svn commit: r1836400 - in /tomcat/site/trunk: docs/security-native.html xdocs/security-native.xml
Author: jfclere Date: Sat Jul 21 09:04:53 2018 New Revision: 1836400 URL: http://svn.apache.org/viewvc?rev=1836400&view=rev Log: Add the CVE fixed in 1.2.17 Modified: tomcat/site/trunk/docs/security-native.html tomcat/site/trunk/xdocs/security-native.xml Modified: tomcat/site/trunk/docs/security-native.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-native.html?rev=1836400&r1=1836399&r2=1836400&view=diff == --- tomcat/site/trunk/docs/security-native.html (original) +++ tomcat/site/trunk/docs/security-native.html Sat Jul 21 09:04:53 2018 @@ -222,6 +222,9 @@ Apache Tomcat APR/native Connector vulnerabilities +Fixed in Apache Tomcat Native Connector 1.2.17 + + Fixed in Apache Tomcat Native Connector 1.2.16 
@@ -255,6 +258,48 @@ +Fixed in Apache Tomcat Native Connector 1.2.17 + + + + +Moderate: Mishandled OCSP invalid response + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8019"; rel="nofollow">CVE-2018-8019 + + +When using an OCSP responder Tomcat Native did not correctly handle + invalid responses. This allowed for revoked client certificates to + be incorrectly identified. It was therefore possible for users to + authenticate with revoked certificates when using mutual TLS. + + +This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1832832";>1832832. + + +Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 + + + +Important: Mishandled OCSP responses can allow clients to + authenticate with revoked certificates + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8020"; rel="nofollow">CVE-2018-8020 + + + +Apache Tomcat Native has a flaw that does not properly check OCSP + pre-produced responses, which are lists (multiple entries) of + certificate statuses. Subsequently, revoked client certificates may not be + properly identified, allowing for users to authenticate with revoked + certicates to connections that require mutual TLS. + + +This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1832863";>1832863. + + +Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 + + + Fixed in Apache Tomcat Native Connector 1.2.16 Modified: tomcat/site/trunk/xdocs/security-native.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-native.xml?rev=1836400&r1=1836399&r2=1836400&view=diff == --- tomcat/site/trunk/xdocs/security-native.xml (original) +++ tomcat/site/trunk/xdocs/security-native.xml Sat Jul 21 09:04:53 2018 
@@ -32,6 +32,35 @@ + + +Moderate: Mishandled OCSP invalid response + CVE-2018-8019 +When using an OCSP responder Tomcat Native did not correctly handle + invalid responses. This allowed for revoked client certificates to + be incorrectly identified. It was therefore possible for users to + authenticate with revoked certificates when using mutual TLS. + +This was fixed in revision 1832832. + +Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 + +Important: Mishandled OCSP responses can allow clients to + authenticate with revoked certificates + CVE-2018-8020 + +Apache Tomcat Native has a flaw that does not properly check OCSP + pre-produced responses, which are lists (multiple entries) of + certificate statuses. Subsequently, revoked client certificates may not be + properly identified, allowing for users to authenticate with revoked + certicates to connections that require mutual TLS. + +This was fixed in revision 1832863. + +Affects: 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 + + + Note: The issue below was fixed in Apache Tomcat Native Connector - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
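Review bot: the CVE-2018-8020 entry in the security-native.html hunk at @@ -255 misspells "certificates" in "allowing for users to authenticate with revoked certicates to connections that require mutual TLS"; the same sentence is added to xdocs/security-native.xml in this commit, so correct it in both files so the HTML and its XML source stay in sync.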
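Review bot: the security-native.xml hunk at @@ -32 carries the same "certicates" typo in the CVE-2018-8020 description and should read "certificates". The two new entries also give only the fixed revision and the affected range; consider adding the dates the issue was reported and announced, as the per-CVE entries in security-9.xml do, so readers can tell when the fix became public.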
[SECURITY] CVE-2018-8019 Apache Tomcat Native Connector - Mishandled OCSP invalid response
CVE-2018-8019 Apache Tomcat Native Connector - Mishandled OCSP invalid response

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 1.2.0 to 1.2.16
Apache Tomcat Native 1.1.23 to 1.1.34

Description:
When using an OCSP responder Tomcat Native did not correctly handle invalid
responses. This allowed for revoked client certificates to be incorrectly
identified. It was therefore possible for users to authenticate with revoked
certificates when using mutual TLS.

Users not using OCSP checks are not affected by this vulnerability.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 1.2.17 or later

Note: This version was included in Apache Tomcat 9.0.10 onwards, 8.5.32
onwards, 8.0.53 onwards and 7.0.90 onwards.

History:
2018-03-09 Original advisory

References:
[1] http://tomcat.apache.org/security-native.html
[SECURITY] CVE-2018-8020 Apache Tomcat Native Connector - Mishandled OCSP responses can allow clients to authenticate with revoked certificates
CVE-2018-8020 Apache Tomcat Native Connector - Mishandled OCSP responses can
allow clients to authenticate with revoked certificates

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 1.2.0 to 1.2.16
Apache Tomcat Native 1.1.23 to 1.1.34

Description:
Apache Tomcat Native has a flaw that does not properly check OCSP pre-produced
responses, which are lists (multiple entries) of certificate statuses.
Subsequently, revoked client certificates may not be properly identified,
allowing for users to authenticate with revoked certificates to connections
that require mutual TLS.

Users not using OCSP checks are not affected by this vulnerability.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 1.2.17 or later

Note: This version was included in Apache Tomcat 9.0.10 onwards, 8.5.32
onwards, 8.0.53 onwards and 7.0.90 onwards.

History:
2018-03-09 Original advisory

References:
[1] http://tomcat.apache.org/security-native.html
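The two advisories above describe two ways a server can get the OCSP decision wrong when validating a client certificate: treating an invalid response as if it said nothing about revocation (CVE-2018-8019), and looking at only one entry of a pre-produced response that lists several certificate statuses (CVE-2018-8020). The following is an added example, not tomcat-native code and not the actual patched logic: a simplified Python model of the RFC 6960 response structure with a "vulnerable" decision function that models those two failure modes beside a fail-closed "hardened" one that matches the entry by CertID and checks freshness. The dataclasses, the MAX_SKEW value and the sample responses are all constructed for the example.

```python
# Added example: a model of the accept/reject decision a TLS server makes from
# an OCSP response for a client certificate. Not tomcat-native code; the data
# model is a simplified stand-in for the ASN.1 structures of RFC 6960.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# OCSPResponseStatus values from RFC 6960, section 4.2.1.
SUCCESSFUL, MALFORMED_REQUEST, INTERNAL_ERROR, TRY_LATER = 0, 1, 2, 3
SIG_REQUIRED, UNAUTHORIZED = 5, 6

# CertStatus alternatives from RFC 6960, section 4.2.1.
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

# Tolerated clock skew for thisUpdate/nextUpdate (assumed value for the example).
MAX_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class CertID:
    """Identifies the certificate a SingleResponse is about."""
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass
class SingleResponse:
    cert_id: CertID
    status: str
    this_update: datetime
    next_update: Optional[datetime] = None


@dataclass
class OCSPResponse:
    response_status: int
    # A pre-produced response may carry the status of many certificates.
    responses: List[SingleResponse] = field(default_factory=list)


def vulnerable_accepts(resp: OCSPResponse, cert_id: CertID) -> bool:
    """Models the flawed logic described in the advisories: responseStatus is
    ignored, the CertID is never matched, and only the first entry is read."""
    if not resp.responses:
        return True  # an invalid or empty response "says nothing about revocation"
    return resp.responses[0].status != REVOKED


def hardened_accepts(resp: OCSPResponse, cert_id: CertID,
                     now: Optional[datetime] = None) -> bool:
    """Fail-closed check: accept only if a successful response holds a fresh
    entry for exactly this CertID and that entry says 'good'."""
    now = now or datetime.now(timezone.utc)
    if resp.response_status != SUCCESSFUL:
        return False  # tryLater, unauthorized, malformedRequest ... all reject
    for single in resp.responses:
        if single.cert_id != cert_id:
            continue  # status of some other certificate; keep looking
        if single.this_update > now + MAX_SKEW:
            return False  # produced in the future: clock problem or replay
        if single.next_update is not None and single.next_update < now - MAX_SKEW:
            return False  # stale: the responder no longer vouches for it
        return single.status == GOOD  # 'revoked' and 'unknown' both reject
    return False  # no entry for this certificate at all


# Constructed sample data (not from any real CA or responder).
ISSUER = (b"\x11" * 20, b"\x22" * 20)
CLIENT = CertID(*ISSUER, serial=0x1001)
OTHER = CertID(*ISSUER, serial=0x1002)
T0 = datetime(2018, 7, 21, 9, 0, tzinfo=timezone.utc)


def sample_multi_entry_response() -> OCSPResponse:
    """Pre-produced response: another certificate first, the client's (revoked) second."""
    return OCSPResponse(SUCCESSFUL, [
        SingleResponse(OTHER, GOOD, T0, T0 + timedelta(days=1)),
        SingleResponse(CLIENT, REVOKED, T0, T0 + timedelta(days=1)),
    ])


def sample_invalid_response() -> OCSPResponse:
    """The responder refused to answer; it carries no certificate statuses."""
    return OCSPResponse(TRY_LATER)


def sample_good_response() -> OCSPResponse:
    return OCSPResponse(SUCCESSFUL, [
        SingleResponse(CLIENT, GOOD, T0, T0 + timedelta(days=1)),
    ])


def sample_stale_response() -> OCSPResponse:
    """Says 'good', but nextUpdate has already passed."""
    return OCSPResponse(SUCCESSFUL, [
        SingleResponse(CLIENT, GOOD, T0 - timedelta(days=3), T0 - timedelta(days=2)),
    ])


if __name__ == "__main__":
    for name, resp in [("multi-entry, revoked", sample_multi_entry_response()),
                       ("invalid (tryLater)", sample_invalid_response()),
                       ("good", sample_good_response()),
                       ("stale", sample_stale_response())]:
        print(f"{name:22} vulnerable={vulnerable_accepts(resp, CLIENT)!s:5} "
              f"hardened={hardened_accepts(resp, CLIENT, now=T0)}")
```

Running the script shows the two functions disagreeing on exactly the cases the advisories name: the multi-entry response and the invalid response are both accepted by the vulnerable logic and rejected by the hardened one. The design point is that revocation checking only protects mutual TLS if every path that is not a fresh, matching "good" answer ends in rejection.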
[Bug 60762] Enhancement: Add support for runtime SNI changes in tomcat-embed
https://bz.apache.org/bugzilla/show_bug.cgi?id=60762

--- Comment #19 from Mark Thomas ---
The Tomcat community does not use Bugzilla as a user support forum. Questions
relating to the usage of Apache Tomcat are very unlikely to receive an answer
here and should be directed to the Apache Tomcat users mailing list.

--
You are receiving this mail because:
You are the assignee for the bug.
Re: JDK 11 is now in Rampdown Phase one
Hi Chris,

Please do let us know how your testing goes, if you find bugs we want to know
about them as early as possible. I'm out next week but Muneer will be glad to
help.

Rgds, Rory

On 20/07/2018 22:22, Christopher Schultz wrote:
> Rory,
>
> On 7/2/18 5:33 AM, Rory O'Donnell wrote:
>> Since our last email the following JEPs have been targeted to JDK 11 :
>> * [...]
>> * 332: Transport Layer Security (TLS) 1.3
>
> /me claps enthusiastically! I'll be very happy to start playing around
> with this.
>
> -chris

--
Rgds, Rory O'Donnell
Quality Engineering Manager
Oracle EMEA, Dublin, Ireland
[Bug 62559] New: Add "jaxb-*.jar" to tomcat.util.scan.StandardJarScanFilter.jarsToSkip
https://bz.apache.org/bugzilla/show_bug.cgi?id=62559

Bug ID: 62559
Summary: Add "jaxb-*.jar" to tomcat.util.scan.StandardJarScanFilter.jarsToSkip
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: 1983-01...@gmx.net
Target Milestone:

Unfortunately, Glassfish JAXB JARs contain "Class-Path" manifest entries. They
shall be excluded to have JAXB RI JARs available once per VM via common loader
for all apps.
[Bug 62560] New: Add "oraclepki.jar" to tomcat.util.scan.StandardJarScanFilter.jarsToSkip
https://bz.apache.org/bugzilla/show_bug.cgi?id=62560

Bug ID: 62560
Summary: Add "oraclepki.jar" to tomcat.util.scan.StandardJarScanFilter.jarsToSkip
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: 1983-01...@gmx.net
Target Milestone:

This JAR is part of the Oracle Wallet implementation for the JDBC driver.
Unfortunately, it contains a "Class-Path" manifest entry which refers to other
JARs in ORACLE_HOME. They shall be excluded to have ojdbc.jar as well as Wallet
support available once per VM via common loader for all apps.
[Bug 62560] Add "oraclepki.jar" to tomcat.util.scan.StandardJarScanFilter.jarsToSkip
https://bz.apache.org/bugzilla/show_bug.cgi?id=62560

--- Comment #1 from Michael Osipov <1983-01...@gmx.net> ---
A typical use case is:

  resource="${oracle.home}/jdbc/lib/ojdbc6.jar" />
  resource="${oracle.home}/jlib/oraclepki.jar" />
  resource="${oracle.home}/jlib/osdt_cert.jar" />
  resource="${oracle.home}/jlib/osdt_core.jar" />
[Bug 62561] New: class-loader-howto.html does not mention server.loader and shared.loader from catalina.properties
https://bz.apache.org/bugzilla/show_bug.cgi?id=62561

Bug ID: 62561
Summary: class-loader-howto.html does not mention server.loader and
shared.loader from catalina.properties
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: dev@tomcat.apache.org
Reporter: 1983-01...@gmx.net
Target Milestone:

Just stumbled upon this in our custom config: up to Tomcat 9, server.loader
and shared.loader are still loaded by the Bootstrap class, but they are not
documented in the aforementioned documentation file. To avoid confusion for
the user, both class loaders should be documented, or it should be mentioned
that they are obsolete.
svn commit: r1836420 - in /tomcat/site/trunk: docs/security-9.html xdocs/security-9.xml
Author: jfclere Date: Sun Jul 22 06:51:36 2018 New Revision: 1836420 URL: http://svn.apache.org/viewvc?rev=1836420&view=rev Log: Add the missing fixed CVE. Modified: tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-9.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1836420&r1=1836419&r2=1836420&view=diff == --- tomcat/site/trunk/docs/security-9.html (original) +++ tomcat/site/trunk/docs/security-9.html Sun Jul 22 06:51:36 2018 @@ -222,9 +222,15 @@ Apache Tomcat 9.x vulnerabilities +Fixed in Apache Tomcat 9.0.10 + + Fixed in Apache Tomcat 9.0.9 +Fixed in Apache Tomcat 9.0.8 + + Fixed in Apache Tomcat 9.0.5 @@ -312,6 +318,53 @@ + +25 June 2018 Fixed in Apache Tomcat 9.0.10 + + + + +Low: host name verification missing in WebSocket client + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034"; rel="nofollow">CVE-2018-8034 + + + +The host name verification when using TLS with the WebSocket client was + missing. It is now enabled by default. + + +This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1833757";>1833757. + + +This issue was reported publicly on 11 June 2018 and formally announced as + a vulnerability on 22 July 2018. + + +Affects: 9.0.0.M1 to 9.0.9 + + + +Important: Due to a mishandling of close in NIO/NIO2 connectors user + sessions can get mixed up + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8037"; rel="nofollow">CVE-2018-8037 + + + +A bug in the tracking of connection closures can lead to reuse of user + sessions in a new connection + + +This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1833906";>1833906. + + +This issue was reported to the Apache Tomcat Security Team by Dmitry + Treskunov on 16 June 2018 and made public on 22 July 2018. + + +Affects: 9.0.0.M9 to 9.0.9 + + + not yet released Fixed in Apache Tomcat 9.0.9 
@@ -338,6 +391,33 @@ + +3 May 2018 Fixed in Apache Tomcat 9.0.8 + + + + +Important: A bug in the UTF-8 decoder can lead to DoS + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336"; rel="nofollow">CVE-2018-1336 + + + +An improper handing of overflow in the UTF-8 decoder with + supplementary characters can lead to an infinite loop in the + decoder causing a Denial of Service. + + +This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1830373";>1830373. + + +This issue was reported publicly on 6 April 2018 and formally announced as + a vulnerability on 22 July 2018. + + +Affects: 9.0.0.M1 to 9.0.7 + + + 11 February 2018 Fixed in Apache Tomcat 9.0.5 Modified: tomcat/site/trunk/xdocs/security-9.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1836420&r1=1836419&r2=1836420&view=diff == --- tomcat/site/trunk/xdocs/security-9.xml (original) +++ tomcat/site/trunk/xdocs/security-9.xml Sun Jul 22 06:51:36 2018 @@ -50,6 +50,36 @@ + + +Low: host name verification missing in WebSocket client + CVE-2018-8034 + +The host name verification when using TLS with the WebSocket client was + missing. It is now enabled by default. + +This was fixed in revision 1833757. + +This issue was reported publicly on 11 June 2018 and formally announced as + a vulnerability on 22 July 2018. + +Affects: 9.0.0.M1 to 9.0.9 + +Important: Due to a mishandling of close in NIO/NIO2 connectors user + sessions can get mixed up + CVE-2018-8037 + +A bug in the tracking of connection closures can lead to reuse of user + sessions in a new connection + +This was fixed in revision 1833906. + +This issue was reported to the Apache Tomcat Security Team by Dmitry + Treskunov on 16 June 2018 and made public on 22 July 2018. + +Affects: 9.0.0.M9 to 9.0.9 + + Low: CORS filter has insecure defaults 
@@ -68,6 +98,24 @@ + + +Important: A bug in the UTF-8 decoder can lead to DoS + CVE-2018-1336 + +An improper handing of overflow in the UTF-8 decoder with + supplementary characters can lead to an infinite loop in the + decoder causing a Denial of Service. + +This was fixed in revision 1830373. + +This issue was reported publicly on 6 April 2018 and formally announced as + a vulnerability on 22 July 2018. + +Affects: 9.0.0.M1 to 9.0.7 + + + Important: Security constraint annotations applied too - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
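Review bot: in the security-9.html hunk at @@ -312, the CVE-2018-8037 description "A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection" is missing its terminating full stop, unlike every other description paragraph in this file; add it (the same sentence is added to security-9.xml in this commit, so fix both).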
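Review bot: the security-9.html hunk at @@ -338 has a typo in the CVE-2018-1336 description, "An improper handing of overflow in the UTF-8 decoder", which should read "handling"; correct it together with the matching xml entry so the generated page and its source agree.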
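Review bot: the security-9.xml hunk at @@ -50 repeats the unterminated CVE-2018-8037 sentence "can lead to reuse of user sessions in a new connection"; end it with a full stop here in the source so the HTML does not need a separate hand edit.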
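Review bot: the security-9.xml hunk at @@ -68 carries the same "improper handing of overflow" typo as the HTML for CVE-2018-1336 and should read "improper handling of overflow".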