We are not concerned and if we switch to to 8.5 it will be 8.5.9, one worry less
See OFBIZ-7348 for more Jacques Le 14/03/2017 à 09:38, Michael Brohl a écrit :
FYI -------- Weitergeleitete Nachricht -------- Betreff: [SECURITY] CVE-2016-8747 Apache Tomcat Information Disclosure Datum: Mon, 13 Mar 2017 20:05:14 +0000 Von: Mark Thomas <ma...@apache.org> An: Tomcat Users List <us...@tomcat.apache.org> Kopie (CC): Tomcat Developers List <d...@tomcat.apache.org>, annou...@tomcat.apache.org <annou...@tomcat.apache.org>, annou...@apache.org CVE-2016-8747 Apache Tomcat Information Disclosure Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M11 to 9.0.0.M15 Apache Tomcat 8.5.7 to 8.5.9 Description The refactoring to make wider use of ByteBuffer introduced a regression that could cause information to leak between requests on the same connection. When running behind a reverse proxy, this could result in information leakage between users. All HTTP connector variants are affected but HTTP/2 and AJP are not affected. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 9.0.0.M17 or later (Apache Tomcat 9.0.0.M16 has the fix but was not released) - Upgrade to Apache Tomcat 8.5.11 or later (Apache Tomcat 8.5.10 has the fix but was not released) Earlier versions are not affected Credit: This issue was identified by the Tomcat security team. History: 2017-03-13 Original advisory References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html
