Author: markt
Date: Fri May 17 10:09:40 2019
New Revision: 1859425

URL: http://svn.apache.org/viewvc?rev=1859425&view=rev
Log:
Publish details of CVE-2019-0221

Modified:
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/docs/security-8.html
    tomcat/site/trunk/docs/security-9.html
    tomcat/site/trunk/xdocs/security-7.xml
    tomcat/site/trunk/xdocs/security-8.xml
    tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1859425&r1=1859424&r2=1859425&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Fri May 17 10:09:40 2019
@@ -435,6 +435,31 @@
     
 <p>Affects: 7.0.0 to 7.0.93</p>
 
+    
+<p>
+<strong>Low: XSS in SSI printenv</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221"; 
rel="nofollow">CVE-2019-0221</a>
+</p>
+
+    
+<p>The SSI printenv command echoes user provided data without escaping and
+       is, therefore, vulnerable to XSS. SSI is disabled by default. The
+       printenv command is intended for debugging and is unlikely to be present
+       in a production website.</p>
+
+    
+<p>This was fixed with commit
+       <a 
href="https://github.com/apache/tomcat/commit/44ec74c";>44ec74c</a>.</p>
+
+    
+<p>This issue was identified by Nightwatch Cybersecurity Research and
+       reported to the Apache Tomcat security team via the bug bounty program
+       sponsored by the EU FOSSA-2 project on 7th March 2019. The issue was 
made
+       public on 17 May 2019.</p>
+
+    
+<p>Affects: 7.0.0 to 7.0.93</p>
+
   
 </div>
 <h3 id="Fixed_in_Apache_Tomcat_7.0.91">
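Review bot: both anchors in this hunk carry a stray `;` after the closing quote of `href` (`...name=CVE-2019-0221"; ` with `rel="nofollow"` continuing on the next line, and `...commit/44ec74c";`). If that character is in the committed security-7.html rather than an artifact of the mail archive, the `<a>` tag is malformed and browsers will not reliably attach `rel="nofollow"`; regenerate the page from the xdoc source and confirm the output reads `<a href="..." rel="nofollow">`.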

Modified: tomcat/site/trunk/docs/security-8.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1859425&r1=1859424&r2=1859425&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Fri May 17 10:09:40 2019
@@ -414,6 +414,31 @@
     
 <p>Affects: 8.5.0 to 8.5.39</p>
 
+    
+<p>
+<strong>Low: XSS in SSI printenv</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221"; 
rel="nofollow">CVE-2019-0221</a>
+</p>
+
+    
+<p>The SSI printenv command echoes user provided data without escaping and
+       is, therefore, vulnerable to XSS. SSI is disabled by default. The
+       printenv command is intended for debugging and is unlikely to be present
+       in a production website.</p>
+
+    
+<p>This was fixed with commit
+       <a 
href="https://github.com/apache/tomcat/commit/4fcdf70";>4fcdf70</a>.</p>
+
+    
+<p>This issue was identified by Nightwatch Cybersecurity Research and
+       reported to the Apache Tomcat security team via the bug bounty program
+       sponsored by the EU FOSSA-2 project on 7th March 2019. The issue was 
made
+       public on 17 May 2019.</p>
+
+    
+<p>Affects: 8.5.0 to 8.5.39</p>
+
   
 </div>
 <h3 id="Fixed_in_Apache_Tomcat_8.5.38">
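Review bot: the same stray `";` appears on the CVE and commit anchors here as in the security-7.html hunk; check the committed file for it. Otherwise the 8.5.x entry is the 7.0.x text with the two branch-specific values swapped in, commit `4fcdf70` and the range `8.5.0 to 8.5.39`, and that range matches the `Affects` context line of the preceding entry, so the new issue is filed under the same fixed-in section.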

Modified: tomcat/site/trunk/docs/security-9.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1859425&r1=1859424&r2=1859425&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Fri May 17 10:09:40 2019
@@ -327,7 +327,7 @@
 
     
 <p>
-<i>Note: The issue below was fixed in Apache Tomcat 9.0.18 but the
+<i>Note: The issues below were fixed in Apache Tomcat 9.0.18 but the
        release vote for the 9.0.18 release candidate did not pass. Therefore,
        although users must download 9.0.19 to obtain a version that includes a
        fix for these issues, version 9.0.18 is not included in the list of 
@@ -364,6 +364,31 @@
 
     
 <p>Affects: 9.0.0.M1 to 9.0.17</p>
+
+    
+<p>
+<strong>Low: XSS in SSI printenv</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221"; 
rel="nofollow">CVE-2019-0221</a>
+</p>
+
+    
+<p>The SSI printenv command echoes user provided data without escaping and
+       is, therefore, vulnerable to XSS. SSI is disabled by default. The
+       printenv command is intended for debugging and is unlikely to be present
+       in a production website.</p>
+
+    
+<p>This was fixed with commit
+       <a 
href="https://github.com/apache/tomcat/commit/15fcd16";>15fcd16</a>.</p>
+
+    
+<p>This issue was identified by Nightwatch Cybersecurity Research and
+       reported to the Apache Tomcat security team via the bug bounty program
+       sponsored by the EU FOSSA-2 project on 7th March 2019. The issue was 
made
+       public on 17 May 2019.</p>
+
+    
+<p>Affects: 9.0.0.M1 to 9.0.17</p>
 
   
 </div>
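Review bot: `Affects: 9.0.0.M1 to 9.0.17` stops at 9.0.17, while the note patched earlier in this file explains that the 9.0.18 release vote did not pass and users must download 9.0.19. That is consistent with the existing convention (the preceding entry in the context uses the same range), but a reader who only scans the Affects line could conclude 9.0.18 is a safe version to run; the `<i>Note:` paragraph directly above these entries is what prevents that reading, so later edits should not separate the two.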

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1859425&r1=1859424&r2=1859425&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Fri May 17 10:09:40 2019
@@ -74,6 +74,24 @@
 
     <p>Affects: 7.0.0 to 7.0.93</p>
 
+    <p><strong>Low: XSS in SSI printenv</strong>
+       <cve>CVE-2019-0221</cve></p>
+
+    <p>The SSI printenv command echoes user provided data without escaping and
+       is, therefore, vulnerable to XSS. SSI is disabled by default. The
+       printenv command is intended for debugging and is unlikely to be present
+       in a production website.</p>
+
+    <p>This was fixed with commit
+       <hashlink hash="44ec74c">44ec74c</hashlink>.</p>
+
+    <p>This issue was identified by Nightwatch Cybersecurity Research and
+       reported to the Apache Tomcat security team via the bug bounty program
+       sponsored by the EU FOSSA-2 project on 7th March 2019. The issue was 
made
+       public on 17 May 2019.</p>
+
+    <p>Affects: 7.0.0 to 7.0.93</p>
+
   </section>
 
   <section name="Fixed in Apache Tomcat 7.0.91" rtext="19 September 2018">
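Review bot: two wording nits in the new entry. `user provided data` should be hyphenated as `user-provided data` (compound modifier), and the dates mix styles, `7th March 2019` for the report and `17 May 2019` for disclosure; the `rtext` attributes in this file use the bare `19 September 2018` form, so `7 March 2019` would match. Also consider stating which input printenv reflects and which configuration enables SSI (the text says only `SSI is disabled by default`), since that is what an administrator needs in order to tell whether a deployment is exposed.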

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1859425&r1=1859424&r2=1859425&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Fri May 17 10:09:40 2019
@@ -74,6 +74,24 @@
 
     <p>Affects: 8.5.0 to 8.5.39</p>
 
+    <p><strong>Low: XSS in SSI printenv</strong>
+       <cve>CVE-2019-0221</cve></p>
+
+    <p>The SSI printenv command echoes user provided data without escaping and
+       is, therefore, vulnerable to XSS. SSI is disabled by default. The
+       printenv command is intended for debugging and is unlikely to be present
+       in a production website.</p>
+
+    <p>This was fixed with commit
+       <hashlink hash="4fcdf70">4fcdf70</hashlink>.</p>
+
+    <p>This issue was identified by Nightwatch Cybersecurity Research and
+       reported to the Apache Tomcat security team via the bug bounty program
+       sponsored by the EU FOSSA-2 project on 7th March 2019. The issue was 
made
+       public on 17 May 2019.</p>
+
+    <p>Affects: 8.5.0 to 8.5.39</p>
+
   </section>
 
   <section name="Fixed in Apache Tomcat 8.5.38" rtext="8 February 2019">
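Review bot: same hyphenation and date-format nits as in the security-7.xml entry (`user provided`, `7th March 2019`); since the three xdocs carry identical wording, fix all three in one commit so the generated pages stay in step. The branch-specific values are correct in form here: the hashlink is `4fcdf70` (not the 7.0.x `44ec74c`) and the range `8.5.0 to 8.5.39` matches the preceding entry's context line.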

Modified: tomcat/site/trunk/xdocs/security-9.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1859425&r1=1859424&r2=1859425&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Fri May 17 10:09:40 2019
@@ -52,7 +52,7 @@
 
   <section name="Fixed in Apache Tomcat 9.0.19" rtext="13 April 2019">
 
-    <p><i>Note: The issue below was fixed in Apache Tomcat 9.0.18 but the
+    <p><i>Note: The issues below were fixed in Apache Tomcat 9.0.18 but the
        release vote for the 9.0.18 release candidate did not pass. Therefore,
        although users must download 9.0.19 to obtain a version that includes a
        fix for these issues, version 9.0.18 is not included in the list of 
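Review bot: the singular-to-plural change (`issues below were`) now agrees with `fix for these issues` two lines down, which was already plural, so the paragraph is internally consistent. Because the note is a blanket statement for every entry in the 9.0.19 section, it would be more robust to name the CVEs it covers, so that an entry later added for an issue fixed in 9.0.19 itself cannot be silently described as fixed in 9.0.18.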
@@ -82,6 +82,24 @@
 
     <p>Affects: 9.0.0.M1 to 9.0.17</p>
 
+    <p><strong>Low: XSS in SSI printenv</strong>
+       <cve>CVE-2019-0221</cve></p>
+
+    <p>The SSI printenv command echoes user provided data without escaping and
+       is, therefore, vulnerable to XSS. SSI is disabled by default. The
+       printenv command is intended for debugging and is unlikely to be present
+       in a production website.</p>
+
+    <p>This was fixed with commit
+       <hashlink hash="15fcd16">15fcd16</hashlink>.</p>
+
+    <p>This issue was identified by Nightwatch Cybersecurity Research and
+       reported to the Apache Tomcat security team via the bug bounty program
+       sponsored by the EU FOSSA-2 project on 7th March 2019. The issue was 
made
+       public on 17 May 2019.</p>
+
+    <p>Affects: 9.0.0.M1 to 9.0.17</p>
+
   </section>
 
   <section name="Fixed in Apache Tomcat 9.0.16" rtext="8 February 2019">
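Review bot: the description's mitigating statements are `SSI is disabled by default` and `printenv ... is unlikely to be present in a production website`; neither tells an administrator who does run SSI what to do short of upgrading. Suggest one sentence on the configuration-level remediation the text already implies (not serving printenv directives, or leaving SSI disabled where it is not needed) next to the fixed-in commit, since the `Low` rating rests on those conditions. The hashlink `15fcd16` and range `9.0.0.M1 to 9.0.17` are distinct from the 7.0.x and 8.5.x entries, as expected.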
