Author: markt
Date: Wed Oct 31 17:44:50 2018
New Revision: 1845353

URL: http://svn.apache.org/viewvc?rev=1845353&view=rev
Log:
Add information for CVE-2018-11759
Modified: tomcat/site/trunk/docs/security-jk.html tomcat/site/trunk/xdocs/security-jk.xml Modified: tomcat/site/trunk/docs/security-jk.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1845353&r1=1845352&r2=1845353&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-jk.html (original) +++ tomcat/site/trunk/docs/security-jk.html Wed Oct 31 17:44:50 2018 @@ -214,6 +214,9 @@ <a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK Connectors vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</a> </li> <li> 
@@ -256,6 +259,61 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK Connector 1.2.46</h3> +<div class="text"> + + +<p> +<i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45 + but the release vote for the 1.2.45 release candidate did not pass. + Therefore, although users must download 1.2.46 to obtain a version that + includes the fix for this issue, version 1.2.45 is not included in the + list of affected versions.</i> +</p> + + +<p> +<strong>Important: Information disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11759" rel="nofollow">CVE-2018-11759</a> +</p> + + +<p>The Apache Web Server (httpd) specific code that normalised the requested + path before matching it to the URI-worker map did not handle some edge + cases correctly. If only a sub-set of the URLs supported by Tomcat were + exposed via httpd, then it was possible for a specially constructed + request to expose application functionality through the reverse proxy + that was not intended for clients accessing the application via the + reverse proxy. It was also possible in some configurations for a + specially constructed request to bypass the access controls configured in + httpd. 
While there is some overlap between this issue and CVE-2018-1323, + they are not identical.</p> + + +<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1838836">1838836</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1838857">1838857</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1838871">1838871</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1838882">1838882</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840444">1840444</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840445">1840445</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840448">1840448</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840449">1840449</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840450">1840450</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840451">1840451</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840491">1840491</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840588">1840588</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840592">1840592</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840603">1840603</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840604">1840604</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840610">1840610</a>, + <a href="http://svn.apache.org/viewvc?view=rev&rev=1840629">1840629</a> and + <a href="http://svn.apache.org/viewvc?view=rev&rev=1841463">1841463</a>.</p> + + +<p>Affects: JK 1.2.0-1.2.44</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK Connector 1.2.43</h3> <div class="text"> Modified: tomcat/site/trunk/xdocs/security-jk.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-jk.xml?rev=1845353&r1=1845352&r2=1845353&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-jk.xml (original) +++ 
tomcat/site/trunk/xdocs/security-jk.xml Wed Oct 31 17:44:50 2018 
@@ -28,6 +28,51 @@ </section> + <section name="Fixed in Apache Tomcat JK Connector 1.2.46"> + + <p><i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45 + but the release vote for the 1.2.45 release candidate did not pass. + Therefore, although users must download 1.2.46 to obtain a version that + includes the fix for this issue, version 1.2.45 is not included in the + list of affected versions.</i></p> + + <p><strong>Important: Information disclosure</strong> + <cve>CVE-2018-11759</cve></p> + + <p>The Apache Web Server (httpd) specific code that normalised the requested + path before matching it to the URI-worker map did not handle some edge + cases correctly. If only a sub-set of the URLs supported by Tomcat were + exposed via httpd, then it was possible for a specially constructed + request to expose application functionality through the reverse proxy + that was not intended for clients accessing the application via the + reverse proxy. It was also possible in some configurations for a + specially constructed request to bypass the access controls configured in + httpd. 
While there is some overlap between this issue and CVE-2018-1323, + they are not identical.</p> + + <p>This was fixed in revisions <revlink rev="1838836">1838836</revlink>, + <revlink rev="1838857">1838857</revlink>, + <revlink rev="1838871">1838871</revlink>, + <revlink rev="1838882">1838882</revlink>, + <revlink rev="1840444">1840444</revlink>, + <revlink rev="1840445">1840445</revlink>, + <revlink rev="1840448">1840448</revlink>, + <revlink rev="1840449">1840449</revlink>, + <revlink rev="1840450">1840450</revlink>, + <revlink rev="1840451">1840451</revlink>, + <revlink rev="1840491">1840491</revlink>, + <revlink rev="1840588">1840588</revlink>, + <revlink rev="1840592">1840592</revlink>, + <revlink rev="1840603">1840603</revlink>, + <revlink rev="1840604">1840604</revlink>, + <revlink rev="1840610">1840610</revlink>, + <revlink rev="1840629">1840629</revlink> and + <revlink rev="1841463">1841463</revlink>.</p> + + <p>Affects: JK 1.2.0-1.2.44</p> + + </section> + <section name="Fixed in Apache Tomcat JK Connector 1.2.43"> <p><strong>Important: Information disclosure</strong> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
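Review bot: In the docs/security-jk.html hunk at @@ -256,6 +259,61 @@, the line "Affects: JK 1.2.0-1.2.44" reads as covering every JK connector, while the description limits the flaw to "The Apache Web Server (httpd) specific code". Consider naming the httpd module in the Affects line so that operators of the other JK connectors can tell whether the entry applies to them. The entry also lists only the fixing revisions and the affected range; a sentence on what to do when an upgrade to 1.2.46 is not immediately possible would help readers who rely on httpd access controls in front of Tomcat. The same wording appears in the xdocs/security-jk.xml hunk, so both files need the change.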
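Review bot: In the xdocs/security-jk.xml hunk at @@ -28,6 +28,51 @@, CVE-2018-1323 in the last sentence of the description is plain text, whereas the advisory's own identifier two paragraphs up is marked up as <cve>CVE-2018-11759</cve>. The docs/security-jk.html hunk shows the result: CVE-2018-11759 is a link to cve.mitre.org and CVE-2018-1323 is not. If the <cve> element can be used inline, wrap the second identifier as well so that readers comparing the two issues can reach the other advisory directly.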