Author: markt
Date: Sun Jan 24 21:51:32 2010
New Revision: 902653
URL: http://svn.apache.org/viewvc?rev=902653&view=rev
Log:
Update for CVE-2009-2693, CVE-2009-2901 and CVE-2009-2902.
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat/site/trunk/xdocs/security-6.xml
Modified: tomcat/site/trunk/docs/security-5.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=902653&r1=902652&r2=902653&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Sun Jan 24 21:51:32 2010
@@ -262,6 +262,91 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
+<a name="Fixed in subversion for Apache Tomcat 5.5.x">
+<strong>Fixed in subversion for Apache Tomcat 5.5.x</strong>
+</a>
+</font>
+</td>
+</tr>
+<tr>
+<td>
+<p>
+<blockquote>
+
+ <p>
+<i>Note: These issues will be fixed in 5.5.29 but that version has not yet
+ been released.</i>
+</p>
+
+ <p>
+<strong>Low: Arbitrary file deletion and/or alteration on deploy</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693">
+ CVE-2009-2693</a>
+</p>
+
+ <p>When deploying WAR files, the WAR files were not checked for directory
+ traversal attempts. This allows an attacker to create arbitrary content
+ outside of the web root by including entries such as
+ <code>../../bin/catalina.sh</code> in the WAR.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=902650&view=rev">
+ revision 902650</a>.</p>
+
+ <p>Affects: 5.5.0-5.5.28</p>
+
+ <p>
+<strong>Low: Insecure partial deploy after failed deploy</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901">
+ CVE-2009-2901</a>
+</p>
+
+ <p>By default, Tomcat automatically deploys any directories placed in a
+ host's appBase. This behaviour is controlled by the autoDeploy attribute
+ of a host which defaults to true. After a failed undeploy, the remaining
+ files will be deployed as a result of the autodeployment process.
+ Depending on circumstances, files normally protected by one or more
+ security constraints may be deployed without those security constraints,
+ making them accessible without authentication.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=902650&view=rev">
+ revision 902650</a>.</p>
+
+ <p>Affects: 5.5.0-5.5.28</p>
+
+ <p>
+<strong>Low: Unexpected file deletion in work directory</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902">
+ CVE-2009-2902</a>
+</p>
+
+ <p>When deploying WAR files, the WAR file names were not checked for
+ directory traversal attempts. For example, deploying and undeploying
+ <code>...war</code> allows an attacker to cause the deletion of the
+ current contents of the host's work directory which may cause problems
+ for currently running applications.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=902650&view=rev">
+ revision 902650</a>.</p>
+
+ <p>Affects: 5.5.0-5.5.28</p>
+
+ </blockquote>
+</p>
+</td>
+</tr>
+<tr>
+<td>
+<br/>
+</td>
+</tr>
+</table>
+<table border="0" cellspacing="0" cellpadding="2" width="100%">
+<tr>
+<td bgcolor="#525D76">
+<font color="#ffffff" face="arial,helvetica,sanserif">
<a name="Fixed in Apache Tomcat 5.5.28">
<strong>Fixed in Apache Tomcat 5.5.28</strong>
</a>
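Review bot: the CVE-2009-2901 paragraph identifies the host's `autoDeploy` attribute (default `true`) as the behaviour that turns a failed undeploy into an unprotected redeploy, but does not tell the administrator what to do with that information; since the text itself names the control, a one-line mitigation such as "set `autoDeploy` to `false` on the host, or remove the leftover files from the appBase after a failed undeploy" would make the entry actionable. Also, the added `<p>` directly followed by `<blockquote>` near the top of the hunk nests a block element inside a paragraph, which browsers handle by closing the `<p>` early; it matches the existing generated markup in the surrounding context lines, so it is a generator issue rather than something to hand-edit here.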
Modified: tomcat/site/trunk/docs/security-6.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=902653&r1=902652&r2=902653&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Sun Jan 24 21:51:32 2010
@@ -212,8 +212,8 @@
<tr>
<td bgcolor="#525D76">
<font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Not fixed in Apache Tomcat 6.0.x">
-<strong>Not fixed in Apache Tomcat 6.0.x</strong>
+<a name="Fixed in Apache Tomcat 6.0.24">
+<strong>Fixed in Apache Tomcat 6.0.24</strong>
</a>
</font>
</td>
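Review bot: renaming the anchor from `Not fixed in Apache Tomcat 6.0.x` to `Fixed in Apache Tomcat 6.0.24` silently breaks any bookmark or external link to the old fragment; if those links matter, keep the old `<a name="Not fixed in Apache Tomcat 6.0.x">` as an additional empty anchor beside the new one. The space-containing anchor names also need percent-encoding in links, but that is the existing convention on this page (compare `Fixed in Apache Tomcat 5.5.28` in the 5.5 file), so not something to change in this commit.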
@@ -222,13 +222,69 @@
<td>
<p>
<blockquote>
-
+ <p>
+<i>Note: These issues were fixed in Apache Tomcat 6.0.21 but the
+ release votes for the 6.0.21, 6.0.22 and 6.0.23 release candidates did
+ not pass. Therefore, although users must download 6.0.24 to obtain a
+ version that includes fixes for these issues, versions 6.0.21 onwards
+ are not included in the list of affected versions.</i>
+</p>
+
+ <p>
+<strong>Low: Arbitrary file deletion and/or alteration on deploy</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693">
+ CVE-2009-2693</a>
+</p>
+
+ <p>When deploying WAR files, the WAR files were not checked for directory
+ traversal attempts. This allows an attacker to create arbitrary content
+ outside of the web root by including entries such as
+ <code>../../bin/catalina.sh</code> in the WAR.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
+ revision 892815</a>.</p>
+
+ <p>Affects: 6.0.0-6.0.20</p>
+
+ <p>
+<strong>Low: Insecure partial deploy after failed deploy</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901">
+ CVE-2009-2901</a>
+</p>
+
+ <p>By default, Tomcat automatically deploys any directories placed in a
+ host's appBase. This behaviour is controlled by the autoDeploy attribute
+ of a host which defaults to true. After a failed undeploy, the remaining
+ files will be deployed as a result of the autodeployment process.
+ Depending on circumstances, files normally protected by one or more
+ security constraints may be deployed without those security constraints,
+ making them accessible without authentication.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
+ revision 892815</a>.</p>
+
+ <p>Affects: 6.0.0-6.0.20</p>
+
<p>
-<i>Note: It is expected that this issue will be fixed in 6.0.21 but the
- patch has not yet received the necessary votes to be applied to the
6.0.x
- code base.</i>
+<strong>Low: Unexpected file deletion in work directory</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902">
+ CVE-2009-2902</a>
</p>
+
+ <p>When deploying WAR files, the WAR file names were not checked for
+ directory traversal attempts. For example, deploying and undeploying
+ <code>...war</code> allows an attacker to cause the deletion of the
+ current contents of the host's work directory which may cause problems
+ for currently running applications.</p>
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
+ revision 892815</a>.</p>
+
+ <p>Affects: 6.0.0-6.0.20</p>
+
<p>
<strong>Low: Insecure default password</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548">
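Review bot: the CVE-2009-2902 entry is missing the blank line between `for currently running applications.</p>` and `<p>This was fixed in` that every other entry in this hunk has; a whitespace nit, but it hints that the generated HTML was hand-edited rather than regenerated from the xdocs source in this commit, so it is worth confirming the two are in sync. On wording, the introductory note is accurate but hard to follow; saying plainly that 6.0.21, 6.0.22 and 6.0.23 never shipped because their release votes failed, so they cannot appear in the `Affects: 6.0.0-6.0.20` range and 6.0.24 is the first release carrying the fixes, states the same thing in fewer words.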
@@ -240,6 +296,10 @@
a user is created with the name admin, roles admin and manager and a
blank password.</p>
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=881771&view=rev">
+ revision 881771</a>.</p>
+
<p>Affects: 6.0.0-6.0.20</p>
</blockquote>
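Review bot: the log message (`Update for CVE-2009-2693, CVE-2009-2901 and CVE-2009-2902.`) omits CVE-2009-3548, whose entry this hunk changes by adding the `revision 881771` link; the commit message should name it as well so the change is discoverable from history. The placement is otherwise consistent: the entry already sits inside the block that the first hunk relabels `Fixed in Apache Tomcat 6.0.24`, and its `Affects: 6.0.0-6.0.20` line matches the three entries added above it.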
Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=902653&r1=902652&r2=902653&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Sun Jan 24 21:51:32 2010
@@ -47,6 +47,62 @@
</section>
+ <section name="Fixed in subversion for Apache Tomcat 5.5.x">
+
+ <p><i>Note: These issues will be fixed in 5.5.29 but that version has not
yet
+ been released.</i></p>
+
+ <p><strong>Low: Arbitrary file deletion and/or alteration on
deploy</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693">
+ CVE-2009-2693</a></p>
+
+ <p>When deploying WAR files, the WAR files were not checked for directory
+ traversal attempts. This allows an attacker to create arbitrary content
+ outside of the web root by including entries such as
+ <code>../../bin/catalina.sh</code> in the WAR.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=902650&view=rev">
+ revision 902650</a>.</p>
+
+ <p>Affects: 5.5.0-5.5.28</p>
+
+ <p><strong>Low: Insecure partial deploy after failed deploy</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901">
+ CVE-2009-2901</a></p>
+
+ <p>By default, Tomcat automatically deploys any directories placed in a
+ host's appBase. This behaviour is controlled by the autoDeploy attribute
+ of a host which defaults to true. After a failed undeploy, the remaining
+ files will be deployed as a result of the autodeployment process.
+ Depending on circumstances, files normally protected by one or more
+ security constraints may be deployed without those security constraints,
+ making them accessible without authentication.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=902650&view=rev">
+ revision 902650</a>.</p>
+
+ <p>Affects: 5.5.0-5.5.28</p>
+
+ <p><strong>Low: Unexpected file deletion in work directory</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902">
+ CVE-2009-2902</a></p>
+
+ <p>When deploying WAR files, the WAR file names were not checked for
+ directory traversal attempts. For example, deploying and undeploying
+ <code>...war</code> allows an attacker to cause the deletion of the
+ current contents of the host's work directory which may cause problems
+ for currently running applications.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=902650&view=rev">
+ revision 902650</a>.</p>
+
+ <p>Affects: 5.5.0-5.5.28</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 5.5.28">
<p><strong>Important: Information Disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515">
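Review bot: `<code>...war</code>` in the CVE-2009-2902 paragraph reads as an ellipsis rather than as a file name, which is the whole point of the example (a WAR whose name minus the `.war` extension is `..`); consider phrasing it as "a WAR file named `...war`" or otherwise making clear that the three dots are literal. Several added lines in this hunk (`yet`, `deploy</strong>`) arrive without their leading `+`; that is mail-client wrapping of the 62 added lines rather than a defect in the commit, but anyone applying this from the e-mail should use the viewvc link instead of the inline text.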
Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=902653&r1=902652&r2=902653&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Sun Jan 24 21:51:32 2010
@@ -22,12 +22,62 @@
</section>
- <section name="Not fixed in Apache Tomcat 6.0.x">
-
- <p><i>Note: It is expected that this issue will be fixed in 6.0.21 but the
- patch has not yet received the necessary votes to be applied to the
6.0.x
- code base.</i></p>
+ <section name="Fixed in Apache Tomcat 6.0.24">
+ <p><i>Note: These issues were fixed in Apache Tomcat 6.0.21 but the
+ release votes for the 6.0.21, 6.0.22 and 6.0.23 release candidates did
+ not pass. Therefore, although users must download 6.0.24 to obtain a
+ version that includes fixes for these issues, versions 6.0.21 onwards
+ are not included in the list of affected versions.</i></p>
+
+ <p><strong>Low: Arbitrary file deletion and/or alteration on
deploy</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693">
+ CVE-2009-2693</a></p>
+
+ <p>When deploying WAR files, the WAR files were not checked for directory
+ traversal attempts. This allows an attacker to create arbitrary content
+ outside of the web root by including entries such as
+ <code>../../bin/catalina.sh</code> in the WAR.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
+ revision 892815</a>.</p>
+ <p>Affects: 6.0.0-6.0.20</p>
+
+ <p><strong>Low: Insecure partial deploy after failed deploy</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901">
+ CVE-2009-2901</a></p>
+
+ <p>By default, Tomcat automatically deploys any directories placed in a
+ host's appBase. This behaviour is controlled by the autoDeploy attribute
+ of a host which defaults to true. After a failed undeploy, the remaining
+ files will be deployed as a result of the autodeployment process.
+ Depending on circumstances, files normally protected by one or more
+ security constraints may be deployed without those security constraints,
+ making them accessible without authentication.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
+ revision 892815</a>.</p>
+
+ <p>Affects: 6.0.0-6.0.20</p>
+
+ <p><strong>Low: Unexpected file deletion in work directory</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902">
+ CVE-2009-2902</a></p>
+
+ <p>When deploying WAR files, the WAR file names were not checked for
+ directory traversal attempts. For example, deploying and undeploying
+ <code>...war</code> allows an attacker to cause the deletion of the
+ current contents of the host's work directory which may cause problems
+ for currently running applications.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=892815&view=rev">
+ revision 892815</a>.</p>
+
+ <p>Affects: 6.0.0-6.0.20</p>
+
<p><strong>Low: Insecure default password</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548">
CVE-2009-3548</a></p>
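Review bot: the CVE-2009-2693 entry lacks the blank line between `revision 892815</a>.</p>` and `<p>Affects: 6.0.0-6.0.20</p>` that the other two new entries in this hunk have; trivial, but this xdocs file is the source the HTML is generated from, so it is the right place to keep the layout consistent. Note that the three new 6.0.x entries all cite `revision 892815` while the matching 5.5.x entries cite `revision 902650`, which is expected for per-branch fixes but worth a glance to confirm neither link was copied across branches by mistake.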
@@ -37,6 +87,10 @@
a user is created with the name admin, roles admin and manager and a
blank password.</p>
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=881771&view=rev">
+ revision 881771</a>.</p>
+
<p>Affects: 6.0.0-6.0.20</p>
</section>