Author: markt
Date: Mon Aug 29 19:49:44 2011
New Revision: 1162962
URL: http://svn.apache.org/viewvc?rev=1162962&view=rev
Log:
Add info for CVE-2011-3190
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
Modified: tomcat/site/trunk/docs/security-5.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1162962&r1=1162961&r2=1162962&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Aug 29 19:49:44 2011
@@ -215,9 +215,6 @@
<a href="#Apache_Tomcat_5.x_vulnerabilities">Apache Tomcat 5.x
vulnerabilities</a>
</li>
<li>
-<a href="#To_be_fixed_in_Apache_Tomcat_5.5.34_(not_yet_released)">To be fixed
in Apache Tomcat 5.5.34 (not yet released)</a>
-</li>
-<li>
<a href="#Fixed_in_Apache_Tomcat_5.5.34_(not_yet_released)">Fixed in Apache
Tomcat 5.5.34 (not yet released)</a>
</li>
<li>
@@ -340,61 +337,6 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="To be fixed in Apache Tomcat 5.5.34 (not yet released)">
-<!--()-->
-</a>
-<a name="To_be_fixed_in_Apache_Tomcat_5.5.34_(not_yet_released)">
-<strong>To be fixed in Apache Tomcat 5.5.34 (not yet released)</strong>
-</a>
-</font>
-</td>
-</tr>
-<tr>
-<td>
-<p>
-<blockquote>
-
- <p>
-<strong>Important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729";
rel="nofollow">CVE-2011-2729</a>
-</p>
-
- <p>Due to a bug in the capabilities code, jsvc (the service wrapper for
- Linux that is part of the Commons Daemon project) does not drop
- capabilities allowing the application to access files and directories
- owned by superuser. This vulnerability only occurs when all of the
- following are true:
- <ul>
- <li>Tomcat is running on a Linux operating system</li>
- <li>jsvc was compiled with libcap</li>
- <li>-user parameter is used</li>
- </ul>
- Affected Tomcat versions shipped with source files for jsvc that
included
- this vulnerability.
- </p>
-
- <p>There is a <a
href="http://people.apache.org/~markt/patches/2011-08-12-cve-2011-22729-tc5.patch";>
- proposed patch</a> for this issue.</p>
-
- <p>This was identified by Wilfried Weissmann on 20 July 2011 and made
public
- on 12 August 2011.</p>
-
- <p>Affects: 5.5.32-5.5.33</p>
-
- </blockquote>
-</p>
-</td>
-</tr>
-<tr>
-<td>
-<br/>
-</td>
-</tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2" width="100%">
-<tr>
-<td bgcolor="#525D76">
-<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 5.5.34 (not yet released)">
<!--()-->
</a>
@@ -469,6 +411,65 @@
<p>Affects: 5.5.0-5.5.33</p>
+ <p>
+<strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729";
rel="nofollow">CVE-2011-2729</a>
+</p>
+
+ <p>Due to a bug in the capabilities code, jsvc (the service wrapper for
+ Linux that is part of the Commons Daemon project) does not drop
+ capabilities allowing the application to access files and directories
+ owned by superuser. This vulnerability only occurs when all of the
+ following are true:
+ <ul>
+ <li>Tomcat is running on a Linux operating system</li>
+ <li>jsvc was compiled with libcap</li>
+ <li>-user parameter is used</li>
+ </ul>
+ Affected Tomcat versions shipped with source files for jsvc that
included
+ this vulnerability.
+ </p>
+
+ <p>There is a <a
href="http://people.apache.org/~markt/patches/2011-08-12-cve-2011-22729-tc5.patch";>
+ proposed patch</a> for this issue.</p>
+
+ <p>This was identified by Wilfried Weissmann on 20 July 2011 and made
public
+ on 12 August 2011.</p>
+
+ <p>Affects: 5.5.32-5.5.33</p>
+
+ <p>
+<strong>Important: Authentication bypass and information disclosure
+ </strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190";
rel="nofollow">CVE-2011-3190</a>
+</p>
+
+ <p>Apache Tomcat supports the AJP protocol which is used with reverse
+ proxies to pass requests and associated data about the request from the
+ reverse proxy to Tomcat. The AJP protocol is designed so that when a
+ request includes a request body, an unsolicited AJP message is sent to
+ Tomcat that includes the first part (or possibly all) of the request
+ body. In certain circumstances, Tomcat did not process this message as a
+ request body but as a new request. This permitted an attacker to have
+ full control over the AJP message permitting authentication bypass and
+ information disclosure. This vulnerability only occurs when all of the
+ following are true:
+ <ul>
+ <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
+ </li>
+ <li>POST requests are accepted</li>
+ <li>The request body is not processed</li>
+ </ul>
+ </p>
+
+ <p>This was fixed in revision
+ <a href="http://svn.apache.org/viewvc?rev=1162960&view=rev";>
+ 1162960</a>.</p>
+
+ <p>This was reported publicly on 20th August 2011.</p>
+
+ <p>Affects: 5.0.0-5.0.33</p>
+
</blockquote>
</p>
</td>
Modified: tomcat/site/trunk/docs/security-6.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1162962&r1=1162961&r2=1162962&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Aug 29 19:49:44 2011
@@ -3,18 +3,18 @@
<html>
<head>
<title>Apache Tomcat - Apache Tomcat 6 vulnerabilities</title>
-<meta content="Apache Tomcat Project" name="author" />
-<link rel="stylesheet" href="stylesheets/tomcat.css" type="text/css" />
-<link media="print" rel="stylesheet" href="stylesheets/tomcat-printer.css"
type="text/css" />
+<meta name="author" content="Apache Tomcat Project"/>
+<link type="text/css" href="stylesheets/tomcat.css" rel="stylesheet"/>
+<link type="text/css" href="stylesheets/tomcat-printer.css" rel="stylesheet"
media="print"/>
</head>
-<body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000"
bgcolor="#ffffff">
-<table cellspacing="0" width="100%" border="0">
+<body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76"
vlink="#525D76">
+<table border="0" width="100%" cellspacing="0">
<!--PAGE HEADER-->
<tr>
<td>
<!--PROJECT LOGO-->
<a href="http://tomcat.apache.org/";>
-<img border="0" alt="Tomcat Logo" align="left" src="./images/tomcat.gif" />
+<img src="./images/tomcat.gif" align="left" alt="Tomcat Logo" border="0"/>
</a>
</td>
<td>
@@ -25,28 +25,28 @@
<td>
<!--APACHE LOGO-->
<a href="http://www.apache.org/";>
-<img border="0" alt="Apache Logo" align="right"
src="http://www.apache.org/images/asf-logo.gif"; />
+<img src="http://www.apache.org/images/asf-logo.gif"; align="right" alt="Apache
Logo" border="0"/>
</a>
</td>
</tr>
</table>
<div class="searchbox noPrint">
-<form method="get" action="http://www.google.com/search";>
-<input type="hidden" name="sitesearch" value="tomcat.apache.org" />
-<input type="text" id="query" name="q" size="25" value="Search the Site" />
-<input type="submit" value="Search Site" name="Search" />
+<form action="http://www.google.com/search"; method="get">
+<input value="tomcat.apache.org" name="sitesearch" type="hidden"/>
+<input value="Search the Site" size="25" name="q" id="query" type="text"/>
+<input name="Search" value="Search Site" type="submit"/>
</form>
</div>
-<table cellspacing="4" width="100%" border="0">
+<table border="0" width="100%" cellspacing="4">
<!--HEADER SEPARATOR-->
<tr>
<td colspan="2">
-<hr size="1" noshade="" />
+<hr noshade="" size="1"/>
</td>
</tr>
<tr>
<!--LEFT SIDE NAVIGATION-->
-<td class="noPrint" nowrap="true" valign="top" width="20%">
+<td width="20%" valign="top" nowrap="true" class="noPrint">
<p>
<strong>Apache Tomcat</strong>
</p>
@@ -192,11 +192,11 @@
</ul>
</td>
<!--RIGHT SIDE MAIN BODY-->
-<td id="mainBody" align="left" valign="top" width="80%">
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<td width="80%" valign="top" align="left" id="mainBody">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Table of Contents">
<!--()-->
</a>
@@ -215,6 +215,9 @@
<a href="#Apache_Tomcat_6.x_vulnerabilities">Apache Tomcat 6.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released)">Fixed in Apache
Tomcat 6.0.34 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_6.0.33">Fixed in Apache Tomcat 6.0.33</a>
</li>
<li>
@@ -263,14 +266,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Apache Tomcat 6.x vulnerabilities">
<!--()-->
</a>
@@ -305,14 +308,74 @@
</tr>
<tr>
<td>
-<br />
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 6.0.34 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released)">
+<strong>Fixed in Apache Tomcat 6.0.34 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>Important: Authentication bypass and information disclosure
+ </strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190";
rel="nofollow">CVE-2011-3190</a>
+</p>
+
+ <p>Apache Tomcat supports the AJP protocol which is used with reverse
+ proxies to pass requests and associated data about the request from the
+ reverse proxy to Tomcat. The AJP protocol is designed so that when a
+ request includes a request body, an unsolicited AJP message is sent to
+ Tomcat that includes the first part (or possibly all) of the request
+ body. In certain circumstances, Tomcat did not process this message as a
+ request body but as a new request. This permitted an attacker to have
+ full control over the AJP message permitting authentication bypass and
+ information disclosure. This vulnerability only occurs when all of the
+ following are true:
+ <ul>
+ <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
+ </li>
+ <li>POST requests are accepted</li>
+ <li>The request body is not processed</li>
+ </ul>
+ </p>
+
+ <p>This was fixed in revision
+ <a href="http://svn.apache.org/viewvc?rev=1162959&view=rev";>
+ 1162959</a>.</p>
+
+ <p>This was reported publicly on 20th August 2011.</p>
+
+ <p>Affects: 6.0.0-6.0.33</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.33">
<!--()-->
</a>
@@ -421,14 +484,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.32">
<!--()-->
</a>
@@ -437,8 +500,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 03 Feb 2011</strong>
</font>
</td>
@@ -480,14 +543,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.30">
<!--()-->
</a>
@@ -496,8 +559,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 13 Jan 2011</strong>
</font>
</td>
@@ -578,14 +641,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.28">
<!--()-->
</a>
@@ -594,8 +657,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 9 Jul 2010</strong>
</font>
</td>
@@ -665,14 +728,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.24">
<!--()-->
</a>
@@ -681,8 +744,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 21 Jan 2010</strong>
</font>
</td>
@@ -786,14 +849,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.20">
<!--()-->
</a>
@@ -802,8 +865,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 3 Jun 2009</strong>
</font>
</td>
@@ -928,14 +991,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.18">
<!--()-->
</a>
@@ -944,8 +1007,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 31 Jul 2008</strong>
</font>
</td>
@@ -1028,14 +1091,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.16">
<!--()-->
</a>
@@ -1044,8 +1107,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 8 Feb 2008</strong>
</font>
</td>
@@ -1119,14 +1182,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.14">
<!--()-->
</a>
@@ -1135,8 +1198,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 13 Aug 2007</strong>
</font>
</td>
@@ -1211,14 +1274,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.11">
<!--()-->
</a>
@@ -1227,8 +1290,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>not released</strong>
</font>
</td>
@@ -1272,14 +1335,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.10">
<!--()-->
</a>
@@ -1288,8 +1351,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 28 Feb 2007</strong>
</font>
</td>
@@ -1335,14 +1398,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.9">
<!--()-->
</a>
@@ -1351,8 +1414,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 8 Feb 2007</strong>
</font>
</td>
@@ -1378,14 +1441,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 6.0.6">
<!--()-->
</a>
@@ -1394,8 +1457,8 @@
</a>
</font>
</td>
-<td bgcolor="#525D76" align="right">
-<font face="arial,helvetica.sanserif" color="#ffffff">
+<td align="right" bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica.sanserif">
<strong>released 18 Dec 2006</strong>
</font>
</td>
@@ -1425,14 +1488,14 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
-<table width="100%" cellpadding="2" cellspacing="0" border="0">
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
<tr>
<td bgcolor="#525D76">
-<font face="arial,helvetica,sanserif" color="#ffffff">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Not a vulnerability in Tomcat">
<!--()-->
</a>
@@ -1543,7 +1606,7 @@
</tr>
<tr>
<td>
-<br />
+<br/>
</td>
</tr>
</table>
@@ -1552,17 +1615,17 @@
<!--FOOTER SEPARATOR-->
<tr>
<td colspan="2">
-<hr size="1" noshade="" />
+<hr noshade="" size="1"/>
</td>
</tr>
<!--PAGE FOOTER-->
<tr>
<td colspan="2">
<div align="center">
-<font size="-1" color="#525D76">
+<font color="#525D76" size="-1">
<em>
Copyright © 1999-2011, The Apache Software Foundation
- <br />
+ <br/>
Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache
Tomcat
project logo are trademarks of the Apache Software Foundation.
</em>
Modified: tomcat/site/trunk/docs/security-7.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1162962&r1=1162961&r2=1162962&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Aug 29 19:49:44 2011
@@ -215,6 +215,9 @@
<a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.21_(not_yet_released)">Fixed in Apache
Tomcat 7.0.21 (not yet released)</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_7.0.20">Fixed in Apache Tomcat 7.0.20</a>
</li>
<li>
@@ -299,6 +302,66 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in Apache Tomcat 7.0.21 (not yet released)">
+<!--()-->
+</a>
+<a name="Fixed_in_Apache_Tomcat_7.0.21_(not_yet_released)">
+<strong>Fixed in Apache Tomcat 7.0.21 (not yet released)</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<strong>Important: Authentication bypass and information disclosure
+ </strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190";
rel="nofollow">CVE-2011-3190</a>
+</p>
+
+ <p>Apache Tomcat supports the AJP protocol which is used with reverse
+ proxies to pass requests and associated data about the request from the
+ reverse proxy to Tomcat. The AJP protocol is designed so that when a
+ request includes a request body, an unsolicited AJP message is sent to
+ Tomcat that includes the first part (or possibly all) of the request
+ body. In certain circumstances, Tomcat did not process this message as a
+ request body but as a new request. This permitted an attacker to have
+ full control over the AJP message permitting authentication bypass and
+ information disclosure. This vulnerability only occurs when all of the
+ following are true:
+ <ul>
+ <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
+ </li>
+ <li>POST requests are accepted</li>
+ <li>The request body is not processed</li>
+ </ul>
+ </p>
+
+ <p>This was fixed in revision
+ <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev";>
+ 1162958</a>.</p>
+
+ <p>This was reported publicly on 20th August 2011.</p>
+
+ <p>Affects: 7.0.0-7.0.20</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 7.0.20">
<!--()-->
</a>
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1162962&r1=1162961&r2=1162962&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Aug 29 19:49:44 2011
@@ -46,36 +46,6 @@
</section>
-->
- <section name="To be fixed in Apache Tomcat 5.5.34 (not yet released)">
-
- <p><strong>Important: Information disclosure</strong>
- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729";
- rel="nofollow">CVE-2011-2729</a></p>
-
- <p>Due to a bug in the capabilities code, jsvc (the service wrapper for
- Linux that is part of the Commons Daemon project) does not drop
- capabilities allowing the application to access files and directories
- owned by superuser. This vulnerability only occurs when all of the
- following are true:
- <ul>
- <li>Tomcat is running on a Linux operating system</li>
- <li>jsvc was compiled with libcap</li>
- <li>-user parameter is used</li>
- </ul>
- Affected Tomcat versions shipped with source files for jsvc that
included
- this vulnerability.
- </p>
-
- <p>There is a <a
href="http://people.apache.org/~markt/patches/2011-08-12-cve-2011-22729-tc5.patch";>
- proposed patch</a> for this issue.</p>
-
- <p>This was identified by Wilfried Weissmann on 20 July 2011 and made
public
- on 12 August 2011.</p>
-
- <p>Affects: 5.5.32-5.5.33</p>
-
- </section>
-
<section name="Fixed in Apache Tomcat 5.5.34 (not yet released)">
<p><strong>Low: Information disclosure</strong>
@@ -136,6 +106,63 @@
<p>Affects: 5.5.0-5.5.33</p>
+ <p><strong>Important: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729";
+ rel="nofollow">CVE-2011-2729</a></p>
+
+ <p>Due to a bug in the capabilities code, jsvc (the service wrapper for
+ Linux that is part of the Commons Daemon project) does not drop
+ capabilities allowing the application to access files and directories
+ owned by superuser. This vulnerability only occurs when all of the
+ following are true:
+ <ul>
+ <li>Tomcat is running on a Linux operating system</li>
+ <li>jsvc was compiled with libcap</li>
+ <li>-user parameter is used</li>
+ </ul>
+ Affected Tomcat versions shipped with source files for jsvc that
included
+ this vulnerability.
+ </p>
+
+ <p>There is a <a
href="http://people.apache.org/~markt/patches/2011-08-12-cve-2011-22729-tc5.patch";>
+ proposed patch</a> for this issue.</p>
+
+ <p>This was identified by Wilfried Weissmann on 20 July 2011 and made
public
+ on 12 August 2011.</p>
+
+ <p>Affects: 5.5.32-5.5.33</p>
+
+ <p><strong>Important: Authentication bypass and information disclosure
+ </strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190";
+ rel="nofollow">CVE-2011-3190</a></p>
+
+ <p>Apache Tomcat supports the AJP protocol which is used with reverse
+ proxies to pass requests and associated data about the request from the
+ reverse proxy to Tomcat. The AJP protocol is designed so that when a
+ request includes a request body, an unsolicited AJP message is sent to
+ Tomcat that includes the first part (or possibly all) of the request
+ body. In certain circumstances, Tomcat did not process this message as a
+ request body but as a new request. This permitted an attacker to have
+ full control over the AJP message permitting authentication bypass and
+ information disclosure. This vulnerability only occurs when all of the
+ following are true:
+ <ul>
+ <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
+ </li>
+ <li>POST requests are accepted</li>
+ <li>The request body is not processed</li>
+ </ul>
+ </p>
+
+ <p>This was fixed in revision
+ <a href="http://svn.apache.org/viewvc?rev=1162960&view=rev";>
+ 1162960</a>.</p>
+
+ <p>This was reported publicly on 20th August 2011.</p>
+
+ <p>Affects: 5.0.0-5.0.33</p>
+
</section>
<section name="Fixed in Apache Tomcat 5.5.32" rtext="released 1 Feb 2011">
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1162962&r1=1162961&r2=1162962&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Aug 29 19:49:44 2011
@@ -30,6 +30,42 @@
</section>
+
+ <section name="Fixed in Apache Tomcat 6.0.34 (not yet released)">
+
+ <p><strong>Important: Authentication bypass and information disclosure
+ </strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190";
+ rel="nofollow">CVE-2011-3190</a></p>
+
+ <p>Apache Tomcat supports the AJP protocol which is used with reverse
+ proxies to pass requests and associated data about the request from the
+ reverse proxy to Tomcat. The AJP protocol is designed so that when a
+ request includes a request body, an unsolicited AJP message is sent to
+ Tomcat that includes the first part (or possibly all) of the request
+ body. In certain circumstances, Tomcat did not process this message as a
+ request body but as a new request. This permitted an attacker to have
+ full control over the AJP message permitting authentication bypass and
+ information disclosure. This vulnerability only occurs when all of the
+ following are true:
+ <ul>
+ <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
+ </li>
+ <li>POST requests are accepted</li>
+ <li>The request body is not processed</li>
+ </ul>
+ </p>
+
+ <p>This was fixed in revision
+ <a href="http://svn.apache.org/viewvc?rev=1162959&view=rev";>
+ 1162959</a>.</p>
+
+ <p>This was reported publicly on 20th August 2011.</p>
+
+ <p>Affects: 6.0.0-6.0.33</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 6.0.33">
<p><strong>Low: Information disclosure</strong>
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1162962&r1=1162961&r2=1162962&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Aug 29 19:49:44 2011
@@ -25,6 +25,41 @@
<a href="mailto:[email protected]";>Tomcat Security
Team</a>.</p>
</section>
+ <section name="Fixed in Apache Tomcat 7.0.21 (not yet released)">
+
+ <p><strong>Important: Authentication bypass and information disclosure
+ </strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190";
+ rel="nofollow">CVE-2011-3190</a></p>
+
+ <p>Apache Tomcat supports the AJP protocol which is used with reverse
+ proxies to pass requests and associated data about the request from the
+ reverse proxy to Tomcat. The AJP protocol is designed so that when a
+ request includes a request body, an unsolicited AJP message is sent to
+ Tomcat that includes the first part (or possibly all) of the request
+ body. In certain circumstances, Tomcat did not process this message as a
+ request body but as a new request. This permitted an attacker to have
+ full control over the AJP message permitting authentication bypass and
+ information disclosure. This vulnerability only occurs when all of the
+ following are true:
+ <ul>
+ <li>The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
+ </li>
+ <li>POST requests are accepted</li>
+ <li>The request body is not processed</li>
+ </ul>
+ </p>
+
+ <p>This was fixed in revision
+ <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev";>
+ 1162958</a>.</p>
+
+ <p>This was reported publicly on 20th August 2011.</p>
+
+ <p>Affects: 7.0.0-7.0.20</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.20">
<p><strong>Important: Information disclosure</strong>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
![http://www.apache.org/images/asf-logo.gif"](http://www.apache.org/images/asf-logo.gif"){kind=link}