=====================================================================
                           CERT-Renater

               Information Note No. 2011/VULN210
_____________________________________________________________________

DATE                 : 10/03/2011

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Apache Tomcat version 7 prior
                       to 7.0.10.

======================================================================
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.10_(released_8_Mar_2011)
______________________________________________________________________

Fixed in Apache Tomcat 7.0.10 (released 8 Mar 2011)

Important: Security constraint bypass CVE-2011-1088

When a web application was started, ServletSecurity annotations were
ignored. This meant that some areas of the application may not have
been protected as expected. This was fixed in revision 1076586,
revision 1076587 and revision 1077995.

This was reported publicly on the Tomcat users mailing list on
2 Mar 2011.

Affects: 7.0.0-7.0.9

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
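
Added example (not part of the CERT-Renater note or of Apache Tomcat): a
triage helper that lists the classes in a WAR that reference the
ServletSecurity annotation and checks a version string against the
"Affects: 7.0.0-7.0.9" range above. The function names, the sample WAR and
the sample version string are constructed for illustration.

```python
import io
import re
import zipfile

# Type descriptor stored in a class file's constant pool when a class
# carries @ServletSecurity (Servlet 3.0, javax namespace used by Tomcat 7).
DESCRIPTOR = b"Ljavax/servlet/annotation/ServletSecurity;"
AFFECTED_MIN, AFFECTED_MAX = (7, 0, 0), (7, 0, 9)  # "Affects: 7.0.0-7.0.9"


def is_affected(version):
    """True if a version string such as 'Apache Tomcat/7.0.9' is in range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("no x.y.z version in %r" % version)
    return AFFECTED_MIN <= tuple(int(p) for p in m.groups()) <= AFFECTED_MAX


def annotated_classes(war):
    """Return class entries in a WAR (path or file object) that reference
    the annotation. Hits are candidates for review, not proof of exposure."""
    hits = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                if DESCRIPTOR in zf.read(name):
                    hits.append(name)
            elif name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                # Servlets may also ship inside bundled JARs.
                inner = annotated_classes(io.BytesIO(zf.read(name)))
                hits.extend(name + "!" + n for n in inner)
    return sorted(hits)


def build_sample_war():
    """Constructed sample: stand-in bytes, not real compiled classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/classes/demo/AdminServlet.class",
                    b"\xca\xfe\xba\xbe" + DESCRIPTOR)
        zf.writestr("WEB-INF/classes/demo/PublicServlet.class",
                    b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    version = "Apache Tomcat/7.0.9"  # constructed sample value
    hits = annotated_classes(build_sample_war())
    if hits and is_affected(version):
        print("review access control for:", ", ".join(hits))
```

Applications whose constraints are declared only through this annotation are
the ones whose protection may not have been applied on the affected versions.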