The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.37.
Please note that Tomcat 8.x users should normally be using 8.5.x
releases in preference to 8.0.x releases.
Apache Tomcat 8.0 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.5.
Tomcat 8.x users should normally be using 8.5.x releases in preference
to 8.0.x releases.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.0.M10.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.0.M10 is a
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.4.
This is the first stable release of the 8.5.x branch. Tomcat 8.x users
should now use 8.5.x releases in preference to 8.0.x releases.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet,
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.0.M9.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.0.M9 is a milestone
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.8 stable.
The key features of this release are:
- Improved performance with concurrent loads
- Correctly enable and disable OCSP in the binaries for Windows
- Fix a bug in the handling of EAGAIN during
Note: This announcement corrects several errors and omissions in the
Tomcat aspects of the announcement for CVE-2016-3092 from the Apache
Commons project that was recently forwarded to various Apache Tomcat
mailing lists.
For the sake of clarity, the Tomcat specific corrections are as follows:
1.
Original Message
From: Jochen Wiedmann
Sent: 21 June 2016 10:18:15 BST
To: priv...@commons.apache.org, "secur...@apache.org" ,
Tomcat Security List , announce@apache.org, Apache
Commons Developers
Apologies for the delay in sending this out.
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.35.
Apache Tomcat 8.0 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.2 BETA.
Apache Tomcat 8.0 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and Java Authentication Service Provider Interface for
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.0.M6.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.0.M6 is a milestone
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.33.
Apache Tomcat 8.0 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.33 includes fixes for issues
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.0 BETA.
Apache Tomcat 8.0 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and Java Authentication Service Provider Interface for
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.0.M4.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.0.M4 is a milestone
CVE-2015-5346 Apache Tomcat Session fixation
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 7.0.5 to 7.0.65
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1
Description:
When recycling
CVE-2015-5351 Apache Tomcat CSRF token leak
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 7.0.1 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.31
- Apache Tomcat 9.0.0.M1
Description:
The index
CVE-2016-0706 Apache Tomcat Security Manager bypass
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache
CVE-2015-5345 Apache Tomcat Directory disclosure
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.66
- Apache Tomcat 8.0.0.RC1 to 8.0.29
- Apache Tomcat
CVE-2016-0714 Apache Tomcat Security Manager Bypass
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache
CVE-2016-0763 Apache Tomcat Security Manager Bypass
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1 to 9.0.0.M2
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.32.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.32 includes fixes for issues
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.0.M3.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 9.0.0.M3 is a milestone release
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.4 stable.
The key features of this release are:
- Improvements to renegotiation
Note that, unless a regression is discovered in 1.2.x, users should now
be using 1.2.x in preference to 1.1.x.
Please refer to
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.3 stable.
The key features of this release are:
- Java keystore support.
- Various fixes to align the Java and native APIs
- Various fixes if building without OpenSSL
- Windows binaries built with OpenSSL
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.30.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.30 includes fixes for issues
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.0.M1.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 9.0.0.M1 is the first milestone
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.2 stable.
The key features of this release are:
- ALPN support
- SNI support
- Add access methods for OpenSSL BIO
- Windows binaries built with APR 1.5.1 and OpenSSL 1.0.2d
- Itanium binaries no longer
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.28.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.28 includes fixes for issues
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.24.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.24 includes numerous fixes for
The Apache Tomcat team announces that support for Apache Tomcat 6.0.x
will end on 31 December 2016.
This means that after 31 December 2016:
- releases from the 6.0.x branch are highly unlikely
- bugs affecting only the 6.0.x branch will not be addressed
- security vulnerability reports will not
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.23.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.23 includes numerous fixes for
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 6.0.44.
Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages and Java Expression Language technologies.
This release contains a number of bug fixes and improvements compared to
CVE-2014-7810 Security Manager Bypass
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.15
- Apache Tomcat 7.0.0 to 7.0.57
- Apache Tomcat 6.0.0 to 6.0.43
Description:
Malicious
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.22.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.22 includes numerous fixes for
CVE-2014-0230 Denial of Service
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.8
- Apache Tomcat 7.0.0 to 7.0.54
- Apache Tomcat 6.0.0 to 6.0.43
Description:
When a response for a
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.1.33 stable.
The key features of this release are:
- Fixed a crash when the poller returned multiple events for the same
socket.
- Link Windows binaries with OpenSSL 1.0.1m and APR 1.5.1
Please refer to the
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.20.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.20 includes numerous fixes for
CVE-2014-0227 Request Smuggling
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.8
- Apache Tomcat 7.0.0 to 7.0.54
- Apache Tomcat 6.0.0 to 6.0.41
Description:
It was possible to
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.17.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.17 includes numerous fixes for
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 6.0.43.
Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages and Java Expression Language technologies.
This release contains a number of bug fixes and improvements compared to
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.15.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.15 includes numerous fixes for
On 28/10/2014 21:28, Mark Thomas wrote:
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.1.32 stable.
The key features of this release are:
- Add support for TLSv1.1 and TLSv1.2
- Link Windows binaries with OpenSSL 1.0.1i and APR 1.5.1
Correction
CVE-2013- Remote Code Execution
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 7.0.0 to 7.0.39
Description:
In very limited circumstances, it was possible for an attacker to upload
a malicious
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.12.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.12 includes numerous fixes for
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.11.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8.0.11 includes numerous fixes for
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.9, the first stable release of the 8.0.x series.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
CVE-2014-0075 Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39
Description:
It was possible to craft a malformed chunk size as part of a chunked
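The chunk-size line of a chunked request is a classic place where a malformed size (too many hex digits, non-hex characters, or a value that wraps the integer the server later uses as a read length) turns into a denial of service. The following is an added example in Python, not Tomcat's parser and not code from this advisory: a chunk-size parser that bounds the digit count and the value before the size is ever used, plus a small decoder built on it. The limits MAX_HEX_DIGITS and MAX_CHUNK_SIZE and the sample chunked body are assumptions chosen for illustration.

```python
"""Added hardening example (not Tomcat's code): strict parsing of the
chunk-size line in HTTP/1.1 chunked transfer encoding.

A chunk-size line is a run of hex digits, optionally followed by ";ext",
terminated by CRLF. The defensive points are: bound the number of hex
digits so the value cannot overflow the server's length type, reject
anything that is not a hex digit, and cap the resulting size."""

# Assumptions for this example: 8 hex digits fit in 32 bits, and the server
# stores chunk lengths in a signed 32-bit int, so anything above 0x7FFFFFFF
# is refused rather than allowed to wrap negative.
MAX_HEX_DIGITS = 8
MAX_CHUNK_SIZE = 0x7FFFFFFF
HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkSizeError(ValueError):
    """Raised for any chunk-size line the parser refuses."""


def parse_chunk_size(line: bytes) -> int:
    """Return the chunk size from one chunk-size line (without its CRLF).

    Raises ChunkSizeError on malformed input instead of silently wrapping
    or accepting a negative or oversized length."""
    # Chunk extensions (";name=value") are ignored, but they must not be fed
    # into the hex conversion.
    size_part, _, _ext = line.partition(b";")
    size_part = size_part.strip(b" \t")
    if not size_part:
        raise ChunkSizeError("empty chunk size")
    if len(size_part) > MAX_HEX_DIGITS:
        # int() would happily parse 100 hex digits; a fixed-width C/Java
        # integer would overflow, so refuse before converting.
        raise ChunkSizeError("chunk size has too many hex digits")
    if any(c not in HEX_DIGITS for c in size_part):
        # Rejects "-5", "0x10", "1A\x00", etc. rather than letting a lenient
        # converter guess at them.
        raise ChunkSizeError("non-hex character in chunk size")
    size = int(size_part, 16)
    if size > MAX_CHUNK_SIZE:
        raise ChunkSizeError("chunk size exceeds limit")
    return size


def rejects(line: bytes) -> bool:
    """True if parse_chunk_size refuses the line (used to exercise the checks)."""
    try:
        parse_chunk_size(line)
    except ChunkSizeError:
        return True
    return False


def dechunk(body: bytes) -> bytes:
    """Decode a complete chunked body, validating every size line with
    parse_chunk_size. Trailers after the zero-size chunk are ignored."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkSizeError("missing CRLF after chunk size")
        size = parse_chunk_size(body[pos:eol])
        pos = eol + 2
        if size == 0:
            return bytes(out)
        # The chunk data must be fully present and followed by CRLF.
        if len(body) - pos < size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkSizeError("truncated chunk or missing CRLF after data")
        out += body[pos:pos + size]
        pos += size + 2


if __name__ == "__main__":
    # Constructed sample body: two chunks followed by the terminating chunk.
    sample = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
    print(dechunk(sample))
    for bad in (b"", b"-5", b"100000000", b"ffffffff", b"0x10"):
        print(repr(bad), "rejected:", rejects(bad))
```

The digit-count check does the real work: it makes the overflow case unreachable regardless of how the surrounding code stores the size, and it is cheaper than checking the converted value after the fact.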
CVE-2014-0096 Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39
Description:
The default servlet allows web applications to define (at multiple
CVE-2014-0119 Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.5
- Apache Tomcat 7.0.0 to 7.0.53
- Apache Tomcat 6.0.0 to 6.0.39
Description:
In limited circumstances it was possible for a malicious web
CVE-2014-0095 Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC2 to 8.0.3
Description:
A regression was introduced in revision 1519838 that caused AJP
requests to hang if an explicit content length of zero was set on the
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 6.0.41 stable.
Apache Tomcat 6.0.41 is primarily a bug fix release. The
notable changes include:
- Add support for using ecj-P20140317-1600.jar to use Java 8 syntax in
JSPs
- Update native library to 1.1.30
- Various
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.8 (beta).
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8 is aligned with Java EE 7.
CVE-2013-4322 Incomplete fix for CVE-2012-3544 (Denial of Service)
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.0-RC5
- Apache Tomcat 7.0.0 to 7.0.47
- Apache Tomcat 6.0.0 to
CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1
- Apache Tomcat 7.0.0 to 7.0.42
- Apache Tomcat 6.0.0 to 6.0.37
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 6.0.39 stable.
Apache Tomcat 6.0.39 is primarily a security and bug fix release. The
notable changes include:
- Various improvements to XML configuration file validation.
- Better adherence to RFC2616 for Content-Type
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.0-RC10 (alpha).
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8 is aligned with Java
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.0-RC5 (alpha).
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8 is aligned with Java
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.0-RC3 (alpha).
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8 is aligned with Java
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.0-RC1 (alpha).
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language and Java
WebSocket technologies.
Apache Tomcat 8 is aligned with Java
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.41.
Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages and Java Expression Language technologies.
This release contains a number of bug fixes and improvements compared to
CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.39
Description:
Bug 54178 described a scenario where
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.40.
Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages and Java Expression Language technologies.
This release contains a security fix and a number of bug fixes
and
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.39.
Apache Tomcat is an open source software implementation of the Java
Servlet and JavaServer Pages technologies.
This release contains a number of bug fixes and improvements compared to
version 7.0.37. The notable
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.37.
Apache Tomcat is an open source software implementation of the Java
Servlet and JavaServer Pages technologies.
This release contains a small number of bug fixes and improvements
compared to version 7.0.35. The
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.35.
Apache Tomcat is an open source software implementation of the Java
Servlet and JavaServer Pages technologies.
This release contains a small number of bug fixes and improvements
compared to version 7.0.34. The
On 10/08/2011 13:00, Mark Thomas wrote:
The Apache Tomcat team announces that support for Apache Tomcat 5.5.x
will end on 30 September 2012.
This means that after 30 September 2012:
- releases from the 5.5.x branch are highly unlikely
- bugs affecting only the 5.5.x branch
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.34.
Apache Tomcat is an open source software implementation of the Java
Servlet and JavaServer Pages technologies.
This release contains a small number of bug fixes and improvements
compared to version 7.0.33. The
CVE-2012-4534 Apache Tomcat denial of service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35
Description:
When using the NIO connector with sendfile and HTTPS enabled, if a
client breaks the connection while
CVE-2012-3546 Apache Tomcat Bypass of security constraints
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
Earlier unsupported versions may also be affected
CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.31
- Tomcat 6.0.0 to 6.0.35
Description:
The CSRF prevention filter could be
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.33.
Apache Tomcat is an open source software implementation of the Java
Servlet and JavaServer Pages technologies.
This release contains a small number of bug fixes and improvements
compared to version 7.0.32. The
It has been brought to the attention of the Apache Tomcat PMC that the
Tomcat 6.0.36 release announcement below was sent to the Tomcat users
list and the Tomcat developers list but not the Tomcat and ASF announce
lists.
Please accept our apologies if you missed the Apache Tomcat 6.0.36
release
CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
- Tomcat 5.5.0 to 5.5.35
- Earlier, unsupported
The Apache Tomcat Team announces the immediate availability of Apache
Tomcat 5.5.36.
Apache Tomcat 5.5.36 is primarily a bug-fix release.
As per the previous end of life announcement [1] this will almost
certainly be the final Apache Tomcat 5.5.x release. Users of the 5.5.x
series are strongly
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.30.
Apache Tomcat is an open source software implementation of the Java
Servlet and JavaServer Pages technologies.
This release contains numerous bug fixes and improvements compared to
version 7.0.29. The notable
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.28.
Apache Tomcat is an open source software implementation of the Java
Servlet and JavaServer Pages technologies.
This release includes many improvements as well as a number of bug
fixes compared to version
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.27
This release includes significant new features as well as a number of
bug fixes compared to version 7.0.26. The notable changes include:
* Support for the WebSocket protocol (RFC6455). Both streaming and
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.26
This release is primarily a bug fix release and includes numerous
bug fixes compared to version 7.0.25. The notable bug fixes include:
* Improved @HandlesTypes processing which no longer loads
all
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.25
This release includes numerous bug fixes and several new features
compared to version 7.0.23. The notable new features include:
* Align the Servlet 3.0 implementation with the changes defined in the
first
CVE-2011-3375 Apache Tomcat Information disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.21
- Tomcat 6.0.30 to 6.0.33
- Earlier versions are not affected
Description:
For performance reasons, information parsed from a request is
You may have read about a recently announced vulnerability rooted in the
Java hashtable implementation [1]. Since Apache Tomcat uses a hashtable
for storing HTTP request parameters, it is affected by this issue.
As per [1], it appears that Oracle will not be providing a fix for this
vulnerability
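The hashtable behaviour referred to above comes from java.lang.String.hashCode(): strings with equal hash codes land in the same bucket, and because concatenations of equal-length colliding seeds also collide, an attacker can generate thousands of parameter names that all share one bucket, so inserting them degrades the request-parameter map from O(1) to O(n) per operation. The following is an added example in Python, not Tomcat's code and not part of the original message: it reimplements String.hashCode(), derives colliding keys from the well-known seed pair "Aa"/"BB", simulates the resulting bucket chain, and shows a per-request parameter-count cap as the mitigation (the connector attribute Tomcat introduced for this is maxParameterCount; the cap value, the constructed query string and the helper names here are assumptions for illustration).

```python
"""Added example (not Tomcat's code): the String.hashCode() collision
behind the hashtable DoS, and a parameter-count cap as mitigation."""
import itertools
from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF


def java_string_hash(s: str) -> int:
    """Reimplementation of java.lang.String.hashCode(): h = 31*h + c with
    32-bit wraparound, returned as a signed Java int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & MASK32
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(n_pairs: int) -> List[str]:
    """Return 2**n_pairs distinct strings that all share one hashCode().

    "Aa" and "BB" both hash to 2112. Since they have the same length,
    hash(s1 + s2) == hash(s1) * 31**2 + hash(s2) is identical for every
    choice of seeds, so every concatenation of them collides as well."""
    seeds = ("Aa", "BB")
    return ["".join(p) for p in itertools.product(seeds, repeat=n_pairs)]


def longest_chain(keys: List[str], n_buckets: int = 1024) -> int:
    """Simulate a chained hashtable indexed by hashCode() % n_buckets and
    return the longest bucket chain. Colliding keys all land in one bucket,
    so each insert or lookup walks the whole chain."""
    buckets = [0] * n_buckets
    for k in keys:
        buckets[java_string_hash(k) % n_buckets] += 1
    return max(buckets)


def build_param_map(query: str,
                    max_parameter_count: Optional[int] = None) -> Dict[str, List[str]]:
    """Parse a query string into a parameter map, optionally refusing the
    request once it carries more than max_parameter_count parameters.

    The attack needs many colliding names in a single request, so a count
    cap bounds the work any one request can cause. The cap value chosen by
    the caller is an assumption for this example."""
    params: Dict[str, List[str]] = {}
    count = 0
    for pair in query.split("&"):
        if not pair:
            continue
        count += 1
        if max_parameter_count is not None and count > max_parameter_count:
            raise ValueError("request has more than %d parameters" % max_parameter_count)
        name, _, value = pair.partition("=")
        params.setdefault(name, []).append(value)
    return params


def exceeds_cap(query: str, cap: int) -> bool:
    """True if build_param_map refuses the query under the given cap."""
    try:
        build_param_map(query, max_parameter_count=cap)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample request: 1024 colliding parameter names in one query.
    keys = colliding_keys(10)
    query = "&".join(k + "=1" for k in keys)
    benign = ["p%d" % i for i in range(1024)]
    print("distinct keys:", len(set(keys)),
          "distinct hashes:", len({java_string_hash(k) for k in keys}))
    print("longest chain, colliding:", longest_chain(keys),
          "benign:", longest_chain(benign))
    print("rejected with cap=100:", exceeds_cap(query, 100))
```

The count cap does not fix the hash function; it only bounds how much colliding input one request may contribute, which is why it was a practical server-side mitigation while the platform hash remained unchanged.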
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.23
This release includes numerous bug fixes and several new features
compared to version 7.0.22. The notable new features include:
* The ability to start and stop child containers (primarily Contexts:
i.e. web
CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.21
Description:
This issue only affects environments running web applications that
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.22
Apache Tomcat 7.0.22 includes bug fixes and new features compared to
version 7.0.21 including:
- Further improvements to the memory leak detection and prevention features.
- Fix issue that prevented using SSL with
CVE-2011-2729: Commons Daemon fails to drop capabilities (Apache Tomcat)
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Tomcat 7.0.0 to 7.0.19
Tomcat 6.0.30 to 6.0.32
Tomcat 5.5.32 to 5.5.33
Description:
Due to a bug in the capabilities code, jsvc (the service
CVE-2011-2481: Apache Tomcat information disclosure vulnerability
Severity: low
Vendor: The Apache Software Foundation
Versions Affected:
Tomcat 7.0.0 to 7.0.16
Previous versions are not affected.
Description:
The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
vulnerability
The Apache Tomcat team announces that support for Apache Tomcat 5.5.x
will end on 30 September 2012.
This means that after 30 September 2012:
- releases from the 5.5.x branch are highly unlikely
- bugs affecting only the 5.5.x branch will not be addressed
- security vulnerability reports will not
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.19
Apache Tomcat 7.0.19 includes security fixes, bug fixes and the
following new features compared to version 7.0.16:
- JSP recompilation is now triggered by any change (backwards as well
as forwards) in the last
CVE-2011-2526: Apache Tomcat Information disclosure and availability vulnerabilities
Severity: low
Vendor: The Apache Software Foundation
Versions Affected:
Tomcat 7.0.0 to 7.0.18
Tomcat 6.0.0 to 6.0.32
Tomcat 5.5.0 to 5.0.33
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.16.
Apache Tomcat 7.0.16 includes bug fixes and the following new features
compared to version 7.0.14:
- NIO implementation of the AJP connector
- Enable Servlet 3 asynchronous processing support when using
CVE-2011-1183 Apache Tomcat security constraint bypass
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.11
- Earlier versions are not affected
Description:
A regression in the fix for CVE-2011-1088 meant that security
constraints were ignored when no
CVE-2011-1475 Apache Tomcat information disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.11
- Earlier versions are not affected
Description:
Changes introduced to the HTTP BIO connector to support Servlet 3.0
asynchronous requests
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.11
Apache Tomcat 7.0.11 is primarily a security fix release with a small
number of additional bug fixes compared to 7.0.10.
Please refer to the change log for the list of changes:
The fix in Tomcat 7.0.10 was incomplete. @SecurityAnnotations are still
ignored when there are no security constraints defined in web.xml (a
typical use case).
There will be a Tomcat 7.0.11 release shortly to address this. In the
meantime, the workaround of specifying at least one security
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.8
Apache Tomcat 7.0.8 is primarily a security and bug fix release with
numerous fixes compared to 7.0.6.
Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
CVE-2011-0534 Apache Tomcat DoS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.6
- Tomcat 6.0.0 to 6.0.30
Description:
Tomcat did not enforce the maxHttpHeaderSize limit while
CVE-2011-0013 Apache Tomcat Manager XSS vulnerability
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.5
- Tomcat 6.0.0 to 6.0.29
- Tomcat 5.5.0 to 5.5.31
- Earlier, unsupported versions may also
CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.3
- Tomcat 6.0.0 to 6.0.?
- Tomcat 5.5.0 to 5.5.?
- Earlier, unsupported versions may also be affected
Description:
When
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.6.
This is the first stable release of the Tomcat 7 branch.
Apache Tomcat 7.0.6 contains further performance improvements in session
management, a new binary distribution targeted at users embedding Tomcat
in other
CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.4
  - Not affected in default configuration.