tomcat_7.0.5_(not_yet_released)">Fixed in 
SVN for Apache Tomcat 7.0.5 (not yet released)</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_7.0.2">Fixed in Apache Tomcat 7.0.2</a>
 </li>
 <li>
@@ -258,6 +261,51 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in SVN for Apache Tomcat 7.0.5 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_SVN_for_Apache_Tomcat_7.0.5_(not_yet_released)">
+<strong>Fixed in SVN for Apache Tomcat 7.0.5 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+  
+      <p>
+<strong>low: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172";>
+       CVE-2010-4172</a>
+</p>
+
+    <p>The Manager application used the user provided parameters sort and
+       orderBy directly without filtering thereby permitting cross-site
+       scripting. The CSRF protection, which is enabled by default, prevents an
+       attacker from exploiting this.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1037778&amp;view=rev";>
+       revision 1037778</a>.</p>
+
+    <p>Affects: 7.0.0-7.0.4</p>
+  
+  </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
 <a name="Fixed in Apache Tomcat 7.0.2">
 <!--()-->
 </a>

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1037784&r1=1037783&r2=1037784&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Nov 22 17:29:35 2010
@@ -30,6 +30,24 @@
 
   </section>
 
+  <section name="Fixed in SVN for Apache Tomcat 6.0.30 (not yet released)">
+  
+      <p><strong>moderate: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172";>
+       CVE-2010-4172</a></p>
+
+    <p>The Manager application used the user provided parameters sort and
+       orderBy directly without filtering thereby permitting cross-site
+       scripting.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1037779&amp;view=rev";>
+       revision 1037779</a>.</p>
+
+    <p>Affects: 6.0.12-6.0.29</p>
+  
+  </section>
+
   <section name="Fixed in Apache Tomcat 6.0.28">
   
     <p><strong>Important: Remote Denial Of Service and Information Disclosure

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1037784&r1=1037783&r2=1037784&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Nov 22 17:29:35 2010
@@ -25,6 +25,25 @@
        <a href="mailto:secur...@tomcat.apache.org";>Tomcat Security 
Team</a>.</p>
   </section>
 
+  <section name="Fixed in SVN for Apache Tomcat 7.0.5 (not yet released)">
+  
+      <p><strong>low: Cross-site scripting</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4172";>
+       CVE-2010-4172</a></p>
+
+    <p>The Manager application used the user provided parameters sort and
+       orderBy directly without filtering thereby permitting cross-site
+       scripting. The CSRF protection, which is enabled by default, prevents an
+       attacker from exploiting this.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1037778&amp;view=rev";>
+       revision 1037778</a>.</p>
+
+    <p>Affects: 7.0.0-7.0.4</p>
+  
+  </section>
+
   <section name="Fixed in Apache Tomcat 7.0.2">
   
     <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.1 but the



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1037784 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html xdocs/security-6.xml xdocs/security-7.xml

Reply via email to