~ubuntu-branches/ubuntu/natty/tomcat6/natty-proposed

Viewing changes to java/org/apache/catalina/authenticator/mbeans-descriptors.xml

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2011-09-26 11:27:14 UTC
  • Revision ID: package-import@ubuntu.com-20110926112714-ngfuvuxfnr5oe2x8
Tags: 6.0.28-10ubuntu2.2
* SECURITY UPDATE: information disclosure via log file
  - debian/patches/0015-CVE-2011-2204.patch: fix logging in
    java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
    java/org/apache/catalina/users/MemoryUserDatabase.java,
    java/org/apache/catalina/users/MemoryUser.java.
  - CVE-2011-2204
* SECURITY UPDATE: file restriction bypass or denial of service via
  untrusted web application.
  - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
    java/org/apache/catalina/connector/LocalStrings.properties,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/LocalStrings.properties,
    java/org/apache/tomcat/util/net/AprEndpoint.java,
    java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2011-2526
* SECURITY UPDATE: AJP request spoofing and authentication bypass
  (LP: #843701)
  - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
    bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
    java/org/apache/coyote/ajp/AjpProcessor.java.
  - CVE-2011-3190
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
  - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java,
    java/org/apache/catalina/authenticator/LocalStrings.properties,
    java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
    java/org/apache/catalina/realm/RealmBase.java,
    webapps/docs/config/valve.xml.
  - CVE-2011-1184

60
60
               description="Fully qualified class name of the managed object"
61
61
               type="java.lang.String"
62
62
               writeable="false"/>
63
 
      
 
63
 
 
64
    <attribute name="cnonceCacheSize"
 
65
               description="The size of the cnonce cache used to prevent replay attacks"
 
66
               type="int"/>
 
67
 
64
68
    <attribute   name="entropy"
65
69
               description="A String initialization parameter used to increase the  entropy of the initialization of our random number generator"
66
70
               type="java.lang.String"/>
 
71
 
 
72
    <attribute name="key"
 
73
               description="The secret key used by digest authentication"
 
74
               type="java.lang.String"/>
 
75
      
 
76
    <attribute name="nonceValidity"
 
77
               description="The time, in milliseconds, for which a server issued nonce will be valid"
 
78
               type="long"/>
 
79
 
 
80
    <attribute name="opaque"
 
81
               description="The opaque server string used by digest authentication"
 
82
               type="java.lang.String"/>
 
83
 
 
84
    <attribute name="validateUri"
 
85
               description="Should the uri be validated as required by RFC2617?"
 
86
               type="boolean"/>
67
87
  </mbean>
68
88
  
69
89
  <mbean name="FormAuthenticator"
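
Review bot: the new `key` attribute (new lines 72-74) publishes what its own description calls "The secret key used by digest authentication" as a plain java.lang.String MBean attribute with no readable or writeable restriction declared, whereas `className` just above is marked writeable="false". As declared, anyone who can reach the JMX server may be able to read the secret, and change it if the descriptor defaults permit writes. Suggest either dropping `key` from the descriptor or marking it non-readable (for example readable="false", assuming the descriptor schema in this version supports it). The same question applies to `validateUri` and `nonceValidity` (new lines 76-78 and 84-86): with no writeable="false" they look changeable at runtime, which could relax the checks this patch introduces. It would also help if the `cnonceCacheSize` description said what unit the size is counted in.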