Author: kkolinko
Date: Sun Sep 25 16:10:59 2011
New Revision: 1175421
URL: http://svn.apache.org/viewvc?rev=1175421&view=rev
Log:
Mention when support for RFC 5746 was added.
As far as I am reading Tomcat-Navive changelog,
it does not have implementation for this new renegotiation protocol.
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
Modified: tomcat/site/trunk/docs/security-5.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Sun Sep 25 16:10:59 2011
@@ -1745,6 +1745,22 @@
that provided the new <code>allowUnsafeLegacyRenegotiation</code>
attribute. This work around is included in Tomcat 5.5.29 onwards.</p>
+ <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+ have this security issue:</p>
+
+ <ul>
+ <li>For connectors using JSSE implementation provided by JVM:
+ Added in Tomcat 5.5.33.<br/>
+ Requires JRE that supports RFC 5746. For Oracle JRE that is
+ <a rel="nofollow"
href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html";>known</a>
+ to be 6u22 or later.
+ </li>
+ <li>For connectors using APR and OpenSSL:<br/>
+ Not implemented. See
+ <a href="security-native.html">APR/native connector security page</a>.
+ </li>
+ </ul>
+
<p>
<strong>important: Directory traversal</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938";
rel="nofollow">CVE-2008-2938</a>
Modified: tomcat/site/trunk/docs/security-6.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Sun Sep 25 16:10:59 2011
@@ -1547,7 +1547,23 @@
<a href="http://svn.apache.org/viewvc?view=rev&rev=891292";>revision
891292</a>
that provided the new <code>allowUnsafeLegacyRenegotiation</code>
attribute. This work around is included in Tomcat 6.0.21 onwards.</p>
-
+
+ <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+ have this security issue:</p>
+
+ <ul>
+ <li>For connectors using JSSE implementation provided by JVM:
+ Added in Tomcat 6.0.32.<br/>
+ Requires JRE that supports RFC 5746. For Oracle JRE that is
+ <a rel="nofollow"
href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html";>known</a>
+ to be 6u22 or later.
+ </li>
+ <li>For connectors using APR and OpenSSL:<br/>
+ Not implemented. See
+ <a href="security-native.html">APR/native connector security page</a>.
+ </li>
+ </ul>
+
<p>
<strong>important: Directory traversal</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938";
rel="nofollow">CVE-2008-2938</a>
Modified: tomcat/site/trunk/docs/security-7.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Sun Sep 25 16:10:59 2011
@@ -1091,6 +1091,22 @@
<p>This was worked-around in
<a href="http://svn.apache.org/viewvc?view=rev&rev=882320";>revision
891292</a>.</p>
+ <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+ have this security issue:</p>
+
+ <ul>
+ <li>For connectors using JSSE implementation provided by JVM:
+ Added in Tomcat 7.0.8.<br/>
+ Requires JRE that supports RFC 5746. For Oracle JRE that is
+ <a rel="nofollow"
href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html";>known</a>
+ to be 6u22 or later.
+ </li>
+ <li>For connectors using APR and OpenSSL:<br/>
+ Not implemented. See
+ <a href="security-native.html">APR/native connector security page</a>.
+ </li>
+ </ul>
+
</blockquote>
</p>
</td>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Sun Sep 25 16:10:59 2011
@@ -814,6 +814,23 @@
that provided the new <code>allowUnsafeLegacyRenegotiation</code>
attribute. This work around is included in Tomcat 5.5.29 onwards.</p>
+ <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+ have this security issue:</p>
+
+ <ul>
+ <li>For connectors using JSSE implementation provided by JVM:
+ Added in Tomcat 5.5.33.<br />
+ Requires JRE that supports RFC 5746. For Oracle JRE that is
+ <a rel="nofollow"
+
href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html";>known</a>
+ to be 6u22 or later.
+ </li>
+ <li>For connectors using APR and OpenSSL:<br />
+ Not implemented. See
+ <a href="security-native.html">APR/native connector security page</a>.
+ </li>
+ </ul>
+
<p><strong>important: Directory traversal</strong>
<cve>CVE-2008-2938</cve></p>
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Sun Sep 25 16:10:59 2011
@@ -760,7 +760,24 @@
<revlink rev="891292">revision 891292</revlink>
that provided the new <code>allowUnsafeLegacyRenegotiation</code>
attribute. This work around is included in Tomcat 6.0.21 onwards.</p>
-
+
+ <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+ have this security issue:</p>
+
+ <ul>
+ <li>For connectors using JSSE implementation provided by JVM:
+ Added in Tomcat 6.0.32.<br />
+ Requires JRE that supports RFC 5746. For Oracle JRE that is
+ <a rel="nofollow"
+
href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html";>known</a>
+ to be 6u22 or later.
+ </li>
+ <li>For connectors using APR and OpenSSL:<br />
+ Not implemented. See
+ <a href="security-native.html">APR/native connector security page</a>.
+ </li>
+ </ul>
+
<p><strong>important: Directory traversal</strong>
<cve>CVE-2008-2938</cve></p>
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1175421&r1=1175420&r2=1175421&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Sun Sep 25 16:10:59 2011
@@ -437,6 +437,23 @@
<p>This was worked-around in
<revlink rev="882320">revision 891292</revlink>.</p>
+ <p>Support for the new TLS renegotiation protocol (RFC 5746) that does not
+ have this security issue:</p>
+
+ <ul>
+ <li>For connectors using JSSE implementation provided by JVM:
+ Added in Tomcat 7.0.8.<br />
+ Requires JRE that supports RFC 5746. For Oracle JRE that is
+ <a rel="nofollow"
+
href="http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html";>known</a>
+ to be 6u22 or later.
+ </li>
+ <li>For connectors using APR and OpenSSL:<br />
+ Not implemented. See
+ <a href="security-native.html">APR/native connector security page</a>.
+ </li>
+ </ul>
+
</section>
</body>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
