Author: markt Date: Wed May 16 14:57:44 2018 New Revision: 1831731 URL: http://svn.apache.org/viewvc?rev=1831731&view=rev Log: Add info for CVE-2018-8014
Modified: tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1831731&r1=1831730&r2=1831731&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Wed May 16 14:57:44 2018 @@ -222,6 +222,9 @@ <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_7.0.89">Fixed in Apache Tomcat 7.0.89</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_7.0.85">Fixed in Apache Tomcat 7.0.85</a> </li> <li> @@ -393,6 +396,32 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_7.0.89"> +<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 7.0.89</h3> +<div class="text"> + + +<p> +<strong>Low: CORS filter has insecure defaults</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014" rel="nofollow">CVE-2018-8014</a> +</p> + + +<p>The defaults settings for the CORS filter are insecure and enable + <code>supportsCredentials</code> for all origins. It is expected that + users of the CORS filter will have configured it appropriately for their + environment rather than using it in the default configuration. Therefore, + it is expected that most users will not be impacted by this issue.</p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1831730">1831730</a>.</p> + + +<p>This issue was reported publicly on 1 May 2018 and formally announced as + a vulnerability on 16 May 2018.</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_7.0.85"> <span class="pull-right">13 February 2018</span> Fixed in Apache Tomcat 7.0.85</h3> <div class="text"> Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1831731&r1=1831730&r2=1831731&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Wed May 16 14:57:44 2018 @@ -222,6 +222,12 @@ <a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_8.0.53">Fixed in Apache Tomcat 8.0.53</a> +</li> +<li> +<a href="#Fixed_in_Apache_Tomcat_8.5.32">Fixed in Apache Tomcat 8.5.32</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_8.0.50">Fixed in Apache Tomcat 8.0.50</a> </li> <li> @@ -366,6 +372,58 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_8.0.53"> +<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 8.0.53</h3> +<div class="text"> + + +<p> +<strong>Low: CORS filter has insecure defaults</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014" rel="nofollow">CVE-2018-8014</a> +</p> + + +<p>The defaults settings for the CORS filter are insecure and enable + <code>supportsCredentials</code> for all origins. It is expected that + users of the CORS filter will have configured it appropriately for their + environment rather than using it in the default configuration. Therefore, + it is expected that most users will not be impacted by this issue.</p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1831729">1831729</a>.</p> + + +<p>This issue was reported publicly on 1 May 2018 and formally announced as + a vulnerability on 16 May 2018.</p> + + +</div> +<h3 id="Fixed_in_Apache_Tomcat_8.5.32"> +<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 8.5.32</h3> +<div class="text"> + + +<p> +<strong>Low: CORS filter has insecure defaults</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014" rel="nofollow">CVE-2018-8014</a> +</p> + + +<p>The defaults settings for the CORS filter are insecure and enable + <code>supportsCredentials</code> for all origins. It is expected that + users of the CORS filter will have configured it appropriately for their + environment rather than using it in the default configuration. Therefore, + it is expected that most users will not be impacted by this issue.</p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1831728">1831728</a>.</p> + + +<p>This issue was reported publicly on 1 May 2018 and formally announced as + a vulnerability on 16 May 2018.</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_8.0.50"> <span class="pull-right">13 February 2018</span> Fixed in Apache Tomcat 8.0.50</h3> <div class="text"> Modified: tomcat/site/trunk/docs/security-9.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1831731&r1=1831730&r2=1831731&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-9.html (original) +++ tomcat/site/trunk/docs/security-9.html Wed May 16 14:57:44 2018 @@ -225,6 +225,9 @@ <a href="#Fixed_in_Apache_Tomcat_9.0.5">Fixed in Apache Tomcat 9.0.5</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_9.0.5">Fixed in Apache Tomcat 9.0.5</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_9.0.2">Fixed in Apache Tomcat 9.0.2</a> </li> <li> @@ -309,6 +312,32 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_9.0.5"> +<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 9.0.5</h3> +<div class="text"> + + +<p> +<strong>Low: CORS filter has insecure defaults</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014" rel="nofollow">CVE-2018-8014</a> +</p> + + +<p>The defaults settings for the CORS filter are insecure and enable + <code>supportsCredentials</code> for all origins. It is expected that + users of the CORS filter will have configured it appropriately for their + environment rather than using it in the default configuration. Therefore, + it is expected that most users will not be impacted by this issue.</p> + + +<p>This was fixed in revision <a href="http://svn.apache.org/viewvc?view=rev&rev=1831726">1831726</a>.</p> + + +<p>This issue was reported publicly on 1 May 2018 and formally announced as + a vulnerability on 16 May 2018.</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_9.0.5"> <span class="pull-right">11 February 2018</span> Fixed in Apache Tomcat 9.0.5</h3> <div class="text"> Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1831731&r1=1831730&r2=1831731&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Wed May 16 14:57:44 2018 @@ -50,6 +50,24 @@ </section> + <section name="Fixed in Apache Tomcat 7.0.89" rtext="not yet released"> + + <p><strong>Low: CORS filter has insecure defaults</strong> + <cve>CVE-2018-8014</cve></p> + + <p>The defaults settings for the CORS filter are insecure and enable + <code>supportsCredentials</code> for all origins. It is expected that + users of the CORS filter will have configured it appropriately for their + environment rather than using it in the default configuration. Therefore, + it is expected that most users will not be impacted by this issue.</p> + + <p>This was fixed in revision <revlink rev="1831730">1831730</revlink>.</p> + + <p>This issue was reported publicly on 1 May 2018 and formally announced as + a vulnerability on 16 May 2018.</p> + + </section> + <section name="Fixed in Apache Tomcat 7.0.85" rtext="13 February 2018"> <p><strong>Important: Security constraint annotations applied too Modified: tomcat/site/trunk/xdocs/security-8.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1831731&r1=1831730&r2=1831731&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-8.xml (original) +++ tomcat/site/trunk/xdocs/security-8.xml Wed May 16 14:57:44 2018 @@ -50,6 +50,42 @@ </section> + <section name="Fixed in Apache Tomcat 8.0.53" rtext="not yet released"> + + <p><strong>Low: CORS filter has insecure defaults</strong> + <cve>CVE-2018-8014</cve></p> + + <p>The defaults settings for the CORS filter are insecure and enable + <code>supportsCredentials</code> for all origins. It is expected that + users of the CORS filter will have configured it appropriately for their + environment rather than using it in the default configuration. Therefore, + it is expected that most users will not be impacted by this issue.</p> + + <p>This was fixed in revision <revlink rev="1831729">1831729</revlink>.</p> + + <p>This issue was reported publicly on 1 May 2018 and formally announced as + a vulnerability on 16 May 2018.</p> + + </section> + + <section name="Fixed in Apache Tomcat 8.5.32" rtext="not yet released"> + + <p><strong>Low: CORS filter has insecure defaults</strong> + <cve>CVE-2018-8014</cve></p> + + <p>The defaults settings for the CORS filter are insecure and enable + <code>supportsCredentials</code> for all origins. It is expected that + users of the CORS filter will have configured it appropriately for their + environment rather than using it in the default configuration. Therefore, + it is expected that most users will not be impacted by this issue.</p> + + <p>This was fixed in revision <revlink rev="1831728">1831728</revlink>.</p> + + <p>This issue was reported publicly on 1 May 2018 and formally announced as + a vulnerability on 16 May 2018.</p> + + </section> + <section name="Fixed in Apache Tomcat 8.0.50" rtext="13 February 2018"> <p><strong>Important: Security constraint annotations applied too Modified: tomcat/site/trunk/xdocs/security-9.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1831731&r1=1831730&r2=1831731&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-9.xml (original) +++ tomcat/site/trunk/xdocs/security-9.xml Wed May 16 14:57:44 2018 @@ -50,6 +50,24 @@ </section> + <section name="Fixed in Apache Tomcat 9.0.5" rtext="not yet released"> + + <p><strong>Low: CORS filter has insecure defaults</strong> + <cve>CVE-2018-8014</cve></p> + + <p>The defaults settings for the CORS filter are insecure and enable + <code>supportsCredentials</code> for all origins. It is expected that + users of the CORS filter will have configured it appropriately for their + environment rather than using it in the default configuration. Therefore, + it is expected that most users will not be impacted by this issue.</p> + + <p>This was fixed in revision <revlink rev="1831726">1831726</revlink>.</p> + + <p>This issue was reported publicly on 1 May 2018 and formally announced as + a vulnerability on 16 May 2018.</p> + + </section> + <section name="Fixed in Apache Tomcat 9.0.5" rtext="11 February 2018"> <p><strong>Important: Security constraint annotations applied too --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org