[
https://issues.apache.org/jira/browse/OFBIZ-12165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl updated OFBIZ-12165:
----------------------------------
Description:
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.43.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.43 is a bugfix and feature release. The notable
changes compared to 9.0.41 include:
- Add support for using Unix domain sockets for NIO when running on Java
16 or later.
- Add a new StringInterpreter interface that allows applications to
provide customised string attribute value to type conversion within
JSPs. This allows applications to provide a conversion implementation
that is optimised for the application.
- Add peerAddress to coyote request, which contains the IP address of
the direct connection peer. If a reverse proxy sits in front of Tomcat
and the RemoteIp(Valve|Filter) is used, the peerAddress is likely to
differ from the remoteAddress. The remoteAddress is likely to contain
the address of the client in front of the reverse proxy, not the
address of the proxy itself.
Please refer to the change log for the complete list of changes:
[http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]
was:
CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M5
Apache Tomcat 9.0.0.M1 to 9.0.35
Apache Tomcat 8.5.0 to 8.5.55
Description:
A specially crafted sequence of HTTP/2 requests could trigger high CPU
usage for several seconds. If a sufficient number of such requests were
made on concurrent HTTP/2 connections, the server could become unresponsive.
Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M6 or later
- Upgrade to Apache Tomcat 9.0.36 or later
- Upgrade to Apache Tomcat 8.5.56 or later
Credit:
This issue was reported publicly via the Apache Tomcat Users mailing
list without reference to the potential for DoS. The DoS risks were
identified by the Apache Tomcat Security Team.
References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
> Upgrade Tomcat from 9.0.41 to 9.0.43
> ------------------------------------
>
> Key: OFBIZ-12165
> URL: https://issues.apache.org/jira/browse/OFBIZ-12165
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Trunk
> Reporter: Michael Brohl
> Assignee: Michael Brohl
> Priority: Major
>
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 9.0.43.
> Apache Tomcat 9 is an open source software implementation of the Java
> Servlet, JavaServer Pages, Java Unified Expression Language, Java
> WebSocket and JASPIC technologies.
> Apache Tomcat 9.0.43 is a bugfix and feature release. The notable
> changes compared to 9.0.41 include:
> - Add support for using Unix domain sockets for NIO when running on Java
> 16 or later.
> - Add a new StringInterpreter interface that allows applications to
> provide customised string attribute value to type conversion within
> JSPs. This allows applications to provide a conversion implementation
> that is optimised for the application.
> - Add peerAddress to coyote request, which contains the IP address of
> the direct connection peer. If a reverse proxy sits in front of Tomcat
> and the RemoteIp(Valve|Filter) is used, the peerAddress is likely to
> differ from the remoteAddress. The remoteAddress is likely to contain
> the address of the client in front of the reverse proxy, not the
> address of the proxy itself.
> Please refer to the change log for the complete list of changes:
> [http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
