+1 Thank you to you both :)
On Mon, Apr 7, 2014 at 9:45 PM, Romain Manni-Bucau <[email protected]> wrote:

> and to JL to drive it so hard ;)
> Romain Manni-Bucau
> Twitter: @rmannibucau
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau
>
> 2014-04-07 22:44 GMT+02:00 Jean-Louis MONTEIRO <[email protected]>:
> > Forgot a big big thank you to Romain as usual. He's always so active and
> > efficient that we sometimes forget to highlight his highly valuable
> > contribution.
> >
> > Thanks Romain.
> >
> > 2014-04-07 21:50 GMT+02:00 Jean-Louis MONTEIRO <[email protected]>:
> >
> >> Hi devs,
> >>
> >> As discussed heavily, the security maintenance release to fix the Tomcat
> >> CVE 2014-50.
> >> According to our discussions and decisions summarized here
> >> https://tomee.apache.org/security/index.html
> >> we will start the release process.
> >>
> >> Special thanks to Jon who has worked heavily to prepare everything and
> >> ensure the TCK all passes.
> >>
> >> Another big thanks to Andy who proposed to be the release manager.
> >>
> >> That's what I call a community.
> >>
> >> Jean-Louis
> >>
> >> See the end of the message for more details on the CVE.
> >>
> >> *Important: Denial of Service* CVE-2014-0050
> >> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050>
> >>
> >> It was possible to craft a malformed Content-Type header for a multipart
> >> request that caused Apache Tomcat to enter an infinite loop. A malicious
> >> user could, therefore, craft a malformed request that triggered a denial of
> >> service.
> >>
> >> The root cause of this error was a bug in Apache Commons FileUpload.
> >> Tomcat 7 uses a packaged renamed copy of Apache Commons FileUpload to
> >> implement the requirement of the Servlet 3.0 specification to support the
> >> processing of mime-multipart requests. Tomcat 7 was therefore affected by
> >> this issue.
> >>
> >> This was fixed in revision 1565169
> >> <http://svn.apache.org/viewvc?view=rev&rev=1565169>.
> >>
> >> This issue was reported to the Apache Software Foundation on 04 Feb 2014
> >> and accidentally made public on 06 Feb 2014.
> >>
> >> Affects: 7.0.0-7.0.50
> >> --
> >> Jean-Louis
> >
> > --
> > Jean-Louis
