Tomcat 5.5.28 released ?
Hi,

Has Tomcat 5.5.28 been released?
I've never seen the release announcement yet, but it seems we can download it.
http://tomcat.apache.org/download-55.cgi

For changelog and status, they are still 5.5.27.
http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
http://tomcat.apache.org/tomcat-5.5-doc/status.html

This situation has been the same for several days. Fix it, please.

Kazu Nambo

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
From: ma...@apache.org
Subject: Re: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
Date: Thu, 05 Mar 2009 12:45:10 +0100

> nambo.k...@oss.ntt.co.jp wrote:
> > Hi, Mark.
> >
> >> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
> > I checked Tomcat 5.0.x source code and I've found that
> > org.apache.coyote.http11.filters.SavedRequestInputFilter is NOT included.
> > Does this mean Tomcat 5.0.x is not affected by this vulnerability?
>
> I would assume so but haven't confirmed this as 5.0.x is unsupported.

OK, I understand.

BTW I've found a typo in the security reports.
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-4.html

  low: Information disclosure CVE-2008-4308
  Bug 40711 may result in the disclosure of POSTed .

40711 -> 40771.

Best regards,
Kazu Nambo

> Mark
>
> > Advice, please.
> > Kazu Nambo
> >
> > From: ma...@apache.org
> > Subject: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
> > Date: Wed, 25 Feb 2009 23:17:37 +
> >
> > CVE-2008-4308: Tomcat information disclosure vulnerability
> >
> > Severity: Low
> >
> > Vendor:
> > The Apache Software Foundation
> >
> > Versions Affected:
> > Tomcat 4.1.32 to 4.1.34
> > Tomcat 5.5.10 to 5.5.20
> > Tomcat 6.0.x is not affected
> > The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
> >
> > Note: Although this vulnerability affects relatively old versions of
> > Apache Tomcat, it was only discovered and reported to the Apache Tomcat
> > Security team in October 2008. Publication of this issue was then
> > postponed until now at the request of the reporter.
> >
> > Description:
> > Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
> > result in the disclosure of POSTed content from a previous request. For
> > a vulnerability to exist the content read from the input stream must be
> > disclosed, eg via writing it to the response and committing the
> > response, before the ArrayIndexOutOfBoundsException occurs which will
> > halt processing of the request.
> >
> > Mitigation:
> > Upgrade to:
> > 4.1.35 or later
> > 5.5.21 or later
> > 6.0.0 or later
> >
> > Example:
> > See original bug report for example of how to create the error condition.
> >
> > Credit:
> > This issue was discovered by Fujitsu and reported to the Tomcat Security
> > Team via JPCERT.
> >
> > References:
> > http://tomcat.apache.org/security.html
> >
> > Mark Thomas
Re: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
Hi, Mark.

> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

I checked Tomcat 5.0.x source code and I've found that
org.apache.coyote.http11.filters.SavedRequestInputFilter is NOT included.
Does this mean Tomcat 5.0.x is not affected by this vulnerability?

Advice, please.

Kazu Nambo

From: ma...@apache.org
Subject: [SECURITY] CVE-2008-4308: Tomcat information disclosure vulnerability
Date: Wed, 25 Feb 2009 23:17:37 +

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2008-4308: Tomcat information disclosure vulnerability
>
> Severity: Low
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Tomcat 4.1.32 to 4.1.34
> Tomcat 5.5.10 to 5.5.20
> Tomcat 6.0.x is not affected
> The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
>
> Note: Although this vulnerability affects relatively old versions of
> Apache Tomcat, it was only discovered and reported to the Apache Tomcat
> Security team in October 2008. Publication of this issue was then
> postponed until now at the request of the reporter.
>
> Description:
> Bug 40771 (https://issues.apache.org/bugzilla/show_bug.cgi?id=40771) may
> result in the disclosure of POSTed content from a previous request. For
> a vulnerability to exist the content read from the input stream must be
> disclosed, eg via writing it to the response and committing the
> response, before the ArrayIndexOutOfBoundsException occurs which will
> halt processing of the request.
>
> Mitigation:
> Upgrade to:
> 4.1.35 or later
> 5.5.21 or later
> 6.0.0 or later
>
> Example:
> See original bug report for example of how to create the error condition.
>
> Credit:
> This issue was discovered by Fujitsu and reported to the Tomcat Security
> Team via JPCERT.
>
> References:
> http://tomcat.apache.org/security.html
>
> Mark Thomas
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJpdGRb7IeiTPGAkMRAkK+AKC1m5WunqOmwuFYSYEoASF/AokgDQCffmxM
> U3IdbfYNVtRIzCW5XTvhv2E=
> =rJGg
> -----END PGP SIGNATURE-----
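The advisory quoted above gives the affected and fixed releases per Tomcat branch (4.1.32 to 4.1.34 fixed in 4.1.35, 5.5.10 to 5.5.20 fixed in 5.5.21, 6.0.x not affected, 3.x/4.0.x/5.0.x unsupported and possibly affected). The following Python script is an added example, not code from the Tomcat project or from the advisory: it checks a version string, or the "Server version:" line printed by Tomcat's version script, against those ranges. The point worth seeing in code is that the comparison must be numeric: as strings, "5.5.9" sorts after "5.5.10" and a naive check would misclassify it. The function names and the sample version output are constructed for this example; the unsupported branches are reported as "unsupported" rather than "not affected", matching the advisory's "may be also affected" wording.

```python
"""Check a Tomcat version against the CVE-2008-4308 advisory ranges.

Added example, not code from the Tomcat project or the advisory. The
affected ranges and minimum fixed releases below are copied from the
advisory text; everything else (function names, sample output) is
constructed for this example.
"""
import re

# (first affected, last affected, first fixed) per branch, from the advisory.
AFFECTED_RANGES = [
    ((4, 1, 32), (4, 1, 34), (4, 1, 35)),
    ((5, 5, 10), (5, 5, 20), (5, 5, 21)),
]

# Branches the advisory lists as unsupported and "may be also affected".
UNSUPPORTED_BRANCHES = [(3,), (4, 0), (5, 0)]

# First dotted number in the text, e.g. "5.5.17" or "Apache Tomcat/5.5.17".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the version as a tuple of ints, e.g. '5.5.9' -> (5, 5, 9).

    Tuples of ints compare numerically, so (5, 5, 9) < (5, 5, 10).
    Comparing the raw strings would get this wrong ('5.5.9' > '5.5.10').
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(p) for p in m.groups() if p is not None)


def assess(text):
    """Classify one version string.

    Returns (verdict, fixed) where verdict is 'affected', 'not affected'
    or 'unsupported' and fixed is the advisory's minimum fixed release
    for that branch (None unless affected).
    """
    v = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return "affected", ".".join(str(n) for n in fixed)
    # The advisory does not clear the unsupported branches, so report them
    # separately instead of calling them "not affected".
    for branch in UNSUPPORTED_BRANCHES:
        if v[:len(branch)] == branch:
            return "unsupported", None
    return "not affected", None


def assess_version_output(output):
    """Find the 'Server version:' line in version-script output and assess it.

    Other lines (JVM version, OS version) also contain dotted numbers, so
    only the server line is handed to the parser.
    """
    for line in output.splitlines():
        if line.startswith("Server version:"):
            return assess(line)
    raise ValueError("no 'Server version:' line in output")


# Constructed sample of what a Tomcat version script prints (not real output).
SAMPLE_OUTPUT = """\
Server version: Apache Tomcat/5.5.17
Server built:   [constructed]
OS Name:        Linux
JVM Version:    1.5.0_15-b04
"""

if __name__ == "__main__":
    for v in ("4.1.31", "4.1.34", "5.5.9", "5.5.20", "5.5.21", "5.0.28", "6.0.18"):
        print(v, "->", assess(v))
    print("sample output ->", assess_version_output(SAMPLE_OUTPUT))
```

Run it as a script to see each sample version classified; feed `assess_version_output` the real output of your installation's version script to check a running instance. The ranges are deliberately kept as data at the top so the same checker can be reused for a later advisory by editing only the tuples.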
Re: JK 1.2.26 ?
Henri Gomez wrote:
> 2007/9/11, Rainer Jung <[EMAIL PROTECTED]>:
>> Hi Henri,
>>
>> 1.2.25 is still pretty young :)
>
> Yes
>
>> There are 2 new bugs for 1.2.25 that I'm aware of:
>>
>> - BZ 43287 (already fixed)
>> - BZ 43229 (still needs to be fixed, should be fixed in next release)

Hi, this bug (43229) is very serious, I think.
It means retries/failover doesn't work with reply_timeout.

>> Version 1.2.25 is now 1 month old. So a reasonable target release date
>> would be in about 10 weeks?
>>
>> Do you have anything special in mind or the need for earlier fixes?

I hope earlier fixes.
Or could you alert the users?

Kazu Nambo

--
View this message in context: http://www.nabble.com/JK-1.2.26---tf4421382.html#a12632302
Sent from the Tomcat - Dev mailing list archive at Nabble.com.
Re: [ANN] Apache Tomcat JK 1.2.22 Web Server Connector released
Does it contain a security fix?
Which one is a security fix in ChangeLog?

Best regards,
Kazu Nambo

Mladen Turk-3 wrote:
>
> The Apache Tomcat team is pleased to announce the immediate availability
> of version 1.2.22 of the Apache Tomcat Connectors.
>
> It contains connectors, which allow a web server such as Apache HTTPD,
> Microsoft IIS and Sun Web Server to act as a front end to the Tomcat web
> application server.
>
> This version of mod_jk is principally a bug and security fix release.
> See http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
> for a complete list of changes.
>
> Source distributions can be downloaded from an
> Apache Software Foundation mirror at:
>
> http://tomcat.apache.org/download-connectors.cgi
>
> Binary distributions for a number of different operating systems and
> web servers can be downloaded from an
> Apache Software Foundation mirror at:
>
> http://tomcat.apache.org/download-connectors.cgi
>
> Documentation for using JK with Tomcat 3.3, 4.1, 5.0 and 5.5
> can be found at:
>
> http://tomcat.apache.org/connectors-doc/
>
> Thank you,
>
> -- The Apache Tomcat Team

--
View this message in context: http://www.nabble.com/-ANN--Apache-Tomcat-JK-1.2.22-Web-Server-Connector-released-tf3601976.html#a10070057
Sent from the Tomcat - Dev mailing list archive at Nabble.com.