Author: markt
Date: Fri Aug 12 13:19:44 2011
New Revision: 1157093

URL: http://svn.apache.org/viewvc?rev=1157093&view=rev
Log:
Update site for CVE-2011-2481

Modified:
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1157093&r1=1157092&r2=1157093&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Fri Aug 12 13:19:44 2011
@@ -415,11 +415,11 @@
     <p>Affects: 7.0.0-7.0.18</p>
   
     <p>
-<i>Note: The issue below was fixed in Apache Tomcat 7.0.17 but the
+<i>Note: The issues below were fixed in Apache Tomcat 7.0.17 but the
        release votes for the 7.0.17 and 7.0.18 release candidates did not pass.
        Therefore, although users must download 7.0.19 to obtain a version that
-       includes a fix for this issue, versions 7.0.17 and 7.0.18 is not 
included
-       in the list of affected versions.</i>
+       includes a fix for these issues, versions 7.0.17 and 7.0.18 are not
+       included in the list of affected versions.</i>
 </p>
 
     <p>
@@ -445,6 +445,31 @@
 
     <p>Affects: 7.0.0-7.0.16</p>
   
+    <p>
+<strong>Low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2481"; 
rel="nofollow">CVE-2011-2481</a>
+</p>
+
+    <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
+       vulnerability previously reported as
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783"; 
rel="nofollow">CVE-2009-0783</a>. This was initially
+       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395";>
+       reported</a> as a memory leak. If a web application is the first web
+       application loaded, this bugs allows that web application to potentially
+       view and/or alter the web.xml, context.xml and tld files of other web
+       applications deployed on the Tomcat instance.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1137753&amp;view=rev";>
+       revision 1137753</a> and
+       <a href="http://svn.apache.org/viewvc?rev=1138788&amp;view=rev";>
+       revision 1138788</a> and .</p>
+
+    <p>This was identified by the Tomcat security team on 20 June 2011 and
+       made public on 12 August 2011.</p>
+
+    <p>Affects: 7.0.0-7.0.16</p>
+  
   </blockquote>
 </p>
 </td>
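Review bot: the "This was fixed in" paragraph ends with "revision 1138788</a> and .", a dangling conjunction that reads as if a further revision link was meant to follow; either add the missing link or end the sentence after revision 1138788. In the description paragraph, "this bugs allows" should be "this bug allows". Both should be corrected before the advisory text is published, since readers use the revision list to find the fix.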

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1157093&r1=1157092&r2=1157093&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Fri Aug 12 13:19:44 2011
@@ -102,11 +102,11 @@
 
     <p>Affects: 7.0.0-7.0.18</p>
   
-    <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.17 but the
+    <p><i>Note: The issues below were fixed in Apache Tomcat 7.0.17 but the
        release votes for the 7.0.17 and 7.0.18 release candidates did not pass.
        Therefore, although users must download 7.0.19 to obtain a version that
-       includes a fix for this issue, versions 7.0.17 and 7.0.18 is not 
included
-       in the list of affected versions.</i></p>
+       includes a fix for these issues, versions 7.0.17 and 7.0.18 are not
+       included in the list of affected versions.</i></p>
 
     <p><strong>Low: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204";
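Review bot: "The issues below" in the reworded note is positional, and the note sits directly under an entry whose line reads "Affects: 7.0.0-7.0.18", so a reader can take the statement that 7.0.17 and 7.0.18 "are not included in the list of affected versions" as contradicting the line just above it. Now that the note covers more than one entry, consider naming the entries it applies to (CVE-2011-2204 and the CVE-2011-2481 entry added in this commit) instead of relying on "below".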
@@ -130,6 +130,31 @@
 
     <p>Affects: 7.0.0-7.0.16</p>
   
+    <p><strong>Low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2481";
+       rel="nofollow">CVE-2011-2481</a></p>
+
+    <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
+       vulnerability previously reported as
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783";
+       rel="nofollow">CVE-2009-0783</a>. This was initially
+       <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395";>
+       reported</a> as a memory leak. If a web application is the first web
+       application loaded, this bugs allows that web application to potentially
+       view and/or alter the web.xml, context.xml and tld files of other web
+       applications deployed on the Tomcat instance.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1137753&amp;view=rev";>
+       revision 1137753</a> and
+       <a href="http://svn.apache.org/viewvc?rev=1138788&amp;view=rev";>
+       revision 1138788</a> and .</p>
+
+    <p>This was identified by the Tomcat security team on 20 June 2011 and
+       made public on 12 August 2011.</p>
+
+    <p>Affects: 7.0.0-7.0.16</p>
+  
   </section>
 
   <section name="Fixed in Apache Tomcat 7.0.14 (released 12 May 2011)">
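Review bot: the new entry is titled "Low: Information disclosure", but its description says the first web application loaded can "view and/or alter" the web.xml, context.xml and tld files of other web applications, which is more than disclosure. Either reflect the alteration in the title or add a sentence explaining why the entry is still classed as information disclosure. The same wording problems as in the HTML copy are present here: "this bugs allows" and the trailing "revision 1138788</a> and ." in the fix paragraph.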


