Author: markt
Date: Wed Jun  3 14:10:45 2009
New Revision: 781388

URL: http://svn.apache.org/viewvc?rev=781388&view=rev
Log:
Add CVE-2009-0580

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Wed Jun  3 14:10:45 2009
@@ -290,6 +290,24 @@
     <p>Affects: 4.1.0-4.1.39</p>
  
     <p>
+<strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580";>
+       CVE-2009-0580</a>
+</p>
+
+    <p>Due to insufficient error checking in some authentication classes, 
Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if 
FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781382&amp;view=rev";>
+       revision 781382</a>.</p>
+
+    <p>Affects: 4.1.0-4.1.39</p>
+       
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a>
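Review bot: the new description paragraph has a spelling error and a dropped verb. "authenticiaton" should read "authentication", and "The attack is possible if FORM based authenticiaton (j_security_check) with either the MemoryRealm, DataSourceRealm or JDBCRealm." is a fragment with no main verb; suggest "The attack is possible if FORM based authentication (j_security_check) is used with either the MemoryRealm, DataSourceRealm or JDBCRealm." Also, the anchor `<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580";>` has a stray `;` after the closing quote; the existing CVE-2009-0781 anchor in the context lines shows the same pattern, so if this is in the file rather than an artifact of the mail rendering, both attributes are malformed and should be fixed together.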

Modified: tomcat/site/trunk/docs/security-5.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Wed Jun  3 14:10:45 2009
@@ -252,6 +252,24 @@
     <p>Affects: 5.5.0-5.5.27</p>
  
     <p>
+<strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580";>
+       CVE-2009-0580</a>
+</p>
+
+    <p>Due to insufficient error checking in some authentication classes, 
Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if 
FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781379&amp;view=rev";>
+       revision 781379</a>.</p>
+
+    <p>Affects: 5.5.0-5.5.27</p>
+       
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a>
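Review bot: this paragraph is a verbatim copy of the one added to security-4.html, so it carries the same "authenticiaton" typo and the same missing "is used" in the "The attack is possible if FORM based ..." sentence. Since the description is identical across the three branches apart from the revision link, it is worth proofreading the text once and pasting the corrected version into all three files in the same commit rather than patching each HTML file separately later.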

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Jun  3 14:10:45 2009
@@ -253,6 +253,24 @@
     <p>Affects: 6.0.0-6.0.18</p>
 
     <p>
+<strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580";>
+       CVE-2009-0580</a>
+</p>
+
+    <p>Due to insufficient error checking in some authentication classes, 
Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if 
FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=747840&amp;view=rev";>
+       revision 747840</a>.</p>
+
+    <p>Affects: 6.0.0-6.0.18</p>
+       
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a>
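Review bot: the fix revision cited here, 747840, is much earlier than the 781379 and 781382 revisions cited for the 5.5 and 4.1 entries in this same commit. That is plausible if the 6.0 branch was fixed first, but please confirm that revision 747840 covers all three realms named in the text (MemoryRealm, DataSourceRealm and JDBCRealm) and not only one of them, because the "Affects: 6.0.0-6.0.18" line tells readers that everything after 6.0.18 is clean. The same spelling and grammar fixes as the other two HTML entries apply to this paragraph.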

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Wed Jun  3 14:10:45 2009
@@ -61,6 +61,22 @@
 
     <p>Affects: 4.1.0-4.1.39</p>
  
+    <p><strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580";>
+       CVE-2009-0580</a></p>
+
+    <p>Due to insufficient error checking in some authentication classes, 
Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if 
FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781382&amp;view=rev";>
+       revision 781382</a>.</p>
+
+    <p>Affects: 4.1.0-4.1.39</p>
+       
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a></p>
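Review bot: this xdocs file is the source that docs/security-4.html is generated from, so the "authenticiaton" typo and the missing verb in "The attack is possible if FORM based authenticiaton (j_security_check) with either the MemoryRealm, DataSourceRealm or JDBCRealm." should be corrected here first and the HTML regenerated; a hand edit of the HTML alone would be overwritten by the next site build. Minor: the added line after `<p>Affects: 4.1.0-4.1.39</p>` is whitespace-only (`+       `) and can be an empty line like the other separators in this hunk.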

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Wed Jun  3 14:10:45 2009
@@ -46,6 +46,22 @@
 
     <p>Affects: 5.5.0-5.5.27</p>
  
+    <p><strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580";>
+       CVE-2009-0580</a></p>
+
+    <p>Due to insufficient error checking in some authentication classes, 
Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if 
FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781379&amp;view=rev";>
+       revision 781379</a>.</p>
+
+    <p>Affects: 5.5.0-5.5.27</p>
+       
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a></p>
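Review bot: the same source-side fixes as security-4.xml apply here (spelling of "authentication", and insert "is used" before "with either the MemoryRealm"). Beyond that, the text names only the three affected realms and the FORM authenticator; a short sentence stating that other authenticator or Realm configurations are not affected would save administrators on those configurations from having to infer it, and the wording should then be kept identical across all three xdocs files.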

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=781388&r1=781387&r2=781388&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Jun  3 14:10:45 2009
@@ -45,6 +45,22 @@
 
     <p>Affects: 6.0.0-6.0.18</p>
 
+    <p><strong>low: Information disclosure</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580";>
+       CVE-2009-0580</a></p>
+
+    <p>Due to insufficient error checking in some authentication classes, 
Tomcat
+       allows for the enumeration (brute force testing) of user names by
+       supplying illegally URL encoded passwords. The attack is possible if 
FORM
+       based authenticiaton (j_security_check) with either the MemoryRealm,
+       DataSourceRealm or JDBCRealm.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=747840&amp;view=rev";>
+       revision 747840</a>.</p>
+
+    <p>Affects: 6.0.0-6.0.18</p>
+       
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a></p>
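Review bot: in an XML source file a `;` between the closing quote of the href attribute and the `>` of the `<a ...>` tag, as shown on the added `<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580";>` line, is a well-formedness error that would break the site build rather than just render oddly. The existing CVE-2009-0781 anchor in the context lines shows the same `";>`, which suggests it is an artifact of the mail archive rather than the committed file, but it is worth a quick check of the file in the repository. The "authenticiaton" typo and the missing "is used" in the description apply here as well.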
