Author: schultz
Date: Wed Aug 28 21:26:56 2024
New Revision: 1920257

URL: http://svn.apache.org/viewvc?rev=1920257&view=rev
Log:
Minor edits.

Modified: tomcat/site/trunk/docs/security-model.html tomcat/site/trunk/xdocs/security-model.xml Modified: tomcat/site/trunk/docs/security-model.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-model.html?rev=1920257&r1=1920256&r2=1920257&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-model.html (original) +++ tomcat/site/trunk/docs/security-model.html Wed Aug 28 21:26:56 2024 @@ -12,9 +12,9 @@ <div class="subsection"><h4 id="Administrative_users">Administrative users</h4><div class="text"> - <p>Administrative users are always considered to be trusted. Reports that - require attacker access to and/or control of any of the following to - succeed will be rejected:</p> + <p>Administrative users are always considered to be trusted. Reports for + vulnerabilities where an attacker already has access to or control over + any of the following will be rejected:</p> <ul> <li>The Manager or Host Manager applications provided with Tomcat</li> @@ -29,13 +29,14 @@ <div class="subsection"><h4 id="Web_applications">Web applications</h4><div class="text"> <p>Web applications deployed to Tomcat are considered to be trusted. - Vulnerabilities in user provided web applications are application + Vulnerabilities in user-provided web applications are application vulnerabilities, not Tomcat vulnerabilities.</p> <p>Reports of vulnerabilities in the web applications included with - Tomcat will be accepted. Reporters should review the comments about - each of the provided applications in the security considerations - section of the documentation for the version under test.</p> + standard Tomcat distributions will be accepted. Reporters should + review the comments about each of the provided applications in the + security considerations section of the documentation for the version + under test.</p> </div></div> 
@@ -50,7 +51,7 @@ connector</li> <li>HTTP headers processed by a <code>RemoteIpValve</code>, <code>SSLValve</code>, equivalent filters or any similar - functionality.</li> + functionality</li> </ul> </div></div> @@ -67,10 +68,10 @@ <div class="subsection"><h4 id="Logging">Logging</h4><div class="text"> - <p>Security sensitive information will not be logged with the default + <p>Security-sensitive information will not be logged with the default configuration apart from anything included in the request URI.</p> - <p>Security sensitive information may be logged with modified logging + <p>Security-sensitive information may be logged with modified logging configurations, particularly if debug logging is enabled.</p> </div></div> Modified: tomcat/site/trunk/xdocs/security-model.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-model.xml?rev=1920257&r1=1920256&r2=1920257&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-model.xml (original) +++ tomcat/site/trunk/xdocs/security-model.xml Wed Aug 28 21:26:56 2024 @@ -20,9 +20,9 @@ <subsection name="Administrative users"> - <p>Administrative users are always considered to be trusted. Reports that - require attacker access to and/or control of any of the following to - succeed will be rejected:</p> + <p>Administrative users are always considered to be trusted. Reports for + vulnerabilities where an attacker already has access to or control over + any of the following will be rejected:</p> <ul> <li>The Manager or Host Manager applications provided with Tomcat</li> 
@@ -37,13 +37,14 @@ <subsection name="Web applications"> <p>Web applications deployed to Tomcat are considered to be trusted. - Vulnerabilities in user provided web applications are application + Vulnerabilities in user-provided web applications are application vulnerabilities, not Tomcat vulnerabilities.</p> <p>Reports of vulnerabilities in the web applications included with - Tomcat will be accepted. Reporters should review the comments about - each of the provided applications in the security considerations - section of the documentation for the version under test.</p> + standard Tomcat distributions will be accepted. Reporters should + review the comments about each of the provided applications in the + security considerations section of the documentation for the version + under test.</p> </subsection> @@ -58,7 +59,7 @@ connector</li> <li>HTTP headers processed by a <code>RemoteIpValve</code>, <code>SSLValve</code>, equivalent filters or any similar - functionality.</li> + functionality</li> </ul> </subsection> @@ -75,10 +76,10 @@ <subsection name="Logging"> - <p>Security sensitive information will not be logged with the default + <p>Security-sensitive information will not be logged with the default configuration apart from anything included in the request URI.</p> - <p>Security sensitive information may be logged with modified logging + <p>Security-sensitive information may be logged with modified logging configurations, particularly if debug logging is enabled.</p> </subsection>
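
Review bot: In the "Administrative users" paragraph (changed identically in security-model.html and security-model.xml), the new wording drops the "require ... to succeed" condition, so the sentence can now be read as rejecting any report in which the attacker happens to hold that access, not only reports whose attack depends on it. If the scope is meant to stay the same, keep the dependency explicit, for example "Reports for vulnerabilities that require an attacker to already have access to or control over any of the following will be rejected:". As written, this is a change of meaning filed under a log message of "Minor edits."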
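
Review bot: In the "Web applications" hunk (both files), "standard Tomcat distributions" introduces a term that the visible text does not define, while the following sentence still refers to "each of the provided applications". A reporter cannot tell from these lines which packages count as standard, so the acceptance boundary is less clear than with the old "included with Tomcat". Define the term at first use or name the distributions that are meant, and align "the provided applications" with whichever wording is chosen.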