Confusion about tomcat security bulletin
Dear All,

Our company has an application that uses Tomcat 5.0.27 and can't upgrade the version. I'm very concerned about the security issues related to this version. Now I have some confusion about the Tomcat security bulletin http://tomcat.apache.org/security-5.html . For example:

Fixed in Apache Tomcat 5.5.23, 5.0.HEAD
important: Information disclosure CVE-2005-2090 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2090
Requests with multiple content-length headers should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain multiple content-length headers and several components do not reject the request and make different decisions as to which content-length header to use, an attacker can poison a web cache, perform an XSS attack and obtain sensitive information from requests other than their own. Tomcat now returns 400 for requests with multiple content-length headers.
Affects: 5.0.0-5.0.30, 5.5.0-5.5.22

This issue does affect 5.0.27, but it is "Fixed in Apache Tomcat 5.5.23, 5.0.HEAD". Does 5.0.HEAD include 5.0.27 itself? If so, does it mean that when I get a new release of 5.0.27 from the Tomcat website the issue will be fixed? And if a new issue has been reported, such as "moderate: Cross-site scripting CVE-2007-1355 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1355", which also affects 5.0.27 and is fixed in 5.0.HEAD, does it mean I must get 5.0.27 from the Tomcat website again to fix this issue?

Looking forward to your answer, and thanks a lot!

Best regards,
Cheng Jianhua
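The rule quoted from the bulletin (reject a request that carries more than one Content-Length header with a 400 rather than guessing which one to honour) as an added illustration; this is not Tomcat's code, and the two sample requests are constructed for the example.

```python
# Added example (not Tomcat's code): the rule the bulletin describes, applied
# to a raw HTTP request head. Any request with more than one Content-Length
# header is rejected with 400, so no upstream proxy or cache can settle on a
# different body length than the server does.
from typing import Dict, List, Tuple

CRLF = b"\r\n"


def parse_headers(raw: bytes) -> Tuple[bytes, Dict[bytes, List[bytes]]]:
    """Return (request_line, headers); every header occurrence is kept."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    headers: Dict[bytes, List[bytes]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        # lower-case the name so "content-length" and "Content-Length" collide
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_content_length(raw: bytes) -> Tuple[int, str]:
    """Return (status, reason): 400 when the body length is ambiguous or invalid."""
    try:
        _, headers = parse_headers(raw)
    except ValueError as exc:
        return 400, str(exc)
    values = headers.get(b"content-length", [])
    if len(values) > 1:
        # Rejected even when the duplicates agree: an intermediary may not.
        return 400, "multiple Content-Length headers"
    if values and not values[0].isdigit():
        return 400, "non-numeric Content-Length"
    return 200, "ok"


# Constructed sample requests (not captured traffic).
CLEAN = b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
DOUBLE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\ncontent-length: 40\r\n\r\nhello")
```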
RE: Confusion about tomcat security bulletin
Rainer,

OK, I see now. Thank you very much!

Best regards,
Cheng Jianhua

-----Original Message-----
From: Rainer Jung [mailto:[EMAIL PROTECTED]
Sent: 1 August 2007 16:35
To: Tomcat Users List
Subject: Re: Confusion about tomcat security bulletin

5.0.HEAD is the most current, non-released version of the 5.0 code branch. So this means the problem will be fixed in any new 5.0 release. Currently there are no plans to do a new 5.0 release. So if security is a real concern for you, you should upgrade to at least 5.5 (which shouldn't be a big deal) or to 6.0. If you can't upgrade and you must fix the issue, you will need to build from the source (which is a little painful for TC 5.0).

Regards,
Rainer
Re: Confusion about tomcat security bulletin
5.0.HEAD is the most current, non-released version of the 5.0 code branch. So this means the problem will be fixed in any new 5.0 release. Currently there are no plans to do a new 5.0 release. So if security is a real concern for you, you should upgrade to at least 5.5 (which shouldn't be a big deal) or to 6.0. If you can't upgrade and you must fix the issue, you will need to build from the source (which is a little painful for TC 5.0).

Regards,
Rainer