Modified: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1825106&r1=1825105&r2=1825106&view=diff
==
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Fri Feb 23 00:25:01 2018
@@ -50,6 +50,46 @@
+
+
+High: Security constraint annotations applied too late
+ CVE-2018-1305
+
+Security constraints defined by annotations of Servlets were only
applied
+ once a Servlet had been loaded. Because security constraints defined in
+ this way apply to the URL pattern and any URLs below that point, it was
+ possible - depending on the order Servlets were loaded - for some
+ security constraints not to be applied. This could have exposed
resources
+ to users who were not authorised to access them.
+
+This was fixed in revisions 1823322 and
+ 1824360.
+
+This issue was by the Apache Tomcat Security on 1 February 2018 and made
+ public on 23 February 2018.
+
+Affects: 8.0.0.RC1 to 8.0.49
+
+High: Security constraints mapped to context root are
+ ignored CVE-2018-1304
+
+The URL pattern of "" (the empty string) which exactly maps to the
+ context root was not correctly handled when used as part of a security
+ constraint definition. This caused the constraint to be ignored. It was,
+ therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.
+
+This was fixed in revision 1823309.
+
+This issue was reported publicly as 62067 on 31 January 2018
+ and the security implications identified by the Apache Tomcat Security
+ Team the same day. It was made public on 23 February 2018.
+
+Affects: 7.0.0 to 7.0.84
+
+
+
Low: Incorrectly documented CGI search algorithm
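Review bot: the Affects line for the CVE-2018-1305 entry reads "8.0.0.RC1 to 8.0.49", which does not match this file (security-7.xml) or the "7.0.0 to 7.0.84" range given for CVE-2018-1304 in the same hunk; please confirm the intended 7.0.x range for this entry before publishing, since the affected-version range is what readers use to decide whether they need to upgrade. Also, the sentence "This issue was by the Apache Tomcat Security on 1 February 2018" is missing its verb and the word "Team"; the wording in the CVE-2018-1304 entry ("identified by the Apache Tomcat Security Team") is the model to follow.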
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1825106&r1=1825105&r2=1825106&view=diff
==
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Fri Feb 23 00:25:01 2018
@@ -50,6 +50,86 @@
+
+
+High: Security constraint annotations applied too late
+ CVE-2018-1305
+
+Security constraints defined by annotations of Servlets were only
applied
+ once a Servlet had been loaded. Because security constraints defined in
+ this way apply to the URL pattern and any URLs below that point, it was
+ possible - depending on the order Servlets were loaded - for some
+ security constraints not to be applied. This could have exposed
resources
+ to users who were not authorised to access them.
+
+This was fixed in revisions 1823319 and
+ 1824359.
+
+This issue was by the Apache Tomcat Security on 1 February 2018 and made
+ public on 23 February 2018.
+
+Affects: 8.0.0.RC1 to 8.0.49
+
+High: Security constraints mapped to context root are
+ ignored CVE-2018-1304
+
+The URL pattern of "" (the empty string) which exactly maps to the
+ context root was not correctly handled when used as part of a security
+ constraint definition. This caused the constraint to be ignored. It was,
+ therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.
+
+This was fixed in revision 1823308.
+
+This issue was reported publicly as 62067 on 31 January 2018
+ and the security implications identified by the Apache Tomcat Security
+ Team the same day. It was made public on 23 February 2018.
+
+Affects: 8.0.0.RC1 to 8.0.49
+
+
+
+
+
+High: Security constraint annotations applied too late
+ CVE-2018-1305
+
+Security constraints defined by annotations of Servlets were only
applied
+ once a Servlet had been loaded. Because security constraints defined in
+ this way apply to the URL pattern and any URLs below that point, it was
+ possible - depending on the order Servlets were loaded - for some
+ security constraints not to be applied. This could have exposed
resources
+ to users who were not authorised to access them.
+
+This was fixed in revisions 1823314 and
+ 1824358.
+
+This issue was by the Apache Tomcat Security on 1 February 2018 and made
+ public on 23 February 2018.
+
+Affects: 8.5.0 to 8.5.27
+
+High: Security constraints mapped to context root are
+ ignored CVE-2018-1304
+
+The URL pattern of "" (the empty string) which exactly maps to the
+
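Review bot: the sentence "This issue was by the Apache Tomcat Security on 1 February 2018 and made public on 23 February 2018" appears in both the 8.0.x and 8.5.x CVE-2018-1305 entries with the verb and "Team" missing; suggest "This issue was identified by the Apache Tomcat Security Team on 1 February 2018 and made public on 23 February 2018." in both places, matching the wording already used in the CVE-2018-1304 entries. The hunk as shown here also ends mid-sentence after "The URL pattern of "" (the empty string) which exactly maps to the", so the rest of the 8.5.x CVE-2018-1304 entry could not be checked from this copy.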