Hi devs,

As discussed heavily, the security maintenance release to fix the Tomcat CVE 2014-50. According to our discussions and decisions summarized here https://tomee.apache.org/security/index.html we will start the release process.

Special thanks to Jon who has worked heavily to prepare everything and ensure the TCK all passes. Another big thanks to Andy who proposed to be the release manager. That's what I call a community.

Jean-Louis

See the end of the message for more details on the CVE.

*Important: Denial of Service* CVE-2014-0050<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050>

It was possible to craft a malformed Content-Type header for a multipart request that caused Apache Tomcat to enter an infinite loop. A malicious user could, therefore, craft a malformed request that triggered a denial of service.

The root cause of this error was a bug in Apache Commons FileUpload. Tomcat 7 uses a packaged renamed copy of Apache Commons FileUpload to implement the requirement of the Servlet 3.0 specification to support the processing of mime-multipart requests. Tomcat 7 was therefore affected by this issue.

This was fixed in revision 1565169<http://svn.apache.org/viewvc?view=rev&rev=1565169>.

This issue was reported to the Apache Software Foundation on 04 Feb 2014 and accidentally made public on 06 Feb 2014.

Affects: 7.0.0-7.0.50

--
Jean-Louis
