Author: markt
Date: Tue Aug 16 12:53:02 2011
New Revision: 1158247

URL: http://svn.apache.org/viewvc?rev=1158247&view=rev
Log:
Update now patch has been applied to 5.5.x

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/xdocs/security-5.xml

Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1158247&r1=1158246&r2=1158247&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Tue Aug 16 12:53:02 2011
@@ -355,42 +355,6 @@
 <blockquote>
 
     <p>
-<strong>Low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526"; 
rel="nofollow">CVE-2011-2526</a>
-</p>
-
-    <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
-       connectors. sendfile is used automatically for content served via the
-       DefaultServlet and deployed web applications may use it directly via
-       setting request attributes. These request attributes were not validated.
-       When running under a security manager, this lack of validation allowed a
-       malicious web application to do one or more of the following that would
-       normally be prevented by a security manager:
-       <ul>
-         <li>return files to users that the security manager should make
-             inaccessible</li>
-         <li>terminate (via a crash) the JVM</li>
-       </ul>
-       Additionally, these vulnerabilities only occur when all of the following
-       are true:
-       <ul>
-         <li>untrusted web applications are being used</li>
-         <li>the SecurityManager is used to limit the untrusted web 
applications
-             </li>
-         <li>the HTTP NIO or HTTP APR connector is used</li>
-         <li>sendfile is enabled for the connector (this is the default)</li>
-       </ul>
-    </p>
-
-    <p>There is a <a 
href="http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc5.patch";>
-       proposed patch</a> for this issue.</p>
-
-    <p>This was identified by the Tomcat security team on 7 July 2011 and
-       made public on 13 July 2011.</p>
-
-    <p>Affects: 5.5.0-5.5.33</p>
-
-    <p>
 <strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729"; 
rel="nofollow">CVE-2011-2729</a>
 </p>
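Review bot: this hunk is not a pure move. The deleted entry reads "HTTP NIO and HTTP APR connectors" and "the HTTP NIO or HTTP APR connector is used", while the entry re-added at the end of the same section reads "HTTP APR connector" only, so the list of affected connectors is narrowed as part of the relocation. The log message ("Update now patch has been applied to 5.5.x") says nothing about that, and a delete-plus-readd hides the wording change from anyone reading the diff. Either edit the entry in place so the connector change shows up as a one-line change, or state the narrowing (and why it applies to 5.5.x) in the log.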
@@ -468,6 +432,43 @@
 
     <p>Affects: 5.5.0-5.5.33</p>
   
+    <p>
+<strong>Low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526"; 
rel="nofollow">CVE-2011-2526</a>
+</p>
+
+    <p>Tomcat provides support for sendfile with the HTTP APR
+       connector. sendfile is used automatically for content served via the
+       DefaultServlet and deployed web applications may use it directly via
+       setting request attributes. These request attributes were not validated.
+       When running under a security manager, this lack of validation allowed a
+       malicious web application to do one or more of the following that would
+       normally be prevented by a security manager:
+       <ul>
+         <li>return files to users that the security manager should make
+             inaccessible</li>
+         <li>terminate (via a crash) the JVM</li>
+       </ul>
+       Additionally, these vulnerabilities only occur when all of the following
+       are true:
+       <ul>
+         <li>untrusted web applications are being used</li>
+         <li>the SecurityManager is used to limit the untrusted web 
applications
+             </li>
+         <li>the HTTP APR connector is used</li>
+         <li>sendfile is enabled for the connector (this is the default)</li>
+       </ul>
+    </p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1158244&amp;view=rev";>
+       revision 1158244</a>.</p>
+
+    <p>This was identified by the Tomcat security team on 7 July 2011 and
+       made public on 13 July 2011.</p>
+
+    <p>Affects: 5.5.0-5.5.33</p>
+
   </blockquote>
 </p>
 </td>
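Review bot: the CVE anchor in this entry is written as `<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526"; rel="nofollow">` with a stray `";` after the closing quote of the href, and the same pattern appears on the existing CVE-2011-2729 link in the context lines. If that sequence is literally in the committed file rather than a mail-archive artifact, the `;` is not part of any attribute and will be emitted as text or confuse the attribute parser; the revision link a few lines later (`href="http://svn.apache.org/viewvc?rev=1158244&amp;view=rev"`) shows the intended form. Since docs/security-5.html is the rendered output of xdocs/security-5.xml, check the generated file after a fresh build rather than hand-editing it.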

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1158247&r1=1158246&r2=1158247&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Tue Aug 16 12:53:02 2011
@@ -48,41 +48,6 @@
 
   <section name="To be fixed in Apache Tomcat 5.5.34 (not yet released)">
 
-    <p><strong>Low: Information disclosure</strong>
-       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526";
-       rel="nofollow">CVE-2011-2526</a></p>
-
-    <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR
-       connectors. sendfile is used automatically for content served via the
-       DefaultServlet and deployed web applications may use it directly via
-       setting request attributes. These request attributes were not validated.
-       When running under a security manager, this lack of validation allowed a
-       malicious web application to do one or more of the following that would
-       normally be prevented by a security manager:
-       <ul>
-         <li>return files to users that the security manager should make
-             inaccessible</li>
-         <li>terminate (via a crash) the JVM</li>
-       </ul>
-       Additionally, these vulnerabilities only occur when all of the following
-       are true:
-       <ul>
-         <li>untrusted web applications are being used</li>
-         <li>the SecurityManager is used to limit the untrusted web 
applications
-             </li>
-         <li>the HTTP NIO or HTTP APR connector is used</li>
-         <li>sendfile is enabled for the connector (this is the default)</li>
-       </ul>
-    </p>
-
-    <p>There is a <a 
href="http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc5.patch";>
-       proposed patch</a> for this issue.</p>
-
-    <p>This was identified by the Tomcat security team on 7 July 2011 and
-       made public on 13 July 2011.</p>
-
-    <p>Affects: 5.5.0-5.5.33</p>
-
     <p><strong>Important: Information disclosure</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729";
        rel="nofollow">CVE-2011-2729</a></p>
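Review bot: dropping the "proposed patch" link (`http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc5.patch`) removes the only pointer to something a 5.5.33 administrator can apply today, while the enclosing section is still "To be fixed in Apache Tomcat 5.5.34 (not yet released)". The re-added entry links the fix revision instead, which is the right long-term reference, but until 5.5.34 ships a reader has to reconstruct the patch from the revision. Consider keeping the patch link next to the revision link for the duration of the "not yet released" state and removing it when the entry moves to a "Fixed in" section.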
@@ -135,6 +100,42 @@
 
     <p>Affects: 5.5.0-5.5.33</p>
   
+    <p><strong>Low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526";
+       rel="nofollow">CVE-2011-2526</a></p>
+
+    <p>Tomcat provides support for sendfile with the HTTP APR
+       connector. sendfile is used automatically for content served via the
+       DefaultServlet and deployed web applications may use it directly via
+       setting request attributes. These request attributes were not validated.
+       When running under a security manager, this lack of validation allowed a
+       malicious web application to do one or more of the following that would
+       normally be prevented by a security manager:
+       <ul>
+         <li>return files to users that the security manager should make
+             inaccessible</li>
+         <li>terminate (via a crash) the JVM</li>
+       </ul>
+       Additionally, these vulnerabilities only occur when all of the following
+       are true:
+       <ul>
+         <li>untrusted web applications are being used</li>
+         <li>the SecurityManager is used to limit the untrusted web 
applications
+             </li>
+         <li>the HTTP APR connector is used</li>
+         <li>sendfile is enabled for the connector (this is the default)</li>
+       </ul>
+    </p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=1158244&amp;view=rev";>
+       revision 1158244</a>.</p>
+
+    <p>This was identified by the Tomcat security team on 7 July 2011 and
+       made public on 13 July 2011.</p>
+
+    <p>Affects: 5.5.0-5.5.33</p>
+
   </section>
 
   <section name="Fixed in Apache Tomcat 5.5.32" rtext="released 1 Feb 2011">
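Review bot: the entry nests two `<ul>` lists directly inside the `<p>` that starts at `<p>Tomcat provides support for sendfile with the HTTP APR` and is closed by the `</p>` after the second list. A `<ul>` is not permitted inside `<p>` in HTML; browsers will implicitly close the paragraph at the first `<ul>`, which leaves the trailing `</p>` unmatched in the generated docs/security-5.html. This is the source file, so fix it here: close the paragraph before each list (`...normally be prevented by a security manager:</p>`, then `<ul>...</ul>`, then `<p>Additionally, ...`) and regenerate the HTML. The same structure was present in the deleted block, so this is a pre-existing problem carried along by the move, but the move is a convenient moment to correct it.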


