Author: markt
Date: Fri Aug 12 13:19:44 2011
New Revision: 1157093
URL: http://svn.apache.org/viewvc?rev=1157093&view=rev
Log:
Update site for CVE-2011-2481
Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-7.xml
Modified: tomcat/site/trunk/docs/security-7.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1157093&r1=1157092&r2=1157093&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Fri Aug 12 13:19:44 2011
@@ -415,11 +415,11 @@
<p>Affects: 7.0.0-7.0.18</p>
<p>
-<i>Note: The issue below was fixed in Apache Tomcat 7.0.17 but the
+<i>Note: The issues below were fixed in Apache Tomcat 7.0.17 but the
release votes for the 7.0.17 and 7.0.18 release candidates did not pass.
Therefore, although users must download 7.0.19 to obtain a version that
- includes a fix for this issue, versions 7.0.17 and 7.0.18 is not
included
- in the list of affected versions.</i>
+ includes a fix for these issues, versions 7.0.17 and 7.0.18 are not
+ included in the list of affected versions.</i>
</p>
<p>
@@ -445,6 +445,31 @@
<p>Affects: 7.0.0-7.0.16</p>
+ <p>
+<strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2481"
rel="nofollow">CVE-2011-2481</a>
+</p>
+
+ <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
+ vulnerability previously reported as
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783"
rel="nofollow">CVE-2009-0783</a>. This was initially
+ <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395">
+ reported</a> as a memory leak. If a web application is the first web
+ application loaded, this bugs allows that web application to potentially
+ view and/or alter the web.xml, context.xml and tld files of other web
+ applications deployed on the Tomcat instance.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1137753&view=rev">
+ revision 1137753</a> and
+ <a href="http://svn.apache.org/viewvc?rev=1138788&view=rev">
+ revision 1138788</a> and .</p>
+
+ <p>This was identified by the Tomcat security team on 20 June 2011 and
+ made public on 12 August 2011.</p>
+
+ <p>Affects: 7.0.0-7.0.16</p>
+
</blockquote>
</p>
</td>
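Review bot: Two wording defects in the new CVE-2011-2481 paragraphs. "this bugs allows that web application" should read "this bug allows that web application", and the fix sentence ends with a dangling conjunction, `revision 1138788</a> and .</p>`, so either a third revision link was meant to follow "and" or the trailing " and" should be dropped before the full stop. The same text appears in the xdocs/security-7.xml hunk below, so both copies need the correction.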
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1157093&r1=1157092&r2=1157093&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Fri Aug 12 13:19:44 2011
@@ -102,11 +102,11 @@
<p>Affects: 7.0.0-7.0.18</p>
- <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.17 but the
+ <p><i>Note: The issues below were fixed in Apache Tomcat 7.0.17 but the
release votes for the 7.0.17 and 7.0.18 release candidates did not pass.
Therefore, although users must download 7.0.19 to obtain a version that
- includes a fix for this issue, versions 7.0.17 and 7.0.18 is not
included
- in the list of affected versions.</i></p>
+ includes a fix for these issues, versions 7.0.17 and 7.0.18 are not
+ included in the list of affected versions.</i></p>
<p><strong>Low: Information disclosure</strong>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204"
@@ -130,6 +130,31 @@
<p>Affects: 7.0.0-7.0.16</p>
+ <p><strong>Low: Information disclosure</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2481"
+ rel="nofollow">CVE-2011-2481</a></p>
+
+ <p>The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
+ vulnerability previously reported as
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783"
+ rel="nofollow">CVE-2009-0783</a>. This was initially
+ <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=51395">
+ reported</a> as a memory leak. If a web application is the first web
+ application loaded, this bugs allows that web application to potentially
+ view and/or alter the web.xml, context.xml and tld files of other web
+ applications deployed on the Tomcat instance.</p>
+
+ <p>This was fixed in
+ <a href="http://svn.apache.org/viewvc?rev=1137753&view=rev">
+ revision 1137753</a> and
+ <a href="http://svn.apache.org/viewvc?rev=1138788&view=rev">
+ revision 1138788</a> and .</p>
+
+ <p>This was identified by the Tomcat security team on 20 June 2011 and
+ made public on 12 August 2011.</p>
+
+ <p>Affects: 7.0.0-7.0.16</p>
+
</section>
<section name="Fixed in Apache Tomcat 7.0.14 (released 12 May 2011)">
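Review bot: Same two defects as in the docs/security-7.html copy of this text: "this bugs allows" should be "this bug allows", and `revision 1138788</a> and .</p>` leaves a stray "and" with nothing after it; either add the missing revision link or remove " and" so the sentence reads "revision 1138788</a>.</p>".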