Author: markt
Date: Mon Jun  8 08:39:25 2009
New Revision: 782559

URL: http://svn.apache.org/viewvc?rev=782559&view=rev
Log:
Update CVE-2009-0580

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Mon Jun  8 08:39:25 2009
@@ -298,14 +298,16 @@
     <p>Due to insufficient error checking in some authentication classes, 
Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if 
FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the MemoryRealm.
+       Note that in early versions, the DataSourceRealm and JDBCRealm were also
+       affected.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=781382&amp;view=rev";>
        revision 781382</a>.</p>
 
-    <p>Affects: 4.1.0-4.1.39</p>
+    <p>Affects: 4.1.0-4.1.39 (Memory Realm), 4.1.0-4.1.31 (JDBC Realm),
+                4.1.17-4.1.31 (DataSource Realm)</p>
        
     <p>
 <strong>low: Cross-site scripting</strong>
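Review bot: The unchanged "This was fixed in revision 781382" paragraph no longer matches the new Affects line, which ends the JDBC Realm and DataSource Realm ranges at 4.1.31 while the Memory Realm range runs to 4.1.39. A reader cannot tell whether revision 781382 applies to all three realms or only to the MemoryRealm. Suggest stating which realm the revision covers, or adding a sentence saying the other two realms were corrected in an earlier release.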

Modified: tomcat/site/trunk/docs/security-5.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Mon Jun  8 08:39:25 2009
@@ -260,14 +260,16 @@
     <p>Due to insufficient error checking in some authentication classes, 
Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if 
FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the MemoryRealm.
+       Note that in early versions, the DataSourceRealm and JDBCRealm were also
+       affected.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=781379&amp;view=rev";>
        revision 781379</a>.</p>
 
-    <p>Affects: 5.5.0-5.5.27</p>
+    <p>Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC
+       Realms)</p>
        
     <p>
 <strong>low: Cross-site scripting</strong>
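Review bot: Realm naming is inconsistent between the description and the new Affects line. The paragraph uses the class names "MemoryRealm", "DataSourceRealm" and "JDBCRealm", while the Affects line writes "Memory Realm" and "DataSource and JDBC Realms"; the 6.x page in this same commit uses "MemoryRealm". Suggest using the class names throughout, for example "5.5.0-5.5.27 (MemoryRealm), 5.5.0-5.5.5 (DataSourceRealm and JDBCRealm)", so the entries can be searched consistently across the three pages.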

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Jun  8 08:39:25 2009
@@ -261,14 +261,13 @@
     <p>Due to insufficient error checking in some authentication classes, 
Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if 
FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the 
MemoryRealm.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=747840&amp;view=rev";>
        revision 747840</a>.</p>
 
-    <p>Affects: 6.0.0-6.0.18</p>
+    <p>Affects: 6.0.0-6.0.18 (MemoryRealm), 6.0.0-</p>
        
     <p>
 <strong>low: Cross-site scripting</strong>
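Review bot: The new Affects line ends with a dangling ", 6.0.0-" that has no end version and no realm label, so the published page will show an incomplete range. The description in this hunk now names only the MemoryRealm, which suggests the second range is a leftover. Either complete it with the end version and the realm it applies to, or drop it so the line reads "Affects: 6.0.0-6.0.18 (MemoryRealm)".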

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Mon Jun  8 08:39:25 2009
@@ -68,14 +68,16 @@
     <p>Due to insufficient error checking in some authentication classes, 
Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if 
FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the MemoryRealm.
+       Note that in early versions, the DataSourceRealm and JDBCRealm were also
+       affected.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=781382&amp;view=rev";>
        revision 781382</a>.</p>
 
-    <p>Affects: 4.1.0-4.1.39</p>
+    <p>Affects: 4.1.0-4.1.39 (Memory Realm), 4.1.0-4.1.31 (JDBC Realm),
+                4.1.17-4.1.31 (DataSource Realm)</p>
        
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
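Review bot: "Note that in early versions" in the added description is vague, and the exact cut-off only appears further down in the Affects line (4.1.0-4.1.31 for the JDBC Realm, 4.1.17-4.1.31 for the DataSource Realm). Suggest "in earlier versions" with a pointer to the ranges, or stating the last affected version directly in the sentence, so an administrator running the DataSourceRealm or JDBCRealm can tell from the description alone whether the issue applies.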

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Mon Jun  8 08:39:25 2009
@@ -53,14 +53,16 @@
     <p>Due to insufficient error checking in some authentication classes, 
Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if 
FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the MemoryRealm.
+       Note that in early versions, the DataSourceRealm and JDBCRealm were also
+       affected.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=781379&amp;view=rev";>
        revision 781379</a>.</p>
 
-    <p>Affects: 5.5.0-5.5.27</p>
+    <p>Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC
+       Realms)</p>
        
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
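Review bot: The fix reference is left ambiguous by the new Affects line: "This was fixed in revision 781379" stays unchanged, but the DataSource and JDBC Realms range now ends at 5.5.5 while the Memory Realm range ends at 5.5.27. Suggest making clear that revision 781379 is the MemoryRealm fix, and noting separately where the other two realms stopped being affected. The realm names would also read better as the class names used in the paragraph above (MemoryRealm, DataSourceRealm, JDBCRealm).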

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=782559&r1=782558&r2=782559&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Jun  8 08:39:25 2009
@@ -52,14 +52,13 @@
     <p>Due to insufficient error checking in some authentication classes, 
Tomcat
        allows for the enumeration (brute force testing) of user names by
        supplying illegally URL encoded passwords. The attack is possible if 
FORM
-       based authenticiaton (j_security_check) with either the MemoryRealm,
-       DataSourceRealm or JDBCRealm.</p>
+       based authentication (j_security_check) is used with the 
MemoryRealm.</p>
 
     <p>This was fixed in
        <a href="http://svn.apache.org/viewvc?rev=747840&amp;view=rev";>
        revision 747840</a>.</p>
 
-    <p>Affects: 6.0.0-6.0.18</p>
+    <p>Affects: 6.0.0-6.0.18 (MemoryRealm), 6.0.0-</p>
        
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
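Review bot: The added Affects line "6.0.0-6.0.18 (MemoryRealm), 6.0.0-" is truncated: the second range has no upper bound and no realm attached, and the same text is committed to docs/security-6.html. Unlike the 4.x and 5.x pages, the description here drops the DataSourceRealm and JDBCRealm without a note about earlier versions, so the trailing range cannot be interpreted from context. Suggest removing the fragment, or completing it and adding the matching sentence to the description.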


