Mark Thomas
References:
[1] http://svn.apache.org/viewvc?view=revision&revision=834047
[2] http://markmail.org/thread/wfu4nff5chvkb6xp
[3] http://tomcat.apache.org/security.html
Mark Thomas
Schoenefeld of the Red Hat Security Response Team
References:
[1] http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
Team via JPCERT.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFJpdGRb7IeiTPGAkMRAkK+AKC1m5WunqOmwuFYSYEoASF/AokgDQCffmxM
This issue was discovered by D. Matscheko and T. Hackner of SEC Consult.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkommckACgkQb7IeiTPGAkP75ACg7XYuld/25X2ltLLTeeQx88UB
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark,
On 6/3/2009 11:42 AM, Mark Thomas wrote:
> CVE-2009-0580: Tomcat information disclosure vulnerability
I know I'm likely to get a vague response, but could you provide some
more info about this issue?
the Tomcat security team via JPCERT.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkjuibsACgkQb7IeiTPGAkO33wCgiBY0nBdTaXBC8oPoHqMWH4mt
team.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
This issue was discovered by Konstantin Kolinko.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkiTGFsACgkQb7IeiTPGAkNG6ACfY+P91mt1/h06Q8c5foCJldFp
These issues were discovered by Petr Splichal of RedHat.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkhEahEACgkQb7IeiTPGAkOQggCgirNfHSCkMDhcEzG6Ig1N0WzP
http://localost:8080/servlets-examples/servlet/CookieExample?cookiename=BLOCKER&cookievalue=%5C%22A%3D%27%3B+Expires%3DThu%2C+1+Jan+2009+00%3A00%3A01+UTC%3B+Path%3D%2Fservlets-examples%2Fservlet+%3B
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark,
Mark Thomas wrote:
> CVE-2007-3382: Handling of cookies containing a ' character
>
> Versions Affected:
> 5.5.0 to 5.5.24
This issue was discovered by the Apache Tomcat security team
References:
[1] http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
team.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAklKflkACgkQb7IeiTPGAkPEqwCg5WiCeyaGrUbP/PTIhqF8TGZt
This vulnerability was discovered by Erhan Baz at Yapi Kredi.
References:
[1] http://www.springsource.com/security/tc-server
Mark Thomas
SpringSource Security Team
Labs.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkiTGGkACgkQb7IeiTPGAkNeQACdHk1KQ98Dx45Sc+Hslw/YIBH7
Based on Tomcat Path Traversal Flaw reported by OuTian[1] and Simon Ryeo[2].
Thanks go to the members of the Apache Security Team for their energy and
endless efforts to triage and research potential vulnerabilities, separating
signal from noise; notably Remy Maucherat, Mark Thomas, Tim Ellison, and
Joe Orton for their various contributions to triaging this specific flaw.
** Sun's Resolution **
Sun released Java 6u11, 1.5.0_17, and 1.4.2_19 addressing this flaw. [3]
This issue was discovered by Delian Krustev.
References:
http://tomcat.apache.org/security.html
Mark Thomas
*** Patch starts below this line ***
Index: catalina.policy
===================================================================
- --- catalina.policy (revision 606588)
This issue was discovered by D. Matscheko and T. Hackner of SEC Consult.
References:
http://tomcat.apache.org/security.html
Mark Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkoo/a0ACgkQb7IeiTPGAkOwBgCgg32bOh5/3FWwmg+qnazFuJLy
|
