Author: markt Date: Mon Feb 22 12:11:07 2016 New Revision: 1731628 URL: http://svn.apache.org/viewvc?rev=1731628&view=rev Log: Correction. The regressions in the original fix for CVE-2015-5345 were not addressed until 7.0.68
Modified: tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/xdocs/security-7.xml Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1731628&r1=1731627&r2=1731628&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Mon Feb 22 12:11:07 2016 
@@ -356,6 +356,48 @@ <p> +<strong>Low: Directory disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345" rel="nofollow">CVE-2015-5345</a> +</p> + + +<p>When accessing a directory protected by a security constraint with a URL + that did not end in a slash, Tomcat would redirect to the URL with the + trailing slash thereby confirming the presence of the directory before + processing the security constraint. It was therefore possible for a user + to determine if a directory existed or not, even if the user was not + permitted to view the directory. The issue also occurred at the root of a + web application in which case the presence of the web application was + confirmed, even if a user did not have access.</p> + + +<p>The solution was to implement the redirect in the DefaultServlet so that + any security constraints and/or security enforcing Filters were processed + before the redirect. The Tomcat team recognised that moving the redirect + could cause regressions to two new Context configuration options + (<code>mapperContextRootRedirectEnabled</code> and + <code>mapperDirectoryRedirectEnabled</code>) were introduced. The initial + default was <code>false</code> for both since this was more secure. 
+ However, due to regressions such as + <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=58765">Bug + 58765</a> the default for <code>mapperContextRootRedirectEnabled</code> + was later changed to true since it was viewed that the regression was + more serious than the security risk of associated with being able to + determine if a web application was deployed at a given path.</p> + + +<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1715213">1715213</a> and + <a href="http://svn.apache.org/viewvc?view=rev&rev=1717212">1717212</a>.</p> + + +<p>This issue was identified by Mark Koek of QCSec on 12 October 2015 and + made public on 22 February 2016.</p> + + +<p>Affects: 7.0.0 to 7.0.67</p> + + +<p> <strong>Low: CSRF token leak</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351" rel="nofollow">CVE-2015-5351</a> </p> 
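Review bot: the entry moved into the 7.0.68 section now reads "Affects: 7.0.0 to 7.0.67" but nothing in its text explains why 7.0.67, which shipped the original fix (revisions 1715213 and 1717212), is still counted as affected; readers need one sentence saying that the original fix in 7.0.67 introduced regressions (Bug 58765) and that the regressions were not addressed until 7.0.68, which is the reason given in the commit log. Add it in the source xdocs/security-7.xml rather than here, since docs/security-7.html is generated from it and a hand edit here will be lost on the next regeneration.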
@@ -461,48 +503,6 @@ <span style="float: right;">10 December 2015</span> Fixed in Apache Tomcat 7.0.67</h3> <div class="text"> - -<p> -<strong>Low: Directory disclosure</strong> - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345" rel="nofollow">CVE-2015-5345</a> -</p> - - -<p>When accessing a directory protected by a security constraint with a URL - that did not end in a slash, Tomcat would redirect to the URL with the - trailing slash thereby confirming the presence of the directory before - processing the security constraint. It was therefore possible for a user - to determine if a directory existed or not, even if the user was not - permitted to view the directory. The issue also occurred at the root of a - web application in which case the presence of the web application was - confirmed, even if a user did not have access.</p> - - -<p>The solution was to implement the redirect in the DefaultServlet so that - any security constraints and/or security enforcing Filters were processed - before the redirect. The Tomcat team recognised that moving the redirect - could cause regressions to two new Context configuration options - (<code>mapperContextRootRedirectEnabled</code> and - <code>mapperDirectoryRedirectEnabled</code>) were introduced. The initial - default was <code>false</code> for both since this was more secure. 
- However, due to regressions such as - <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=58765">Bug - 58765</a> the default for <code>mapperContextRootRedirectEnabled</code> - was later changed to true since it was viewed that the regression was - more serious than the security risk of associated with being able to - determine if a web application was deployed at a given path.</p> - - -<p>This was fixed in revisions <a href="http://svn.apache.org/viewvc?view=rev&rev=1715213">1715213</a> and - <a href="http://svn.apache.org/viewvc?view=rev&rev=1717212">1717212</a>.</p> - - -<p>This issue was identified by Mark Koek of QCSec on 12 October 2015 and - made public on 22 February 2016.</p> - - -<p>Affects: 7.0.0 to 7.0.66</p> - <p> <i>Note: The issue below was fixed in Apache Tomcat 7.0.66 but the Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1731628&r1=1731627&r2=1731628&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Mon Feb 22 12:11:07 2016 
@@ -52,6 +52,40 @@ <section name="Fixed in Apache Tomcat 7.0.68" rtext="16 February 2016"> + <p><strong>Low: Directory disclosure</strong> + <cve>CVE-2015-5345</cve></p> + + <p>When accessing a directory protected by a security constraint with a URL + that did not end in a slash, Tomcat would redirect to the URL with the + trailing slash thereby confirming the presence of the directory before + processing the security constraint. It was therefore possible for a user + to determine if a directory existed or not, even if the user was not + permitted to view the directory. The issue also occurred at the root of a + web application in which case the presence of the web application was + confirmed, even if a user did not have access.</p> + + <p>The solution was to implement the redirect in the DefaultServlet so that + any security constraints and/or security enforcing Filters were processed + before the redirect. The Tomcat team recognised that moving the redirect + could cause regressions to two new Context configuration options + (<code>mapperContextRootRedirectEnabled</code> and + <code>mapperDirectoryRedirectEnabled</code>) were introduced. The initial + default was <code>false</code> for both since this was more secure. + However, due to regressions such as + <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=58765">Bug + 58765</a> the default for <code>mapperContextRootRedirectEnabled</code> + was later changed to true since it was viewed that the regression was + more serious than the security risk of associated with being able to + determine if a web application was deployed at a given path.</p> + + <p>This was fixed in revisions <revlink rev="1715213">1715213</revlink> and + <revlink rev="1717212">1717212</revlink>.</p> + + <p>This issue was identified by Mark Koek of QCSec on 12 October 2015 and + made public on 22 February 2016.</p> + + <p>Affects: 7.0.0 to 7.0.67</p> + <p><strong>Low: CSRF token leak</strong> <cve>CVE-2015-5351</cve></p> 
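Review bot: "This was fixed in revisions 1715213 and 1717212" is carried over unchanged from the 7.0.67 entry, yet the whole point of this move is that those revisions alone did not resolve the issue; the revision that addressed the regressions (the change of the `mapperContextRootRedirectEnabled` default described in the previous paragraph) should be cited with a `<revlink>` alongside them so the 7.0.68 fix is traceable. While in this paragraph, fix two wording defects that also appear in the generated html: "could cause regressions to two new Context configuration options (...) were introduced" is missing its connective and should read "could cause regressions so two new Context configuration options (...) were introduced", and "the security risk of associated with" should drop "of".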
@@ -128,40 +162,6 @@ <section name="Fixed in Apache Tomcat 7.0.67" rtext="10 December 2015"> - <p><strong>Low: Directory disclosure</strong> - <cve>CVE-2015-5345</cve></p> - - <p>When accessing a directory protected by a security constraint with a URL - that did not end in a slash, Tomcat would redirect to the URL with the - trailing slash thereby confirming the presence of the directory before - processing the security constraint. It was therefore possible for a user - to determine if a directory existed or not, even if the user was not - permitted to view the directory. The issue also occurred at the root of a - web application in which case the presence of the web application was - confirmed, even if a user did not have access.</p> - - <p>The solution was to implement the redirect in the DefaultServlet so that - any security constraints and/or security enforcing Filters were processed - before the redirect. The Tomcat team recognised that moving the redirect - could cause regressions to two new Context configuration options - (<code>mapperContextRootRedirectEnabled</code> and - <code>mapperDirectoryRedirectEnabled</code>) were introduced. The initial - default was <code>false</code> for both since this was more secure. 
- However, due to regressions such as - <a href="https://bz.apache.org/bugzilla/show_bug.cgi?id=58765">Bug - 58765</a> the default for <code>mapperContextRootRedirectEnabled</code> - was later changed to true since it was viewed that the regression was - more serious than the security risk of associated with being able to - determine if a web application was deployed at a given path.</p> - - <p>This was fixed in revisions <revlink rev="1715213">1715213</revlink> and - <revlink rev="1717212">1717212</revlink>.</p> - - <p>This issue was identified by Mark Koek of QCSec on 12 October 2015 and - made public on 22 February 2016.</p> - - <p>Affects: 7.0.0 to 7.0.66</p> - <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.66 but the release vote for the 7.0.66 release candidate did not pass. Therefore, although users must download 7.0.67 to obtain a version that includes a --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org