Re: svn commit: r1825106 [5/5] - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml

2018-02-22 Thread Mark Thomas
On 23/02/18 00:37, Emmanuel Bourg wrote:
> On 23/02/2018 at 01:25, ma...@apache.org wrote:
>> +This issue was by the Apache Tomcat Security on 1 February 2018 and 
>> made
>> +   public on 23 February 2018.
> 
> The word "identified" is missing in this sentence.

Thanks for spotting this. I'll get that fixed shortly.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: svn commit: r1825106 [5/5] - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml

2018-02-22 Thread Emmanuel Bourg
On 23/02/2018 at 01:25, ma...@apache.org wrote:
> +This issue was by the Apache Tomcat Security on 1 February 2018 and 
> made
> +   public on 23 February 2018.

The word "identified" is missing in this sentence.

Emmanuel Bourg




svn commit: r1825106 [5/5] - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml

2018-02-22 Thread markt
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1825106&r1=1825105&r2=1825106&view=diff
==
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Fri Feb 23 00:25:01 2018
@@ -50,6 +50,46 @@
 
   
 
+  
+  
+High: Security constraint annotations applied too late
+   CVE-2018-1305
+
+Security constraints defined by annotations of Servlets were only 
applied
+   once a Servlet had been loaded. Because security constraints defined in
+   this way apply to the URL pattern and any URLs below that point, it was
+   possible - depending on the order Servlets were loaded - for some
+   security constraints not to be applied. This could have exposed 
resources
+   to users who were not authorised to access them.
+
+This was fixed in revisions 1823322 and
+   1824360.
+
+This issue was by the Apache Tomcat Security on 1 February 2018 and made
+   public on 23 February 2018.
+
+Affects: 8.0.0.RC1 to 8.0.49
+
+High: Security constraints mapped to context root are
+   ignored CVE-2018-1304
+
+The URL pattern of "" (the empty string) which exactly maps to the
+   context root was not correctly handled when used as part of a security
+   constraint definition. This caused the constraint to be ignored. It was,
+   therefore, possible for unauthorised users to gain access to web
+   application resources that should have been protected. Only security
+   constraints with a URL pattern of the empty string were affected.
+
+This was fixed in revision 1823309.
+
+This issue was reported publicly as 62067 on 31 January 2018
+   and the security implications identified by the Apache Tomcat Security
+   Team the same day. It was made public on 23 February 2018.
+
+Affects: 7.0.0 to 7.0.84
+
+  
+  
   
 
 Low: Incorrectly documented CGI search algorithm
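Review bot: the `Affects` line for CVE-2018-1305 in security-7.xml reads `+Affects: 8.0.0.RC1 to 8.0.49`, an 8.0.x range on the Tomcat 7 page, while the CVE-2018-1304 entry directly below it reads `+Affects: 7.0.0 to 7.0.84`; this looks copied over from security-8.xml and should state the 7.0.x range that fix revisions 1823322 and 1824360 actually cover. In the same entry, `+This issue was by the Apache Tomcat Security on 1 February 2018 and made` has lost both its verb and the word "Team"; the CVE-2018-1304 entry's `identified by the Apache Tomcat Security Team` is the wording to follow. Since the CVE-2018-1305 text is carried verbatim across all three pages, any correction here needs the matching change in security-8.xml and security-9.xml.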

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1825106&r1=1825105&r2=1825106&view=diff
==
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Fri Feb 23 00:25:01 2018
@@ -50,6 +50,86 @@
 
   
 
+  
+  
+High: Security constraint annotations applied too late
+   CVE-2018-1305
+
+Security constraints defined by annotations of Servlets were only 
applied
+   once a Servlet had been loaded. Because security constraints defined in
+   this way apply to the URL pattern and any URLs below that point, it was
+   possible - depending on the order Servlets were loaded - for some
+   security constraints not to be applied. This could have exposed 
resources
+   to users who were not authorised to access them.
+
+This was fixed in revisions 1823319 and
+   1824359.
+
+This issue was by the Apache Tomcat Security on 1 February 2018 and made
+   public on 23 February 2018.
+
+Affects: 8.0.0.RC1 to 8.0.49
+
+High: Security constraints mapped to context root are
+   ignored CVE-2018-1304
+
+The URL pattern of "" (the empty string) which exactly maps to the
+   context root was not correctly handled when used as part of a security
+   constraint definition. This caused the constraint to be ignored. It was,
+   therefore, possible for unauthorised users to gain access to web
+   application resources that should have been protected. Only security
+   constraints with a URL pattern of the empty string were affected.
+
+This was fixed in revision 1823308.
+
+This issue was reported publicly as 62067 on 31 January 2018
+   and the security implications identified by the Apache Tomcat Security
+   Team the same day. It was made public on 23 February 2018.
+
+Affects: 8.0.0.RC1 to 8.0.49
+
+  
+  
+  
+  
+High: Security constraint annotations applied too late
+   CVE-2018-1305
+
+Security constraints defined by annotations of Servlets were only 
applied
+   once a Servlet had been loaded. Because security constraints defined in
+   this way apply to the URL pattern and any URLs below that point, it was
+   possible - depending on the order Servlets were loaded - for some
+   security constraints not to be applied. This could have exposed 
resources
+   to users who were not authorised to access them.
+
+This was fixed in revisions 1823314 and
+   1824358.
+
+This issue was by the Apache Tomcat Security on 1 February 2018 and made
+   public on 23 February 2018.
+
+Affects: 8.5.0 to 8.5.27
+
+High: Security constraints mapped to context root are
+   ignored CVE-2018-1304
+
+The URL pattern of "" (the empty string) which exactly maps to the
+
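Review bot: the CVE-2018-1305 timeline sentence is defective in both the 8.0.x entry (`+This issue was by the Apache Tomcat Security on 1 February 2018 and made`) and the 8.5.x entry further down the same hunk: "identified" and "Team" are missing, so the sentence has no verb and names the wrong body. Suggest `This issue was identified by the Apache Tomcat Security Team on 1 February 2018 and made public on 23 February 2018.`, which matches the CVE-2018-1304 wording already used in this hunk. Note also that the hunk is cut off in this mail after the first line of the 8.5.x CVE-2018-1304 description, so the fix revision and `Affects` line for that entry could not be checked here.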