Author: markt Date: Wed Jun 3 14:10:45 2009 New Revision: 781388 URL: http://svn.apache.org/viewvc?rev=781388&view=rev Log: Add CVE-2009-0580
Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-4.xml tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-4.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=781388&r1=781387&r2=781388&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-4.html (original) +++ tomcat/site/trunk/docs/security-4.html Wed Jun 3 14:10:45 2009 @@ -290,6 +290,24 @@ <p>Affects: 4.1.0-4.1.39</p> <p> +<strong>low: Information disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580"> + CVE-2009-0580</a> +</p> + + <p>Due to insufficient error checking in some authentication classes, Tomcat + allows for the enumeration (brute force testing) of user names by + supplying illegally URL encoded passwords. The attack is possible if FORM + based authenticiaton (j_security_check) with either the MemoryRealm, + DataSourceRealm or JDBCRealm.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=781382&view=rev"> + revision 781382</a>.</p> + + <p>Affects: 4.1.0-4.1.39</p> + + <p> <strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a> Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=781388&r1=781387&r2=781388&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Wed Jun 3 14:10:45 2009 
@@ -252,6 +252,24 @@ <p>Affects: 5.5.0-5.5.27</p> <p> +<strong>low: Information disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580"> + CVE-2009-0580</a> +</p> + + <p>Due to insufficient error checking in some authentication classes, Tomcat + allows for the enumeration (brute force testing) of user names by + supplying illegally URL encoded passwords. The attack is possible if FORM + based authenticiaton (j_security_check) with either the MemoryRealm, + DataSourceRealm or JDBCRealm.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=781379&view=rev"> + revision 781379</a>.</p> + + <p>Affects: 5.5.0-5.5.27</p> + + <p> <strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a> Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=781388&r1=781387&r2=781388&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Wed Jun 3 14:10:45 2009 
@@ -253,6 +253,24 @@ <p>Affects: 6.0.0-6.0.18</p> <p> +<strong>low: Information disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580"> + CVE-2009-0580</a> +</p> + + <p>Due to insufficient error checking in some authentication classes, Tomcat + allows for the enumeration (brute force testing) of user names by + supplying illegally URL encoded passwords. The attack is possible if FORM + based authenticiaton (j_security_check) with either the MemoryRealm, + DataSourceRealm or JDBCRealm.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=747840&view=rev"> + revision 747840</a>.</p> + + <p>Affects: 6.0.0-6.0.18</p> + + <p> <strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a> Modified: tomcat/site/trunk/xdocs/security-4.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=781388&r1=781387&r2=781388&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-4.xml (original) +++ tomcat/site/trunk/xdocs/security-4.xml Wed Jun 3 14:10:45 2009 
@@ -61,6 +61,22 @@ <p>Affects: 4.1.0-4.1.39</p> + <p><strong>low: Information disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580"> + CVE-2009-0580</a></p> + + <p>Due to insufficient error checking in some authentication classes, Tomcat + allows for the enumeration (brute force testing) of user names by + supplying illegally URL encoded passwords. The attack is possible if FORM + based authenticiaton (j_security_check) with either the MemoryRealm, + DataSourceRealm or JDBCRealm.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=781382&view=rev"> + revision 781382</a>.</p> + + <p>Affects: 4.1.0-4.1.39</p> + <p><strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a></p> Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=781388&r1=781387&r2=781388&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Wed Jun 3 14:10:45 2009 
@@ -46,6 +46,22 @@ <p>Affects: 5.5.0-5.5.27</p> + <p><strong>low: Information disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580"> + CVE-2009-0580</a></p> + + <p>Due to insufficient error checking in some authentication classes, Tomcat + allows for the enumeration (brute force testing) of user names by + supplying illegally URL encoded passwords. The attack is possible if FORM + based authenticiaton (j_security_check) with either the MemoryRealm, + DataSourceRealm or JDBCRealm.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=781379&view=rev"> + revision 781379</a>.</p> + + <p>Affects: 5.5.0-5.5.27</p> + <p><strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a></p> Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=781388&r1=781387&r2=781388&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Wed Jun 3 14:10:45 2009 
@@ -45,6 +45,22 @@ <p>Affects: 6.0.0-6.0.18</p> + <p><strong>low: Information disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580"> + CVE-2009-0580</a></p> + + <p>Due to insufficient error checking in some authentication classes, Tomcat + allows for the enumeration (brute force testing) of user names by + supplying illegally URL encoded passwords. The attack is possible if FORM + based authenticiaton (j_security_check) with either the MemoryRealm, + DataSourceRealm or JDBCRealm.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=747840&view=rev"> + revision 747840</a>.</p> + + <p>Affects: 6.0.0-6.0.18</p> + <p><strong>low: Cross-site scripting</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781"> CVE-2009-0781</a></p>
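Review bot: the new description paragraph in the docs/security-4.html hunk has a typo and a missing verb, and because the same paragraph is pasted verbatim into the other five hunks the correction has to land in all six files. "authenticiaton" should read "authentication", and the sentence "The attack is possible if FORM based authenticiaton (j_security_check) with either the MemoryRealm, DataSourceRealm or JDBCRealm." has no main verb; suggested wording: "The attack is possible if FORM based authentication (j_security_check) is used with either the MemoryRealm, DataSourceRealm or JDBCRealm." While touching it, "URL encoded" reads better hyphenated as "URL-encoded".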
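Review bot: the fix revision cited in the docs/security-6.html and xdocs/security-6.xml hunks (747840) is far older than the revisions cited for 4.1.x (781382) and 5.5.x (781379), both of which are immediately before this commit (781388); please confirm 747840 is the intended 6.0.x fix for CVE-2009-0580 and not a stale number, since the advisory link is what readers use to locate the actual patch.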
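Review bot: the xdocs/security-4.xml, security-5.xml and security-6.xml hunks carry the same advisory text as the corresponding docs/security-N.html hunks, so the two copies per branch are now maintained in parallel; any later wording fix (such as the typo above) must be applied to both copies of each branch or the XML source and the published HTML will drift apart.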