Author: markt Date: Sun Jul 21 08:23:20 2013 New Revision: 1505299 URL: http://svn.apache.org/r1505299 Log: Clarify what was fixed for CVE-2007-1358
Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-4.xml tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-4.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=1505299&r1=1505298&r2=1505299&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-4.html (original) +++ tomcat/site/trunk/docs/security-4.html Sun Jul 21 08:23:20 2013 @@ -785,9 +785,12 @@ the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious - Flash files to make requests with such custom headers. Tomcat now ignores - invalid values for Accept-Language headers that do not conform to RFC - 2616.</p> + Flash files to make requests with such custom headers. When generating + the response for <code>getLocale()</code> and <code>getLocales()</code>, + Tomcat now ignores values for Accept-Language headers that do not conform + to RFC 2616. Applications that use the raw header values directly should + not assume that the headers conform to RFC 2616 and should filter the + values appropriately.</p> <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p> Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1505299&r1=1505298&r2=1505299&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Sun Jul 21 08:23:20 2013 
@@ -1528,9 +1528,12 @@ the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious - Flash files to make requests with such custom headers. Tomcat now ignores - invalid values for Accept-Language headers that do not conform to RFC - 2616.</p> + Flash files to make requests with such custom headers. When generating + the response for <code>getLocale()</code> and <code>getLocales()</code>, + Tomcat now ignores values for Accept-Language headers that do not conform + to RFC 2616. Applications that use the raw header values directly should + not assume that the headers conform to RFC 2616 and should filter the + values appropriately.</p> <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.20</p> Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1505299&r1=1505298&r2=1505299&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Sun Jul 21 08:23:20 2013 
@@ -1838,9 +1838,12 @@ the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious - Flash files to make requests with such custom headers. Tomcat now ignores - invalid values for Accept-Language headers that do not conform to RFC - 2616.</p> + Flash files to make requests with such custom headers. When generating + the response for <code>getLocale()</code> and <code>getLocales()</code>, + Tomcat now ignores values for Accept-Language headers that do not conform + to RFC 2616. Applications that use the raw header values directly should + not assume that the headers conform to RFC 2616 and should filter the + values appropriately.</p> <p>Affects: 6.0.0-6.0.5</p> Modified: tomcat/site/trunk/xdocs/security-4.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=1505299&r1=1505298&r2=1505299&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-4.xml (original) +++ tomcat/site/trunk/xdocs/security-4.xml Sun Jul 21 08:23:20 2013 
@@ -325,9 +325,12 @@ the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious - Flash files to make requests with such custom headers. Tomcat now ignores - invalid values for Accept-Language headers that do not conform to RFC - 2616.</p> + Flash files to make requests with such custom headers. When generating + the response for <code>getLocale()</code> and <code>getLocales()</code>, + Tomcat now ignores values for Accept-Language headers that do not conform + to RFC 2616. Applications that use the raw header values directly should + not assume that the headers conform to RFC 2616 and should filter the + values appropriately.</p> <p>Affects: 4.0.0-4.0.6, 4.1.0-4.1.34</p> </section> Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1505299&r1=1505298&r2=1505299&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Sun Jul 21 08:23:20 2013 
@@ -750,9 +750,12 @@ the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious - Flash files to make requests with such custom headers. Tomcat now ignores - invalid values for Accept-Language headers that do not conform to RFC - 2616.</p> + Flash files to make requests with such custom headers. When generating + the response for <code>getLocale()</code> and <code>getLocales()</code>, + Tomcat now ignores values for Accept-Language headers that do not conform + to RFC 2616. Applications that use the raw header values directly should + not assume that the headers conform to RFC 2616 and should filter the + values appropriately.</p> <p>Affects: 5.0.0-5.0.30, 5.5.0-5.5.20</p> </section> Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1505299&r1=1505298&r2=1505299&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Sun Jul 21 08:23:20 2013 
@@ -941,9 +941,12 @@ the Accept-Language header value conforms to RFC 2616. Under normal circumstances this would not be possible to exploit, however older versions of Flash player were known to allow carefully crafted malicious - Flash files to make requests with such custom headers. Tomcat now ignores - invalid values for Accept-Language headers that do not conform to RFC - 2616.</p> + Flash files to make requests with such custom headers. When generating + the response for <code>getLocale()</code> and <code>getLocales()</code>, + Tomcat now ignores values for Accept-Language headers that do not conform + to RFC 2616. Applications that use the raw header values directly should + not assume that the headers conform to RFC 2616 and should filter the + values appropriately.</p> <p>Affects: 6.0.0-6.0.5</p> </section> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
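Review bot: The new sentence "Applications that use the raw header values directly should not assume that the headers conform to RFC 2616" (identical in all six hunks, the generated `docs/*.html` and the `xdocs/*.xml` sources) would be clearer if it named the access path it means, e.g. `getHeader("Accept-Language")` / `getHeaders("Accept-Language")`, so readers do not assume the new filtering applied in `getLocale()` / `getLocales()` also covers the raw header accessors; the scoping of the fix to those two methods is the substantive clarification here and the raw-access caveat should be equally explicit. Consider also stating what "filter the values appropriately" means in practice (validate against the RFC 2616 language-tag syntax before echoing a value into a response), since the advisory gives no hint of the expected format.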