Author: markt
Date: Wed Oct 31 17:44:50 2018
New Revision: 1845353

URL: http://svn.apache.org/viewvc?rev=1845353&view=rev
Log:
Add information for CVE-2018-11759

Modified:
    tomcat/site/trunk/docs/security-jk.html
    tomcat/site/trunk/xdocs/security-jk.xml

Modified: tomcat/site/trunk/docs/security-jk.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1845353&r1=1845352&r2=1845353&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-jk.html (original)
+++ tomcat/site/trunk/docs/security-jk.html Wed Oct 31 17:44:50 2018
@@ -214,6 +214,9 @@
 <a href="#Apache_Tomcat_JK_Connectors_vulnerabilities">Apache Tomcat JK 
Connectors vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat 
JK Connector 1.2.46</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat 
JK Connector 1.2.43</a>
 </li>
 <li>
@@ -256,6 +259,61 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.46">Fixed in Apache Tomcat JK 
Connector 1.2.46</h3>
+<div class="text">
+
+    
+<p>
+<i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45
+       but the release vote for the 1.2.45 release candidate did not pass.
+       Therefore, although users must download 1.2.46 to obtain a version that
+       includes the fix for this issue, version 1.2.45 is not included in the
+       list of affected versions.</i>
+</p>
+
+    
+<p>
+<strong>Important: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11759"; 
rel="nofollow">CVE-2018-11759</a>
+</p>
+
+    
+<p>The Apache Web Server (httpd) specific code that normalised the requested 
+       path before matching it to the URI-worker map did not handle some edge
+       cases correctly. If only a sub-set of the URLs supported by Tomcat were
+       exposed via httpd, then it was possible for a specially constructed
+       request to expose application functionality through the reverse proxy
+       that was not intended for clients accessing the application via the
+       reverse proxy. It was also possible in some configurations for a
+       specially constructed request to bypass the access controls configured 
in
+       httpd. While there is some overlap between this issue and CVE-2018-1323,
+       they are not identical.</p>
+
+    
+<p>This was fixed in revisions <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1838836";>1838836</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1838857";>1838857</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1838871";>1838871</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1838882";>1838882</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840444";>1840444</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840445";>1840445</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840448";>1840448</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840449";>1840449</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840450";>1840450</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840451";>1840451</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840491";>1840491</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840588";>1840588</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840592";>1840592</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840603";>1840603</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840604";>1840604</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840610";>1840610</a>,
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1840629";>1840629</a> and
+       <a 
href="http://svn.apache.org/viewvc?view=rev&amp;rev=1841463";>1841463</a>.</p>
+
+    
+<p>Affects: JK 1.2.0-1.2.44</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_JK_Connector_1.2.43">Fixed in Apache Tomcat JK 
Connector 1.2.43</h3>
 <div class="text">
 
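Review bot: the description paragraph added under the 1.2.46 heading says the normalisation missed "some edge cases" and that the access-control bypass applies "in some configurations", but it gives an administrator no way to judge whether their httpd setup is in scope. The only remediation hint is in the italic note above it. Suggest adding one sentence that states the remedy directly (upgrade to 1.2.46) and, as far as the project is willing to disclose, which kind of httpd access-control or URI-worker map configuration is affected.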

Modified: tomcat/site/trunk/xdocs/security-jk.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-jk.xml?rev=1845353&r1=1845352&r2=1845353&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-jk.xml (original)
+++ tomcat/site/trunk/xdocs/security-jk.xml Wed Oct 31 17:44:50 2018
@@ -28,6 +28,51 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat JK Connector 1.2.46">
+
+    <p><i>Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45
+       but the release vote for the 1.2.45 release candidate did not pass.
+       Therefore, although users must download 1.2.46 to obtain a version that
+       includes the fix for this issue, version 1.2.45 is not included in the
+       list of affected versions.</i></p>
+
+    <p><strong>Important: Information disclosure</strong>
+       <cve>CVE-2018-11759</cve></p>
+
+    <p>The Apache Web Server (httpd) specific code that normalised the 
requested 
+       path before matching it to the URI-worker map did not handle some edge
+       cases correctly. If only a sub-set of the URLs supported by Tomcat were
+       exposed via httpd, then it was possible for a specially constructed
+       request to expose application functionality through the reverse proxy
+       that was not intended for clients accessing the application via the
+       reverse proxy. It was also possible in some configurations for a
+       specially constructed request to bypass the access controls configured 
in
+       httpd. While there is some overlap between this issue and CVE-2018-1323,
+       they are not identical.</p>
+
+    <p>This was fixed in revisions <revlink rev="1838836">1838836</revlink>,
+       <revlink rev="1838857">1838857</revlink>,
+       <revlink rev="1838871">1838871</revlink>,
+       <revlink rev="1838882">1838882</revlink>,
+       <revlink rev="1840444">1840444</revlink>,
+       <revlink rev="1840445">1840445</revlink>,
+       <revlink rev="1840448">1840448</revlink>,
+       <revlink rev="1840449">1840449</revlink>,
+       <revlink rev="1840450">1840450</revlink>,
+       <revlink rev="1840451">1840451</revlink>,
+       <revlink rev="1840491">1840491</revlink>,
+       <revlink rev="1840588">1840588</revlink>,
+       <revlink rev="1840592">1840592</revlink>,
+       <revlink rev="1840603">1840603</revlink>,
+       <revlink rev="1840604">1840604</revlink>,
+       <revlink rev="1840610">1840610</revlink>,
+       <revlink rev="1840629">1840629</revlink> and
+       <revlink rev="1841463">1841463</revlink>.</p>
+
+    <p>Affects: JK 1.2.0-1.2.44</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat JK Connector 1.2.43">
 
     <p><strong>Important: Information disclosure</strong>
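Review bot: in the description paragraph of the new section, the cross-reference to CVE-2018-1323 is plain text, while the entry's own identifier is marked up as a "cve" element (CVE-2018-11759). Wrapping the cross-reference in the same element would give readers a link to the issue they are told overlaps with this one. The closing "Affects: JK 1.2.0-1.2.44" line is consistent with the note about 1.2.45, so no change is needed there.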


