[jira] [Updated] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31


Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-11407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl updated OFBIZ-11407:
----------------------------------
    Description:
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.30.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.31 is a bugfix and feature release. The notable
changes compared to 9.0.30 include:

- AJP defaults changed to listen the loopback address, require a secret
  and to be disabled in the sample server.xml

- The JmxRemoteLifecycleListener is now deprecated

- The HTTP Connector attribute rejectIllegalHeaderName is renamed to
  rejectIllegalHeader and expanded to include header values as well as
  names

Please refer to the change log for the complete list of changes:
[http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]

EDIT: additional CVE info

CVE-2019-17569 HTTP Request Smuggling

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.28 to 9.0.30
Apache Tomcat 8.5.48 to 8.5.50
Apache Tomcat 7.0.98 to 7.0.99

Description:
The refactoring in 9.0.28, 8.5.48 and 7.0.98 introduced a regression.
The result of the regression was that invalid Transfer-Encoding headers
were incorrectly processed leading to a possibility of HTTP Request
Smuggling if Tomcat was located behind a reverse proxy that incorrectly
handled the invalid Transfer-Encoding header in a particular manner.
Such a reverse proxy is considered unlikely.

Mitigation:
- Upgrade to Apache Tomcat 9.0.31 or later
- Upgrade to Apache Tomcat 8.5.51 or later
- Upgrade to Apache Tomcat 7.0.100 or later

Credit:
This issue was found by @ZeddYu and reported responsibly to the Apache
Tomcat Security Team.

References:
[1] [http://tomcat.apache.org/security-9.html]

  was:
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.30.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.31 is a bugfix and feature release. The notable
changes compared to 9.0.30 include:

- AJP defaults changed to listen the loopback address, require a secret
  and to be disabled in the sample server.xml

- The JmxRemoteLifecycleListener is now deprecated

- The HTTP Connector attribute rejectIllegalHeaderName is renamed to
  rejectIllegalHeader and expanded to include header values as well as
  names

Please refer to the change log for the complete list of changes:
[http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]


> Upgrade Tomcat from 9.0.29 to 9.0.31
> ------------------------------------
>
>                 Key: OFBIZ-11407
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11407
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Minor
>             Fix For: Upcoming Branch
>
>
> The Apache Tomcat team announces the immediate availability of Apache
>  Tomcat 9.0.30.
> Apache Tomcat 9 is an open source software implementation of the Java
>  Servlet, JavaServer Pages, Java Unified Expression Language, Java
>  WebSocket and JASPIC technologies.
> Apache Tomcat 9.0.31 is a bugfix and feature release. The notable
>  changes compared to 9.0.30 include:
>  - AJP defaults changed to listen the loopback address, require a secret
>  and to be disabled in the sample server.xml
>  - The JmxRemoteLifecycleListener is now deprecated
>  - The HTTP Connector attribute rejectIllegalHeaderName is renamed to
>  rejectIllegalHeader and expanded to include header values as well as
>  names
> Please refer to the change log for the complete list of changes:
>  [http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]
>  
> EDIT: additional CVE info
> CVE-2019-17569 HTTP Request Smuggling
> Severity: Low
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 9.0.28 to 9.0.30
> Apache Tomcat 8.5.48 to 8.5.50
> Apache Tomcat 7.0.98 to 7.0.99
> Description:
> The refactoring in 9.0.28, 8.5.48 and 7.0.98 introduced a regression.
> The result of the regression was that invalid Transfer-Encoding headers
> were incorrectly processed leading to a possibility of HTTP Request
> Smuggling if Tomcat was located behind a reverse proxy that incorrectly
> handled the invalid Transfer-Encoding header in a particular manner.
> Such a reverse proxy is considered unlikely.
> Mitigation:
> - Upgrade to Apache Tomcat 9.0.31 or later
> - Upgrade to Apache Tomcat 8.5.51 or later
> - Upgrade to Apache Tomcat 7.0.100 or later
> Credit:
> This issue was found by @ZeddYu and reported responsibly to the Apache
> Tomcat Security Team.
> References:
> [1]
> [http://tomcat.apache.org/security-9.html]
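The CVE above hinges on a reverse proxy and Tomcat disagreeing about how to frame a request whose Transfer-Encoding header is invalid. As an added example (not code from this Jira issue, OFBiz or Tomcat), the following Python check applies the RFC 7230 framing rules a proxy or WAF should enforce before forwarding a request: a single, well-formed Transfer-Encoding list that ends in chunked, and never Transfer-Encoding and Content-Length together. The sample requests in the test are constructed.

```python
import re
from typing import List, Tuple

# RFC 7230 "token" characters; each transfer-coding name must be exactly one token.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Constructed allowlist of transfer codings a proxy is willing to forward.
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 request head into (name, value) pairs, keeping repeats."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def framing_problems(raw: bytes) -> List[str]:
    """Return reasons the request's message framing is ambiguous; an empty list means clean."""
    hdrs = parse_headers(raw)
    te_values = [v for n, v in hdrs if n == "transfer-encoding"]
    cl_values = [v for n, v in hdrs if n == "content-length"]
    problems = []
    if te_values and cl_values:
        # RFC 7230 3.3.3: carrying both is a request-smuggling signal and should be rejected.
        problems.append("both Transfer-Encoding and Content-Length present")
    if len(te_values) > 1:
        problems.append("multiple Transfer-Encoding header fields")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    codings = []
    for value in te_values:
        for part in value.split(","):
            coding = part.strip().lower()
            if not TOKEN_RE.match(coding):
                problems.append(f"invalid transfer-coding token {coding!r}")
            elif coding not in KNOWN_CODINGS:
                problems.append(f"unknown transfer-coding {coding!r}")
            codings.append(coding)
    if codings and codings[-1] != "chunked":
        # The final coding must be chunked, otherwise the body length is undefined.
        problems.append("final transfer-coding is not chunked")
    if "chunked" in codings[:-1]:
        problems.append("chunked applied more than once or before another coding")
    return problems
```

A proxy that rejects any request for which this list is non-empty never has to guess how the backend will frame it, which removes the precondition the advisory describes.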



--
This message was sent by Atlassian Jira
(v8.3.4#803005)