Hi Mark, met you at Pivotal... in Toronto. I have been watching these forums for some time, and just seeing the quantity of emails: are these people experiencing a normal number of issues with getting Tomcat to work with their software? Can you categorize some of those issues for me? As a student studying security I am curious... Richard
On Thu, Oct 27, 2016 at 8:17 AM, Mark Thomas <ma...@apache.org> wrote:
> CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0.M9
> Apache Tomcat 8.5.0 to 8.5.4
> Apache Tomcat 8.0.0.RC1 to 8.0.36
> Apache Tomcat 7.0.0 to 7.0.70
> Apache Tomcat 6.0.0 to 6.0.45
> Earlier, unsupported versions may also be affected.
>
> Description
> The ResourceLinkFactory did not limit web application access to global
> JNDI resources to those resources explicitly linked to the web
> application. Therefore, it was possible for a web application to access
> any global JNDI resource whether an explicit ResourceLink had been
> configured or not.
>
> Mitigation
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 9.0.0.M10 or later
> - Upgrade to Apache Tomcat 8.5.5 or later
> - Upgrade to Apache Tomcat 8.0.37 or later
> - Upgrade to Apache Tomcat 7.0.72 or later
>   (Apache Tomcat 7.0.71 has the fix but was not released)
> - Upgrade to Apache Tomcat 6.0.47 or later
>   (Apache Tomcat 6.0.46 has the fix but was not released)
>
> Credit:
> This issue was discovered by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
> [4] http://tomcat.apache.org/security-6.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
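For readers wondering what "explicitly linked" means in the advisory above, here is the configuration shape it refers to. This is an added illustration, not part of the advisory or the Tomcat distribution; the resource names (jdbc/AppDB, jdbc/BillingDB), the hostname, the credentials and the application name app are placeholders. Global resources are declared once in conf/server.xml, and an administrator-controlled per-application context file links only the ones that application is meant to see:

```xml
<!-- conf/server.xml (excerpt): resources defined once, server-wide.
     Names, URLs and credentials are illustrative placeholders. -->
<GlobalNamingResources>
  <!-- The resource this web application is meant to use -->
  <Resource name="jdbc/AppDB"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.internal:5432/app"
            username="app_user"
            password="CHANGE_ME"/>
  <!-- A resource that belongs to a different application on the same server.
       This web application is NOT supposed to be able to reach it. -->
  <Resource name="jdbc/BillingDB"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.internal:5432/billing"
            username="billing_user"
            password="CHANGE_ME"/>
</GlobalNamingResources>

<!-- conf/Catalina/localhost/app.xml: per-application context kept under the
     administrator's control, outside the WAR. Only jdbc/AppDB is linked, so
     the application resolves it as java:comp/env/jdbc/AppDB. -->
<Context>
  <ResourceLink name="jdbc/AppDB"
                global="jdbc/AppDB"
                type="javax.sql.DataSource"/>
</Context>
```

The intent of this layout is that the set of <ResourceLink> elements is the boundary: the application gets jdbc/AppDB and nothing else. In the fixed releases listed in the advisory, ResourceLinkFactory enforces that boundary by resolving only global names that were linked to the requesting web application. On affected versions the <ResourceLink> still controls what is published under java:comp/env, but, as the advisory states, it does not stop a web application from reaching other global resources through ResourceLinkFactory. The advisory lists no configuration workaround, only upgrading, so the practical check is the Tomcat version, not the contents of these files. The distinction matters most where web applications are not fully trusted, for example shared hosts running with a SecurityManager; a single trusted application on its own Tomcat instance gains little from the link restriction, which is consistent with the Low severity rating.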