Modified: tomcat/site/trunk/docs/security-impact.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-impact.html?rev=1857582&r1=1857581&r2=1857582&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-impact.html (original) +++ tomcat/site/trunk/docs/security-impact.html Mon Apr 15 13:58:46 2019 @@ -32,6 +32,11 @@ <input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search…" required="required" name="q" id="query" type="search"><button>GO</button> </div> </form> +<div class="asfevents"> +<a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png"><br> + Save the date! + </a> +</div> <nav> <div> <h2>Apache Tomcat</h2>
Modified: tomcat/site/trunk/docs/security-jk.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1857582&r1=1857581&r2=1857582&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-jk.html (original) +++ tomcat/site/trunk/docs/security-jk.html Mon Apr 15 13:58:46 2019 @@ -1,281 +1,286 @@ <!DOCTYPE html SYSTEM "about:legacy-compat"> <html lang="en"> - <head> - <META http-equiv="Content-Type" content="text/html; charset=UTF-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - <link href="res/css/tomcat.css" rel="stylesheet" type="text/css"> - <link href="res/css/fonts/fonts.css" rel="stylesheet" type="text/css"> - <title>Apache Tomcat® - Apache Tomcat JK Connectors vulnerabilities</title> - <meta name="author" content="Apache Tomcat Project"> - </head> - <body> - <div id="wrapper"> - <header id="header"> - <div class="clearfix"> - <div class="menu-toggler pull-left" tabindex="1"> - <div class="hamburger"></div> - </div> - <a href="http://tomcat.apache.org/"><img class="tomcat-logo pull-left noPrint" alt="Tomcat Home" src="res/images/tomcat.png"></a> - <h1 class="pull-left"> - Apache Tomcat<sup>®</sup> - </h1> - <div class="asf-logos pull-right"> - <a href="https://www.apache.org/foundation/contributing.html" target="_blank" class="pull-left"><img src="https://www.apache.org/images/SupportApache-small.png" class="support-asf" alt="Support Apache"></a><a href="http://www.apache.org/" target="_blank" class="pull-left"><img src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software Foundation"></a> - </div> - </div> - </header> - <main id="middle"> - <div> - <div id="mainLeft"> - <div id="nav-wrapper"> - <form action="https://www.google.com/search" method="get"> - <div class="searchbox"> - <input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search…" required="required" name="q" id="query" type="search"><button>GO</button> - </div> - </form> - <nav> - <div> - <h2>Apache Tomcat</h2> - <ul> - <li> - <a href="./index.html">Home</a> - </li> - <li> - <a href="./taglibs.html">Taglibs</a> - </li> - <li> - <a href="./maven-plugin.html">Maven Plugin</a> - </li> - </ul> - </div> - <div> - <h2>Download</h2> - <ul> - <li> - <a href="./whichversion.html">Which version?</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-90.cgi">Tomcat 9</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-80.cgi">Tomcat 8</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-70.cgi">Tomcat 7</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-connectors.cgi">Tomcat Connectors</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-native.cgi">Tomcat Native</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-taglibs.cgi">Taglibs</a> - </li> - <li> - <a href="https://archive.apache.org/dist/tomcat/">Archives</a> - </li> - </ul> - </div> - <div> - <h2>Documentation</h2> - <ul> - <li> - <a href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a> - </li> - <li> - <a href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a> - </li> - <li> - <a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a> - </li> - <li> - <a href="./connectors-doc/">Tomcat Connectors</a> - </li> - <li> - <a href="./native-doc/">Tomcat Native</a> - </li> - <li> - <a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a> - </li> - <li> - <a href="./migration.html">Migration Guide</a> - </li> - <li> - <a href="./presentations.html">Presentations</a> - </li> - </ul> - </div> - <div> - <h2>Problems?</h2> - <ul> - <li> - <a href="./security.html">Security Reports</a> - </li> - <li> - <a href="./findhelp.html">Find help</a> - </li> - <li> - <a href="https://wiki.apache.org/tomcat/FAQ">FAQ</a> - </li> - <li> - <a href="./lists.html">Mailing Lists</a> - </li> - <li> - <a href="./bugreport.html">Bug Database</a> - </li> - <li> - <a href="./irc.html">IRC</a> - </li> - </ul> - </div> - <div> - <h2>Get Involved</h2> - <ul> - <li> - <a href="./getinvolved.html">Overview</a> - </li> - <li> - <a href="./source.html">Source code</a> - </li> - <li> - <a href="./ci.html">Buildbot</a> - </li> - <li> - <a href="./tools.html">Tools</a> - </li> - </ul> - </div> - <div> - <h2>Media</h2> - <ul> - <li> - <a href="https://twitter.com/theapachetomcat">Twitter</a> - </li> - <li> - <a href="https://www.youtube.com/c/ApacheTomcatOfficial">YouTube</a> - </li> - <li> - <a href="https://blogs.apache.org/tomcat/">Blog</a> - </li> - </ul> - </div> - <div> - <h2>Misc</h2> - <ul> - <li> - <a href="./whoweare.html">Who We Are</a> - </li> - <li> - <a href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat">Swag</a> - </li> - <li> - <a href="./heritage.html">Heritage</a> - </li> - <li> - <a href="http://www.apache.org">Apache Home</a> - </li> - <li> - <a href="./resources.html">Resources</a> - </li> - <li> - <a href="./contact.html">Contact</a> - </li> - <li> - <a href="./legal.html">Legal</a> - </li> - <li> - <a href="https://www.apache.org/foundation/contributing.html">Support Apache</a> - </li> - <li> - <a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a> - </li> - <li> - <a href="http://www.apache.org/foundation/thanks.html">Thanks</a> - </li> - <li> - <a href="http://www.apache.org/licenses/">License</a> - </li> - </ul> - </div> - </nav> - </div> - </div> - <div id="mainRight"> - <div id="content"> - <h2 style="display: none;">Content</h2> - <h3 id="Table_of_Contents">Table of Contents</h3> - <div class="text"> - - <ul> - <li> - <a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</a> - </li> - <li> - <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</a> - </li> - <li> - <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</a> - </li> - <li> - <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.42">Fixed in Apache Tomcat JK Connector 1.2.42</a> - </li> - <li> - <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.41">Fixed in Apache Tomcat JK Connector 1.2.41</a> - </li> - <li> - <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK Connector 1.2.27</a> - </li> - <li> - <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.23">Fixed in Apache Tomcat JK Connector 1.2.23</a> - </li> - <li> - <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.21">Fixed in Apache Tomcat JK Connector 1.2.21</a> - </li> - <li> - <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.16">Fixed in Apache Tomcat JK Connector 1.2.16</a> - </li> - </ul> - - </div> - <h3 id="Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</h3> - <div class="text"> - - <p> - This page lists all security vulnerabilities fixed in released versions +<head> +<META http-equiv="Content-Type" content="text/html; charset=UTF-8"> +<meta name="viewport" content="width=device-width, initial-scale=1"> +<link href="res/css/tomcat.css" rel="stylesheet" type="text/css"> +<link href="res/css/fonts/fonts.css" rel="stylesheet" type="text/css"> +<title>Apache Tomcat® - Apache Tomcat JK Connectors vulnerabilities</title> +<meta name="author" content="Apache Tomcat Project"> +</head> +<body> +<div id="wrapper"> +<header id="header"> +<div class="clearfix"> +<div class="menu-toggler pull-left" tabindex="1"> +<div class="hamburger"></div> +</div> +<a href="http://tomcat.apache.org/"><img class="tomcat-logo pull-left noPrint" alt="Tomcat Home" src="res/images/tomcat.png"></a> +<h1 class="pull-left">Apache Tomcat<sup>®</sup> +</h1> +<div class="asf-logos pull-right"> +<a href="https://www.apache.org/foundation/contributing.html" target="_blank" class="pull-left"><img src="https://www.apache.org/images/SupportApache-small.png" class="support-asf" alt="Support Apache"></a><a href="http://www.apache.org/" target="_blank" class="pull-left"><img src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software Foundation"></a> +</div> +</div> +</header> +<main id="middle"> +<div> +<div id="mainLeft"> +<div id="nav-wrapper"> +<form action="https://www.google.com/search" method="get"> +<div class="searchbox"> +<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search…" required="required" name="q" id="query" type="search"><button>GO</button> +</div> +</form> +<div class="asfevents"> +<a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png"><br> + Save the date! + </a> +</div> +<nav> +<div> +<h2>Apache Tomcat</h2> +<ul> +<li> +<a href="./index.html">Home</a> +</li> +<li> +<a href="./taglibs.html">Taglibs</a> +</li> +<li> +<a href="./maven-plugin.html">Maven Plugin</a> +</li> +</ul> +</div> +<div> +<h2>Download</h2> +<ul> +<li> +<a href="./whichversion.html">Which version?</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-90.cgi">Tomcat 9</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-80.cgi">Tomcat 8</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-70.cgi">Tomcat 7</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-connectors.cgi">Tomcat Connectors</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-native.cgi">Tomcat Native</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-taglibs.cgi">Taglibs</a> +</li> +<li> +<a href="https://archive.apache.org/dist/tomcat/">Archives</a> +</li> +</ul> +</div> +<div> +<h2>Documentation</h2> +<ul> +<li> +<a href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a> +</li> +<li> +<a href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a> +</li> +<li> +<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a> +</li> +<li> +<a href="./connectors-doc/">Tomcat Connectors</a> +</li> +<li> +<a href="./native-doc/">Tomcat Native</a> +</li> +<li> +<a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a> +</li> +<li> +<a href="./migration.html">Migration Guide</a> +</li> +<li> +<a href="./presentations.html">Presentations</a> +</li> +</ul> +</div> +<div> +<h2>Problems?</h2> +<ul> +<li> +<a href="./security.html">Security Reports</a> +</li> +<li> +<a href="./findhelp.html">Find help</a> +</li> +<li> +<a href="https://wiki.apache.org/tomcat/FAQ">FAQ</a> +</li> +<li> +<a href="./lists.html">Mailing Lists</a> +</li> +<li> +<a href="./bugreport.html">Bug Database</a> +</li> +<li> +<a href="./irc.html">IRC</a> +</li> +</ul> +</div> +<div> +<h2>Get Involved</h2> +<ul> +<li> +<a href="./getinvolved.html">Overview</a> +</li> +<li> +<a href="./source.html">Source code</a> +</li> +<li> +<a href="./ci.html">Buildbot</a> +</li> +<li> +<a href="./tools.html">Tools</a> +</li> +</ul> +</div> +<div> +<h2>Media</h2> +<ul> +<li> +<a href="https://twitter.com/theapachetomcat">Twitter</a> +</li> +<li> +<a href="https://www.youtube.com/c/ApacheTomcatOfficial">YouTube</a> +</li> +<li> +<a href="https://blogs.apache.org/tomcat/">Blog</a> +</li> +</ul> +</div> +<div> +<h2>Misc</h2> +<ul> +<li> +<a href="./whoweare.html">Who We Are</a> +</li> +<li> +<a href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat">Swag</a> +</li> +<li> +<a href="./heritage.html">Heritage</a> +</li> +<li> +<a href="http://www.apache.org">Apache Home</a> +</li> +<li> +<a href="./resources.html">Resources</a> +</li> +<li> +<a href="./contact.html">Contact</a> +</li> +<li> +<a href="./legal.html">Legal</a> +</li> +<li> +<a href="https://www.apache.org/foundation/contributing.html">Support Apache</a> +</li> +<li> +<a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a> +</li> +<li> +<a href="http://www.apache.org/foundation/thanks.html">Thanks</a> +</li> +<li> +<a href="http://www.apache.org/licenses/">License</a> +</li> +</ul> +</div> +</nav> +</div> +</div> +<div id="mainRight"> +<div id="content"> +<h2 style="display: none;">Content</h2> +<h3 id="Table_of_Contents">Table of Contents</h3> +<div class="text"> + +<ul> +<li> +<a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.42">Fixed in Apache Tomcat JK Connector 1.2.42</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.41">Fixed in Apache Tomcat JK Connector 1.2.41</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK Connector 1.2.27</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.23">Fixed in Apache Tomcat JK Connector 1.2.23</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.21">Fixed in Apache Tomcat JK Connector 1.2.21</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.16">Fixed in Apache Tomcat JK Connector 1.2.16</a> +</li> +</ul> + +</div> +<h3 id="Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</h3> +<div class="text"> + +<p>This page lists all security vulnerabilities fixed in released versions of Apache Tomcat Jk Connectors. Each vulnerability is given a <a href="security-impact.html">security impact rating</a> by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat JK Connectors the flaw is known to affect, and where a flaw has not been - verified list the version with a question mark. - </p> - - <p> - This page has been created from a review of the Apache Tomcat archives + verified list the version with a question mark.</p> + + +<p>This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the <a href="security.html">Tomcat - Security Team</a>. - </p> - - </div> - <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</h3> - <div class="text"> - - <p> - <i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45 + Security Team</a>.</p> + + +</div> +<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</h3> +<div class="text"> + + +<p> +<i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45 but the release vote for the 1.2.45 release candidate did not pass. Therefore, although users must download 1.2.46 to obtain a version that includes the fix for this issue, version 1.2.45 is not included in the list of affected versions.</i> - </p> - - <p> - <strong>Important: Information disclosure</strong> +</p> + + +<p> +<strong>Important: Information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11759" rel="nofollow">CVE-2018-11759</a> - </p> - - <p>The Apache Web Server (httpd) specific code that normalised the requested +</p> + + +<p>The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed @@ -285,9 +290,9 @@ specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.</p> - - <p> - This was fixed in revisions <a href="https://svn.apache.org/viewvc?view=rev&rev=1838836">1838836</a>, + + +<p>This was fixed in revisions <a href="https://svn.apache.org/viewvc?view=rev&rev=1838836">1838836</a>, <a href="https://svn.apache.org/viewvc?view=rev&rev=1838857">1838857</a>, <a href="https://svn.apache.org/viewvc?view=rev&rev=1838871">1838871</a>, <a href="https://svn.apache.org/viewvc?view=rev&rev=1838882">1838882</a>, @@ -304,137 +309,145 @@ <a href="https://svn.apache.org/viewvc?view=rev&rev=1840604">1840604</a>, <a href="https://svn.apache.org/viewvc?view=rev&rev=1840610">1840610</a>, <a href="https://svn.apache.org/viewvc?view=rev&rev=1840629">1840629</a> and - <a href="https://svn.apache.org/viewvc?view=rev&rev=1841463">1841463</a>. - </p> - - <p>Affects: JK 1.2.0-1.2.44</p> - - </div> - <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</h3> - <div class="text"> - - <p> - <strong>Important: Information disclosure</strong> + <a href="https://svn.apache.org/viewvc?view=rev&rev=1841463">1841463</a>.</p> + + +<p>Affects: JK 1.2.0-1.2.44</p> + + +</div> +<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</h3> +<div class="text"> + + +<p> +<strong>Important: Information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1323" rel="nofollow">CVE-2018-1323</a> - </p> - - <p>The IIS/ISAPI specific code that normalised the requested path before +</p> + + +<p>The IIS/ISAPI specific code that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy.</p> - - <p> - This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&rev=1825658">revision 1825658</a>. - </p> - - <p>Affects: JK 1.2.0-1.2.42</p> - - </div> - <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.42">Fixed in Apache Tomcat JK Connector 1.2.42</h3> - <div class="text"> - - <p> - <strong>Moderate: Buffer Overflow</strong> + + +<p>This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&rev=1825658">revision 1825658</a>.</p> + + +<p>Affects: JK 1.2.0-1.2.42</p> + + +</div> +<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.42">Fixed in Apache Tomcat JK Connector 1.2.42</h3> +<div class="text"> + + +<p> +<strong>Moderate: Buffer Overflow</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6808" rel="nofollow">CVE-2016-6808</a> - </p> - - <p>The IIS/ISAPI specific code implements special handling when a virtual +</p> + + +<p>The IIS/ISAPI specific code implements special handling when a virtual host is present. The virtual host name and the URI are concatenated to create a virtual host mapping rule. The length checks prior to writing to the target buffer for this rule did not take account of the length of the virtual host name, creating the potential for a buffer overflow.</p> - - <p>It is not known if this overflow is exploitable.</p> - - <p> - This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&rev=1762057">revision 1762057</a>. - </p> - - <p>Affects: JK 1.2.0-1.2.41</p> - - </div> - <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.41">Fixed in Apache Tomcat JK Connector 1.2.41</h3> - <div class="text"> - - <p> - <strong>Important: Information disclosure</strong> + + +<p>It is not known if this overflow is exploitable.</p> + + +<p>This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&rev=1762057">revision 1762057</a>.</p> + + +<p>Affects: JK 1.2.0-1.2.41</p> + + +</div> +<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.41">Fixed in Apache Tomcat JK Connector 1.2.41</h3> +<div class="text"> + + +<p> +<strong>Important: Information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111" rel="nofollow">CVE-2014-8111</a> - </p> - - <p> - Multiple adjacent slashes in a request URI were not collapsed to a single +</p> + + +<p>Multiple adjacent slashes in a request URI were not collapsed to a single slash before comparing the request URI to the configured mount and unmount patterns. It is therefore possible for an attacker to use a request URI containing multiple adjacent slashes to bypass the restrictions of a <code>JkUnmount</code> directive. This may expose application functionality through the reverse proxy that is not intended - for clients accessing the application via the reverse proxy. - </p> - - <p> - As of mod_jk 1.2.41, slashes are collapsed by default. The behaviour is + for clients accessing the application via the reverse proxy.</p> + + +<p>As of mod_jk 1.2.41, slashes are collapsed by default. The behaviour is now configurable via a new <code>JkOption</code> for httpd (values <code>CollapseSlashesAll</code>, <code>CollapseSlashesNone</code> or <code>CollapseSlashesUnmount</code>) and via a new property <code>collapse_slashes</code> for IIS (values <code>all</code>, - <code>none</code>, <code>unmount</code>). - </p> - - <p> - This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&rev=1647017">revision 1647017</a>. - </p> - - <p>Affects: JK 1.2.0-1.2.40</p> - - </div> - <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK Connector 1.2.27</h3> - <div class="text"> - - <p> - <strong>Important: Information disclosure</strong> + <code>none</code>, <code>unmount</code>).</p> + + +<p>This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&rev=1647017">revision 1647017</a>.</p> + + +<p>Affects: JK 1.2.0-1.2.40</p> + + +</div> +<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.27">Fixed in Apache Tomcat JK Connector 1.2.27</h3> +<div class="text"> + +<p> +<strong>Important: Information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5519" rel="nofollow">CVE-2008-5519</a> - </p> - - <p>Situations where faulty clients set Content-Length without providing +</p> + + +<p>Situations where faulty clients set Content-Length without providing data, or where a user submits repeated requests very quickly, may permit one user to view the response associated with a different user's request. </p> - - <p> - This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&rev=702540">revision 702540</a>. - </p> - - <p> - Affects: JK 1.2.0-1.2.26 - <br> - Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30, - 5.5.0-5.5.27 - </p> - - </div> - <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.23">Fixed in Apache Tomcat JK Connector 1.2.23</h3> - <div class="text"> - - <p> - <strong>Important: Information disclosure</strong> + + +<p>This was fixed in <a href="https://svn.apache.org/viewvc?view=rev&rev=702540">revision 702540</a>.</p> + + +<p>Affects: JK 1.2.0-1.2.26<br> + Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30, + 5.5.0-5.5.27</p> + + +</div> +<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.23">Fixed in Apache Tomcat JK Connector 1.2.23</h3> +<div class="text"> + +<p> +<strong>Important: Information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860" rel="nofollow">CVE-2007-1860</a> - </p> - - <p> - The issue is related to - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450" rel="nofollow">CVE-2007-0450</a>, the patch for which was insufficient. - </p> - - <p>When multiple components (firewalls, caches, proxies and Tomcat) +</p> + + +<p>The issue is related to + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450" rel="nofollow">CVE-2007-0450</a>, the patch for which was insufficient.</p> + + +<p>When multiple components (firewalls, caches, proxies and Tomcat) process a request, the request URL should not get decoded multiple times in an iterative way by these components. Otherwise it might be possible to pass access control rules implemented on front of the last component by applying multiple URL encoding to the request. </p> - - <p>mod_jk before version 1.2.23 by default decoded request URLs inside Apache + + +<p>mod_jk before version 1.2.23 by default decoded request URLs inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. This made it possible to pass a prefix JkMount for /someapp, but actually access /otherapp on Tomcat. Starting with version 1.2.23 @@ -442,79 +455,75 @@ You can achieve the same level of security for older versions by setting the forwarding option "JkOption ForwardURICompatUnparsed". </p> - - <p> - Please note, that your configuration might contain a different forwarding + + +<p>Please note, that your configuration might contain a different forwarding JkOption. In this case, please consult the <a href="http://tomcat.apache.org/connectors-doc/reference/apache.html#Forwarding"> forwarding documentation</a> concerning the security implications. The new default setting is more secure than before, but it breaks interoperability with mod_rewrite. - - </p> - - <p> - Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only) - <br> - Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30, - 5.5.0-5.5.23 - </p> - - </div> - <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.21">Fixed in Apache Tomcat JK Connector 1.2.21</h3> - <div class="text"> - - <p> - <strong>Critical: Arbitrary code execution and denial of service</strong> + </p> + + +<p>Affects: JK 1.2.0-1.2.22 (httpd mod_jk module only)<br> + Source shipped with Tomcat 4.0.0-4.0.6, 4.1.0-4.1.36, 5.0.0-5.0.30, + 5.5.0-5.5.23</p> + + +</div> +<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.21">Fixed in Apache Tomcat JK Connector 1.2.21</h3> +<div class="text"> + +<p> +<strong>Critical: Arbitrary code execution and denial of service</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774" rel="nofollow">CVE-2007-0774</a> - </p> - - <p>An unsafe memory copy in the URI handler for the native JK connector +</p> + + +<p>An unsafe memory copy in the URI handler for the native JK connector could result in a stack overflow condition which could be leveraged to execute arbitrary code or crash the web server.</p> - - <p> - Affects: JK 1.2.19-1.2.20 - <br> - Source shipped with: Tomcat 4.1.34, 5.5.20 - </p> - - </div> - <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.16">Fixed in Apache Tomcat JK Connector 1.2.16</h3> - <div class="text"> - - <p> - <strong>Important: Information disclosure</strong> + + +<p>Affects: JK 1.2.19-1.2.20<br> + Source shipped with: Tomcat 4.1.34, 5.5.20</p> + + +</div> +<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.16">Fixed in Apache Tomcat JK Connector 1.2.16</h3> +<div class="text"> + +<p> +<strong>Important: Information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7197" rel="nofollow">CVE-2006-7197</a> - </p> - - <p>The Tomcat AJP connector contained a bug that sometimes set a too long +</p> + + +<p>The Tomcat AJP connector contained a bug that sometimes set a too long length for the chunks delivered by send_body_chunks AJP messages. Bugs of this type can cause mod_jk to read beyond buffer boundaries and thus reveal sensitive memory information to a client.</p> - - <p> - Affects: JK 1.2.0-1.2.15 - <br> - Source shipped with: Tomcat 4.0.0-4.0.6, 4.1.0-4.1.32, 5.0.0-5.0.30, - 5.5.0-5.5.16 - </p> - - </div> - </div> - </div> - </div> - </main> - <footer id="footer"> - Copyright © 1999-2019, The Apache Software Foundation + - <br> - Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat +<p>Affects: JK 1.2.0-1.2.15<br> + Source shipped with: Tomcat 4.0.0-4.0.6, 4.1.0-4.1.32, 5.0.0-5.0.30, + 5.5.0-5.5.16</p> + + +</div> +</div> +</div> +</div> +</main> +<footer id="footer"> + Copyright © 1999-2019, The Apache Software Foundation + <br> + Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat project logo are either registered trademarks or trademarks of the Apache Software Foundation. - - </footer> - </div> - <script src="res/js/tomcat.js"></script> - </body> + </footer> +</div> +<script src="res/js/tomcat.js"></script> +</body> </html> Modified: tomcat/site/trunk/docs/security-native.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-native.html?rev=1857582&r1=1857581&r2=1857582&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-native.html (original) +++ tomcat/site/trunk/docs/security-native.html Mon Apr 15 13:58:46 2019 @@ -32,6 +32,11 @@ <input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search…" required="required" name="q" id="query" type="search"><button>GO</button> </div> </form> +<div class="asfevents"> +<a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png"><br> + Save the date! + </a> +</div> <nav> <div> <h2>Apache Tomcat</h2> Modified: tomcat/site/trunk/docs/security-taglibs.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-taglibs.html?rev=1857582&r1=1857581&r2=1857582&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-taglibs.html (original) +++ tomcat/site/trunk/docs/security-taglibs.html Mon Apr 15 13:58:46 2019 @@ -32,6 +32,11 @@ <input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search…" required="required" name="q" id="query" type="search"><button>GO</button> </div> </form> +<div class="asfevents"> +<a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png"><br> + Save the date! + </a> +</div> <nav> <div> <h2>Apache Tomcat</h2> Modified: tomcat/site/trunk/docs/security.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security.html?rev=1857582&r1=1857581&r2=1857582&view=diff ============================================================================== --- tomcat/site/trunk/docs/security.html (original) +++ tomcat/site/trunk/docs/security.html Mon Apr 15 13:58:46 2019 @@ -1,379 +1,383 @@ <!DOCTYPE html SYSTEM "about:legacy-compat"> <html lang="en"> - <head> - <META http-equiv="Content-Type" content="text/html; charset=UTF-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - <link href="res/css/tomcat.css" rel="stylesheet" type="text/css"> - <link href="res/css/fonts/fonts.css" rel="stylesheet" type="text/css"> - <title>Apache Tomcat® - Reporting Security Problems</title> - <meta name="author" content="Apache Tomcat Project"> - </head> - <body> - <div id="wrapper"> - <header id="header"> - <div class="clearfix"> - <div class="menu-toggler pull-left" tabindex="1"> - <div class="hamburger"></div> - </div> - <a href="http://tomcat.apache.org/"><img class="tomcat-logo pull-left noPrint" alt="Tomcat Home" src="res/images/tomcat.png"></a> - <h1 class="pull-left"> - Apache Tomcat<sup>®</sup> - </h1> - <div class="asf-logos pull-right"> - <a href="https://www.apache.org/foundation/contributing.html" target="_blank" class="pull-left"><img src="https://www.apache.org/images/SupportApache-small.png" class="support-asf" alt="Support Apache"></a><a href="http://www.apache.org/" target="_blank" class="pull-left"><img src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software Foundation"></a> - </div> - </div> - </header> - <main id="middle"> - <div> - <div id="mainLeft"> - <div id="nav-wrapper"> - <form action="https://www.google.com/search" method="get"> - <div class="searchbox"> - <input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search…" required="required" name="q" id="query" type="search"><button>GO</button> - </div> - </form> - <nav> - <div> - <h2>Apache Tomcat</h2> - <ul> - <li> - <a href="./index.html">Home</a> - </li> - <li> - <a href="./taglibs.html">Taglibs</a> - </li> - <li> - <a href="./maven-plugin.html">Maven Plugin</a> - </li> - </ul> - </div> - <div> - <h2>Download</h2> - <ul> - <li> - <a href="./whichversion.html">Which version?</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-90.cgi">Tomcat 9</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-80.cgi">Tomcat 8</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-70.cgi">Tomcat 7</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-connectors.cgi">Tomcat Connectors</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-native.cgi">Tomcat Native</a> - </li> - <li> - <a href="https://tomcat.apache.org/download-taglibs.cgi">Taglibs</a> - </li> - <li> - <a href="https://archive.apache.org/dist/tomcat/">Archives</a> - </li> - </ul> - </div> - <div> - <h2>Documentation</h2> - <ul> - <li> - <a href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a> - </li> - <li> - <a href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a> - </li> - <li> - <a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a> - </li> - <li> - <a href="./connectors-doc/">Tomcat Connectors</a> - </li> - <li> - <a href="./native-doc/">Tomcat Native</a> - </li> - <li> - <a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a> - </li> - <li> - <a href="./migration.html">Migration Guide</a> - </li> - <li> - <a href="./presentations.html">Presentations</a> - </li> - </ul> - </div> - <div> - <h2>Problems?</h2> - <ul> - <li> - <a href="./security.html">Security Reports</a> - </li> - <li> - <a href="./findhelp.html">Find help</a> - </li> - <li> - <a href="https://wiki.apache.org/tomcat/FAQ">FAQ</a> - </li> - <li> - <a href="./lists.html">Mailing Lists</a> - </li> - <li> - <a href="./bugreport.html">Bug Database</a> - </li> - <li> - <a href="./irc.html">IRC</a> - </li> - </ul> - </div> - <div> - <h2>Get Involved</h2> - <ul> - <li> - <a href="./getinvolved.html">Overview</a> - </li> - <li> - <a href="./source.html">Source code</a> - </li> - <li> - <a href="./ci.html">Buildbot</a> - </li> - <li> - <a href="./tools.html">Tools</a> - </li> - </ul> - </div> - <div> - <h2>Media</h2> - <ul> - <li> - <a href="https://twitter.com/theapachetomcat">Twitter</a> - </li> - <li> - <a href="https://www.youtube.com/c/ApacheTomcatOfficial">YouTube</a> - </li> - <li> - <a href="https://blogs.apache.org/tomcat/">Blog</a> - </li> - </ul> - </div> - <div> - <h2>Misc</h2> - <ul> - <li> - <a href="./whoweare.html">Who We Are</a> - </li> - <li> - <a href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat">Swag</a> - </li> - <li> - <a href="./heritage.html">Heritage</a> - </li> - <li> - <a href="http://www.apache.org">Apache Home</a> - </li> - <li> - <a href="./resources.html">Resources</a> - </li> - <li> - <a href="./contact.html">Contact</a> - </li> - <li> - <a href="./legal.html">Legal</a> - </li> - <li> - <a href="https://www.apache.org/foundation/contributing.html">Support Apache</a> - </li> - <li> - <a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a> - </li> - <li> - <a href="http://www.apache.org/foundation/thanks.html">Thanks</a> - </li> - <li> - <a href="http://www.apache.org/licenses/">License</a> - </li> - </ul> - </div> - </nav> - </div> - </div> - <div id="mainRight"> - <div id="content"> - <h2 style="display: none;">Content</h2> - <h3 id="Security_Updates">Security Updates</h3> - <div class="text"> - - <p>Please note that, except in rare circumstances, binary patches are not +<head> +<META http-equiv="Content-Type" content="text/html; charset=UTF-8"> +<meta name="viewport" content="width=device-width, initial-scale=1"> +<link href="res/css/tomcat.css" rel="stylesheet" type="text/css"> +<link href="res/css/fonts/fonts.css" rel="stylesheet" type="text/css"> +<title>Apache Tomcat® - Reporting Security Problems</title> +<meta name="author" content="Apache Tomcat Project"> +</head> +<body> +<div id="wrapper"> +<header id="header"> +<div class="clearfix"> +<div class="menu-toggler pull-left" tabindex="1"> +<div class="hamburger"></div> +</div> +<a href="http://tomcat.apache.org/"><img class="tomcat-logo pull-left noPrint" alt="Tomcat Home" src="res/images/tomcat.png"></a> +<h1 class="pull-left">Apache Tomcat<sup>®</sup> +</h1> +<div class="asf-logos pull-right"> +<a href="https://www.apache.org/foundation/contributing.html" target="_blank" class="pull-left"><img src="https://www.apache.org/images/SupportApache-small.png" class="support-asf" alt="Support Apache"></a><a href="http://www.apache.org/" target="_blank" class="pull-left"><img src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software Foundation"></a> +</div> +</div> +</header> +<main id="middle"> +<div> +<div id="mainLeft"> +<div id="nav-wrapper"> +<form action="https://www.google.com/search" method="get"> +<div class="searchbox"> +<input value="tomcat.apache.org" name="sitesearch" type="hidden"><input placeholder="Search…" required="required" name="q" id="query" type="search"><button>GO</button> +</div> +</form> +<div class="asfevents"> +<a href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-234x60.png"><br> + Save the date! + </a> +</div> +<nav> +<div> +<h2>Apache Tomcat</h2> +<ul> +<li> +<a href="./index.html">Home</a> +</li> +<li> +<a href="./taglibs.html">Taglibs</a> +</li> +<li> +<a href="./maven-plugin.html">Maven Plugin</a> +</li> +</ul> +</div> +<div> +<h2>Download</h2> +<ul> +<li> +<a href="./whichversion.html">Which version?</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-90.cgi">Tomcat 9</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-80.cgi">Tomcat 8</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-70.cgi">Tomcat 7</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-connectors.cgi">Tomcat Connectors</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-native.cgi">Tomcat Native</a> +</li> +<li> +<a href="https://tomcat.apache.org/download-taglibs.cgi">Taglibs</a> +</li> +<li> +<a href="https://archive.apache.org/dist/tomcat/">Archives</a> +</li> +</ul> +</div> +<div> +<h2>Documentation</h2> +<ul> +<li> +<a href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a> +</li> +<li> +<a href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a> +</li> +<li> +<a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a> +</li> +<li> +<a href="./connectors-doc/">Tomcat Connectors</a> +</li> +<li> +<a href="./native-doc/">Tomcat Native</a> +</li> +<li> +<a href="https://wiki.apache.org/tomcat/FrontPage">Wiki</a> +</li> +<li> +<a href="./migration.html">Migration Guide</a> +</li> +<li> +<a href="./presentations.html">Presentations</a> +</li> +</ul> +</div> +<div> +<h2>Problems?</h2> +<ul> +<li> +<a href="./security.html">Security Reports</a> +</li> +<li> +<a href="./findhelp.html">Find help</a> +</li> +<li> +<a href="https://wiki.apache.org/tomcat/FAQ">FAQ</a> +</li> +<li> +<a href="./lists.html">Mailing Lists</a> +</li> +<li> +<a href="./bugreport.html">Bug Database</a> +</li> +<li> +<a href="./irc.html">IRC</a> +</li> +</ul> +</div> +<div> +<h2>Get Involved</h2> +<ul> +<li> +<a href="./getinvolved.html">Overview</a> +</li> +<li> +<a href="./source.html">Source code</a> +</li> +<li> +<a href="./ci.html">Buildbot</a> +</li> +<li> +<a href="./tools.html">Tools</a> +</li> +</ul> +</div> +<div> +<h2>Media</h2> +<ul> +<li> +<a href="https://twitter.com/theapachetomcat">Twitter</a> +</li> +<li> +<a href="https://www.youtube.com/c/ApacheTomcatOfficial">YouTube</a> +</li> +<li> +<a href="https://blogs.apache.org/tomcat/">Blog</a> +</li> +</ul> +</div> +<div> +<h2>Misc</h2> +<ul> +<li> +<a href="./whoweare.html">Who We Are</a> +</li> +<li> +<a href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat">Swag</a> +</li> +<li> +<a href="./heritage.html">Heritage</a> +</li> +<li> +<a href="http://www.apache.org">Apache Home</a> +</li> +<li> +<a href="./resources.html">Resources</a> +</li> +<li> +<a href="./contact.html">Contact</a> +</li> +<li> +<a href="./legal.html">Legal</a> +</li> +<li> +<a href="https://www.apache.org/foundation/contributing.html">Support Apache</a> +</li> +<li> +<a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a> +</li> +<li> +<a href="http://www.apache.org/foundation/thanks.html">Thanks</a> +</li> +<li> +<a href="http://www.apache.org/licenses/">License</a> +</li> +</ul> +</div> +</nav> +</div> +</div> +<div id="mainRight"> +<div id="content"> +<h2 style="display: none;">Content</h2> +<h3 id="Security_Updates">Security Updates</h3> +<div class="text"> + + +<p>Please note that, except in rare circumstances, binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache Tomcat version where that vulnerability has been fixed.</p> - + - <p>Source patches, usually in the form of references to commits, may be +<p>Source patches, usually in the form of references to commits, may be provided in either in a vulnerability announcement and/or the vulnerability details listed on these pages. These source patches may be used by users wishing to build their own local version of Tomcat with just that security patch rather than upgrade. Please note that an exercise is currently underway to add links to the commits for all the vulnerabilities listed on these pages.</p> - + - <p>Lists of security problems fixed in released versions of Apache Tomcat +<p>Lists of security problems fixed in released versions of Apache Tomcat are available:</p> - - <ul> - - <li> - <a href="security-9.html">Apache Tomcat 9.x Security Vulnerabilities + +<ul> + +<li> +<a href="security-9.html">Apache Tomcat 9.x Security Vulnerabilities </a> - </li> - - <li> - <a href="security-8.html">Apache Tomcat 8.x Security Vulnerabilities +</li> + +<li> +<a href="security-8.html">Apache Tomcat 8.x Security Vulnerabilities </a> - </li> - - <li> - <a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities +</li> + +<li> +<a href="security-7.html">Apache Tomcat 7.x Security Vulnerabilities </a> - </li> - - <li> - <a href="security-jk.html">Apache Tomcat JK Connectors Security +</li> + +<li> +<a href="security-jk.html">Apache Tomcat JK Connectors Security Vulnerabilities</a> - </li> - - <li> - <a href="security-native.html">Apache Tomcat APR/native Connector +</li> + +<li> +<a href="security-native.html">Apache Tomcat APR/native Connector Security Vulnerabilities</a> - </li> - - <li> - <a href="security-taglibs.html">Apache Taglibs +</li> + +<li> +<a href="security-taglibs.html">Apache Taglibs Security Vulnerabilities</a> - </li> - - </ul> - - <p>Lists of security problems fixed in versions of Apache Tomcat that may +</li> + +</ul> + + +<p>Lists of security problems fixed in versions of Apache Tomcat that may be downloaded from the archives are also available:</p> - - <ul> - - <li> - <a href="security-6.html">Apache Tomcat 6.x Security Vulnerabilities + +<ul> + +<li> +<a href="security-6.html">Apache Tomcat 6.x Security Vulnerabilities </a> - </li> - - <li> - <a href="security-5.html">Apache Tomcat 5.x Security Vulnerabilities +</li> + +<li> +<a href="security-5.html">Apache Tomcat 5.x Security Vulnerabilities </a> - </li> - - <li> - <a href="security-4.html">Apache Tomcat 4.x Security Vulnerabilities +</li> + +<li> +<a href="security-4.html">Apache Tomcat 4.x Security Vulnerabilities </a> - </li> - - <li> - <a href="security-3.html">Apache Tomcat 3.x Security Vulnerabilities +</li> + +<li> +<a href="security-3.html">Apache Tomcat 3.x Security Vulnerabilities </a> - </li> - - </ul> - - </div> - <h3 id="Reporting_New_Security_Problems_with_Apache_Tomcat">Reporting New Security Problems with Apache Tomcat</h3> - <div class="text"> - - <p>The Apache Software Foundation takes a very active stance in eliminating +</li> + +</ul> + + +</div> +<h3 id="Reporting_New_Security_Problems_with_Apache_Tomcat">Reporting New Security Problems with Apache Tomcat</h3> +<div class="text"> + +<p>The Apache Software Foundation takes a very active stance in eliminating security problems and denial of service attacks against Apache Tomcat. </p> - - <p>We strongly encourage folks to report such problems to our private + + +<p>We strongly encourage folks to report such problems to our private security mailing list first, before disclosing them in a public forum. </p> - - <p> - <strong>Please note that the security mailing list should only be used + + +<p> +<strong>Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities in Apache Tomcat and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other queries at this address. All mail sent to this address that does not relate to an undisclosed security problem in the Apache Tomcat source code will be ignored.</strong> - </p> - - <p> - If you need to report a bug that isn't an undisclosed security +</p> + + +<p>If you need to report a bug that isn't an undisclosed security vulnerability, please use the <a href="bugreport.html">bug reporting - page</a>. - </p> - - - <p>Questions about:</p> - - <ul> - - <li>how to configure Tomcat securely</li> - - <li>if a vulnerability applies to your particular application</li> - - <li>obtaining further information on a published vulnerability</li> - - <li>availability of patches and/or new releases</li> - - </ul> - - <p> - should be addressed to the users mailing list. Please see the + page</a>.</p> + + +<p>Questions about:</p> + +<ul> + +<li>how to configure Tomcat securely</li> + +<li>if a vulnerability applies to your particular application</li> + +<li>obtaining further information on a published vulnerability</li> + +<li>availability of patches and/or new releases</li> + +</ul> + +<p>should be addressed to the users mailing list. Please see the <a href="lists.html">mailing lists</a> page for details of how to - subscribe. - </p> - + subscribe.</p> - <p> - The private security mailing address is: + +<p>The private security mailing address is: <a href="mailto:secur...@tomcat.apache.org"> secur...@tomcat.apache.org</a> - </p> - - <p>Note that all networked servers are subject to denial of service attacks, +</p> + + +<p>Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds to generic problems (such as a client streaming lots of data to your server, or re-requesting the same URL repeatedly). In general our philosophy is to avoid any attacks which can cause the server to consume resources in a non-linear relationship to the size of inputs.</p> - - </div> - <h3 id="Errors_and_omissions">Errors and omissions</h3> - <div class="text"> - - <p> - Please report any errors or omissions to + +</div> +<h3 id="Errors_and_omissions">Errors and omissions</h3> +<div class="text"> + + +<p>Please report any errors or omissions to <a href="mailto:secur...@tomcat.apache.org">secur...@tomcat.apache.org </a>. - - </p> - - </div> - </div> - </div> - </div> - </main> - <footer id="footer"> - Copyright © 1999-2019, The Apache Software Foundation - - <br> - Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat + </p> + + +</div> +</div> +</div> +</div> +</main> +<footer id="footer"> + Copyright © 1999-2019, The Apache Software Foundation + <br> + Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat project logo are either registered trademarks or trademarks of the Apache Software Foundation. - - </footer> - </div> - <script src="res/js/tomcat.js"></script> - </body> + </footer> +</div> +<script src="res/js/tomcat.js"></script> +</body> </html> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org