=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN231
_____________________________________________________________________

DATE                      : 16/03/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       :  Systems running Apache Tomcat version 7 prior to 7.0.11.

======================================================================
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.11_(released_11_Mar_2011)
______________________________________________________________________


Important: Security constraint bypass CVE-2011-1088

     When a web application was started, ServletSecurity annotations
were ignored. This meant that some areas of the application may not
have been protected as expected. This was partially fixed in Apache
Tomcat 7.0.10 and fully fixed in 7.0.11.

This was fixed in revision 1076586, revision 1076587, revision 1077995
and revision 1079752.

This was reported publicly on the Tomcat users mailing list on 2 Mar 2011.

     Affects: 7.0.0-7.0.10
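
A triage helper for this advisory, added here as an example and not taken from CERT-Renater or the Apache Tomcat project: it classifies a Tomcat version string against the affected range above and lists the compiled classes in a WAR that reference the ServletSecurity annotation. The function names and the sample WAR are constructed for illustration; classes packed inside WEB-INF/lib JARs are not inspected.

```python
import io
import re
import zipfile

# Descriptor under which the annotation type appears in a class file's constant pool.
MARKER = b"Ljavax/servlet/annotation/ServletSecurity;"

def tomcat_status(server_info):
    """Classify a version string such as 'Apache Tomcat/7.0.9' per the advisory."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", server_info)
    if not m:
        return "unknown"
    major, minor, patch = map(int, m.groups())
    if (major, minor) != (7, 0):
        return "not covered by this advisory"
    if patch <= 9:
        return "affected"
    if patch == 10:
        return "affected (partial fix only)"
    return "fixed"

def classes_using_servlet_security(war_bytes):
    """Return the .class entries of a WAR that reference @ServletSecurity."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.endswith(".class") and MARKER in war.read(name):
                hits.append(name)
    return sorted(hits)

def build_sample_war():
    """Constructed sample: placeholder class bodies, only the marker bytes matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/classes/app/AdminServlet.class",
                     b"\xca\xfe\xba\xbe" + MARKER + b"\x00")
        war.writestr("WEB-INF/classes/app/PublicServlet.class",
                     b"\xca\xfe\xba\xbe\x00")
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
    return buf.getvalue()

if __name__ == "__main__":
    for info in ("Apache Tomcat/7.0.8", "Apache Tomcat/7.0.10", "Apache Tomcat/7.0.11"):
        print(info, "->", tomcat_status(info))
    print(classes_using_servlet_security(build_sample_war()))
```

An application that appears in the second list and runs on a version reported as affected is one whose annotation-declared constraints should be re-checked after upgrading.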



======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================





