Forgot a big big thank you to Romain as usual. He's always so active and efficient that we sometimes forget to highlight his highly valuable contribution.
Thanks, Romain.

2014-04-07 21:50 GMT+02:00 Jean-Louis MONTEIRO <[email protected]>:
> Hi devs,
>
> As discussed heavily, the security maintenance release to fix the Tomcat
> CVE 2014-50.
> According to our discussions and decisions summarized here
> https://tomee.apache.org/security/index.html
> we will start the release process.
>
> Special thanks to Jon who has worked heavily to prepare everything and
> ensure the TCK all passes.
>
> Another big thanks to Andy who proposed to be the release manager.
>
> That's what I call a community.
>
> Jean-Louis
>
>
> See the end of the message for more details on the CVE.
>
> *Important: Denial of Service*
> CVE-2014-0050 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050>
>
> It was possible to craft a malformed Content-Type header for a multipart
> request that caused Apache Tomcat to enter an infinite loop. A malicious
> user could, therefore, craft a malformed request that triggered a denial of
> service.
>
> The root cause of this error was a bug in Apache Commons FileUpload.
> Tomcat 7 uses a packaged renamed copy of Apache Commons FileUpload to
> implement the requirement of the Servlet 3.0 specification to support the
> processing of mime-multipart requests. Tomcat 7 was therefore affected by
> this issue.
>
> This was fixed in revision 1565169 <http://svn.apache.org/viewvc?view=rev&rev=1565169>.
>
> This issue was reported to the Apache Software Foundation on 04 Feb 2014
> and accidentally made public on 06 Feb 2014.
>
> Affects: 7.0.0-7.0.50
>
> --
> Jean-Louis

--
Jean-Louis
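The quoted advisory describes CVE-2014-0050 as a malformed multipart Content-Type header that sent the bundled Commons FileUpload parser into an infinite loop. The real remedy is the patched release the thread is about to ship; what an operator can add in front of the application is an edge check that rejects multipart requests whose boundary parameter does not satisfy the RFC 2046 grammar (1 to 70 characters from a fixed set, no trailing space) before the body ever reaches a multipart parser. The following Python is an added example written for this thread, not code from TomEE, Tomcat or Commons FileUpload; the function names, the sample headers and the `MAX_BOUNDARY_LEN` constant are constructed for illustration.

```python
import re

# RFC 2046 section 5.1.1 boundary grammar: up to 69 characters from the
# "bchars" set (which includes space) followed by one "bcharsnospace".
_BCHARS_NOSPACE = r"0-9A-Za-z'()+_,\-./:=?"
BOUNDARY_RE = re.compile(rf"^[{_BCHARS_NOSPACE} ]{{0,69}}[{_BCHARS_NOSPACE}]$")
# RFC 2046 caps the boundary at 70 characters; a deployment may tighten this.
MAX_BOUNDARY_LEN = 70


def parse_content_type(header: str):
    """Split a Content-Type value into (media_type, {param: value}).

    Parameter values may be a token or a quoted-string; surrounding quotes
    are stripped. Parameters without '=' are ignored. Splitting on ';' is
    adequate for the boundary parameter because ';' is not a legal boundary
    character; it is not a general RFC 7231 parameter parser.
    """
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        params[name.strip().lower()] = value
    return media_type, params


def check_multipart_boundary(header: str):
    """Return None if the Content-Type is acceptable, else a rejection reason.

    Non-multipart media types pass through untouched. Multipart types must
    carry a non-empty boundary within the RFC 2046 length limit and
    character set; anything else is rejected at the edge.
    """
    media_type, params = parse_content_type(header)
    if not media_type.startswith("multipart/"):
        return None
    boundary = params.get("boundary")
    if boundary is None:
        return "multipart request without boundary parameter"
    if boundary == "":
        return "empty boundary parameter"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return f"boundary too long ({len(boundary)} chars, max {MAX_BOUNDARY_LEN})"
    if not BOUNDARY_RE.match(boundary):
        return "boundary violates the RFC 2046 character grammar"
    return None


# Constructed sample headers: two well-formed uploads, three malformed ones,
# and one non-multipart request that the check must leave alone.
SAMPLE_HEADERS = {
    "browser upload": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "quoted boundary": 'multipart/mixed; boundary="gc0p4Jq0M2Yt08j34c0p"',
    "oversized boundary": "multipart/form-data; boundary=" + "A" * 4096,
    "missing boundary": "multipart/form-data",
    "trailing space": 'multipart/form-data; boundary="abc "',
    "not multipart": "application/json; charset=utf-8",
}


def main():
    for label, header in SAMPLE_HEADERS.items():
        reason = check_multipart_boundary(header)
        verdict = "accept" if reason is None else f"reject ({reason})"
        print(f"{label:20s} -> {verdict}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one accept/reject line per sample; in practice the check sits in a reverse proxy or a servlet filter ahead of request parsing and returns 400 on rejection, while the Tomcat upgrade to a fixed release remains the actual fix.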
