Author: markt
Date: Sun Oct 1 18:10:45 2017
New Revision: 1810270
URL: http://svn.apache.org/viewvc?rev=1810270&view=rev
Log:
Add CVE-2017-12617
Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml
Modified: tomcat/site/trunk/docs/security-7.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Sun Oct 1 18:10:45 2017
@@ -218,6 +218,9 @@
<a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.82">Fixed in Apache Tomcat 7.0.82</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_7.0.81">Fixed in Apache Tomcat 7.0.81</a>
</li>
<li>
@@ -380,6 +383,38 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_7.0.82">
+<span style="float: right;">TBD October 2017</span> Fixed in Apache Tomcat
7.0.82</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Remote Code Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617";
rel="nofollow">CVE-2017-12617</a>
+</p>
+
+
+<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+ <code>readonly</code> initialisation parameter of the Default to false)
+ it was possible to upload a JSP file to the server via a specially
+ crafted request. This JSP could then be requested and any code it
+ contained would be executed by the server.</p>
+
+
+<p>This was fixed in revisions <a
href="http://svn.apache.org/viewvc?view=rev&rev=1809978";>1809978</a>,
+ <a
href="http://svn.apache.org/viewvc?view=rev&rev=1809992";>1809992</a>,
+ <a
href="http://svn.apache.org/viewvc?view=rev&rev=1810014";>1810014</a> and
+ <a
href="http://svn.apache.org/viewvc?view=rev&rev=1810026";>1810026</a>.</p>
+
+
+<p>This issue was first reported publicly followed by multiple reports to
+ the Apache Tomcat Security Team on 20 September 2017.</p>
+
+
+<p>Affects: 8.0.0.RC1 to 8.0.46</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_7.0.81">
<span style="float: right;">16 August 2017</span> Fixed in Apache Tomcat
7.0.81</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-8.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Sun Oct 1 18:10:45 2017
@@ -218,6 +218,12 @@
<a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_8.0.47">Fixed in Apache Tomcat 8.0.47</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_8.5.23">Fixed in Apache Tomcat 8.5.23</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_8.0.45">Fixed in Apache Tomcat 8.0.45</a>
</li>
<li>
@@ -344,6 +350,66 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.0.47">
+<span style="float: right;">TBD October 2017</span> Fixed in Apache Tomcat
8.0.47</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Remote Code Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617";
rel="nofollow">CVE-2017-12617</a>
+</p>
+
+
+<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+ <code>readonly</code> initialisation parameter of the Default to false)
+ it was possible to upload a JSP file to the server via a specially
+ crafted request. This JSP could then be requested and any code it
+ contained would be executed by the server.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1809921";>1809921</a>.</p>
+
+
+<p>This issue was first reported publicly followed by multiple reports to
+ the Apache Tomcat Security Team on 20 September 2017.</p>
+
+
+<p>Affects: 8.0.0.RC1 to 8.0.46</p>
+
+
+</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.5.23">
+<span style="float: right;">1 October 2017</span> Fixed in Apache Tomcat
8.5.23</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Remote Code Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617";
rel="nofollow">CVE-2017-12617</a>
+</p>
+
+
+<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+ <code>readonly</code> initialisation parameter of the Default to false)
+ it was possible to upload a JSP file to the server via a specially
+ crafted request. This JSP could then be requested and any code it
+ contained would be executed by the server.</p>
+
+
+<p>This was fixed in revisions <a
href="http://svn.apache.org/viewvc?view=rev&rev=1809673";>1809673</a>,
+ <a
href="http://svn.apache.org/viewvc?view=rev&rev=1809675";>1809675</a> and
+ <a
href="http://svn.apache.org/viewvc?view=rev&rev=1809896";>1809896</a>.</p>
+
+
+<p>This issue was first reported publicly followed by multiple reports to
+ the Apache Tomcat Security Team on 20 September 2017.</p>
+
+
+<p>Affects: 8.5.0 to 8.5.22</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_8.0.45">
<span style="float: right;">1 July 2017</span> Fixed in Apache Tomcat
8.0.45</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-9.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Sun Oct 1 18:10:45 2017
@@ -218,6 +218,9 @@
<a href="#Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_9.0.1">Fixed in Apache Tomcat 9.0.1</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_9.0.0.M22">Fixed in Apache Tomcat
9.0.0.M22</a>
</li>
<li>
@@ -296,6 +299,38 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_9.0.1">
+<span style="float: right;">30 September 2017</span> Fixed in Apache Tomcat
9.0.1</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Remote Code Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617";
rel="nofollow">CVE-2017-12617</a>
+</p>
+
+
+<p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+ <code>readonly</code> initialisation parameter of the Default to false)
+ it was possible to upload a JSP file to the server via a specially
+ crafted request. This JSP could then be requested and any code it
+ contained would be executed by the server.</p>
+
+
+<p>This was fixed in revisions <a
href="http://svn.apache.org/viewvc?view=rev&rev=1809669";>1809669</a>,
+ <a
href="http://svn.apache.org/viewvc?view=rev&rev=1809674";>1809674</a>,
+ <a
href="http://svn.apache.org/viewvc?view=rev&rev=1809684";>1809684</a> and
+ <a
href="http://svn.apache.org/viewvc?view=rev&rev=1809711";>1809711</a>.</p>
+
+
+<p>This issue was first reported publicly followed by multiple reports to
+ the Apache Tomcat Security Team on 20 September 2017.</p>
+
+
+<p>Affects: 9.0.0.M1 to 9.0.0</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_9.0.0.M22">
<span style="float: right;">26 June 2017</span> Fixed in Apache Tomcat
9.0.0.M22</h3>
<div class="text">
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Sun Oct 1 18:10:45 2017
@@ -50,6 +50,29 @@
</section>
+ <section name="Fixed in Apache Tomcat 7.0.82" rtext="TBD October 2017">
+
+ <p><strong>Important: Remote Code Execution</strong>
+ <cve>CVE-2017-12617</cve></p>
+
+ <p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+ <code>readonly</code> initialisation parameter of the Default to false)
+ it was possible to upload a JSP file to the server via a specially
+ crafted request. This JSP could then be requested and any code it
+ contained would be executed by the server.</p>
+
+ <p>This was fixed in revisions <revlink rev="1809978">1809978</revlink>,
+ <revlink rev="1809992">1809992</revlink>,
+ <revlink rev="1810014">1810014</revlink> and
+ <revlink rev="1810026">1810026</revlink>.</p>
+
+ <p>This issue was first reported publicly followed by multiple reports to
+ the Apache Tomcat Security Team on 20 September 2017.</p>
+
+ <p>Affects: 8.0.0.RC1 to 8.0.46</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.81" rtext="16 August 2017">
<p><strong>Important: Information Disclosure</strong>
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Sun Oct 1 18:10:45 2017
@@ -50,6 +50,48 @@
</section>
+ <section name="Fixed in Apache Tomcat 8.0.47" rtext="TBD October 2017">
+
+ <p><strong>Important: Remote Code Execution</strong>
+ <cve>CVE-2017-12617</cve></p>
+
+ <p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+ <code>readonly</code> initialisation parameter of the Default to false)
+ it was possible to upload a JSP file to the server via a specially
+ crafted request. This JSP could then be requested and any code it
+ contained would be executed by the server.</p>
+
+ <p>This was fixed in revision <revlink rev="1809921">1809921</revlink>.</p>
+
+ <p>This issue was first reported publicly followed by multiple reports to
+ the Apache Tomcat Security Team on 20 September 2017.</p>
+
+ <p>Affects: 8.0.0.RC1 to 8.0.46</p>
+
+ </section>
+
+ <section name="Fixed in Apache Tomcat 8.5.23" rtext="1 October 2017">
+
+ <p><strong>Important: Remote Code Execution</strong>
+ <cve>CVE-2017-12617</cve></p>
+
+ <p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+ <code>readonly</code> initialisation parameter of the Default to false)
+ it was possible to upload a JSP file to the server via a specially
+ crafted request. This JSP could then be requested and any code it
+ contained would be executed by the server.</p>
+
+ <p>This was fixed in revisions <revlink rev="1809673">1809673</revlink>,
+ <revlink rev="1809675">1809675</revlink> and
+ <revlink rev="1809896">1809896</revlink>.</p>
+
+ <p>This issue was first reported publicly followed by multiple reports to
+ the Apache Tomcat Security Team on 20 September 2017.</p>
+
+ <p>Affects: 8.5.0 to 8.5.22</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 8.0.45" rtext="1 July 2017">
<p><strong>Moderate: Cache Poisoning</strong>
Modified: tomcat/site/trunk/xdocs/security-9.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1810270&r1=1810269&r2=1810270&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Sun Oct 1 18:10:45 2017
@@ -50,6 +50,29 @@
</section>
+ <section name="Fixed in Apache Tomcat 9.0.1" rtext="30 September 2017">
+
+ <p><strong>Important: Remote Code Execution</strong>
+ <cve>CVE-2017-12617</cve></p>
+
+ <p>When running on Windows with HTTP PUTs enabled (e.g. via setting the
+ <code>readonly</code> initialisation parameter of the Default to false)
+ it was possible to upload a JSP file to the server via a specially
+ crafted request. This JSP could then be requested and any code it
+ contained would be executed by the server.</p>
+
+ <p>This was fixed in revisions <revlink rev="1809669">1809669</revlink>,
+ <revlink rev="1809674">1809674</revlink>,
+ <revlink rev="1809684">1809684</revlink> and
+ <revlink rev="1809711">1809711</revlink>.</p>
+
+ <p>This issue was first reported publicly followed by multiple reports to
+ the Apache Tomcat Security Team on 20 September 2017.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.0</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 9.0.0.M22" rtext="26 June 2017">
<p><strong>Important: Security Constraint Bypass</strong>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
