Author: kkolinko
Date: Fri May 30 22:09:51 2014
New Revision: 1598761
URL: http://svn.apache.org/r1598761
Log:
Add CVE numbers, correct typos.
Modified:
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1598761&r1=1598760&r2=1598761&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri May 30 22:09:51 2014
@@ -153,8 +153,13 @@
Based on the patch provided by Nick Bunn. (violetagg/kkolinko)
</add>
<fix>
+ Fix CVE-2014-0119:
Only create XML parsing objects if required and fix associated
potential
- memory leak in the default Servlet. (markt)
+ memory leak in the default Servlet.
+ Extend XML factory, parser etc. memory leak protection to cover some
+ additional locations where, theoretically, a memory leak could occur.
+ Ensure that a TLD parser obtained from the cache has the correct value
+ of <code>blockExternal</code>. (markt)
</fix>
<fix>
Modify generic exception handling so that
@@ -171,15 +176,6 @@
patterns of the form <code>*.a.b</code> which are not valid patterns
for
extension mappings. (markt)
</add>
- <add>
- Extend XML factory, parser etc. memory leak protection to cover some
- additional locations where, theoretically, a memory leak could occur.
- (markt)
- </add>
- <fix>
- Ensure that a TLD parser obtained from the cache has the correct value
- of <code>blockExternal</code>. (markt)
- </fix>
<fix>
<bug>56441</bug>: Raise the visibility of exceptions thrown when a
problem is encountered calling a getter or setter on a component
@@ -460,6 +456,7 @@
new version. (markt)
</fix>
<fix>
+ Fix CVE-2014-0096:
Redefine the <code>globalXsltFile</code> initialisation parameter of
the
DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf.
Prevent user supplied XSLTs used by the DefaultServlet from defining
@@ -495,11 +492,13 @@
under heavy load. (markt)
</fix>
<fix>
+ Fix CVE-2014-0075:
Improve processing of chuck size from chunked headers. Avoid overflow
and use a bit shift instead of a multiplication as it is marginally
faster. (markt/kkolinko)
</fix>
<fix>
+ Fix CVE-2014-0099:
Fix possible overflow when parsing long values from a byte array.
(markt)
</fix>
@@ -3500,7 +3499,7 @@
<fix>
Remove the <code>socket.soTrafficClass</code> from the BIO and NIO
HTTP and AJP connectors because any use of the option is either ignored
- or in some cases (Java 7 with NIO) throws an Exception. (mark)
+ or in some cases (Java 7 with NIO) throws an Exception. (markt)
</fix>
<fix>
Prevent possible NPE when processing Comet requests during Connector
@@ -4520,7 +4519,7 @@
<fix>
<bug>52577</bug>: Fix a regression in the fix for <bug>52328</bug>.
Prevent output truncation when <code>reset()</code> is called on a
- response. (mark)
+ response. (markt)
</fix>
<fix>
<bug>52586</bug>: Remove an old and now unnecessary hack that modified
@@ -5638,7 +5637,7 @@
<changelog>
<fix>
<bug>51641</bug>: Use correct key when removing processor instances
from
- the connections map during clean-up. Patch provided by zhh. (mark)
+ the connections map during clean-up. Patch provided by zhh. (markt)
</fix>
<fix>
More changes to align the code between the different HTTP connectors.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
