ofbiz-dev mailing list archives
From Michael Brohl <michael.br...@ecomify.de>
Subject Fwd: [SECURITY] CVE-2016-8747 Apache Tomcat Information Disclosure
Date Tue, 14 Mar 2017 08:38:19 GMT

-------- Forwarded Message --------
Subject: 	[SECURITY] CVE-2016-8747 Apache Tomcat Information Disclosure
Date: 	Mon, 13 Mar 2017 20:05:14 +0000
From: 	Mark Thomas <markt@apache.org>
To: 	Tomcat Users List <users@tomcat.apache.org>
CC: 	Tomcat Developers List <dev@tomcat.apache.org>, 
announce@tomcat.apache.org <announce@tomcat.apache.org>

CVE-2016-8747 Apache Tomcat Information Disclosure

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M11 to 9.0.0.M15
Apache Tomcat 8.5.7 to 8.5.9

The refactoring to make wider use of ByteBuffer introduced a regression
that could cause information to leak between requests on the same
connection. When running behind a reverse proxy, this could result in
information leakage between users. All HTTP connector variants are
affected but HTTP/2 and AJP are not affected.

Users of the affected versions should apply one of the following:
- Upgrade to Apache Tomcat 9.0.0.M17 or later
   (Apache Tomcat 9.0.0.M16 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.11 or later
   (Apache Tomcat 8.5.10 has the fix but was not released)
Earlier versions are not affected.

This issue was identified by the Tomcat security team.

2017-03-13 Original advisory

[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
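A practitioner triaging this advisory across a fleet needs to decide, per installation, whether the running Tomcat falls inside the affected ranges. The following is an added example, not part of the forwarded advisory or of the Tomcat project, that encodes the version ranges stated above (9.0.0.M11 to 9.0.0.M15 and 8.5.7 to 8.5.9, inclusive) and the minimum fixed releases (9.0.0.M17, 8.5.11), and checks a version string against them. It handles the milestone suffix that plain numeric comparison gets wrong (a 9.0.0.Mnn milestone must sort before a 9.0.0 GA release). The accepted input formats, a bare version, an `Apache Tomcat/x.y.z` server-info string, or the `Server version:` line printed by Tomcat's `bin/version.sh`, are the example's own assumption about where an administrator would read the version from.

```python
import re
from typing import NamedTuple, Optional

# Inclusive version ranges, copied from the advisory text.
AFFECTED_RANGES = [
    ("9.0.0.M11", "9.0.0.M15"),
    ("8.5.7", "8.5.9"),
]

# Minimum fixed release per major version, also from the advisory.
FIXED_VERSIONS = {9: "9.0.0.M17", 8: "8.5.11"}

# major.minor.patch with an optional ".M<n>" milestone suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

# Prefixes we strip before parsing (assumed input formats, see lead-in).
_PREFIXES = ("Server version:", "Apache Tomcat/", "Apache Tomcat ")


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    milestone: Optional[int]  # None for a GA release

    def key(self):
        # Milestones of x.y.z precede the GA x.y.z release, so a GA
        # release is compared as if it had an infinitely large milestone.
        ms = self.milestone if self.milestone is not None else float("inf")
        return (self.major, self.minor, self.patch, ms)


def parse_version(text: str) -> TomcatVersion:
    """Parse '9.0.0.M11', '8.5.8', 'Apache Tomcat/8.5.8' or a
    'Server version: Apache Tomcat/8.5.8' line into a TomcatVersion."""
    s = text.strip()
    for prefix in _PREFIXES:
        if s.startswith(prefix):
            s = s[len(prefix):].strip()
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, ms = m.groups()
    return TomcatVersion(int(major), int(minor), int(patch),
                         int(ms) if ms is not None else None)


def is_affected(text: str) -> bool:
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_version(text).key()
    return any(parse_version(lo).key() <= v <= parse_version(hi).key()
               for lo, hi in AFFECTED_RANGES)


def remediation(text: str) -> str:
    """One-line triage verdict for a version string."""
    v = parse_version(text)
    if not is_affected(text):
        return f"{text.strip()}: not affected by CVE-2016-8747"
    return (f"{text.strip()}: AFFECTED by CVE-2016-8747, "
            f"upgrade to {FIXED_VERSIONS[v.major]} or later")


if __name__ == "__main__":
    # Constructed sample inputs in the formats the parser accepts.
    for sample in ("9.0.0.M13", "8.5.8", "Apache Tomcat/8.5.11",
                   "Server version: Apache Tomcat/9.0.0.M17", "8.0.41"):
        print(remediation(sample))
```

The comparison key is the important part: treating `9.0.0.M16` as less than `9.0.0` keeps the unreleased-but-fixed milestones and the later GA releases on the correct side of the range. The script only classifies a version you already know; it does not probe servers, and the version should be read from the installation itself (`bin/version.sh` or the server-info string in the deployment) rather than inferred from an HTTP banner, which many deployments strip or rewrite.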
