Author: markt
Date: Wed May 16 14:57:44 2018
New Revision: 1831731
URL: http://svn.apache.org/viewvc?rev=1831731&view=rev
Log:
Add info for CVE-2018-8014
Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml
Modified: tomcat/site/trunk/docs/security-7.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1831731&r1=1831730&r2=1831731&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed May 16 14:57:44 2018
@@ -222,6 +222,9 @@
<a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.89">Fixed in Apache Tomcat 7.0.89</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_7.0.85">Fixed in Apache Tomcat 7.0.85</a>
</li>
<li>
@@ -393,6 +396,32 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_7.0.89">
+<span class="pull-right">not yet released</span> Fixed in Apache Tomcat
7.0.89</h3>
+<div class="text">
+
+
+<p>
+<strong>Low: CORS filter has insecure defaults</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014";
rel="nofollow">CVE-2018-8014</a>
+</p>
+
+
+<p>The defaults settings for the CORS filter are insecure and enable
+ <code>supportsCredentials</code> for all origins. It is expected that
+ users of the CORS filter will have configured it appropriately for their
+ environment rather than using it in the default configuration.
Therefore,
+ it is expected that most users will not be impacted by this issue.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1831730";>1831730</a>.</p>
+
+
+<p>This issue was reported publicly on 1 May 2018 and formally announced as
+ a vulnerability on 16 May 2018.</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_7.0.85">
<span class="pull-right">13 February 2018</span> Fixed in Apache Tomcat
7.0.85</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-8.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1831731&r1=1831730&r2=1831731&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Wed May 16 14:57:44 2018
@@ -222,6 +222,12 @@
<a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x
vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_8.0.53">Fixed in Apache Tomcat 8.0.53</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_8.5.32">Fixed in Apache Tomcat 8.5.32</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_8.0.50">Fixed in Apache Tomcat 8.0.50</a>
</li>
<li>
@@ -366,6 +372,58 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.0.53">
+<span class="pull-right">not yet released</span> Fixed in Apache Tomcat
8.0.53</h3>
+<div class="text">
+
+
+<p>
+<strong>Low: CORS filter has insecure defaults</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014";
rel="nofollow">CVE-2018-8014</a>
+</p>
+
+
+<p>The defaults settings for the CORS filter are insecure and enable
+ <code>supportsCredentials</code> for all origins. It is expected that
+ users of the CORS filter will have configured it appropriately for their
+ environment rather than using it in the default configuration.
Therefore,
+ it is expected that most users will not be impacted by this issue.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1831729";>1831729</a>.</p>
+
+
+<p>This issue was reported publicly on 1 May 2018 and formally announced as
+ a vulnerability on 16 May 2018.</p>
+
+
+</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.5.32">
+<span class="pull-right">not yet released</span> Fixed in Apache Tomcat
8.5.32</h3>
+<div class="text">
+
+
+<p>
+<strong>Low: CORS filter has insecure defaults</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014";
rel="nofollow">CVE-2018-8014</a>
+</p>
+
+
+<p>The defaults settings for the CORS filter are insecure and enable
+ <code>supportsCredentials</code> for all origins. It is expected that
+ users of the CORS filter will have configured it appropriately for their
+ environment rather than using it in the default configuration.
Therefore,
+ it is expected that most users will not be impacted by this issue.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1831728";>1831728</a>.</p>
+
+
+<p>This issue was reported publicly on 1 May 2018 and formally announced as
+ a vulnerability on 16 May 2018.</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_8.0.50">
<span class="pull-right">13 February 2018</span> Fixed in Apache Tomcat
8.0.50</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-9.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1831731&r1=1831730&r2=1831731&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Wed May 16 14:57:44 2018
@@ -225,6 +225,9 @@
<a href="#Fixed_in_Apache_Tomcat_9.0.5">Fixed in Apache Tomcat 9.0.5</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_9.0.5">Fixed in Apache Tomcat 9.0.5</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_9.0.2">Fixed in Apache Tomcat 9.0.2</a>
</li>
<li>
@@ -309,6 +312,32 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_9.0.5">
+<span class="pull-right">not yet released</span> Fixed in Apache Tomcat
9.0.5</h3>
+<div class="text">
+
+
+<p>
+<strong>Low: CORS filter has insecure defaults</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014";
rel="nofollow">CVE-2018-8014</a>
+</p>
+
+
+<p>The defaults settings for the CORS filter are insecure and enable
+ <code>supportsCredentials</code> for all origins. It is expected that
+ users of the CORS filter will have configured it appropriately for their
+ environment rather than using it in the default configuration.
Therefore,
+ it is expected that most users will not be impacted by this issue.</p>
+
+
+<p>This was fixed in revision <a
href="http://svn.apache.org/viewvc?view=rev&rev=1831726";>1831726</a>.</p>
+
+
+<p>This issue was reported publicly on 1 May 2018 and formally announced as
+ a vulnerability on 16 May 2018.</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_9.0.5">
<span class="pull-right">11 February 2018</span> Fixed in Apache Tomcat
9.0.5</h3>
<div class="text">
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1831731&r1=1831730&r2=1831731&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed May 16 14:57:44 2018
@@ -50,6 +50,24 @@
</section>
+ <section name="Fixed in Apache Tomcat 7.0.89" rtext="not yet released">
+
+ <p><strong>Low: CORS filter has insecure defaults</strong>
+ <cve>CVE-2018-8014</cve></p>
+
+ <p>The defaults settings for the CORS filter are insecure and enable
+ <code>supportsCredentials</code> for all origins. It is expected that
+ users of the CORS filter will have configured it appropriately for their
+ environment rather than using it in the default configuration.
Therefore,
+ it is expected that most users will not be impacted by this issue.</p>
+
+ <p>This was fixed in revision <revlink rev="1831730">1831730</revlink>.</p>
+
+ <p>This issue was reported publicly on 1 May 2018 and formally announced as
+ a vulnerability on 16 May 2018.</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.85" rtext="13 February 2018">
<p><strong>Important: Security constraint annotations applied too
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1831731&r1=1831730&r2=1831731&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Wed May 16 14:57:44 2018
@@ -50,6 +50,42 @@
</section>
+ <section name="Fixed in Apache Tomcat 8.0.53" rtext="not yet released">
+
+ <p><strong>Low: CORS filter has insecure defaults</strong>
+ <cve>CVE-2018-8014</cve></p>
+
+ <p>The defaults settings for the CORS filter are insecure and enable
+ <code>supportsCredentials</code> for all origins. It is expected that
+ users of the CORS filter will have configured it appropriately for their
+ environment rather than using it in the default configuration.
Therefore,
+ it is expected that most users will not be impacted by this issue.</p>
+
+ <p>This was fixed in revision <revlink rev="1831729">1831729</revlink>.</p>
+
+ <p>This issue was reported publicly on 1 May 2018 and formally announced as
+ a vulnerability on 16 May 2018.</p>
+
+ </section>
+
+ <section name="Fixed in Apache Tomcat 8.5.32" rtext="not yet released">
+
+ <p><strong>Low: CORS filter has insecure defaults</strong>
+ <cve>CVE-2018-8014</cve></p>
+
+ <p>The defaults settings for the CORS filter are insecure and enable
+ <code>supportsCredentials</code> for all origins. It is expected that
+ users of the CORS filter will have configured it appropriately for their
+ environment rather than using it in the default configuration.
Therefore,
+ it is expected that most users will not be impacted by this issue.</p>
+
+ <p>This was fixed in revision <revlink rev="1831728">1831728</revlink>.</p>
+
+ <p>This issue was reported publicly on 1 May 2018 and formally announced as
+ a vulnerability on 16 May 2018.</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 8.0.50" rtext="13 February 2018">
<p><strong>Important: Security constraint annotations applied too
Modified: tomcat/site/trunk/xdocs/security-9.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1831731&r1=1831730&r2=1831731&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Wed May 16 14:57:44 2018
@@ -50,6 +50,24 @@
</section>
+ <section name="Fixed in Apache Tomcat 9.0.5" rtext="not yet released">
+
+ <p><strong>Low: CORS filter has insecure defaults</strong>
+ <cve>CVE-2018-8014</cve></p>
+
+ <p>The defaults settings for the CORS filter are insecure and enable
+ <code>supportsCredentials</code> for all origins. It is expected that
+ users of the CORS filter will have configured it appropriately for their
+ environment rather than using it in the default configuration.
Therefore,
+ it is expected that most users will not be impacted by this issue.</p>
+
+ <p>This was fixed in revision <revlink rev="1831726">1831726</revlink>.</p>
+
+ <p>This issue was reported publicly on 1 May 2018 and formally announced as
+ a vulnerability on 16 May 2018.</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 9.0.5" rtext="11 February 2018">
<p><strong>Important: Security constraint annotations applied too
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
