[SECURITY] CVE-2017-15699: Apache Qpid Dispatch Router Denial of Service Vulnerability when specially crafted frame is sent to the Router
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Versions 0.7.0 and 0.8.0

Description: A Denial of Service vulnerability was found in Apache Qpid Dispatch Router 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specifically crafted AMQP frame which will cause it to segfault and shut down.

Resolution: Users of Qpid Dispatch Router versions 0.7.0 and 0.8.0 must upgrade to version 0.8.1 or 1.0.0 and later.

Mitigation: Any user who is able to connect to the Router may exploit the vulnerability. If anonymous authentication is enabled then any remote user with network access to the Router is a possible attacker. The number of possible attackers is reduced if the Router is configured to require authentication. Then an attacker needs to have authentic credentials which are used to create a connection to the Router before proceeding to exploit this vulnerability.

[1] - https://issues.apache.org/jira/browse/DISPATCH-924
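To illustrate the mitigation described above, here is a constructed qdrouterd.conf fragment (an added example, not part of the advisory or the project's own configuration) showing a listener that admits anonymous peers next to one that requires SASL authentication. The listener attribute names follow the Qpid Dispatch router configuration as I understand it; the port, mechanism and profile name are assumptions.

```text
# Constructed example: permissive listener. Anyone with network access to the
# port can open an AMQP connection, so anyone can reach the affected frame parser.
listener {
    host: 0.0.0.0
    port: amqp
    role: normal
    authenticatePeer: no
    saslMechanisms: ANONYMOUS
}

# Constructed example: hardened listener. Peers must authenticate with SASL
# (PLAIN here, carried over TLS) before the connection is accepted, so only
# holders of valid credentials can proceed to the affected code path.
# Deploy this in place of the permissive listener above, not alongside it.
# "tls-profile" is an assumed name for an sslProfile section defined elsewhere.
listener {
    host: 0.0.0.0
    port: amqp
    role: normal
    authenticatePeer: yes
    saslMechanisms: PLAIN
    requireSsl: yes
    sslProfile: tls-profile
}
```

Requiring authentication only narrows who can connect; the actual fix is the upgrade to 0.8.1 or 1.0.0 and later stated in the Resolution.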
[ANNOUNCE] Apache Qpid Dispatch 0.8.1 released
The Apache Qpid (http://qpid.apache.org) community is pleased to announce the immediate availability of Apache Qpid Dispatch 0.8.1.

Qpid Dispatch is a router for the Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, http://www.amqp.org). It provides a flexible and scalable interconnect between AMQP endpoints, whether they be clients, brokers, or other AMQP-enabled services.

The release is available now from our website:
https://qpid.apache.org/releases/qpid-dispatch-0.8.1/index.html

Release notes can be found at:
http://qpid.apache.org/releases/qpid-dispatch-0.8.1/release-notes.html

Thanks to all involved,
Ganesh.
[ANN] Apache Tomcat 9.0.5 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.5.

Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies.

Apache Tomcat 9.0.5 is a bugfix and feature release. The notable changes compared to 9.0.4 include:

- Refactor error handling to enable errors that occur before processing is passed to the application to be handled by the application provided error handling and/or the container provided error handling (ErrorReportValve) as appropriate.
- Enable strict validation of the provided host name and port for all connectors. Requests with invalid host names and/or ports will be rejected with a 400 response.
- Enhance the JMX support for jdbc-pool in order to expose PooledConnection and JdbcInterceptors.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
[ANN] Apache Tomcat 8.5.28 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.28.

Tomcat 8.x users should be using 8.5.x releases in preference to 8.0.x releases.

Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers technologies.

Apache Tomcat 8.5.x is intended to replace 8.0.x and includes new features pulled forward from the 9.0.x branch. The notable changes since 8.5.27 include:

- Fix truncated request input streams when using NIO2 with TLS.
- Improved error handling and reporting for TLS configuration.
- Enhance the JMX support for jdbc-pool in order to expose PooledConnection and JdbcInterceptors.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team