lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4DD26E30.2060103@apache.org>
Date: Tue, 17 May 2011 13:46:40 +0100
From: Mark Thomas <markt@...che.org>
To: Tomcat Users List <users@...cat.apache.org>
Cc: Tomcat Developers List <dev@...cat.apache.org>,
	Tomcat Announce List <announce@...cat.apache.org>,
	announce@...che.org, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2011-1582 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.12-7.0.13
- - Earlier versions are not affected

Description:
An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that
security constraints configured via annotations were ignored on the
first request to a Servlet. Subsequent requests were secured correctly.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Upgrade to a Tomcat 7.0.14 or later
- - Define all security constraints in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJN0m4vAAoJEBDAHFovYFnn5NkQAOBocyvRk9fTGX569Ga95yDJ
vV84ZS3D1jCP3VQ1swh1Ouzd9NdP9pRGVWysTjz6N1bsZ+BMpGIyT/GpMqhfPAPx
OzzbkM2cNow8MR/PG3rFbYjQH1r6D400zSu+drHDtTzrOY2uXS2ClL0UuxUg9LcN
tUfidh9629OMVtuWqA2jwTSrc7fDdye5Ti1HZ0g5vUG5Cvab4LCcRdwh2VWT7g3T
LKUTr6AZAz0mQ/7+QNJOOykX+FJcOL99Q46NLVZzeLPWFoEBZn/BRs8O9WehYnLV
EEZtARSaUzTjssePo/O+oV4xYW5JIA1+5sKG7+xIvIaWKMbIPbdrPEPZusK/X0QR
LjdLbMUGcGzDUVNP0hGzpArIDXcWmslJKJ3YFTCg3VdeamULh12bqxw3AtliAzI9
pSTcMcVNOMWZOUl/Czc2I3t5ehWaOGr5j3D7No8mEFMCcRoQoRTNS7hKqqqKsyY4
hTxMJV9dXox5mIuDY8hLaGY9KuUFIo2AXWnr7lqIBrKGrziVAySuIpKSnzuFvz2z
q2DjPnXrFo/5W2ZVfUk0utCjyJX/NJdizKmW9PdQu4aT2BJdEgjjiW+qzPi20kZy
HgySY8kEFbI8CyM6PqD6Yb5nzA/xR1YAYRQx1pWTrE5Y0B5MTctAaPCIJQoc3nIA
GZ0Ziz0q/PX/x7ug1TnP
=srIH
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ