[SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass

From: Mark Thomas <markt@apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Cc: Tomcat Developers List <dev@tomcat.apache.org>,Tomcat Announce List <announce@tomcat.apache.org>,announce@apache.org,full-disclosure@lists.grok.org.uk,bugtraq@securityfocus.com
Subject: [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass
Date:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2011-1582 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.12-7.0.13
- - Earlier versions are not affected

Description:
An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that
security constraints configured via annotations were ignored on the
first request to a Servlet. Subsequent requests were secured correctly.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Upgrade to a Tomcat 7.0.14 or later
- - Define all security constraints in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJN0m4vAAoJEBDAHFovYFnn5NkQAOBocyvRk9fTGX569Ga95yDJ
vV84ZS3D1jCP3VQ1swh1Ouzd9NdP9pRGVWysTjz6N1bsZ+BMpGIyT/GpMqhfPAPx
OzzbkM2cNow8MR/PG3rFbYjQH1r6D400zSu+drHDtTzrOY2uXS2ClL0UuxUg9LcN
tUfidh9629OMVtuWqA2jwTSrc7fDdye5Ti1HZ0g5vUG5Cvab4LCcRdwh2VWT7g3T
LKUTr6AZAz0mQ/7+QNJOOykX+FJcOL99Q46NLVZzeLPWFoEBZn/BRs8O9WehYnLV
EEZtARSaUzTjssePo/O+oV4xYW5JIA1+5sKG7+xIvIaWKMbIPbdrPEPZusK/X0QR
LjdLbMUGcGzDUVNP0hGzpArIDXcWmslJKJ3YFTCg3VdeamULh12bqxw3AtliAzI9
pSTcMcVNOMWZOUl/Czc2I3t5ehWaOGr5j3D7No8mEFMCcRoQoRTNS7hKqqqKsyY4
hTxMJV9dXox5mIuDY8hLaGY9KuUFIo2AXWnr7lqIBrKGrziVAySuIpKSnzuFvz2z
q2DjPnXrFo/5W2ZVfUk0utCjyJX/NJdizKmW9PdQu4aT2BJdEgjjiW+qzPi20kZy
HgySY8kEFbI8CyM6PqD6Yb5nzA/xR1YAYRQx1pWTrE5Y0B5MTctAaPCIJQoc3nIA
GZ0Ziz0q/PX/x7ug1TnP
=srIH
-----END PGP SIGNATURE-----






Copyright © 1995-2019 LinuxRocket.net. All rights reserved.