ofbiz-notifications mailing list archives

From "Michael Brohl (Jira)" <j...@apache.org>
Subject [jira] [Updated] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31
Date Mon, 24 Feb 2020 13:24:00 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-11407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl updated OFBIZ-11407:
----------------------------------
    Description: 
The Apache Tomcat team announces the immediate availability of Apache
 Tomcat 9.0.30.

Apache Tomcat 9 is an open source software implementation of the Java
 Servlet, JavaServer Pages, Java Unified Expression Language, Java
 WebSocket and JASPIC technologies.

Apache Tomcat 9.0.31 is a bugfix and feature release. The notable
 changes compared to 9.0.30 include:
 - AJP defaults changed to listen on the loopback address, require a secret
 and be disabled in the sample server.xml

 - The JmxRemoteLifecycleListener is now deprecated

 - The HTTP Connector attribute rejectIllegalHeaderName is renamed to
 rejectIllegalHeader and expanded to include header values as well as
 names

Please refer to the change log for the complete list of changes:
 [http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]

 

EDIT: additional CVE info


CVE-2019-17569 HTTP Request Smuggling

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.28 to 9.0.30
Apache Tomcat 8.5.48 to 8.5.50
Apache Tomcat 7.0.98 to 7.0.99

Description:
The refactoring in 9.0.28, 8.5.48 and 7.0.98 introduced a regression.
The result of the regression was that invalid Transfer-Encoding headers
were incorrectly processed leading to a possibility of HTTP Request
Smuggling if Tomcat was located behind a reverse proxy that incorrectly
handled the invalid Transfer-Encoding header in a particular manner.
Such a reverse proxy is considered unlikely.

Mitigation:
- Upgrade to Apache Tomcat 9.0.31 or later
- Upgrade to Apache Tomcat 8.5.51 or later
- Upgrade to Apache Tomcat 7.0.100 or later

Credit:
This issue was found by @ZeddYu and reported responsibly to the Apache
Tomcat Security Team.

References:
[1] [http://tomcat.apache.org/security-9.html]

  was:
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.30.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.31 is a bugfix and feature release. The notable
changes compared to 9.0.30 include:

- AJP defaults changed to listen the loopback address, require a secret
  and to be disabled in the sample server.xml

- The JmxRemoteLifecycleListener is now deprecated

- The HTTP Connector attribute rejectIllegalHeaderName is renamed to
  rejectIllegalHeader and expanded to include header values as well as
  names

Please refer to the change log for the complete list of changes:
[http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]


> Upgrade Tomcat from 9.0.29 to 9.0.31
> ------------------------------------
>
>                 Key: OFBIZ-11407
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11407
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Minor
>             Fix For: Upcoming Branch
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
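The release notes above say that 9.0.31 changes the AJP defaults to bind the loopback address and require a shared secret. A quick way to see whether an existing deployment already matches those defaults is to audit the AJP connectors in server.xml. The following is an added example, not code from the OFBiz or Tomcat projects; the two server.xml snippets are constructed for illustration, the `address`, `secret` and `secretRequired` attribute names are the Tomcat connector attributes, and the choice of which addresses count as loopback is an assumption of this script.

```python
"""Audit the AJP/1.3 connectors in a Tomcat server.xml against the hardened
defaults introduced in Tomcat 9.0.31: bound to loopback and protected by a
shared secret.  Added example, not OFBiz or Tomcat project code; the sample
server.xml documents below are constructed."""
import xml.etree.ElementTree as ET

# Addresses treated as loopback (assumption: the proxy runs on the same host;
# a remote proxy needs an explicit, firewalled interface instead).
LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return (port, finding) tuples for every AJP/1.3 connector whose
    attributes leave it reachable from other hosts or unauthenticated.
    An empty list means every AJP connector matches the 9.0.31 defaults."""
    # For server.xml files of unknown origin parse with defusedxml instead.
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Connectors without a protocol attribute default to HTTP/1.1.
        if conn.get("protocol", "").upper() != "AJP/1.3":
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            findings.append((port, "bound to %s, not loopback"
                             % (address or "all interfaces")))
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append((port, "secretRequired=false disables the shared secret"))
        elif not conn.get("secret"):
            findings.append((port, "no secret configured"))
    return findings


# Constructed sample: the pre-9.0.31 style AJP connector, bound everywhere
# and without a secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: the same connector following the 9.0.31 defaults.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"
               redirectPort="8443"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(doc) or "ok")
```

Run against the real file with `audit_ajp_connectors(open("conf/server.xml").read())`; the secret itself must of course match the one configured in the fronting proxy (mod_jk or mod_proxy_ajp), which this script does not check.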

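The CVE-2019-17569 description above says the smuggling possibility only arises when a reverse proxy in front of Tomcat tolerates an invalid Transfer-Encoding header and forwards it. The defensive counterpart is for the proxy to validate that header strictly and refuse anything ambiguous, so both sides always agree on message framing. The following is an added example of such a check, not Tomcat or OFBiz code; the coding list follows RFC 7230 and the sample header maps are constructed.

```python
"""Strict Transfer-Encoding validation of the kind a reverse proxy should
apply before forwarding a request.  Added example, not Tomcat code; the
header maps used below are constructed."""
import re

# Transfer codings usable in HTTP/1.1 (RFC 7230 section 4).  "identity" is
# not a valid Transfer-Encoding value and so is deliberately absent.
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}
# RFC 7230 "token" characters; anything else is not a coding name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def classify_transfer_encoding(headers: dict) -> str:
    """Classify the request framing implied by a header map.

    Returns "none" when no Transfer-Encoding is present, "valid" when the
    header is well formed and ends in chunked, and "reject" for anything
    a proxy should answer with 400 instead of forwarding."""
    lower = {k.lower(): v for k, v in headers.items()}
    te = lower.get("transfer-encoding")
    if te is None:
        return "none"
    # RFC 7230 3.3.3: a message carrying both headers is malformed; refusing
    # it removes the classic Content-Length / Transfer-Encoding ambiguity.
    if "content-length" in lower:
        return "reject"
    codings = [c.strip().lower() for c in te.split(",")]
    if not codings or any(c == "" for c in codings):
        return "reject"          # empty list element, e.g. "chunked,,"
    names = [c.split(";", 1)[0].strip() for c in codings]
    for name in names:
        if not _TOKEN.match(name) or name not in KNOWN_CODINGS:
            return "reject"      # unknown or malformed coding name
    # For a request, chunked must be the final coding and appear only once
    # (RFC 7230 3.3.1 and 3.3.3); otherwise the body length is undefined.
    if names.count("chunked") != 1 or names[-1] != "chunked":
        return "reject"
    return "valid"


if __name__ == "__main__":
    # Constructed samples covering the accepted and rejected shapes.
    for sample in ({"Host": "example"},
                   {"Transfer-Encoding": "chunked"},
                   {"Transfer-Encoding": "gzip, chunked"},
                   {"Transfer-Encoding": "chunked, gzip"},
                   {"Transfer-Encoding": "xchunked"},
                   {"Transfer-Encoding": "chunked", "Content-Length": "5"}):
        print(sample, "->", classify_transfer_encoding(sample))
```

Rejecting rather than "repairing" a bad header is the point: a proxy that normalises or ignores an invalid value and still forwards the request is exactly the behaviour the advisory describes as the precondition for the regression to matter.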