tomcat-users mailing list archives

From Raghavendra Nilekani <>
Subject Re: Officially released Apache tomcat version with CVE-2014-0230
Date Wed, 06 May 2015 06:19:39 GMT

Thanks for the information. This is useful. I feel I should take the latest
available version and upgrade. Once the new version (6.0.44) with fix is
available, I can upgrade once again.

Can I know the tentative date (month) during which we get the official
release of the version 6.0.44 ?

Thanks and Regards
Raghavendra Neelekani

On 5 May 2015 at 17:15, André Warnier <> wrote:

> Raghavendra Nilekani wrote:
>> Hi
>> I have an application where I currently use 6.0.20 version of Apache
>> tomcat bundle from spring source. Now because of security vulnerabilities I have
>> to migrate to the newer latest version of Apache tomcat. I saw the latest
>> version on the Apache tomcat site is Apache Tomcat 6.0.43 where the highest CVE
>> fixed is *CVE-2014-0227*.
>> Now one more latest CVE *Apache Tomcat File Upload denial of service* has
>> come. The fix for this problem is not officially released by Apache. I see
>> applying a patch is able to eliminate this problem. The bugfix is ready
>> for download at The vulnerability is also documented in the
>> databases at X-Force (102131) and SecurityTracker (ID 1032079).
>> From, I heard this problem was identified as a partial DoS
>> (non persistent, but you can very easily eat up all server ram) and
>> assigned CVE-2014-0230 and then the person handling it left Red Hat and it
>> didn't get processed properly.
>> Can you please tell me, is there any official fix for this problem
>> available and from where I can download the official fix for this CVE ?
>> When will the Apache tomcat site have a newer version of Apache tomcat with
>> this CVE fixed ?
> Hi.
> I believe that you should first read this:
> at least the first section, to get a general idea.
> Do not forget that Tomcat is open-source, free software, that the
> people developing it and maintaining it do this on a voluntary basis, and
> that their time is limited.
> Other organisations set it as their task to provide their own versions of
> Tomcat packages, and to guarantee that they are "patched" against the latest
> known security vulnerabilities.
> And they (rightly) charge a fee for that work.
> That does not mean that the developers of Apache Tomcat do not take
> security vulnerabilities seriously, and do not do their best to fix them as
> quickly as possible.
> But it does mean that there is not necessarily always a released version
> of Tomcat available on the official website, with patches for the latest
> vulnerabilities.
> So, probably the best you can do is:
> 1) look in the page above (Lists of security problems fixed in released
> versions of Apache Tomcat are available:) for your version of Tomcat, and
> upgrade to a version indicated there if appropriate
> 2) otherwise, put pressure on your Tomcat package provider (whom you
> presumably pay for that), to provide the patch you need
