Author: markt
Date: Mon Jun 27 09:30:59 2011
New Revision: 1140074
URL: http://svn.apache.org/viewvc?rev=1140074&view=rev
Log:
Updates for CVE-2011-2204
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
Modified: tomcat/site/trunk/docs/security-5.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Jun 27 09:30:59 2011
@@ -215,6 +215,9 @@
<a href="#Apache_Tomcat_5.x_vulnerabilities">Apache Tomcat 5.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_5.5.34_(not_yet_released)">Fixed in Apache
Tomcat 5.5.34 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_5.5.32">Fixed in Apache Tomcat 5.5.32</a>
</li>
<li>
@@ -334,6 +337,58 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 5.5.34 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_5.5.34_(not_yet_released)">
+<strong>Fixed in Apache Tomcat 5.5.34 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204";>
+ CVE-2011-2204</a>
+</p>
+
+ <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+ creating users via JMX, an exception during the user creation process
may
+ trigger an error message in the JMX client that includes the user's
+ password. This error message is also written to the Tomcat logs. User
+ passwords are visible to administrators with JMX access and/or
+ administrators with read access to the tomcat-users.xml file. Users that
+ do not have these permissions but are able to read log files may be able
+ to discover a user's password.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1140072&view=rev";>
+ revision 1140072</a>.</p>
+
+ <p>This was identified by Polina Genova on 14 June 2011 and
+ made public on 27 June 2011.</p>
+
+ <p>Affects: 5.5.0-5.5.33</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 5.5.32">
<!--()-->
</a>
Modified: tomcat/site/trunk/docs/security-6.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Jun 27 09:30:59 2011
@@ -215,6 +215,9 @@
<a href="#Apache_Tomcat_6.x_vulnerabilities">Apache Tomcat 6.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)">Fixed in Apache
Tomcat 6.0.33 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_6.0.32">Fixed in Apache Tomcat 6.0.32</a>
</li>
<li>
@@ -310,6 +313,58 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 6.0.33 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)">
+<strong>Fixed in Apache Tomcat 6.0.33 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204";>
+ CVE-2011-2204</a>
+</p>
+
+ <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+ creating users via JMX, an exception during the user creation process
may
+ trigger an error message in the JMX client that includes the user's
+ password. This error message is also written to the Tomcat logs. User
+ passwords are visible to administrators with JMX access and/or
+ administrators with read access to the tomcat-users.xml file. Users that
+ do not have these permissions but are able to read log files may be able
+ to discover a user's password.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1140071&view=rev";>
+ revision 1140071</a>.</p>
+
+ <p>This was identified by Polina Genova on 14 June 2011 and
+ made public on 27 June 2011.</p>
+
+ <p>Affects: 6.0.0-6.0.32</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.32">
<!--()-->
</a>
Modified: tomcat/site/trunk/docs/security-7.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Jun 27 09:30:59 2011
@@ -215,6 +215,9 @@
<a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.17_(not_yet_released)">Fixed in Apache
Tomcat 7.0.17 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_7.0.14_(released_12_May_2011)">Fixed in
Apache Tomcat 7.0.14 (released 12 May 2011)</a>
</li>
<li>
@@ -293,6 +296,58 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 7.0.17 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_7.0.17_(not_yet_released)">
+<strong>Fixed in Apache Tomcat 7.0.17 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204";>
+ CVE-2011-2204</a>
+</p>
+
+ <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+ creating users via JMX, an exception during the user creation process
may
+ trigger an error message in the JMX client that includes the user's
+ password. This error message is also written to the Tomcat logs. User
+ passwords are visible to administrators with JMX access and/or
+ administrators with read access to the tomcat-users.xml file. Users that
+ do not have these permissions but are able to read log files may be able
+ to discover a user's password.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1140070&view=rev";>
+ revision 1140070</a>.</p>
+
+ <p>This was identified by Polina Genova on 14 June 2011 and
+ made public on 27 June 2011.</p>
+
+ <p>Affects: 7.0.0-7.0.16</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 7.0.14 (released 12 May 2011)">
<!--()-->
</a>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Jun 27 09:30:59 2011
@@ -46,6 +46,32 @@
</section>
-->
+ <section name="Fixed in Apache Tomcat 5.5.34 (not yet released)">
+
+ <p><strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204";>
+ CVE-2011-2204</a></p>
+
+ <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+ creating users via JMX, an exception during the user creation process
may
+ trigger an error message in the JMX client that includes the user's
+ password. This error message is also written to the Tomcat logs. User
+ passwords are visible to administrators with JMX access and/or
+ administrators with read access to the tomcat-users.xml file. Users that
+ do not have these permissions but are able to read log files may be able
+ to discover a user's password.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1140072&view=rev";>
+ revision 1140072</a>.</p>
+
+ <p>This was identified by Polina Genova on 14 June 2011 and
+ made public on 27 June 2011.</p>
+
+ <p>Affects: 5.5.0-5.5.33</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 5.5.32" rtext="released 1 Feb 2011">
<p><strong>low: Cross-site scripting</strong>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Jun 27 09:30:59 2011
@@ -30,6 +30,32 @@
</section>
+ <section name="Fixed in Apache Tomcat 6.0.33 (not yet released)">
+
+ <p><strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204";>
+ CVE-2011-2204</a></p>
+
+ <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+ creating users via JMX, an exception during the user creation process
may
+ trigger an error message in the JMX client that includes the user's
+ password. This error message is also written to the Tomcat logs. User
+ passwords are visible to administrators with JMX access and/or
+ administrators with read access to the tomcat-users.xml file. Users that
+ do not have these permissions but are able to read log files may be able
+ to discover a user's password.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1140071&view=rev";>
+ revision 1140071</a>.</p>
+
+ <p>This was identified by Polina Genova on 14 June 2011 and
+ made public on 27 June 2011.</p>
+
+ <p>Affects: 6.0.0-6.0.32</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 6.0.32" rtext="released 03 Feb 2011">
<p><i>Note: The issue below was fixed in Apache Tomcat 6.0.31 but the
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1140074&r1=1140073&r2=1140074&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Jun 27 09:30:59 2011
@@ -25,6 +25,32 @@
<a href="mailto:secur...@tomcat.apache.org";>Tomcat Security
Team</a>.</p>
</section>
+ <section name="Fixed in Apache Tomcat 7.0.17 (not yet released)">
+
+ <p><strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204";>
+ CVE-2011-2204</a></p>
+
+ <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and
+ creating users via JMX, an exception during the user creation process
may
+ trigger an error message in the JMX client that includes the user's
+ password. This error message is also written to the Tomcat logs. User
+ passwords are visible to administrators with JMX access and/or
+ administrators with read access to the tomcat-users.xml file. Users that
+ do not have these permissions but are able to read log files may be able
+ to discover a user's password.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1140070&view=rev";>
+ revision 1140070</a>.</p>
+
+ <p>This was identified by Polina Genova on 14 June 2011 and
+ made public on 27 June 2011.</p>
+
+ <p>Affects: 7.0.0-7.0.16</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.14 (released 12 May 2011)">
<p><strong>Important: Security constraint bypass</strong>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
