Date: Tue, 27 Feb 2018 20:03:57 +0000 (UTC) From: Thomas Zander <riggs@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r463158 - head/security/vuxml Message-ID: <201802272003.w1RK3vap077963@repo.freebsd.org>
Author: riggs Date: Tue Feb 27 20:03:56 2018 New Revision: 463158 URL: https://svnweb.freebsd.org/changeset/ports/463158 Log: Document CVE-2018-1304 and CVE-2018-1305 in Apache Tomcat Submitted by: Roger Marquis <marquis@roble.com> via e-mail Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Feb 27 19:57:56 2018 (r463157) +++ head/security/vuxml/vuln.xml Tue Feb 27 20:03:56 2018 (r463158) 
@@ -58,6 +58,51 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="55c4233e-1844-11e8-a712-0025908740c2"> + <topic>tomcat -- Security constraints ignored or applied too late</topic> + <affects> + <package> + <name>tomcat</name> + <range><ge>7.0.0</ge><le>7.0.84</le></range> + <range><ge>8.0.0</ge><le>8.0.49</le></range> + <range><ge>8.5.0</ge><le>8.5.27</le></range> + <range><ge>9.0.0</ge><le>9.0.4</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Apache Software Foundation reports:</p> + <blockquote cite="https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E"> + <p>Security constraints defined by annotations of Servlets were only + applied once a Servlet had been loaded. Because security constraints + defined in this way apply to the URL pattern and any URLs below that + point, it was possible - depending on the order Servlets were loaded - + for some security constraints not to be applied. This could have exposed + resources to users who were not authorised to access them.</p> + </blockquote> + <blockquote cite="https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cannounce.tomcat.apache.org%3E"> + <p>The URL pattern of "" (the empty string) which exactly maps to the + context root was not correctly handled when used as part of a security + constraint definition. This caused the constraint to be ignored. It was, + therefore, possible for unauthorised users to gain access to web + application resources that should have been protected. 
Only security + constraints with a URL pattern of the empty string were affected.</p> + </blockquote> + </body> + </description> + <references> + <url>http://tomcat.apache.org/security-9.html</url> + <url>http://tomcat.apache.org/security-8.html</url> + <url>http://tomcat.apache.org/security-7.html</url> + <cvename>CVE-2018-1304</cvename> + <cvename>CVE-2018-1305</cvename> + </references> + <dates> + <discovery>2018-02-23</discovery> + <entry>2018-02-23</entry> + </dates> + </vuln> + <vuln vid="22438240-1bd0-11e8-a2ec-6cc21735f730"> <topic>shibboleth-sp -- vulnerable to forged user attribute data</topic> <affects>
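Review bot: the `<entry>` date in the `<dates>` block (2018-02-23) is four days earlier than this commit (Tue Feb 27 2018); VuXML uses `<entry>` for the date the entry is added to the database, so it should read 2018-02-27, while `<discovery>` correctly keeps 2018-02-23 as the date of the Apache announcements. Two smaller points in the same hunk: the two `<blockquote>` paragraphs are not tied to their CVE identifiers, so a reader cannot tell which text describes CVE-2018-1304 (annotation-defined constraints applied only once the Servlet is loaded) and which describes CVE-2018-1305 (the empty-string URL pattern ignored in a constraint); prefixing each paragraph, or each `cite` link, with its CVE would make the entry self-explanatory. And the three `<url>` references use plain `http://tomcat.apache.org/security-*.html`; the same pages are served over https, which is the form that should be recorded.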