Author: jfclere Date: Sun Jul 22 08:58:25 2018 New Revision: 1836429 URL: http://svn.apache.org/viewvc?rev=1836429&view=rev Log: Add the missing CVE.
Modified: tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/xdocs/security-7.xml Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1836429&r1=1836428&r2=1836429&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Sun Jul 22 08:58:25 2018 @@ -222,9 +222,15 @@ <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_7.0.90">Fixed in Apache Tomcat 7.0.90</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_7.0.89">Fixed in Apache Tomcat 7.0.89</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_7.0.88">Fixed in Apache Tomcat 7.0.88</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_7.0.85">Fixed in Apache Tomcat 7.0.85</a> </li> <li> @@ -396,8 +402,34 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_7.0.90"> +<span class="pull-right">7 July 2018</span> Fixed in Apache Tomcat 7.0.90</h3> +<div class="text"> + + +<p> +<strong>Low: host name verification missing in WebSocket client</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034" rel="nofollow">CVE-2018-8034</a> +</p> + + +<p>The host name verification when using TLS with the WebSocket client was + missing. It is now enabled by default.</p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1833760">1833760</a>.</p> + + +<p>This issue was reported publicly on 11 June 2018 and formally announced as + a vulnerability on 22 July 2018.</p> + + +<p>Affects: 7.0.25 to 7.0.88</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_7.0.89"> -<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 7.0.89</h3> +<span class="pull-right">not released</span> Fixed in Apache Tomcat 7.0.89</h3> <div class="text"> @@ -422,6 +454,33 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_7.0.88"> +<span class="pull-right">16 May 2018</span> Fixed in Apache Tomcat 7.0.88</h3> +<div class="text"> + + +<p> +<strong>Important: A bug in the UTF-8 decoder can lead to DoS</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336" rel="nofollow">CVE-2018-1336</a> +</p> + + +<p>An improper handing of overflow in the UTF-8 decoder with + supplementary characters can lead to an infinite loop in the + decoder causing a Denial of Service.</p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1830376">1830376</a>.</p> + + +<p>This issue was reported publicly on 6 April 2018 and formally announced as + a vulnerability on 22 July 2018.</p> + + +<p>Affects: 7.0.28 to 7.0.88</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_7.0.85"> <span class="pull-right">13 February 2018</span> Fixed in Apache Tomcat 7.0.85</h3> <div class="text"> Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1836429&r1=1836428&r2=1836429&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Sun Jul 22 08:58:25 2018 @@ -50,7 +50,24 @@ </section> - <section name="Fixed in Apache Tomcat 7.0.89" rtext="not yet released"> + <section name="Fixed in Apache Tomcat 7.0.90" rtext="7 July 2018"> + + <p><strong>Low: host name verification missing in WebSocket client</strong> + <cve>CVE-2018-8034</cve></p> + + <p>The host name verification when using TLS with the WebSocket client was + missing. It is now enabled by default.</p> + + <p>This was fixed in revision <revlink rev="1833760">1833760</revlink>.</p> + + <p>This issue was reported publicly on 11 June 2018 and formally announced as + a vulnerability on 22 July 2018.</p> + + <p>Affects: 7.0.25 to 7.0.88</p> + + </section> + + <section name="Fixed in Apache Tomcat 7.0.89" rtext="not released"> <p><strong>Low: CORS filter has insecure defaults</strong> <cve>CVE-2018-8014</cve></p> @@ -68,6 +85,24 @@ </section> + <section name="Fixed in Apache Tomcat 7.0.88" rtext="16 May 2018"> + + <p><strong>Important: A bug in the UTF-8 decoder can lead to DoS</strong> + <cve>CVE-2018-1336</cve></p> + + <p>An improper handing of overflow in the UTF-8 decoder with + supplementary characters can lead to an infinite loop in the + decoder causing a Denial of Service.</p> + + <p>This was fixed in revision <revlink rev="1830376">1830376</revlink>.</p> + + <p>This issue was reported publicly on 6 April 2018 and formally announced as + a vulnerability on 22 July 2018.</p> + + <p>Affects: 7.0.28 to 7.0.88</p> + + </section> + <section name="Fixed in Apache Tomcat 7.0.85" rtext="13 February 2018"> <p><strong>Important: Security constraint annotations applied too --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org