Author: markt Date: Wed Jun 3 13:30:25 2009 New Revision: 781365 URL: http://svn.apache.org/viewvc?rev=781365&view=rev Log: Add CVE-2009-0033
Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-4.xml tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-4.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-4.html (original) +++ tomcat/site/trunk/docs/security-4.html Wed Jun 3 13:30:25 2009 @@ -271,6 +271,25 @@ <p> <blockquote> <p> +<strong>Important: Denial of Service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> + CVE-2009-0033</a> +</p> + + <p>If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=781362&view=rev"> + revision 781362</a>.</p> + + <p>Affects: 4.1.0-4.1.39</p> + + <p> <strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a> Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Wed Jun 3 13:30:25 2009 
@@ -233,6 +233,25 @@ <p> <blockquote> <p> +<strong>Important: Denial of Service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> + CVE-2009-0033</a> +</p> + + <p>If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=781362&view=rev"> + revision 781362</a>.</p> + + <p>Affects: 5.5.0-5.5.27</p> + + <p> <strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a> Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Wed Jun 3 13:30:25 2009 @@ -216,8 +216,8 @@ <tr> <td bgcolor="#525D76"> <font color="#ffffff" face="arial,helvetica,sanserif"> -<a name="Fixed in Apache Tomcat 6.0.SVN"> -<strong>Fixed in Apache Tomcat 6.0.SVN</strong> +<a name="Fixed in Apache Tomcat 6.0.20"> +<strong>Fixed in Apache Tomcat 6.0.20</strong> </a> </font> </td> 
@@ -227,6 +227,32 @@ <p> <blockquote> <p> +<i>Note: These issues were fixed in Apache Tomcat 6.0.19 but the release + vote for that release candidate did not pass. Therefore, although users + must download 6.0.20 to obtain a version that includes fixes for these + issues, 6.0.19 is not included in the list of affected versions.</i> +</p> + + <p> +<strong>Important: Denial of Service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> + CVE-2009-0033</a> +</p> + + <p>If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=742915&view=rev"> + revision 742915</a>.</p> + + <p>Affects: 6.0.0-6.0.18</p> + + <p> <strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a> @@ -241,7 +267,7 @@ revision 750924</a>.</p> <p>Affects: 6.0.0-6.0.18</p> - + </blockquote> </p> </td> Modified: tomcat/site/trunk/xdocs/security-4.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-4.xml (original) +++ tomcat/site/trunk/xdocs/security-4.xml Wed Jun 3 13:30:25 2009 
@@ -44,6 +44,23 @@ </section> <section name="Fixed in Apache Tomcat 4.1.SVN"> + <p><strong>Important: Denial of Service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> + CVE-2009-0033</a></p> + + <p>If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=781362&view=rev"> + revision 781362</a>.</p> + + <p>Affects: 4.1.0-4.1.39</p> + <p><strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a></p> Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Wed Jun 3 13:30:25 2009 
@@ -29,6 +29,23 @@ </section> <section name="Fixed in Apache Tomcat 5.5.SVN"> + <p><strong>Important: Denial of Service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> + CVE-2009-0033</a></p> + + <p>If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=781362&view=rev"> + revision 781362</a>.</p> + + <p>Affects: 5.5.0-5.5.27</p> + <p><strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a></p> Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=781365&r1=781364&r2=781365&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Wed Jun 3 13:30:25 2009 
@@ -22,7 +22,29 @@ </section> - <section name="Fixed in Apache Tomcat 6.0.SVN"> + <section name="Fixed in Apache Tomcat 6.0.20"> + <p><i>Note: These issues were fixed in Apache Tomcat 6.0.19 but the release + vote for that release candidate did not pass. Therefore, although users + must download 6.0.20 to obtain a version that includes fixes for these + issues, 6.0.19 is not included in the list of affected versions.</i></p> + + <p><strong>Important: Denial of Service</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033"> + CVE-2009-0033</a></p> + + <p>If Tomcat receives a request with invalid headers via the Java AJP + connector, it does not return an error and instead closes the AJP + connection. In case this connector is member of a mod_jk load balancing + worker, this member will be put into an error state and will be blocked + from use for approximately one minute. Thus the behaviour can be used for + a denial of service attack using a carefully crafted request.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=742915&view=rev"> + revision 742915</a>.</p> + + <p>Affects: 6.0.0-6.0.18</p> + <p><strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a></p> @@ -36,7 +58,7 @@ revision 750924</a>.</p> <p>Affects: 6.0.0-6.0.18</p> - + </section> <section name="Fixed in Apache Tomcat 6.0.18"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
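Review bot: In the security-4 and security-5 hunks (both the .html and the xdocs .xml copies) the new CVE-2009-0033 entry points both branches at the same fix, "revision 781362", for 4.1.0-4.1.39 and for 5.5.0-5.5.27, while the security-6 hunks point at "revision 742915". Confirm that r781362 really is a single commit covering both the 4.1 and 5.5 branches; if the 5.5 fix landed in its own commit, the 5.5 entry should link that revision so a reader checking one branch can verify the patch. Both sections also remain headed "Fixed in Apache Tomcat 4.1.SVN" and "Fixed in Apache Tomcat 5.5.SVN", so no released version carries the fix yet; when releases ship, these headings need the same rename that the 6.0 section receives in this commit.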
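Review bot: In the security-6.html hunk the rename from `<a name="Fixed in Apache Tomcat 6.0.SVN">` to `<a name="Fixed in Apache Tomcat 6.0.20">` changes a fragment anchor, so any existing links to the old "6.0.SVN" fragment elsewhere on the site will silently stop resolving; worth a grep of the site docs before committing. The added italic note explaining that the 6.0.19 release vote did not pass is the right place to justify "Affects: 6.0.0-6.0.18" excluding 6.0.19, so that part reads correctly. The two trailing hunks (`@@ -241,7 +267,7 @@` and `@@ -36,7 +58,7 @@`) replace a line of trailing whitespace with an empty line and need no further review.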
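Review bot: The new description paragraph, copied verbatim into all six files, has two wording problems: "In case this connector is member of a mod_jk load balancing worker" should read "is a member of", and "Thus the behaviour can be used for a denial of service attack" reads better as "This behaviour can therefore be used for a denial of service attack". Since the text is identical in the security-4, security-5 and security-6 hunks, fix all six copies in one follow-up rather than letting the pages drift. One documentation gap in the same paragraph: it limits the issue to "the Java AJP connector", so stating explicitly whether the other AJP connector implementations are affected would save readers a question when they check which of their configurations need the upgrade.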