Author: markt Date: Thu Jul 14 13:41:49 2011 New Revision: 1146707 URL: http://svn.apache.org/viewvc?rev=1146707&view=rev Log: Update now patch has been applied
Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1146707&r1=1146706&r2=1146707&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Thu Jul 14 13:41:49 2011 @@ -215,9 +215,6 @@ <a href="#Apache_Tomcat_6.x_vulnerabilities">Apache Tomcat 6.x vulnerabilities</a> </li> <li> -<a href="#To_be_fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)">To be fixed in Apache Tomcat 6.0.33 (not yet released)</a> -</li> -<li> <a href="#Fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)">Fixed in Apache Tomcat 6.0.33 (not yet released)</a> </li> <li> @@ -316,11 +313,11 @@ <tr> <td bgcolor="#525D76"> <font color="#ffffff" face="arial,helvetica,sanserif"> -<a name="To be fixed in Apache Tomcat 6.0.33 (not yet released)"> +<a name="Fixed in Apache Tomcat 6.0.33 (not yet released)"> <!--()--> </a> -<a name="To_be_fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)"> -<strong>To be fixed in Apache Tomcat 6.0.33 (not yet released)</strong> +<a name="Fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)"> +<strong>Fixed in Apache Tomcat 6.0.33 (not yet released)</strong> </a> </font> </td> @@ -332,6 +329,29 @@ <p> <strong>Low: Information disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a> +</p> + + <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and + creating users via JMX, an exception during the user creation process may + trigger an error message in the JMX client that includes the user's + password. This error message is also written to the Tomcat logs. User + passwords are visible to administrators with JMX access and/or + administrators with read access to the tomcat-users.xml file. Users that + do not have these permissions but are able to read log files may be able + to discover a user's password.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=1140071&view=rev"> + revision 1140071</a>.</p> + + <p>This was identified by Polina Genova on 14 June 2011 and + made public on 27 June 2011.</p> + + <p>Affects: 6.0.0-6.0.32</p> + + <p> +<strong>Low: Information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526" rel="nofollow">CVE-2011-2526</a> </p> @@ -358,8 +378,9 @@ </ul> </p> - <p>There is a <a href="http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc6.patch"> - proposed patch</a> for this issue.</p> + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=1146703&view=rev"> + revision 1146703</a>.</p> <p>This was identified by the Tomcat security team on 7 July 2011 and made public on 13 July 2011.</p> @@ -380,57 +401,6 @@ <tr> <td bgcolor="#525D76"> <font color="#ffffff" face="arial,helvetica,sanserif"> -<a name="Fixed in Apache Tomcat 6.0.33 (not yet released)"> -<!--()--> -</a> -<a name="Fixed_in_Apache_Tomcat_6.0.33_(not_yet_released)"> -<strong>Fixed in Apache Tomcat 6.0.33 (not yet released)</strong> -</a> -</font> -</td> -</tr> -<tr> -<td> -<p> -<blockquote> - - <p> -<strong>Low: Information disclosure</strong> - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" rel="nofollow">CVE-2011-2204</a> -</p> - - <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and - creating users via JMX, an exception during the user creation process may - trigger an error message in the JMX client that includes the user's - password. This error message is also written to the Tomcat logs. User - passwords are visible to administrators with JMX access and/or - administrators with read access to the tomcat-users.xml file. Users that - do not have these permissions but are able to read log files may be able - to discover a user's password.</p> - - <p>This was fixed in - <a href="http://svn.apache.org/viewvc?rev=1140071&view=rev"> - revision 1140071</a>.</p> - - <p>This was identified by Polina Genova on 14 June 2011 and - made public on 27 June 2011.</p> - - <p>Affects: 6.0.0-6.0.32</p> - - </blockquote> -</p> -</td> -</tr> -<tr> -<td> -<br/> -</td> -</tr> -</table> -<table border="0" cellspacing="0" cellpadding="2" width="100%"> -<tr> -<td bgcolor="#525D76"> -<font color="#ffffff" face="arial,helvetica,sanserif"> <a name="Fixed in Apache Tomcat 6.0.32"> <!--()--> </a> Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1146707&r1=1146706&r2=1146707&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Thu Jul 14 13:41:49 2011 @@ -30,9 +30,31 @@ </section> - <section name="To be fixed in Apache Tomcat 6.0.33 (not yet released)"> + <section name="Fixed in Apache Tomcat 6.0.33 (not yet released)"> <p><strong>Low: Information disclosure</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" + rel="nofollow">CVE-2011-2204</a></p> + + <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and + creating users via JMX, an exception during the user creation process may + trigger an error message in the JMX client that includes the user's + password. This error message is also written to the Tomcat logs. User + passwords are visible to administrators with JMX access and/or + administrators with read access to the tomcat-users.xml file. Users that + do not have these permissions but are able to read log files may be able + to discover a user's password.</p> + + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=1140071&view=rev"> + revision 1140071</a>.</p> + + <p>This was identified by Polina Genova on 14 June 2011 and + made public on 27 June 2011.</p> + + <p>Affects: 6.0.0-6.0.32</p> + + <p><strong>Low: Information disclosure</strong> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2526" rel="nofollow">CVE-2011-2526</a></p> @@ -59,8 +81,9 @@ </ul> </p> - <p>There is a <a href="http://people.apache.org/~markt/patches/2011-07-13-cve-2011-2526-tc6.patch"> - proposed patch</a> for this issue.</p> + <p>This was fixed in + <a href="http://svn.apache.org/viewvc?rev=1146703&view=rev"> + revision 1146703</a>.</p> <p>This was identified by the Tomcat security team on 7 July 2011 and made public on 13 July 2011.</p> @@ -69,32 +92,6 @@ </section> - <section name="Fixed in Apache Tomcat 6.0.33 (not yet released)"> - - <p><strong>Low: Information disclosure</strong> - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" - rel="nofollow">CVE-2011-2204</a></p> - - <p>When using the MemoryUserDatabase (based on tomcat-users.xml) and - creating users via JMX, an exception during the user creation process may - trigger an error message in the JMX client that includes the user's - password. This error message is also written to the Tomcat logs. User - passwords are visible to administrators with JMX access and/or - administrators with read access to the tomcat-users.xml file. Users that - do not have these permissions but are able to read log files may be able - to discover a user's password.</p> - - <p>This was fixed in - <a href="http://svn.apache.org/viewvc?rev=1140071&view=rev"> - revision 1140071</a>.</p> - - <p>This was identified by Polina Genova on 14 June 2011 and - made public on 27 June 2011.</p> - - <p>Affects: 6.0.0-6.0.32</p> - - </section> - <section name="Fixed in Apache Tomcat 6.0.32" rtext="released 03 Feb 2011"> <p><i>Note: The issue below was fixed in Apache Tomcat 6.0.31 but the --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org