From: "Michael Brohl (Jira)"
To: notifications@ofbiz.apache.org
Reply-To: dev@ofbiz.apache.org
Date: Mon, 24 Feb 2020 13:24:00 +0000 (UTC)
Subject: [jira] [Updated] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31

[ https://issues.apache.org/jira/browse/OFBIZ-11407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl updated OFBIZ-11407:
----------------------------------
Description:

The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.30.

Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 9.0.31 is a bugfix and feature release. The notable changes compared to 9.0.30 include:

- AJP defaults changed to listen on the loopback address, require a secret and to be disabled in the sample server.xml
- The JmxRemoteLifecycleListener is now deprecated
- The HTTP Connector attribute rejectIllegalHeaderName is renamed to rejectIllegalHeader and expanded to include header values as well as names

Please refer to the change log for the complete list of changes:
[http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]

EDIT: additional CVE info

CVE-2019-17569 HTTP Request Smuggling

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.28 to 9.0.30
Apache Tomcat 8.5.48 to 8.5.50
Apache Tomcat 7.0.98 to 7.0.99

Description:
The refactoring in 9.0.28, 8.5.48 and 7.0.98 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed, leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

Mitigation:
- Upgrade to Apache Tomcat 9.0.31 or later
- Upgrade to Apache Tomcat 8.5.51 or later
- Upgrade to Apache Tomcat 7.0.100 or later

Credit:
This issue was found by @ZeddYu and reported responsibly to the Apache Tomcat Security Team.

References:
[1] [http://tomcat.apache.org/security-9.html]


> Upgrade Tomcat from 9.0.29 to 9.0.31
> ------------------------------------
>
>                 Key: OFBIZ-11407
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11407
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Minor
>             Fix For: Upcoming Branch
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
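The advisory above notes that the regression only matters when a reverse proxy in front of Tomcat mishandles an invalid Transfer-Encoding header. As an added example (not code from the OFBiz issue, OFBiz or Tomcat), here is the kind of strict message-framing check such a front end should apply before forwarding a request; the hostname and the sample requests are constructed for the example.

```python
"""Strict HTTP/1.1 framing check for a reverse proxy in front of Tomcat.

Added example, not code from the OFBiz issue or from Tomcat: a front end
that rejects malformed Transfer-Encoding / Content-Length combinations at
the edge never forwards a request that a backend could frame differently.
"""
from typing import List, Tuple

# Transfer-codings a conforming HTTP/1.1 implementation may accept (RFC 7230).
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into (request line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name != name.rstrip():  # no colon, or space before it
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def framing_problems(raw: bytes) -> List[str]:
    """Reasons to answer 400 instead of forwarding; an empty list means OK."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    problems = []
    if te and cl:
        # Two competing framing mechanisms: proxy and backend may disagree.
        problems.append("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if any(c not in KNOWN_CODINGS for c in codings):
            problems.append("unrecognised transfer-coding in Transfer-Encoding")
        if codings[-1] != "chunked":
            problems.append("Transfer-Encoding does not end with chunked")
    if len(cl) > 1 or (cl and not cl[0].isdigit()):
        problems.append("invalid or duplicate Content-Length")
    return problems


# Constructed sample requests (not captured traffic).
SAMPLE_OK = b"POST / HTTP/1.1\r\nHost: shop.example\r\nTransfer-Encoding: chunked\r\n\r\n"
SAMPLE_BAD = (b"POST / HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 5\r\n"
              b"Transfer-Encoding: chunkedx\r\n\r\n")
```

A proxy that applies these rules answers the malformed request itself, so the Tomcat behind it (patched or not) never sees a header it might interpret differently.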