Author: kkolinko
Date: Tue Sep 13 01:04:36 2011
New Revision: 1169992

URL: http://svn.apache.org/viewvc?rev=1169992&view=rev
Log:
tomcat-site.xsl: Copy <rev> and <bug> tags from tomcat-docs.xls. Add <cve> tag for links to CVE pages.
security-7.xml: Simplify markup.

Modified: tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/stylesheets/tomcat-site.xsl Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1169992&r1=1169991&r2=1169992&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Tue Sep 13 01:04:36 2011 @@ -343,9 +343,7 @@ </ul> </p> - <p>This was fixed in revision - <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev"> - 1162958</a>.</p> + <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1162958">revision 1162958</a>.</p> <p>This was reported publicly on 20th August 2011.</p> @@ -354,7 +352,7 @@ <p>Mitigation options:</p> <ul> <li>Upgrade to Tomcat 7.0.21</li> - <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev">patch</a> + <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?view=rev&rev=1162958">patch</a> </li> <li>Configure both Tomcat and the reverse proxy to use a shared secret ("requiredSecret" attribute in @@ -410,9 +408,7 @@ this vulnerability. </p> - <p>This was fixed in revision - <a href="http://svn.apache.org/viewvc?rev=1153379&view=rev"> - 1153379</a>.</p> + <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1153379">revision 1153379</a>.</p> <p>This was identified by Wilfried Weissmann on 20 July 2011 and made public on 12 August 2011.</p> 
@@ -476,16 +472,11 @@ </p> <p>This was fixed in revisions - <a href="http://svn.apache.org/viewvc?rev=1145383&view=rev"> - 1145383</a>, - <a href="http://svn.apache.org/viewvc?rev=1145489&view=rev"> - 1145489</a>, - <a href="http://svn.apache.org/viewvc?rev=1145571&view=rev"> - 1145571</a>, - <a href="http://svn.apache.org/viewvc?rev=1145694&view=rev"> - 1145694</a> and - <a href="http://svn.apache.org/viewvc?rev=1146005&view=rev"> - 1146005</a>.</p> + <a href="http://svn.apache.org/viewvc?view=rev&rev=1145383">1145383</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1145489">1145489</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1145571">1145571</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1145694">1145694</a> and + <a href="http://svn.apache.org/viewvc?view=rev&rev=1146005">1146005</a>.</p> <p>This was identified by the Tomcat security team on 7 July 2011 and made public on 13 July 2011.</p> @@ -514,9 +505,7 @@ do not have these permissions but are able to read log files may be able to discover a user's password.</p> - <p>This was fixed in - <a href="http://svn.apache.org/viewvc?rev=1140070&view=rev"> - revision 1140070</a>.</p> + <p>This was fixed in <a href="http://svn.apache.org/viewvc?view=rev&rev=1140070">revision 1140070</a>.</p> <p>This was identified by Polina Genova on 14 June 2011 and made public on 27 June 2011.</p> 
@@ -529,8 +518,8 @@ </p> <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the - vulnerability previously reported as - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>. This was initially + vulnerability previously reported as <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" rel="nofollow">CVE-2009-0783</a>. + This was initially <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395"> reported</a> as a memory leak. If a web application is the first web application loaded, this bugs allows that web application to potentially Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1169992&r1=1169991&r2=1169992&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Tue Sep 13 01:04:36 2011 @@ -29,8 +29,7 @@ <p><strong>Important: Authentication bypass and information disclosure </strong> - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190" - rel="nofollow">CVE-2011-3190</a></p> + <cve>CVE-2011-3190</cve></p> <p>Apache Tomcat supports the AJP protocol which is used with reverse proxies to pass requests and associated data about the request from the @@ -50,9 +49,7 @@ </ul> </p> - <p>This was fixed in revision - <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev"> - 1162958</a>.</p> + <p>This was fixed in <revlink rev="1162958">revision 1162958</revlink>.</p> <p>This was reported publicly on 20th August 2011.</p> 
@@ -61,7 +58,7 @@ <p>Mitigation options:</p> <ul> <li>Upgrade to Tomcat 7.0.21</li> - <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev">patch</a></li> + <li>Apply the appropriate <revlink rev="1162958">patch</revlink></li> <li>Configure both Tomcat and the reverse proxy to use a shared secret ("requiredSecret" attribute in <a href="/tomcat-7.0-doc/config/ajp.html"><Connector></a>; @@ -74,8 +71,7 @@ <section name="Fixed in Apache Tomcat 7.0.20"> <p><strong>Important: Information disclosure</strong> - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729" - rel="nofollow">CVE-2011-2729</a></p> + <cve>CVE-2011-2729</cve></p> <p>Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop @@ -91,9 +87,7 @@ this vulnerability. </p> - <p>This was fixed in revision - <a href="http://svn.apache.org/viewvc?rev=1153379&view=rev"> - 1153379</a>.</p> + <p>This was fixed in <revlink rev="1153379">revision 1153379</revlink>.</p> <p>This was identified by Wilfried Weissmann on 20 July 2011 and made public on 12 August 2011.</p> @@ -105,8 +99,7 @@ <section name="Fixed in Apache Tomcat 7.0.19"> <p><strong>Low: Information disclosure</strong> - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526" - rel="nofollow">CVE-2011-2526</a></p> + <cve>CVE-2011-2526</cve></p> <p>Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the 
@@ -132,16 +125,11 @@ </p> <p>This was fixed in revisions - <a href="http://svn.apache.org/viewvc?rev=1145383&view=rev"> - 1145383</a>, - <a href="http://svn.apache.org/viewvc?rev=1145489&view=rev"> - 1145489</a>, - <a href="http://svn.apache.org/viewvc?rev=1145571&view=rev"> - 1145571</a>, - <a href="http://svn.apache.org/viewvc?rev=1145694&view=rev"> - 1145694</a> and - <a href="http://svn.apache.org/viewvc?rev=1146005&view=rev"> - 1146005</a>.</p> + <revlink rev="1145383">1145383</revlink>, + <revlink rev="1145489">1145489</revlink>, + <revlink rev="1145571">1145571</revlink>, + <revlink rev="1145694">1145694</revlink> and + <revlink rev="1146005">1146005</revlink>.</p> <p>This was identified by the Tomcat security team on 7 July 2011 and made public on 13 July 2011.</p> @@ -155,8 +143,7 @@ included in the list of affected versions.</i></p> <p><strong>Low: Information disclosure</strong> - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" - rel="nofollow">CVE-2011-2204</a></p> + <cve>CVE-2011-2204</cve></p> <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and creating users via JMX, an exception during the user creation process may @@ -167,9 +154,7 @@ do not have these permissions but are able to read log files may be able to discover a user's password.</p> - <p>This was fixed in - <a href="http://svn.apache.org/viewvc?rev=1140070&view=rev"> - revision 1140070</a>.</p> + <p>This was fixed in <revlink rev="1140070">revision 1140070</revlink>.</p> <p>This was identified by Polina Genova on 14 June 2011 and made public on 27 June 2011.</p> 
@@ -177,13 +162,11 @@ <p>Affects: 7.0.0-7.0.16</p> <p><strong>Low: Information disclosure</strong> - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2481" - rel="nofollow">CVE-2011-2481</a></p> + <cve>CVE-2011-2481</cve></p> <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the - vulnerability previously reported as - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783" - rel="nofollow">CVE-2009-0783</a>. This was initially + vulnerability previously reported as <cve>CVE-2009-0783</cve>. + This was initially <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395"> reported</a> as a memory leak. If a web application is the first web application loaded, this bugs allows that web application to potentially Modified: tomcat/site/trunk/xdocs/stylesheets/tomcat-site.xsl URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/stylesheets/tomcat-site.xsl?rev=1169992&r1=1169991&r2=1169992&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/stylesheets/tomcat-site.xsl (original) +++ tomcat/site/trunk/xdocs/stylesheets/tomcat-site.xsl Tue Sep 13 01:04:36 2011 @@ -17,7 +17,9 @@ <!-- Defined parameters (overrideable) --> <xsl:param name="relative-path" select="'.'"/> + <xsl:param name="buglink" select="'https://issues.apache.org/bugzilla/show_bug.cgi?id='"/> <xsl:param name="revlink" select="'http://svn.apache.org/viewvc?view=rev&rev='"/> + <xsl:param name="cvelink" select="'http://cve.mitre.org/cgi-bin/cvename.cgi?name='"/> <!-- Defined variables (non-overrideable) --> <xsl:variable name="body-bg" select="'#ffffff'"/> 
@@ -334,13 +336,31 @@ </div> </xsl:template> + <!-- Link to a bug report --> + <xsl:template match="bug"> + <xsl:variable name="link"><xsl:value-of select="$buglink"/><xsl:value-of select="text()"/></xsl:variable> + <a href="{$link}"><xsl:apply-templates/></a> + </xsl:template> + + <!-- Link to a SVN revision report --> + <xsl:template match="rev"> + <xsl:variable name="link"><xsl:value-of select="$revlink"/><xsl:value-of select="text()"/></xsl:variable> + <a href="{$link}">r<xsl:apply-templates/></a> + </xsl:template> + <!-- Link to a SVN revision report --> - <!-- It is similar to <rev> tag in tomcat-docs.xsl, but allows arbitrary text inside --> + <!-- It is similat to <rev> tag, but allows arbitrary text inside --> <xsl:template match="revlink"> <xsl:variable name="link"><xsl:value-of select="$revlink"/><xsl:value-of select="@rev"/></xsl:variable> <a href="{$link}"><xsl:apply-templates/></a> </xsl:template> + <!-- Link to a CVE report --> + <xsl:template match="cve"> + <xsl:variable name="link"><xsl:value-of select="$cvelink"/><xsl:value-of select="text()"/></xsl:variable> + <a href="{$link}" rel="nofollow"><xsl:apply-templates/></a> + </xsl:template> + <!-- specially process td tags ala site.vsl --> <xsl:template match="table[@class='detail-table']/tr/td"> <td bgcolor="{$table-td-bg}" valign="top" align="left">
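
Review bot: In security-7.xml, hunk @@ -132,16 +125,11 @@, each of the five added links repeats the revision number as both the attribute and the link text, for example <revlink rev="1145383">1145383</revlink>. The <rev> template added to tomcat-site.xsl in this same commit takes the number from the element text, so <rev>1145383</rev> would be shorter and would remove the chance of the attribute and the visible number drifting apart. That template prefixes the link text with "r", so the sentence would then list r1145383, r1145489 and so on; if that rendering is not wanted, say so in the log so the choice of revlink here is clearly deliberate.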
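
Review bot: In security-7.xml, hunk @@ -177,13 +162,11 @@, the Bugzilla link for 51395 remains a hand-written <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395"> even though this commit introduces a buglink parameter and a <bug> tag. The <bug> template takes the id from the element text, so it cannot carry the link text "reported"; either add an attribute-based variant, as revlink is to rev, or leave a comment explaining why this URL stays hard-coded. The context line "this bugs allows that web application" should read "this bug allows" and could be corrected while the paragraph is being touched.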
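
Review bot: In tomcat-site.xsl, hunk @@ -17,7 +17,9 @@, the new cvelink parameter is an http:// URL while the buglink parameter added two lines above it is https://, and the existing revlink between them is also http://. These prefixes end up in every outbound link on the security pages, so check whether the CVE and viewvc hosts answer over https and, if they do, use it for all three. A one-line comment stating that each parameter is a prefix to which an id is appended would also help anyone overriding them.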
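
Review bot: In tomcat-site.xsl, hunk @@ -334,13 +336,31 @@, the new bug, rev and cve templates build the href from <xsl:value-of select="text()"/>, which uses only the first text node and keeps its whitespace, so an element whose content is wrapped onto its own line or contains inline markup yields a broken or truncated URL. Using normalize-space(.) in those three templates avoids that. The rewritten comment on the revlink template has a typo, "similat" for "similar", and the rev and revlink templates now open with the identical comment "Link to a SVN revision report"; give the rev one a line of its own saying that it takes the revision from the element text and prefixes the link with "r".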