[
https://issues.apache.org/jira/browse/OFBIZ-12165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Brohl updated OFBIZ-12165:
----------------------------------
Description:
Needs backport because of the CVE reports:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.43.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.43 is a bugfix and feature release. The notable
changes compared to 9.0.41 include:
- Add support for using Unix domain sockets for NIO when running on Java
16 or later.
- Add a new StringInterpreter interface that allows applications to
provide customised string attribute value to type conversion within
JSPs. This allows applications to provide a conversion implementation
that is optimised for the application.
- Add peerAddress to coyote request, which contains the IP address of
the direct connection peer. If a reverse proxy sits in front of Tomcat
and the RemoteIp(Valve|Filter) is used, the peerAddress is likely to
differ from the remoteAddress. The remoteAddress is likely to contain
the address of the client in front of the reverse proxy, not the
address of the proxy itself.
Please refer to the change log for the complete list of changes:
[http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]
was:
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.43.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.43 is a bugfix and feature release. The notable
changes compared to 9.0.41 include:
- Add support for using Unix domain sockets for NIO when running on Java
16 or later.
- Add a new StringInterpreter interface that allows applications to
provide customised string attribute value to type conversion within
JSPs. This allows applications to provide a conversion implementation
that is optimised for the application.
- Add peerAddress to coyote request, which contains the IP address of
the direct connection peer. If a reverse proxy sits in front of Tomcat
and the RemoteIp(Valve|Filter) is used, the peerAddress is likely to
differ from the remoteAddress. The remoteAddress is likely to contain
the address of the client in front of the reverse proxy, not the
address of the proxy itself.
Please refer to the change log for the complete list of changes:
[http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]
> Upgrade Tomcat from 9.0.41 to 9.0.43
> ------------------------------------
>
> Key: OFBIZ-12165
> URL: https://issues.apache.org/jira/browse/OFBIZ-12165
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Release Branch 18.12, Trunk
> Reporter: Michael Brohl
> Assignee: Michael Brohl
> Priority: Minor
> Labels: backport-needed
> Fix For: Upcoming Branch
>
>
> Needs backport because of the CVE reports:
> https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
>
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 9.0.43.
> Apache Tomcat 9 is an open source software implementation of the Java
> Servlet, JavaServer Pages, Java Unified Expression Language, Java
> WebSocket and JASPIC technologies.
> Apache Tomcat 9.0.43 is a bugfix and feature release. The notable
> changes compared to 9.0.41 include:
> - Add support for using Unix domain sockets for NIO when running on Java
> 16 or later.
> - Add a new StringInterpreter interface that allows applications to
> provide customised string attribute value to type conversion within
> JSPs. This allows applications to provide a conversion implementation
> that is optimised for the application.
> - Add peerAddress to coyote request, which contains the IP address of
> the direct connection peer. If a reverse proxy sits in front of Tomcat
> and the RemoteIp(Valve|Filter) is used, the peerAddress is likely to
> differ from the remoteAddress. The remoteAddress is likely to contain
> the address of the client in front of the reverse proxy, not the
> address of the proxy itself.
> Please refer to the change log for the complete list of changes:
> [http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
