[SECURITY][UPDATE] CVE-2016-8745 Apache Tomcat Information Disclosure
CVE-2016-8745 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M13
Apache Tomcat 8.5.0 to 8.5.8
Apache Tomcat 8.0.0.RC1 to 8.0.39 (new)
Apache Tomcat 7.0.0 to 7.0.73 (new)
Apache Tomcat 6.0.16 to 6.0.48 (new)

Description:
A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body.

The bug was first noticed in 8.5.x onwards, where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug, but further investigation has shown that the bug is present in all currently supported Tomcat versions.

Mitigation:
Users of the NIO HTTP connector with the affected versions should apply one of the following mitigations:
- Switch to the BIO HTTP, NIO2 HTTP or APR HTTP connector
- Disable send file
- Upgrade to Apache Tomcat 9.0.0.M15 or later (Apache Tomcat 9.0.0.M14 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.9 or later
- Upgrade to Apache Tomcat 8.0.40 or later when released
- Upgrade to Apache Tomcat 7.0.74 or later when released
- Upgrade to Apache Tomcat 6.0.49 or later when released

Credit:
This issue was reported publicly as Bug 60409 [1] and the security implications identified by the Tomcat security team.

History:
2016-12-12 Original advisory
2017-01-04 Updated information on affected versions

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
[5] http://tomcat.apache.org/security-6.html
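The advisory's two configuration mitigations (move off the NIO HTTP connector, or disable send file) can be checked mechanically against a Tomcat server.xml. The script below is an added example written for this page; it is not part of the advisory or of Tomcat. It assumes the standard Connector attributes `protocol` and `useSendfile` (which defaults to true on the NIO connector) and the standard Tomcat protocol class names, and it treats the auto-selecting value `protocol="HTTP/1.1"` as "review", since which connector that resolves to depends on the Tomcat major version and on whether the native library is present. The sample server.xml is constructed for the example.

```python
"""Audit a Tomcat server.xml for HTTP connectors exposed to CVE-2016-8745.

Added example, not the advisory's or Tomcat's own code. Assumes the
standard Connector attributes (protocol, useSendfile) and the standard
Tomcat protocol class names. The sample server.xml is constructed.
"""
import xml.etree.ElementTree as ET

NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"
# Connectors the advisory lists as not affected.
NON_NIO_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",      # BIO HTTP
    "org.apache.coyote.http11.Http11Nio2Protocol",  # NIO2 HTTP
    "org.apache.coyote.http11.Http11AprProtocol",   # APR HTTP
}

# Constructed sample: one vulnerable NIO connector, one NIO connector with
# send file disabled, one auto-selecting connector, one NIO2, one AJP.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               useSendfile="false" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8081" protocol="HTTP/1.1"/>
    <Connector port="8082" protocol="org.apache.coyote.http11.Http11Nio2Protocol"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def _is_ajp(protocol):
    # AJP connectors are outside the advisory's scope.
    return protocol.startswith("AJP") or "Ajp" in protocol


def _sendfile_enabled(connector):
    # useSendfile defaults to true on the NIO connector.
    return connector.get("useSendfile", "true").strip().lower() != "false"


def classify(protocol, sendfile_enabled):
    """Verdict for one HTTP connector given its protocol and send file state."""
    if protocol in NON_NIO_PROTOCOLS:
        return "ok"          # mitigation: non-NIO HTTP connector
    if not sendfile_enabled:
        return "ok"          # mitigation: send file disabled
    if protocol == NIO_PROTOCOL:
        return "vulnerable"  # NIO with send file enabled on an affected version
    if protocol == "HTTP/1.1":
        return "review"      # auto-select: resolves to NIO on some versions
    return "unknown"


def audit_server_xml(server_xml):
    """Return (port, protocol, verdict) for every HTTP Connector element."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if _is_ajp(protocol):
            continue
        findings.append((conn.get("port"), protocol,
                         classify(protocol, _sendfile_enabled(conn))))
    return findings


def disable_sendfile(server_xml):
    """Apply the 'disable send file' mitigation to every NIO or auto-selecting
    HTTP connector and return the rewritten server.xml as a string."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if _is_ajp(protocol) or protocol in NON_NIO_PROTOCOLS:
            continue
        if _sendfile_enabled(conn):
            conn.set("useSendfile", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, protocol, verdict in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port:>5}  {verdict:<10}  {protocol}")
    print("--- after disabling send file ---")
    for port, protocol, verdict in audit_server_xml(disable_sendfile(SAMPLE_SERVER_XML)):
        print(f"port {port:>5}  {verdict:<10}  {protocol}")
```

Run it against a real server.xml by reading the file into `audit_server_xml`; a "vulnerable" or "review" verdict on an affected version means one of the advisory's upgrades or mitigations still needs to be applied. Disabling send file is the smallest configuration change, but it is a stopgap: the upgrade is the fix.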
[ANN] Apache log4net 2.0.7 Released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Apache log4net team is pleased to announce the release of Apache log4net 2.0.7.

The release is available for download at https://logging.apache.org/log4net/download_log4net.cgi as well as via nuget https://www.nuget.org/packages/log4net/

The Apache log4net library is a tool to help the programmer output log statements to a variety of output targets. log4net is a port of the excellent Apache log4j framework to the Microsoft(R) .NET runtime.

The 2.0.7 release fixes a nuget packaging problem encountered with 2.0.6 when using the .NET Framework 4.6. The log4net assemblies themselves are identical to those of 2.0.6 - except for the version number and the copyright attribute (happy new year!). If you are not using the nuget package there is no reason to upgrade.

See the release-notes at http://logging.apache.org/log4net/release/release-notes.html for a full list of changes.

Please verify signatures using the KEYS file available at the above location when downloading the release.

For complete information on log4net, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache log4net website: http://logging.apache.org/log4net/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlhufXIACgkQohFa4V9ri3KQbgCeIqzJKR0H7Gv8MUizjArCb/Zj
CtMAoKvLSFBcZ6bFxlroDFCnqm0CXHsH
=a23R
-----END PGP SIGNATURE-----
[ANN] Apache DeviceMap retired
Announcing that the Apache DeviceMap project has been retired to the Attic due to inactivity.

DeviceMap was a project to create a data repository containing device information, images and other relevant information for all sorts of mobile devices.

Retiring a project is not as simple as turning everything off, as existing users need to retain access to the necessary information for their own development efforts. The project's resources will continue to be available in a read-only state - mail archives, website, wiki, svn/git, downloads and bug tracker with no change in url.

You can read more about DeviceMap's retirement at: http://attic.apache.org/projects/devicemap.html

Providing process and solutions to make it clear when an Apache project has reached its end of life is the role of the Apache Attic, and you can read more about that at: http://attic.apache.org/

Thanks,

Henri Yandell
on behalf of the Apache Attic and the now retired Apache DeviceMap project