Hi. Thanks for the information. This is useful. I feel I should take the latest available version and upgrade. Once the new version (6.0.44) with fix is available, I can upgrade once again.
Can I know the tentative date (month) during which we get the official release of version 6.0.44? Thanks and Regards

-------------------------------
Raghavendra Neelekani

On 5 May 2015 at 17:15, André Warnier <a...@ice-sa.com> wrote:
> Raghavendra Nilekani wrote:
>
>> Hi
>>
>> I have an application where I currently use version 6.0.20 of the Apache
>> Tomcat bundle from SpringSource. Now because of security vulnerabilities I have
>> to migrate to the newer latest version of Apache Tomcat. I saw the latest
>> version on the Apache Tomcat site is Apache Tomcat 6.0.43, where the highest CVE
>> fixed is *CVE-2014-0227.*
>>
>> Now one more latest CVE, *Apache Tomcat File Upload denial of service*, has
>> come. The fix for this problem is not officially released by Apache. I see
>> applying a patch is able to eliminate this problem. The bugfix is ready for
>> download at svn.apache.org. The vulnerability is also documented in the
>> databases at X-Force (102131) and SecurityTracker (ID 1032079).
>>
>> From seclists.org, I heard this problem was identified as a partial DoS
>> (non persistent, but you can very easily eat up all server RAM) and
>> assigned CVE-2014-0230, and then the person handling it left Red Hat and it
>> didn't get processed properly.
>>
>> Can you please tell me, is there any official fix for this problem
>> available, and from where can I download the official fix for this CVE?
>> When will the Apache Tomcat site have a newer version of Apache Tomcat with
>> this CVE fixed?
>>
>
> Hi.
> I believe that you should first read this:
> http://tomcat.apache.org/security.html
> at least the first section, to get a general idea.
>
> Do not forget that Tomcat is open-source, free software, that the
> people developing it and maintaining it do this on a voluntary basis, and
> that their time is limited.
> Other organisations set it as their task to provide their own versions of
> Tomcat packages, and to guarantee that they are "patched" to the latest
> known security vulnerabilities.
> And they (rightly) charge a fee for that work.
>
> That does not mean that the developers of Apache Tomcat do not take
> security vulnerabilities seriously, and do not do their best to fix them as
> quickly as possible.
> But it does mean that there is not necessarily always a released version
> of Tomcat available on the official website, with patches for the latest
> vulnerabilities.
>
> So, probably the best you can do is:
> 1) look in the page above ("Lists of security problems fixed in released
> versions of Apache Tomcat are available:") for your version of Tomcat, and
> upgrade to a version indicated there if appropriate
> 2) otherwise, put pressure on your Tomcat package provider (whom you
> presumably pay for that) to provide the patch you need
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org