Raghavendra Nilekani wrote:
Hi

I have an application where I currently use version 6.0.20 of the Apache Tomcat
bundle from SpringSource. Now, because of security vulnerabilities, I have
to migrate to the newest version of Apache Tomcat. I saw that the latest
version on the Apache Tomcat site is Apache Tomcat 6.0.43, where the highest CVE
fixed is CVE-2014-0227.

Now one more recent CVE, Apache Tomcat File Upload denial of service, has
come out. The fix for this problem has not been officially released by Apache. I see
that applying a patch is able to eliminate this problem. The bugfix is ready for
download at svn.apache.org. The vulnerability is also documented in the
databases at X-Force (102131) and SecurityTracker (ID 1032079).

From seclists.org, I heard this problem was identified as a partial DoS
(non-persistent, but you can very easily eat up all server RAM) and
assigned CVE-2014-0230, and then the person handling it left Red Hat and it
didn't get processed properly.

Can you please tell me, is there an official fix for this problem
available, and from where can I download the official fix for this CVE?
When will the Apache Tomcat site have a newer version of Apache Tomcat with
this CVE fixed?


Hi.
I believe that you should first read this:
http://tomcat.apache.org/security.html
at least the first section, to get a general idea.

Do not forget that Tomcat is open-source, free software, that the people developing and maintaining it do this on a voluntary basis, and that their time is limited. Other organisations set it as their task to provide their own versions of Tomcat packages, and to guarantee that they are "patched" against the latest known security vulnerabilities.
And they (rightly) charge a fee for that work.

That does not mean that the developers of Apache Tomcat do not take security vulnerabilities seriously, and do not do their best to fix them as quickly as possible. But it does mean that there is not necessarily always a released version of Tomcat available on the official website, with patches for the latest vulnerabilities.

So, probably the best you can do is:
1) look in the page above ("Lists of security problems fixed in released versions of Apache Tomcat are available:") for your version of Tomcat, and upgrade to a version indicated there if appropriate;
2) otherwise, put pressure on your Tomcat package provider (whom you presumably pay for that) to provide the patch you need.
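A small check that follows the advice in the reply above, as an added example that is not part of either message in this thread and not Tomcat project code: read the installed version out of `catalina.jar` (the `server.info` key in `org/apache/catalina/util/ServerInfo.properties`, which Tomcat's `version.sh` also prints as "Server version: Apache Tomcat/x.y.z"), then compare it numerically against the "fixed in" version from the security page for each CVE you care about. Comparing version strings lexically is a classic mistake ("6.0.9" sorts after "6.0.43"), so the versions are compared as integer tuples. The `FIXED_IN` table is an illustrative assumption built only from what this thread states (CVE-2014-0227 fixed in 6.0.43; no released fix for CVE-2014-0230 at the time); take the real values from http://tomcat.apache.org/security.html, not from this block. `build_fake_catalina_jar` constructs an in-memory jar so the example runs offline.

```python
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

# Matches "Apache Tomcat/6.0.20" in ServerInfo.properties or version.sh output.
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")
SERVER_INFO_PATH = "org/apache/catalina/util/ServerInfo.properties"

# Illustrative table (assumption, based on the thread): CVE -> version that fixes it
# on this branch, or None when no fixed release has been published yet.
FIXED_IN: Dict[str, Optional[str]] = {
    "CVE-2014-0227": "6.0.43",
    "CVE-2014-0230": None,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) as integers so comparisons are numeric."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_from_catalina_jar(jar_file) -> Tuple[int, int, int]:
    """Read server.info from catalina.jar (a path or a file-like object)."""
    with zipfile.ZipFile(jar_file) as jar:
        props = jar.read(SERVER_INFO_PATH).decode("utf-8")
    for line in props.splitlines():
        if line.startswith("server.info="):
            return parse_version(line)
    raise ValueError("server.info key missing from ServerInfo.properties")


def assess(installed: Tuple[int, int, int],
           fixed_in: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each CVE for the installed version.

    'fixed'        installed >= fixing release on the same branch
    'vulnerable'   a fixing release exists on this branch and installed is older
    'unreleased'   no fixing release published yet (patch-only, as in the thread)
    'other-branch' the table entry is for a different major.minor branch
    """
    result = {}
    for cve, fixed in fixed_in.items():
        if fixed is None:
            result[cve] = "unreleased"
            continue
        fixed_v = parse_version("Apache Tomcat/" + fixed)
        if fixed_v[:2] != installed[:2]:
            result[cve] = "other-branch"
        elif installed >= fixed_v:
            result[cve] = "fixed"
        else:
            result[cve] = "vulnerable"
    return result


def build_fake_catalina_jar(version: str) -> io.BytesIO:
    """Constructed sample input: a minimal jar carrying only ServerInfo.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SERVER_INFO_PATH,
                     f"server.info=Apache Tomcat/{version}\n"
                     f"server.number={version}.0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # On a real host: version_from_catalina_jar("/path/to/tomcat/lib/catalina.jar")
    installed = version_from_catalina_jar(build_fake_catalina_jar("6.0.20"))
    print("installed:", ".".join(map(str, installed)))
    for cve, status in assess(installed, FIXED_IN).items():
        print(f"{cve}: {status}")
```

For the 6.0.20 installation in the question this reports CVE-2014-0227 as vulnerable (upgrade to 6.0.43) and CVE-2014-0230 as unreleased, which is exactly the situation the reply describes: upgrade as far as the released list allows, and chase your package vendor for the rest.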



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org