[jboss-cvs] JBossAS SVN: r92294 - projects/docs/enterprise/4.2.7/readme/en-US.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Wed Aug 12 23:36:27 EDT 2009


Author: irooskov at redhat.com
Date: 2009-08-12 23:36:27 -0400 (Wed, 12 Aug 2009)
New Revision: 92294

Modified:
   projects/docs/enterprise/4.2.7/readme/en-US/Release_Notes_CP07.xml
Log:
updated with JBPAPP-2459 fix


Modified: projects/docs/enterprise/4.2.7/readme/en-US/Release_Notes_CP07.xml
===================================================================
--- projects/docs/enterprise/4.2.7/readme/en-US/Release_Notes_CP07.xml	2009-08-13 03:35:09 UTC (rev 92293)
+++ projects/docs/enterprise/4.2.7/readme/en-US/Release_Notes_CP07.xml	2009-08-13 03:36:27 UTC (rev 92294)
@@ -503,11 +503,11 @@
 							<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-2067">JBPAPP-2067</ulink>: The release of Tomcat 6.0.20 saw a set of security vulnerabilities fixed that have now been backported to JBoss Web. These vulnerabilities are:
 						</para>
 						<itemizedlist>
-							<listitem>
+						<!--	<listitem>
 								<para>
 									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033">CVE-2009-0033</ulink>: For Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the <filename>Java AJP</filename> connector and <filename>mod_jk</filename> load balancing were used it would allow for remote attackers to cause a denial of service (application outage) attack via a crafted request with invalid headers. This would occur in relation to the temporary blocking of connectors that had encountered errors, as demonstrated by an error involving a malformed <filename>HTTP Host</filename> header. This update has been rated as having important security impact by the Red Hat Security Response Team.
 								</para>
-							</listitem>
+							</listitem> -->
 							<listitem>
 								<para>
 									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515">CVE-2008-5515</ulink>: Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalized the target pathname before filtering the query string when using the <methodname>RequestDispatcher</methodname> method, which allowed remote attackers to bypass intended access restrictions and conduct directory traversal attacks via <code>..</code> (dot dot) sequences and the <filename>WEB-INF</filename> directory in a <classname>Request</classname>. This update has been rated as having important security impact by the Red
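Review bot: The CVE-2009-0033 entry is hidden with an XML comment, but the introducing sentence still reads "These vulnerabilities are:", so the rendered notes will silently drop the AJP/mod_jk denial-of-service item with nothing in the source saying why. If the fix is not backported in CP07, delete the `<listitem>` outright or put a one-line note inside the comment citing JBPAPP-2459 (the issue the log message names) so a later editor does not reinstate it; if it is backported, the element should be restored instead. Minor: the `<!--` opener is indented one tab less than the `<listitem>` it wraps; align it with the sibling `<listitem>` lines.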
@@ -519,11 +519,11 @@
 									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783">CVE-2009-0783</ulink>: Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 would permit web applications to replace an XML parser used for other web applications. This would allow local users to read or modify the <filename>web.xml</filename>, <filename>context.xml</filename>, or <filename>tld</filename> files of arbitrary web applications via a crafted application that is loaded earlier than the target application. This update has been rated as having low security impact by the Red Hat Security Response Team.
 								</para>
 							</listitem>
-							<listitem>
+						<!--	<listitem>
 								<para>
 									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781">CVE-2009-0781</ulink>: A Cross-site scripting (XSS) vulnerability existed within the <filename>jsp/cal/cal2.jsp</filename> calendar examples web application for Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18. This vulnerability would allow remote attackers to inject arbitrary web script or HTML via the time parameter, related to <emphasis>invalid HTML</emphasis>. This update has been rated as having low security impact by the Red Hat Security Response Team.
 								</para>
-							</listitem>
+							</listitem> -->
 							<listitem>
 								<para>
 									<ulink url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580">CVE-2009-0580</ulink>: For Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when <property>FORM</property> authentication was used, this would allow remote attackers to enumerate valid usernames via requests to <filename>/j_security_check</filename>. This would be achieved with malformed URL encoding of passwords, related to improper error checking in the <classname>MemoryRealm</classname>, <classname>DataSourceRealm</classname>, and <classname>JDBCRealm</classname> authentication realms, as demonstrated by a <code>%</code> (percent) value for the <property>j_password</property> parameter. This update has been rated as having low security impact by the Red Hat Security Response Team.
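Review bot: Same concern for the CVE-2009-0781 (cal2.jsp XSS example) entry as for the earlier one: wrapping the `<listitem>` in `<!-- ... -->` removes it from the rendered list without recording the reason, so either delete it or add a short explanatory comment referencing JBPAPP-2459. Placing `-->` on the same line as `</listitem>` keeps the XML well-formed, and the commented region contains no `--` sequence that would break the comment, so the markup itself is fine; only the dangling indentation of the `<!--` line needs tidying.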