Author: schultz
Date: Sat Sep 10 01:51:49 2011
New Revision: 1167434
URL: http://svn.apache.org/viewvc?rev=1167434&view=rev

Log:
Committed *all* files for CVE-2011-3190 mitigation options.
Modified: tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1167434&r1=1167433&r2=1167434&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Sat Sep 10 01:51:49 2011 @@ -473,11 +473,12 @@ <p>This was reported publicly on 20th August 2011.</p> <p>Affects: 5.5.0-5.5.33</p> - + <p>Mitigation options:</p> <ul> <li>Upgrade to Tomcat 5.5.34</li> - <li>Apply the appropriate <a href=" http://svn.apache.org/viewvc?rev=1162960&view=rev">patch</a></li> + <li>Apply the appropriate <a href=" http://svn.apache.org/viewvc?rev=1162960&view=rev">patch</a> +</li> <li>Configure both Tomcat and the reverse proxy to use a shared secret ("request.secret" attribute in <Connector>; "worker.<i>workername</i>.secret" for mod_jk; mod_proxy_ajp currently does not support shared secrets)</li> <li>Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector</li> </ul> Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1167434&r1=1167433&r2=1167434&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Sat Sep 10 01:51:49 2011 
@@ -368,7 +368,8 @@ <p>Mitigation options:</p> <ul> <li>Upgrade to Tomcat 6.0.34</li> - <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162959&view=rev">patch</a></li> + <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162959&view=rev">patch</a> +</li> <li>Configure both Tomcat and the reverse proxy to use a shared secret ("request.secret" attribute in <Connector>; "worker.<i>workername</i>.secret" for mod_jk; mod_proxy_ajp currently does not support shared secrets)</li> <li>Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector</li> </ul> Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1167434&r1=1167433&r2=1167434&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Sat Sep 10 01:51:49 2011 @@ -350,11 +350,12 @@ <p>This was reported publicly on 20th August 2011.</p> <p>Affects: 7.0.0-7.0.20</p> - + <p>Mitigation options:</p> <ul> <li>Upgrade to Tomcat 7.0.21</li> - <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev">patch</a></li> + <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev">patch</a> +</li> <li>Configure both Tomcat and the reverse proxy to use a shared secret ("request.secret" attribute in <Connector>; "worker.<i>workername</i>.secret" for mod_jk; mod_proxy_ajp currently does not support shared secrets)</li> </ul> </blockquote> Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1167434&r1=1167433&r2=1167434&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Sat Sep 10 01:51:49 2011 
@@ -164,6 +164,13 @@ <p>Affects: 5.5.0-5.5.33</p> + <p>Mitigation options:</p> + <ul> + <li>Upgrade to Tomcat 5.5.34</li> + <li>Apply the appropriate <a href=" http://svn.apache.org/viewvc?rev=1162960&view=rev">patch</a></li> + <li>Configure both Tomcat and the reverse proxy to use a shared secret ("request.secret" attribute in <Connector>; "worker.<i>workername</i>.secret" for mod_jk; mod_proxy_ajp currently does not support shared secrets)</li> + <li>Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector</li> + </ul> </section> <section name="Fixed in Apache Tomcat 5.5.32" rtext="released 1 Feb 2011"> Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1167434&r1=1167433&r2=1167434&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Sat Sep 10 01:51:49 2011 @@ -64,6 +64,13 @@ <p>Affects: 6.0.0-6.0.33</p> + <p>Mitigation options:</p> + <ul> + <li>Upgrade to Tomcat 6.0.34</li> + <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162959&view=rev">patch</a></li> + <li>Configure both Tomcat and the reverse proxy to use a shared secret ("request.secret" attribute in <Connector>; "worker.<i>workername</i>.secret" for mod_jk; mod_proxy_ajp currently does not support shared secrets)</li> + <li>Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector</li> + </ul> </section> <section name="Fixed in Apache Tomcat 6.0.33"> Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1167434&r1=1167433&r2=1167434&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Sat Sep 10 01:51:49 2011 
@@ -58,6 +58,12 @@ <p>Affects: 7.0.0-7.0.20</p> + <p>Mitigation options:</p> + <ul> + <li>Upgrade to Tomcat 7.0.21</li> + <li>Apply the appropriate <a href="http://svn.apache.org/viewvc?rev=1162958&view=rev">patch</a></li> + <li>Configure both Tomcat and the reverse proxy to use a shared secret ("request.secret" attribute in <Connector>; "worker.<i>workername</i>.secret" for mod_jk; mod_proxy_ajp currently does not support shared secrets)</li> + </ul> </section> <section name="Fixed in Apache Tomcat 7.0.20">
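Review bot: In the xdocs/security-5.xml hunk the patch link is written as href=" http://svn.apache.org/viewvc?rev=1162960&view=rev", with a space between the opening quote and the scheme; the 6.0 and 7.0 hunks have no such space. Drop the space in the XML source and regenerate docs/security-5.html, which carries the same leading space on both its - and + lines, so that the link to the fix does not depend on the consumer trimming the attribute value.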
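Review bot: The xdocs/security-7.xml hunk names the Tomcat-side setting as the "request.secret" attribute in <Connector>, word for word the same as the 5.5 and 6.0 lists, but the Tomcat 7 AJP connector documents its shared-secret attribute as requiredSecret. Please confirm the name against the 7.0 AJP connector reference and change the 7.0 item if it differs, since an administrator who sets an attribute the connector does not recognise ends up with no secret enforced while believing the mitigation is in place.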
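Review bot: The shared-secret item in the xdocs/security-6.xml hunk puts "mod_proxy_ajp currently does not support shared secrets" at the end of a parenthesis, where it is easy to miss and leaves mod_proxy_ajp users without a stated alternative. Consider making it its own sentence, saying that this option applies only to mod_jk front ends and that mod_proxy_ajp deployments need one of the other listed options; the same wording appears in the 5.5 and 7.0 lists.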