and to JL to drive it so hard ;)

Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau
2014-04-07 22:44 GMT+02:00 Jean-Louis MONTEIRO <[email protected]>:

> Forgot a big big thank you to Romain as usual. He's always so active and
> efficient that we sometimes forget to highlight his highly valuable
> contribution.
>
> Thanks Romain.
>
>
> 2014-04-07 21:50 GMT+02:00 Jean-Louis MONTEIRO <[email protected]>:
>
>> Hi devs,
>>
>> As discussed heavily, the security maintenance release to fix the Tomcat
>> CVE-2014-0050.
>> According to our discussions and decisions summarized here
>> https://tomee.apache.org/security/index.html
>> we will start the release process.
>>
>> Special thanks to Jon who has worked heavily to prepare everything and
>> ensure the TCK all passes.
>>
>> Another big thanks to Andy who proposed to be the release manager.
>>
>> That's what I call a community.
>>
>> Jean-Louis
>>
>>
>> See the end of the message for more details on the CVE.
>>
>> *Important: Denial of Service*
>> CVE-2014-0050 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050>
>>
>> It was possible to craft a malformed Content-Type header for a multipart
>> request that caused Apache Tomcat to enter an infinite loop. A malicious
>> user could, therefore, craft a malformed request that triggered a denial of
>> service.
>>
>> The root cause of this error was a bug in Apache Commons FileUpload.
>> Tomcat 7 uses a package renamed copy of Apache Commons FileUpload to
>> implement the requirement of the Servlet 3.0 specification to support the
>> processing of mime-multipart requests. Tomcat 7 was therefore affected by
>> this issue.
>>
>> This was fixed in revision
>> 1565169 <http://svn.apache.org/viewvc?view=rev&rev=1565169>.
>>
>> This issue was reported to the Apache Software Foundation on 04 Feb 2014
>> and accidentally made public on 06 Feb 2014.
>>
>> Affects: 7.0.0-7.0.50
>> --
>> Jean-Louis
>>
>
>
>
> --
> Jean-Louis
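As an added illustration of the defensive side of the advisory quoted above (this is not code from the thread, from Tomcat, or from Commons FileUpload, and it is not the fix in revision 1565169): a Python check that validates the boundary parameter of a multipart Content-Type header against the RFC 2046 rules before a request body is handed to a multipart parser, so that a malformed header is rejected at the edge instead of being parsed. The function names, the limits taken from RFC 2046 (1 to 70 "bchars", no trailing space) and the constructed sample headers are assumptions of this example.

```python
import re

# RFC 2046 section 5.1.1: a multipart boundary is 1 to 70 characters from the
# "bchars" set and must not end with a space. Headers outside that envelope
# are malformed and can be refused before any multipart parser sees the body.
MAX_BOUNDARY_LEN = 70
BCHARS_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]*[0-9A-Za-z'()+_,\-./:=?]$")


def parse_content_type(header):
    """Split a Content-Type header into (media_type, {param: value}).

    Handles quoted parameter values (boundary="abc") and surrounding
    whitespace; parameter names and the media type are lower-cased.
    Splitting on ';' is safe here because ';' is not a legal bchar.
    Returns (None, {}) for an empty header.
    """
    if not header or not header.strip():
        return None, {}
    parts = header.split(";")
    media_type = parts[0].strip().lower()
    params = {}
    for raw in parts[1:]:
        if "=" not in raw:
            continue  # not a key=value parameter; ignore it
        key, value = raw.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # unquote, keeping any inner whitespace
        params[key.strip().lower()] = value
    return media_type, params


def check_multipart_content_type(header):
    """Return (ok, reason) for a Content-Type header about to reach a multipart parser."""
    media_type, params = parse_content_type(header)
    if media_type is None or not media_type.startswith("multipart/"):
        return True, "not multipart"
    boundary = params.get("boundary")
    if boundary is None:
        return False, "multipart without boundary parameter"
    if boundary == "":
        return False, "empty boundary"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return False, "boundary longer than %d characters" % MAX_BOUNDARY_LEN
    if not BCHARS_RE.match(boundary):
        return False, "boundary contains characters outside RFC 2046 bchars"
    return True, "ok"
```

A request that fails this check can be rejected with a 400 and logged; the message string gives the reason for a detection rule or dashboard.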
