svn commit: r463158 - head/security/vuxml
Thomas Zander
riggs at FreeBSD.org
Tue Feb 27 20:03:58 UTC 2018
Author: riggs
Date: Tue Feb 27 20:03:56 2018
New Revision: 463158
URL: https://svnweb.freebsd.org/changeset/ports/463158
Log:
Document CVE-2018-1304 and CVE-2018-1305 in Apache Tomcat
Submitted by: Roger Marquis <marquis at roble.com> via e-mail
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Feb 27 19:57:56 2018 (r463157)
+++ head/security/vuxml/vuln.xml Tue Feb 27 20:03:56 2018 (r463158)
@@ -58,6 +58,51 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="55c4233e-1844-11e8-a712-0025908740c2">
+ <topic>tomcat -- Security constraints ignored or applied too late</topic>
+ <affects>
+ <package>
+ <name>tomcat</name>
+ <range><ge>7.0.0</ge><le>7.0.84</le></range>
+ <range><ge>8.0.0</ge><le>8.0.49</le></range>
+ <range><ge>8.5.0</ge><le>8.5.27</le></range>
+ <range><ge>9.0.0</ge><le>9.0.4</le></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The Apache Software Foundation reports:</p>
+ <blockquote cite="https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E">
+ <p>Security constraints defined by annotations of Servlets were only
+ applied once a Servlet had been loaded. Because security constraints
+ defined in this way apply to the URL pattern and any URLs below that
+ point, it was possible - depending on the order Servlets were loaded -
+ for some security constraints not to be applied. This could have exposed
+ resources to users who were not authorised to access them.</p>
+ </blockquote>
+ <blockquote cite="https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cannounce.tomcat.apache.org%3E">
+ <p>The URL pattern of "" (the empty string) which exactly maps to the
+ context root was not correctly handled when used as part of a security
+ constraint definition. This caused the constraint to be ignored. It was,
+ therefore, possible for unauthorised users to gain access to web
+ application resources that should have been protected. Only security
+ constraints with a URL pattern of the empty string were affected.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://tomcat.apache.org/security-9.html</url>
+ <url>http://tomcat.apache.org/security-8.html</url>
+ <url>http://tomcat.apache.org/security-7.html</url>
+ <cvename>CVE-2018-1304</cvename>
+ <cvename>CVE-2018-1305</cvename>
+ </references>
+ <dates>
+ <discovery>2018-02-23</discovery>
+ <entry>2018-02-23</entry>
+ </dates>
+ </vuln>
+
<vuln vid="22438240-1bd0-11e8-a2ec-6cc21735f730">
<topic>shibboleth-sp -- vulnerable to forged user attribute data</topic>
<affects>
More information about the svn-ports-head
mailing list