Raghavendra,

On 5/6/15 2:19 AM, Raghavendra Nilekani wrote:
> Thanks for the information. This is useful. I feel I should take
> the latest available version and upgrade. Once the new version
> (6.0.44) with fix is available, I can upgrade once again.

You should really make plans to upgrade to the Tomcat 8.0.x series sooner rather than later.

> Can I know the tentative date (month) during which we get the
> official release of the version 6.0.44 ?

It is likely to be in the next 5-10 days, but we can't make any promises.

-chris

> On 5 May 2015 at 17:15, André Warnier <a...@ice-sa.com> wrote:
>
>> Raghavendra Nilekani wrote:
>>
>>> Hi
>>>
>>> I have an application where I currently use 6.0.20 version of
>>> Apache tomcat bundle from spring source. Now because of
>>> security vulnerabilities I have to migrate to newer latest
>>> version of Apache tomcat. I saw the latest version on Apache
>>> tomcat site is Apache Tomcat 6.0.43 where the highest CVE fixed
>>> is *CVE-2014-0227*.
>>>
>>> Now one more latest CVE *Apache Tomcat File Upload denial of
>>> service* has come. The fix for this problem is not officially
>>> released by Apache. I see applying a patch is able to eliminate
>>> this problem. The bugfix is ready for download at
>>> svn.apache.org. The vulnerability is also documented in the
>>> databases at X-Force (102131) and SecurityTracker (ID
>>> 1032079).
>>>
>>> From seclists.org, I heard this problem was identified as a
>>> partial DoS (non persistent, but you can very easily eat up all
>>> server ram) and assigned CVE-2014-0230 and then the person
>>> handling it left Red Hat and it didn't get processed properly.
>>>
>>> Can you please tell me, is there any official fix for this
>>> problem available and from where I can download the official
>>> fix for this CVE ? When will Apache tomcat site have a newer
>>> version of Apache tomcat with this CVE fixed ?
>>>
>>>
>> Hi.
>> I believe that you should first read this :
>> http://tomcat.apache.org/security.html
>> at least the first section, to get a general idea.
>>
>> Do not forget that Tomcat is open-source, free software, that
>> the people developing it and maintaining it do this on a
>> voluntary basis, and that their time is limited. Other
>> organisations set it as their task to provide their own versions
>> of Tomcat packages, and to guarantee that they are "patched" to
>> the latest known security vulnerabilities. And they (rightly)
>> charge a fee for that work.
>>
>> That does not mean that the developers of Apache Tomcat do not
>> take security vulnerabilities seriously, and do not do their best
>> to fix them as quickly as possible. But it does mean that there
>> is not necessarily always a released version of Tomcat available
>> on the official website, with patches for the latest
>> vulnerabilities.
>>
>> So, probably the best you can do is :
>> 1) look in the page above (Lists of security problems fixed in
>> released versions of Apache Tomcat are available:) for your
>> version of Tomcat, and upgrade to a version indicated there if
>> appropriate
>> 2) otherwise, put pressure on your Tomcat package provider (whom
>> you presumably pay for that), to provide the patch you need
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>