Vulnerability Remediation

2011-11-04 Thread Brendan P Keenan

It has been identified to me by our security group that my Apache Tomcat
6.0.33 has the following vulnerability: CVE-2011-3190. There is a link on
the Apache Tomcat 6.0 Security page to
http://svn.apache.org/viewvc?view=revision&revision=1162959 as a patch.

The link lists three files:

/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

There is no trunk or java/org/apache/coyote directory in my installation.
Do I add those directories to apply the patch?

I am completely new at all of this so all help and direction is appreciated
and necessary.
Thanks


Brendan P Keenan
Mainframe Automation
CSC

Home Office - Columbia, CT USA
GOS | Global Enterprise Service Mgmt | 1.860.416.0251 | bkee...@csc.com |
www.csc.com

This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to
any order or other contract unless pursuant to explicit written agreement
or government initiative expressly permitting the use of e-mail for such
purpose.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Vulnerability Remediation

2011-11-04 Thread Daniel Mikusa
Brendan,

The link is a list of the files that were modified to fix the
vulnerability.  These files can be used to patch the source code for
Tomcat.  After patching the source code, you would then need to
recompile it and update your Tomcat installation with the recompiled
binaries.

In my opinion, it's easier to apply one of the mitigations now and
upgrade to Tomcat 6.0.34 when it is officially released.

* Configure both Tomcat and the reverse proxy to use a shared secret.
  (It is the request.secret attribute in the AJP Connector, and the
  worker.workername.secret directive for mod_jk. The mod_proxy_ajp
  module currently does not support shared secrets.)

* Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
  implementation.
  (It is automatically selected if you do not have the Tomcat-Native library
  installed. It can also be selected explicitly:
  <Connector protocol="org.apache.jk.server.JkCoyoteHandler">.)

Dan



On Fri, 2011-11-04 at 13:20 -0700, Brendan P Keenan wrote:
 It has been identified to me by our security group that my Apache Tomcat
 6.0.33 has the following vulnerability: CVE-2011-3190. There is a link on
 the Apache Tomcat 6.0 Security page to
 http://svn.apache.org/viewvc?view=revision&revision=1162959 as a patch.
 
 The link lists three files:
 
 /tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java
 /tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java
 /tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
 
 There is no trunk or java/org/apache/coyote directory in my installation.
 Do I add those directories to apply the patch?
 
 I am completely new at all of this so all help and direction is appreciated
 and necessary.
 Thanks
 
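A small configuration check for the mitigations Dan lists, added here as an example and not part of the thread: it parses a server.xml (a constructed sample is embedded) and reports AJP connectors that set neither request.secret nor the org.apache.jk.server.JkCoyoteHandler protocol. It assumes the Tomcat 6 attribute names as given on the security page; a connector left at AJP/1.3 without a secret is flagged conservatively, since the script cannot tell whether Tomcat-Native is absent and the BIO handler was therefore selected automatically.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from any real installation).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- weak: AJP connector with no shared secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- mitigated: shared secret; must match worker.<name>.secret in mod_jk -->
    <Connector port="8010" protocol="AJP/1.3" request.secret="PLACEHOLDER-SECRET"/>
    <!-- mitigated: BIO handler named in the advisory, selected explicitly -->
    <Connector port="8011" protocol="org.apache.jk.server.JkCoyoteHandler"/>
  </Service>
</Server>
"""

AJP_BIO_HANDLER = "org.apache.jk.server.JkCoyoteHandler"


def is_ajp(connector):
    """True if a <Connector> element speaks AJP (either protocol spelling)."""
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.startswith("AJP/") or proto == AJP_BIO_HANDLER


def unmitigated_ajp_ports(server_xml):
    """Return the port attribute of every AJP connector that has neither
    a request.secret nor the explicit JkCoyoteHandler protocol.
    Connectors on AJP/1.3 without a secret are flagged even though they may
    already be on the BIO handler when Tomcat-Native is not installed."""
    root = ET.fromstring(server_xml)
    flagged = []
    for conn in root.iter("Connector"):
        if not is_ajp(conn):
            continue
        has_secret = bool(conn.get("request.secret"))
        explicit_bio = conn.get("protocol") == AJP_BIO_HANDLER
        if not (has_secret or explicit_bio):
            flagged.append(conn.get("port"))
    return flagged


if __name__ == "__main__":
    for port in unmitigated_ajp_ports(SAMPLE_SERVER_XML):
        print("AJP connector on port %s has no shared secret; review it" % port)
```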


Re: Vulnerability Remediation

2011-11-04 Thread Konstantin Kolinko
2011/11/5 Brendan P Keenan bkee...@csc.com:

 It has been identified to me by our security group that my Apache Tomcat
 6.0.33 has the following vulnerability: CVE-2011-3190. There is a link on
 the Apache Tomcat 6.0 Security page to
 http://svn.apache.org/viewvc?view=revision&revision=1162959 as a patch.

 (...)

 Do I add those directories to apply the patch?


Have you read the first section at the top of that Tomcat 6 security page?
http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities


Regarding those three files that you mentioned:
That is the ViewVC program, which displays the Subversion repository that
contains the source code.  That page shows what files were changed in
revision #1162959 and what the differences were.

Best regards,
Konstantin Kolinko
