Author: markt
Date: Mon Nov 5 22:57:58 2012
New Revision: 1406003

URL: http://svn.apache.org/viewvc?rev=1406003&view=rev
Log:
Publish details of two security vulnerabilities:
CVE-2012-2733 Apache Tomcat Denial of Service
CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

Modified: tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1406003&r1=1406002&r2=1406003&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Mon Nov 5 22:57:58 2012 @@ -198,6 +198,9 @@ <a href="#Apache_Tomcat_5.x_vulnerabilities">Apache Tomcat 5.x vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_5.5.36">Fixed in Apache Tomcat 5.5.36</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_5.5.35">Fixed in Apache Tomcat 5.5.35</a> </li> <li> 
@@ -341,6 +344,66 @@ </table> <table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> +<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 5.5.36"> +<!--()--></a><a name="Fixed_in_Apache_Tomcat_5.5.36"><strong>Fixed in Apache Tomcat 5.5.36</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 10 Oct 2012</strong></font></td> +</tr> +<tr> +<td colspan="2"> +<p> +<blockquote> + + +<p> +<strong>Moderate: DIGEST authentication weakness</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439" rel="nofollow">CVE-2012-3439</a> +</p> + + +<p>Three weaknesses in Tomcat's implementation of DIGEST authentication + were identified and resolved: + </p> + +<ol> + +<li>Tomcat tracked client rather than server nonces and nonce count.</li> + +<li>When a session ID was present, authentication was bypassed.</li> + +<li>The user name and password were not checked before when indicating + that a nonce was stale.</li> + +</ol> + +<p> + These issues reduced the security of DIGEST authentication making + replay attacks possible in some circumstances. + </p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1392248">1392248</a>.</p> + + +<p>The first issue was reported by Tilmann Kuhn to the Tomcat security team + on 19 July 2012. The second and third issues were discovered by the + Tomcat security team during the resulting code review. 
All three issues + were made public on 5 November 2012.</p> + + +<p>Affects: 5.5.0-5.5.35</p> + + +</blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br> +</td> +</tr> +</table> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> <td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 5.5.35"> <!--()--></a><a name="Fixed_in_Apache_Tomcat_5.5.35"><strong>Fixed in Apache Tomcat 5.5.35</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 16 Jan 2012</strong></font></td> </tr> Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1406003&r1=1406002&r2=1406003&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Mon Nov 5 22:57:58 2012 @@ -198,6 +198,9 @@ <a href="#Apache_Tomcat_6.x_vulnerabilities">Apache Tomcat 6.x vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_6.0.36">Fixed in Apache Tomcat 6.0.36</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_6.0.35">Fixed in Apache Tomcat 6.0.35</a> </li> <li> 
@@ -316,6 +319,89 @@ </table> <table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> +<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 6.0.36"> +<!--()--></a><a name="Fixed_in_Apache_Tomcat_6.0.36"><strong>Fixed in Apache Tomcat 6.0.36</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 19 Oct 2012</strong></font></td> +</tr> +<tr> +<td colspan="2"> +<p> +<blockquote> + + +<p> +<strong>Important: Denial of service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733" rel="nofollow">CVE-2012-2733</a> +</p> + + +<p>The checks that limited the permitted size of request headers were + implemented too late in the request parsing process for the HTTP NIO + connector. This enabled a malicious user to trigger an + OutOfMemoryError by sending a single request with very large headers. + </p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1356208">1356208</a>.</p> + + +<p>This was reported by Josh Spiewak to the Tomcat security team on 4 June + 2012 and made public on 5 November 2012.</p> + + +<p>Affects: 6.0.0-6.0.35</p> + + +<p> +<strong>Moderate: DIGEST authentication weakness</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439" rel="nofollow">CVE-2012-3439</a> +</p> + + +<p>Three weaknesses in Tomcat's implementation of DIGEST authentication + were identified and resolved: + </p> + +<ol> + +<li>Tomcat tracked client rather than server nonces and nonce count.</li> + +<li>When a session ID was present, authentication was bypassed.</li> + +<li>The user name and password were not checked before when indicating + that a nonce was stale.</li> + +</ol> + +<p> + These issues reduced the security of DIGEST authentication making + replay attacks possible in some circumstances. 
+ </p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1380829">1380829</a>.</p> + + +<p>The first issue was reported by Tilmann Kuhn to the Tomcat security team + on 19 July 2012. The second and third issues were discovered by the + Tomcat security team during the resulting code review. All three issues + were made public on 5 November 2012.</p> + + +<p>Affects: 6.0.0-6.0.35</p> + + +</blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br> +</td> +</tr> +</table> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> <td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 6.0.35"> <!--()--></a><a name="Fixed_in_Apache_Tomcat_6.0.35"><strong>Fixed in Apache Tomcat 6.0.35</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 5 Dec 2011</strong></font></td> </tr> Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1406003&r1=1406002&r2=1406003&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Mon Nov 5 22:57:58 2012 @@ -198,6 +198,12 @@ <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_7.0.30">Fixed in Apache Tomcat 7.0.30</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_7.0.28">Fixed in Apache Tomcat 7.0.28</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_7.0.23">Fixed in Apache Tomcat 7.0.23</a> </li> <li> 
@@ -315,6 +321,110 @@ </table> <table border="0" cellspacing="0" cellpadding="2" width="100%"> <tr> +<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.30"> +<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.30"><strong>Fixed in Apache Tomcat 7.0.30</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 6 Sep 2012</strong></font></td> +</tr> +<tr> +<td colspan="2"> +<p> +<blockquote> + + +<p> +<strong>Moderate: DIGEST authentication weakness</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3439" rel="nofollow">CVE-2012-3439</a> +</p> + + +<p>Three weaknesses in Tomcat's implementation of DIGEST authentication + were identified and resolved: + </p> + +<ol> + +<li>Tomcat tracked client rather than server nonces and nonce count.</li> + +<li>When a session ID was present, authentication was bypassed.</li> + +<li>The user name and password were not checked before when indicating + that a nonce was stale.</li> + +</ol> + +<p> + These issues reduced the security of DIGEST authentication making + replay attacks possible in some circumstances. + </p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1377807">1377807</a>.</p> + + +<p>The first issue was reported by Tilmann Kuhn to the Tomcat security team + on 19 July 2012. The second and third issues were discovered by the + Tomcat security team during the resulting code review. 
All three issues + were made public on 5 November 2012.</p> + + +<p>Affects: 7.0.0-7.0.29</p> + + +</blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br> +</td> +</tr> +</table> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> +<td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.28"> +<!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.28"><strong>Fixed in Apache Tomcat 7.0.28</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 19 Jun 2012</strong></font></td> +</tr> +<tr> +<td colspan="2"> +<p> +<blockquote> + + +<p> +<strong>Important: Denial of service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733" rel="nofollow">CVE-2012-2733</a> +</p> + + +<p>The checks that limited the permitted size of request headers were + implemented too late in the request parsing process for the HTTP NIO + connector. This enabled a malicious user to trigger an + OutOfMemoryError by sending a single request with very large headers. 
+ </p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1350301">1350301</a>.</p> + + +<p>This was reported by Josh Spiewak to the Tomcat security team on 4 June + 2012 and made public on 5 November 2012.</p> + + +<p>Affects: 7.0.0-7.0.27</p> + + +</blockquote> +</p> +</td> +</tr> +<tr> +<td> +<br> +</td> +</tr> +</table> +<table border="0" cellspacing="0" cellpadding="2" width="100%"> +<tr> <td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica,sanserif"><a name="Fixed in Apache Tomcat 7.0.23"> <!--()--></a><a name="Fixed_in_Apache_Tomcat_7.0.23"><strong>Fixed in Apache Tomcat 7.0.23</strong></a></font></td><td align="right" bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><strong>released 25 Nov 2011</strong></font></td> </tr> Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1406003&r1=1406002&r2=1406003&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Mon Nov 5 22:57:58 2012 
@@ -64,6 +64,36 @@ </section> --> + <section name="Fixed in Apache Tomcat 5.5.36" rtext="released 10 Oct 2012"> + + <p><strong>Moderate: DIGEST authentication weakness</strong> + <cve>CVE-2012-3439</cve></p> + + <p>Three weaknesses in Tomcat's implementation of DIGEST authentication + were identified and resolved: + </p> + <ol> + <li>Tomcat tracked client rather than server nonces and nonce count.</li> + <li>When a session ID was present, authentication was bypassed.</li> + <li>The user name and password were not checked before when indicating + that a nonce was stale.</li> + </ol> + <p> + These issues reduced the security of DIGEST authentication making + replay attacks possible in some circumstances. + </p> + + <p>This was fixed in revision <revlink rev="1392248">1392248</revlink>.</p> + + <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team + on 19 July 2012. The second and third issues were discovered by the + Tomcat security team during the resulting code review. All three issues + were made public on 5 November 2012.</p> + + <p>Affects: 5.5.0-5.5.35</p> + + </section> + <section name="Fixed in Apache Tomcat 5.5.35" rtext="released 16 Jan 2012"> <p><strong>Important: Denial of service</strong> Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1406003&r1=1406002&r2=1406003&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Mon Nov 5 22:57:58 2012 
@@ -48,6 +48,52 @@ </section> + + <section name="Fixed in Apache Tomcat 6.0.36" rtext="released 19 Oct 2012"> + + <p><strong>Important: Denial of service</strong> + <cve>CVE-2012-2733</cve></p> + + <p>The checks that limited the permitted size of request headers were + implemented too late in the request parsing process for the HTTP NIO + connector. This enabled a malicious user to trigger an + OutOfMemoryError by sending a single request with very large headers. + </p> + + <p>This was fixed in revision <revlink rev="1356208">1356208</revlink>.</p> + + <p>This was reported by Josh Spiewak to the Tomcat security team on 4 June + 2012 and made public on 5 November 2012.</p> + + <p>Affects: 6.0.0-6.0.35</p> + + <p><strong>Moderate: DIGEST authentication weakness</strong> + <cve>CVE-2012-3439</cve></p> + + <p>Three weaknesses in Tomcat's implementation of DIGEST authentication + were identified and resolved: + </p> + <ol> + <li>Tomcat tracked client rather than server nonces and nonce count.</li> + <li>When a session ID was present, authentication was bypassed.</li> + <li>The user name and password were not checked before when indicating + that a nonce was stale.</li> + </ol> + <p> + These issues reduced the security of DIGEST authentication making + replay attacks possible in some circumstances. + </p> + + <p>This was fixed in revision <revlink rev="1380829">1380829</revlink>.</p> + + <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team + on 19 July 2012. The second and third issues were discovered by the + Tomcat security team during the resulting code review. 
All three issues + were made public on 5 November 2012.</p> + + <p>Affects: 6.0.0-6.0.35</p> + + </section> <section name="Fixed in Apache Tomcat 6.0.35" rtext="released 5 Dec 2011"> Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1406003&r1=1406002&r2=1406003&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Mon Nov 5 22:57:58 2012 
@@ -50,6 +50,56 @@ </section> + <section name="Fixed in Apache Tomcat 7.0.30" rtext="released 6 Sep 2012"> + + <p><strong>Moderate: DIGEST authentication weakness</strong> + <cve>CVE-2012-3439</cve></p> + + <p>Three weaknesses in Tomcat's implementation of DIGEST authentication + were identified and resolved: + </p> + <ol> + <li>Tomcat tracked client rather than server nonces and nonce count.</li> + <li>When a session ID was present, authentication was bypassed.</li> + <li>The user name and password were not checked before when indicating + that a nonce was stale.</li> + </ol> + <p> + These issues reduced the security of DIGEST authentication making + replay attacks possible in some circumstances. + </p> + + <p>This was fixed in revision <revlink rev="1377807">1377807</revlink>.</p> + + <p>The first issue was reported by Tilmann Kuhn to the Tomcat security team + on 19 July 2012. The second and third issues were discovered by the + Tomcat security team during the resulting code review. All three issues + were made public on 5 November 2012.</p> + + <p>Affects: 7.0.0-7.0.29</p> + + </section> + + <section name="Fixed in Apache Tomcat 7.0.28" rtext="released 19 Jun 2012"> + + <p><strong>Important: Denial of service</strong> + <cve>CVE-2012-2733</cve></p> + + <p>The checks that limited the permitted size of request headers were + implemented too late in the request parsing process for the HTTP NIO + connector. This enabled a malicious user to trigger an + OutOfMemoryError by sending a single request with very large headers. 
+ </p> + + <p>This was fixed in revision <revlink rev="1350301">1350301</revlink>.</p> + + <p>This was reported by Josh Spiewak to the Tomcat security team on 4 June + 2012 and made public on 5 November 2012.</p> + + <p>Affects: 7.0.0-7.0.27</p> + + </section> + <section name="Fixed in Apache Tomcat 7.0.23" rtext="released 25 Nov 2011"> <p><strong>Important: Denial of service</strong> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
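Review bot: In the security-5.html hunk (@@ -341,6 +344,66 @@) the added right-hand header cell uses face="arial,helvetica.sanserif", with a period where the left-hand cell of the same row has face="arial,helvetica,sanserif". The unchanged 5.5.35 row in the trailing context carries the same value, as do the added header rows in security-6.html and security-7.html, so the correction probably belongs wherever these rows are produced rather than in this commit alone.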
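Review bot: The third DIGEST list item in the security-5.xml hunk (@@ -64,6 +64,36 @@) reads "were not checked before when indicating that a nonce was stale"; "before when" is ungrammatical and leaves the order of the two checks unclear. Suggest "were not checked before indicating that a nonce was stale". The same sentence is added in security-6.xml, security-7.xml and the three docs/*.html files, so each copy needs the same correction.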
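Review bot: The CVE-2012-2733 entry added in the security-6.xml hunk (@@ -48,6 +48,52 @@) names only "the HTTP NIO connector" and does not say whether deployments on other connectors are unaffected, or whether anything short of upgrading helps. One sentence stating the scope explicitly, plus a mitigation line if one exists, would let readers judge exposure from "Affects: 6.0.0-6.0.35" without reading revision 1356208. The same applies to the 7.0.28 entry in security-7.xml.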
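Review bot: In the security-7.xml hunk (@@ -50,6 +50,56 @@), list item 2, "When a session ID was present, authentication was bypassed", reads as an unconditional bypass, while the closing paragraph says replay was possible only "in some circumstances" and the entry is rated Moderate. A short qualifier on item 2 stating under which conditions a session ID had this effect would reconcile the two.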